Tutorial ini juga tersedia dalam Bahasa Indonesia
This is a guide to install Arch/Artix Linux with full disk encryption (including /boot), Btrfs, snapper and booting from snapshot.
You can use fdisk, gdisk or cfdisk to partition your drive, if you are using UEFI system also create an ESP partition.
If you are dual booting just create a LUKS partition & jump to Formatting Partitions but don't format the ESP.
Example Partition for EFI
| Partition | Size | Type | Notes |
|---|---|---|---|
| ESP | 200M | EFI system | If you already installed an OS on UEFI system this partition already has been created |
| LUKS | >20GB | Linux filesystem |
Format ESP partition if you're using UEFI system, in this tutorial it's /dev/sda1.
# mkfs.vfat /dev/sda1
Format LUKS partition, in this example we use /dev/sda2 as our partition.
# cryptsetup luksFormat --pbkdf=pbkdf2 /dev/sda2
Open LUKS partition, we use btw as the name of the LUKS & LVM partition.
# cryptsetup open /dev/sda2 btw
We use LVM on LUKS so both root & swap is on the same LUKS partition.
For swap volume create with the size of your RAM, in this tutorial it's 4GB.
Create LVM volume group (VG) on LUKS, in this case we also use btw as VG's name.
# vgcreate btw /dev/mapper/btw
Create root & swap logical volumes (LV) on VG, in this example we create a 4GB swap, to change swap LV size, change 4G to desired size.
# lvcreate -L 4G -n swap btw
# lvcreate -l +100%FREE -n root btw
Format LVs.
# mkswap /dev/btw/swap
# mkfs.btrfs /dev/btw/root
Use swap LV as swap.
# swapon /dev/btw/swap
Mount root volume.
# mount -o compress=zstd,noatime /dev/btw/root /mnt
Create btrfs subvolumes.
# btrfs subvol create /mnt/@
# btrfs subvol create /mnt/@var
# btrfs subvol create /mnt/@home
# btrfs subvol create /mnt/@snapshots
| Subvolume | Mountpoint | Description |
|---|---|---|
@ |
/ |
Root subvolume |
@var |
/var |
/var subvolume |
@home |
/home |
Home subvolume |
@snapshots |
/.snapshots/ |
Root's subvolume snapshots |
Optional subvolumes
| Subvolume | Mountpoint | Description |
|---|---|---|
@srv |
/srv |
|
@libvirt-image |
/var/lib/libvirt/images/ |
libvirt image pool |
@mysql |
/var/lib/mysql |
MariaDB/MySQL database |
Disable Copy on write (COW) for the @var subvolume.
# chattr +C /mnt/@var
Unmount btrfs volume & mount the root (@) subvolume.
# umount /mnt
# mount -o compress=zstd,noatime,subvol=@ /dev/btw/root /mnt
Mount rest of the subvolumes & ESP.
# mkdir -p /mnt/{boot/efi,var,home,.snapshots}
# mount /dev/sda1 /mnt/boot/efi
# mount -o compress=zstd,noatime,subvol=@home /dev/btw/root /mnt/home
# mount -o compress=zstd,noatime,subvol=@var /dev/btw/root /mnt/var
# mount -o compress=zstd,noatime,subvol=@snapshots /dev/btw/root /mnt/.snapshots
Install CachyOS key
Note: You can check https://wiki.cachyos.org/features/optimized_repos/#tab-panel-22 in case the key is updated
# pacman-key --recv-keys F3B607488DB35A47 --keyserver keyserver.ubuntu.com
# pacman-key --lsign-key F3B607488DB35A47
Install necessary packages from CachyOS repo.
pacman -U 'https://mirror.cachyos.org/repo/x86_64/cachyos/cachyos-keyring-20240331-1-any.pkg.tar.zst' \
'https://mirror.cachyos.org/repo/x86_64/cachyos/cachyos-mirrorlist-18-1-any.pkg.tar.zst' \
'https://mirror.cachyos.org/repo/x86_64/cachyos/cachyos-v3-mirrorlist-18-1-any.pkg.tar.zst' \
'https://mirror.cachyos.org/repo/x86_64/cachyos/cachyos-v4-mirrorlist-6-1-any.pkg.tar.zst' \
'https://mirror.cachyos.org/repo/x86_64/cachyos/pacman-7.0.0.r6.gc685ae6-2-x86_64.pkg.tar.zst'
Check microarchitecture level supported by your CPU.
# /lib/ld-linux-x86-64.so.2 --help
The output below is an example for CPU that supports x86-64-v3 microarchitecture level
Subdirectories of glibc-hwcaps directories, in priority order:
x86-64-v4
x86-64-v3 (supported, searched)
x86-64-v2 (supported, searched)
Add these lines above [core] depending on your microarchitecture level supported by your CPU (replace v3 with v4 if your CPU support v4 microarchitecture level).
[cachyos-v3]
Include = /etc/pacman.d/cachyos-v3-mirrorlist
[cachyos-core-v3]
Include = /etc/pacman.d/cachyos-v3-mirrorlist
[cachyos-extra-v3]
Include = /etc/pacman.d/cachyos-v3-mirrorlist
[cachyos]
Include = /etc/pacman.d/cachyos-mirrorlist
(Optional, Arch only) Use reflector to generate mirrorlist or if you want to choose mirrors manually and/or you're installing Artix you can edit /etc/pacman.d/mirrorlist.
Note: For the country you may change
--countryto your country and/or nearest countries but in this tutorial we use--country Indonesia,Singaporeto include mirrors in Indonesia & Singapore as an example.
# reflector --save /etc/pacman.d/mirrorlist --latest 20 --sort rate --verbose --protocol http,https --country Indonesia,Singapore
Install base packages.
- For Arch:
# pacstrap -K /mnt base linux linux-firmware lvm2 cryptsetup btrfs-progs snapper sudo
# pacstrap -K /mnt base linux-cachyos linux-firmware lvm2 cryptsetup btrfs-progs snapper sudo cachyos-keyring cachyos-mirrorlist cachyos-{v3,v4}-mirrorlist cachyos-settings mkinitcpio
- For Artix:
Note: you can choose your init which are
openrc,runit,s6ordinit.
# basestrap /mnt base linux linux-firmware <b>init</b> elogind-<b>init</b> lvm2-<b>init</b> cryptsetup snapper sudo
For Arch with CachyOS repositories copy /etc/pacman.conf to /mnt/etc/pacman.conf
cp /etc/pacman.conf /mnt/etc/pacman.conf
Generate fstab.
- For Arch:
# genfstab -U /mnt >> /mnt/etc/fstab - For Artix:
# fstabgen -U /mnt >> /mnt/etc/fstab
Edit fstab file.
Note: you can use vim or nano to edit files, nano is the easiest to use but we use vim in this tutorial. Artix can use vi instead of vim as Artix Live ISO only include Vi instead of Vim.
# vim /mnt/etc/fstab
Remove all subvolid=xxx from the options for btrfs mounts.
Tip: if you use vim you can use
%s/subvolid=[0-9][0-9][0-9],//gto remove all subvolid options.
For example, /mnt/etc/fstab on my installation look like this:
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/btw-root
UUID=bd4b4ae8-007b-41d2-8518-0a2414a6cf70 / btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@ 0 1
# /dev/sda1
UUID=F1FA-F389 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/mapper/btw-root
UUID=bd4b4ae8-007b-41d2-8518-0a2414a6cf70 /home btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@home 0 2
# /dev/mapper/btw-root
UUID=bd4b4ae8-007b-41d2-8518-0a2414a6cf70 /var btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@var 0 2
# /dev/mapper/btw-root
UUID=bd4b4ae8-007b-41d2-8518-0a2414a6cf70 /.snapshots btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@snapshots 0 2
# /dev/mapper/btw-swap
UUID=6c55e2c4-09a6-4836-b67f-c0a25c460098 none swap defaults 0 0
Move pacman's database directory from /mnt/var/lib/pacman/ to /mnt/usr/var/lib/pacman so it will be included in snapshot.
# mkdir -p /mnt/usr/var/lib/
# mv /mnt/var/lib/pacman /mnt/usr/var/lib
Then edit /mnt/etc/pacman.conf and change DBPath = /var/lib/pacman/ to DBPath = /usr/var/lib/pacman/.
- For Arch:
# arch-chroot /mnt /bin/bash - For Artix:
# artix-chroot /mnt /bin/bash
Link /etc/localtime to /usr/share/zoneinfo/<Region>/<City>, in this tutorial we use Barnaul's time zone.
# ln -sf /usr/share/zoneinfo/Asia/Barnaul /etc/localtime
Generate /etc/adjtime
# hwclock --systohc
Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and other necessary locales.
Note: We didn't install an editor yet, to install editor use
pacman -S vimfor vim orpacman -S nanofor nano.
Generate locale.
# locale-gen
Create /etc/locale.conf to set locale systemwide.
In this example /etc/locale.conf on my installation look like this:
LANG=en_US.UTF-8
Change your hostname in this tutorial we use i-use-arch-btw as our hostname.
echo i-use-arch-btw > /etc/hostname
Generate second LUKS key to /etc/lukskeys/root.
# mkdir /etc/lukskeys
# chmod 700 /etc/lukskeys
# dd if=/dev/random of=/etc/lukskeys/root bs=1024 count=128
Add second key to LUKS partition.
# cryptsetup luksAddKey /dev/sda2 /etc/lukskeys/root
Edit /etc/mkinitcpio.conf to add second key to initramfs & add encrypt, LVM2 & resume hook to initramfs.
- systemd initramfs hook (Arch only):
HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap consolefont block sd-encrypt lvm2 filesystems fsck) - udev initramfs hook (Arch & Artix):
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)
And add second LUKS key to initramfs.
FILES=(/etc/lukskeys/root)
(systemd initramfs) Edit /etc/crypttab.initramfs and add your LUKS partition.
Note: you can get UUID of each partition/volume using
blkid <device>.# blkid /dev/sda2 /dev/sda2: UUID="cc1b673c-159d-4224-9af0-5465373b63a9" TYPE="crypto_LUKS" PARTUUID="408fb50d-bb3b-2344-b928-ebcee8d2cc61" # blkid /dev/btw/swap /dev/btw/swap: UUID="ed071d58-59cf-4c38-8fc4-3d775207c5c2" TYPE="swap"
btw UUID=your-LUKS-partition-UUID /etc/lukskeys/root
Or if you're installing on SSD or VM you may want to enable trim support.
btw UUID=your-LUKS-partition-UUID /etc/lukskeys/root discard
(udev initramfs) Configure GRUB to unlock the LUKS partition and change GRUB_CMDLINE_LINUX_DEFAULT=.
Note: if you're using udev init you must install GRUB first, follow Installing Chaotic-AUR repo & Installing & configuring GRUB section first before configuring GRUB.
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=your-LUKS-partition-UUID:btw cryptkey=rootfs:/etc/lukskeys/root resume=UUID=your-swap-LV-UUID loglevel=3 quiet"
Or if you're installing on SSD or VM you may want to enable trim support.
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=your-LUKS-partition-UUID:btw:allow-discards cryptkey=rootfs:/etc/lukskeys/root resume=UUID=your-swap-LV-UUID loglevel=3 quiet"
Generate GRUB Config
# grub-mkconfig -o /boot/grub/grub.cfg
Generate Initramfs.
# mkinitcpio -P
Edit sudoers file with visudo & uncomment %wheel ALL=(ALL:ALL) ALL.
Note: If you're using nano you can use
EDITOR=nano visudoinstead.
Create new user, we create a new user called cincinmasukmangkok in this tutorial.
# useradd -mG wheel cincinmasukmangkok
# passwd cincinmasukmangkok
In order to boot from LUKS2 we need to install grub-improved-luks2-git on AUR, not grub in the main repository, to install packages from AUR we need to install paru first from AUR.
Note: if you're using Arch with CachyOS repo paru is available on main repository
# pacman -S base-devel paru
# pacman -S base-devel
# sudo -iu cincinmasukmangkok
$ git clone https://aur.archlinux.org/paru.git
$ cd paru
$ makepkg -si
$ exit
# sudo -u cincinmasukmangkok paru -S grub-improved-luks2-git
Install grub-improved-luks2-git
# sudo -u cincinmasukmangkok paru -S grub-improved-luks2-git
(UEFI only) Install efibootmgr.
# pacman -S efibootmgr
Edit /etc/default/grub & uncomment GRUB_ENABLE_CRYPTODISK=y
Install GRUB.
- For UEFI:
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id="Arch Linux" - For BIOS:
# grub-install --target=i386-pc /dev/sda
Generate GRUB Config
# grub-mkconfig -o /boot/grub/grub.cfg
Create root Snapper config.
# umount /.snapshots
# rm -rf /.snapshots
# snapper --no-dbus -c root create-config /
# btrfs subvol delete /.snapshots
# mkdir /.snapshots
# mount /.snapshots
Edit /etc/snapper/configs/root and change TIMELINE_CREATE="yes" to TIMELINE_CREATE="no" so snapshots are only automatically created by pacman hook before and after installing or updating packages.
Edit /etc/snapper/configs/root and change TIMELINE_CREATE="yes" to TIMELINE_CREATE="no" so snapshots are only automatically created by pacman hook before and after installing or updating packages.
Install `snap-pac` & `grub-btrfs`.
# pacman -S snap-pac grub-btrfs
(Arch) enable GRUB btrfs service.
# systemctl enable grub-btrfsd
Or you can install grub-btrfs hook
# pacman -S snap-pac-grub
snapper-rollback is on AUR but it's not on Chaotic-AUR when this tutorial is created, but we can use paru to install snapper-rollback.
# pacman -S base-devel paru
# sudo -u cincinmasukmangkok paru -S snapper-rollback
Edit /etc/snapper-rollback.conf and change dev to dev = /dev/<VG>/<LV>.
Find out your network interface name which is usually enpXsY or ethX for ethernet.
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:86:35:4f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.105/24 brd 192.168.1.255 scope global dynamic noprefixroute enp1s0
valid_lft 40615sec preferred_lft 35215sec
Create /etc/systemd/network/20-wired.network file, in this example the network name is enp1s0 :
[Match]
Name=enp1s0
[Network]
DHCP=yes
Link /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf.
ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Enable systemd-networkd & systemd-resolved service
# systemctl enable systemd-networkd
# systemctl enable systemd-resolved
Install dhcpcd
Note: if you're installing Artix also install it's service depending on your init like
dhcpcd-openrc,dhcpcd-runit,dhcpcd-s6ordhcpcd-dinit.
# pacman -S dhcpcd
Enable dhcpcd service
- systemd (Arch) :
systemctl enable dhcpcd - OpenRC (Artix) :
rc-update add dhcpcd - runit (Artix) :
ln -s /etc/runit/sv/dhcpcd /etc/runit/runsvdir/default - s6 (Artix) :
touch /etc/s6/adminsv/default/contents.d/dhcpcd && s6-db-reload - dinit (Artix) :
ln -s ../dhcpcd /etc/dinit.d/boot.d/
Unmount Arch Linux install volume.
# exit
# umount -R /mnt
Reboot.
# reboot