Install Arch Linux With Dualboot & Encryption

I have been using Arch Linux for over a year now, and while I mostly enjoy it, installing it is rather cumbersome. Following the Installation Guide on ArchWiki seems simple (kind of), but you will always forget to do something, more so if you want to diverge from their steps. Things like using a bootloader, encryption, or dualbooting are not exactly easy to follow for first-time users.

To avoid problems in future installations I have put together a thorough guide. It is tailored to my needs. I am using a Lenovo ThinkPad T480s with an NVMe SSD, integrated GPU and UEFI. I want to have the Linux partition encrypted with the LVM on LUKS method, without a swap partition. I will be dualbooting with Windows 10.

You might need to adjust the following commands to your hardware (different network interface or disk names). Good luck.

Windows 10 Installation

It is recommended to install Windows first and then Linux.

  1. Plug in Windows installation media (USB stick or CD).

  2. Delete all partitions. From the empty space create a new partition for Windows. Size does not matter right now. Windows will create a few required system partitions for you.

  3. Keep the first partition named Recovery (around 500 MB large) and delete all other partitions. The reason for this is that Windows creates an EFI partition that is too small (~100 MB). It might be enough for Windows, but you would run out of space pretty quickly when you add more systems. For dualbooting, more space is needed.

  4. Press Shift+F10 and type the following commands:

    1. diskpart
    2. select disk 0
    3. create partition efi size=500
    4. exit
  5. Now close the command line and click Refresh in the partitions list. You should see two partitions: Recovery and System (EFI).

  6. From the remaining empty space on the disk, create a new partition for Windows again. Don't use the full disk capacity for the Windows partition; leave empty disk space for the Arch installation (e.g. 150 GB for Windows and the rest empty). The installer should add back only the remaining partitions that we deleted previously and did not create manually in CMD.

  7. Continue with the installation. Unplug the ethernet cable to use a local account instead of online login (tell me something about dark patterns).

  8. After installation finishes, disable Fast Boot in system power management settings.

  9. Set time to use NTP so your time in Windows is correct. Open CMD with Administrator privileges and run the following command.

    reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation" /v RealTimeIsUniversal /d 1 /t REG_QWORD /f

And you are done. You can set whatever else you require (like encryption or installing apps). This is outside the scope of this tutorial.

Arch Linux ISO

After you have installed Windows, unplug the Windows installation media and plug in your Arch installation media. Boot into the Arch ISO.

  1. List available network interfaces with ip link. Enable ethernet with systemctl start dhcpcd@interface_name or wifi by wifi-menu.

  2. Test connection by ping (Google DNS servers). If ping returns an error, wait a few seconds. Starting the network interface might take some time.

  3. Update the repository index using pacman -Syyy.

  4. Update system clock with timedatectl set-ntp true.

  5. List all partitions by fdisk -l.

  6. Use fdisk /dev/nvme... to open correct disk.

    1. Press n to create new partition. Accept everything to create partition from all remaining space.
    2. Now type t, choose partition number (5 in my case) and then type 31.
    3. Save changes with w.
    4. Exit.
  7. Encrypt partition using dm-crypt with LVM on LUKS. You will have one large encrypted partition which will contain virtual partitions for root and home.

    1. cryptsetup luksFormat /dev/partition_name
    2. cryptsetup open /dev/partition_name cryptlvm
    3. pvcreate /dev/mapper/cryptlvm
    4. vgcreate vg /dev/mapper/cryptlvm (name vg can be changed)
    5. lvcreate -L 32G vg -n root will create a smaller partition for the root (/) directory.
    6. lvcreate -l 100%FREE vg -n home will use the remaining empty space to create another partition for /home.
    7. mkfs.ext4 /dev/vg/root
    8. mkfs.ext4 /dev/vg/home
  8. Mount partitions.

    1. mount /dev/vg/root /mnt
    2. mkdir /mnt/home
    3. mount /dev/vg/home /mnt/home
    4. mkdir /mnt/boot
    5. mount /dev/efi_partition /mnt/boot mounts the EFI partition created by Windows. It is usually the second partition.
  9. Next, install required packages.

    pacstrap /mnt base linux linux-lts linux-firmware base-devel lvm2 intel-ucode man-db man-pages vim
  10. genfstab -U /mnt >> /mnt/etc/fstab

Chroot into Arch

  1. arch-chroot /mnt

  2. ln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime

  3. hwclock --systohc

  4. Uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen.

  5. locale-gen

  6. echo "LANG=en_US.UTF-8" >> /etc/locale.conf

  7. echo "arch" >> /etc/hostname

  8. Open /etc/hosts.    localhost
    ::1          localhost    arch.localdomain    arch
  9. Edit /etc/mkinitcpio.conf

    HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
  10. Recreate initramfs by mkinitcpio -P.

  11. passwd

  12. useradd -m -g users -G wheel your_user_name

    1. passwd your_user_name
  13. Install DE (Plasma for me) and other useful things like ZSH, terminal emulator and GPU drivers.

    1. Install packages first.
    pacman -S plasma-meta kde-applications-meta xorg xf86-video-intel mesa sddm kitty git htop zsh zsh-autosuggestions zsh-completions zsh-syntax-highlighting
    2. systemctl enable sddm.service to enable desktop manager.
  14. Install bootloader (systemd-boot). I will include both Linux Stable and LTS versions. It might be very useful in the future.

    1. bootctl --path=/boot install

    2. Create file /boot/loader/entries/arch.conf. You can find the partition UUID in VIM with the command :r !blkid. Copy the UUID of the main (LUKS-encrypted) partition itself, not the UUID of the volume group or of a logical volume inside it.

      title Arch Linux Stable
      linux /vmlinuz-linux
      initrd /intel-ucode.img
      initrd /initramfs-linux.img
      options cryptdevice=UUID=YOUR-DEVICE-UUID:cryptlvm root=/dev/mapper/vg-root rw quiet
    3. For the backup Linux LTS kernel, add a second boot entry in /boot/loader/entries/arch-lts.conf. This comes in handy when the stable kernel goes wild.

      title Arch Linux LTS
      linux /vmlinuz-linux-lts
      initrd /intel-ucode.img
      initrd /initramfs-linux-lts.img
      options cryptdevice=UUID=YOUR-DEVICE-UUID:cryptlvm root=/dev/mapper/vg-root rw quiet
    4. Edit /boot/loader/loader.conf. You can choose either arch or arch-lts as default boot option.

      default arch
      timeout 4
  15. Create swap file using systemd-swap. I use this instead of dedicated swap partition.

    1. pacman -S systemd-swap

    2. Set swappiness in file /etc/sysctl.d/99-sysctl.conf.

    3. Customize value inside file /etc/sysctl.d/99-sysctl.conf .

    4. Type sysctl -p /etc/sysctl.d/99-sysctl.conf.

    5. Inside file /etc/systemd/swap.conf edit following lines. They will not be together and you have to find them.

    6. I had to set swapfc_force_preallocated=1 in file /etc/systemd/swap.conf. Otherwise I had errors. This might not apply to you. See Swap on ArchWiki.

    7. Start service.

      systemctl enable systemd-swap.service
  16. exit

  17. umount -R /mnt

  18. reboot

  19. Pray.

After rebooting you should be greeted with a black screen asking for your encryption key. This will be shown on every cold boot. Use the password that you used for encryption, not your user account password (they might not be the same depending on your setup).

If you do not see the prompt for unlocking your partition, something went wrong. Welcome to the Arch world. In my case, most problems were usually with the bootloader or fstab. Make sure you pass the correct partition UUID.
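
A check for the partition UUID mistake mentioned above, together with the HOOKS order from the mkinitcpio step, that can be run before rebooting. This is an added example, not part of the original guide; the function names, device names and UUIDs are constructed, and on a real system the inputs would be the output of blkid, the boot entry file and the HOOKS line.

```shell
# Added example (not from the original guide). All sample data is constructed; on a
# real system pass in blkid output, the boot entry text and the mkinitcpio HOOKS line.

# Print the UUID from the cryptdevice=UUID=<uuid>:<name> kernel option.
entry_crypt_uuid() {  # $1 = boot entry text
  printf '%s\n' "$1" | sed -n 's/^options .*cryptdevice=UUID=\([^: ]*\):.*/\1/p'
}

# Print the TYPE that blkid reports for a UUID (empty if not found).
blkid_type_for_uuid() {  # $1 = blkid output, $2 = UUID
  printf '%s\n' "$1" | grep -F " UUID=\"$2\"" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p'
}

# Succeed only if the entry's cryptdevice UUID is the LUKS container itself.
check_entry() {  # $1 = boot entry text, $2 = blkid output
  ce_uuid=$(entry_crypt_uuid "$1")
  [ -n "$ce_uuid" ] || { echo "no cryptdevice=UUID= option found"; return 1; }
  ce_type=$(blkid_type_for_uuid "$2" "$ce_uuid")
  [ "$ce_type" = "crypto_LUKS" ] || { echo "UUID $ce_uuid is '${ce_type:-unknown}', not crypto_LUKS"; return 1; }
  echo "ok: cryptdevice UUID $ce_uuid is a LUKS container"
}

# Succeed only if hooks keep the guide's order: keyboard < encrypt < lvm2 < filesystems.
check_hooks() {  # $1 = HOOKS=(...) line
  ch_list=${1#*\(}; ch_list=${ch_list%\)*}
  ch_pos=0; ch_kb=0; ch_enc=0; ch_lvm=0; ch_fs=0
  for ch_h in $ch_list; do
    ch_pos=$((ch_pos + 1))
    case $ch_h in
      keyboard) ch_kb=$ch_pos ;; encrypt) ch_enc=$ch_pos ;;
      lvm2) ch_lvm=$ch_pos ;; filesystems) ch_fs=$ch_pos ;;
    esac
  done
  [ "$ch_kb" -gt 0 ] && [ "$ch_kb" -lt "$ch_enc" ] &&
    [ "$ch_enc" -lt "$ch_lvm" ] && [ "$ch_lvm" -lt "$ch_fs" ]
}

# Constructed sample data (device names and UUIDs are made up).
SAMPLE_BLKID='/dev/nvme0n1p5: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="00000000-0000-0000-0000-000000000005"
/dev/mapper/cryptlvm: UUID="aaaaaa-bbbb-cccc-dddd-eeee-ffff-gggggg" TYPE="LVM2_member"
/dev/mapper/vg-root: UUID="99999999-8888-7777-6666-555555555555" TYPE="ext4"'
GOOD_ENTRY='options cryptdevice=UUID=11111111-2222-3333-4444-555555555555:cryptlvm root=/dev/mapper/vg-root rw quiet'
BAD_ENTRY='options cryptdevice=UUID=99999999-8888-7777-6666-555555555555:cryptlvm root=/dev/mapper/vg-root rw quiet'
GOOD_HOOKS='HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)'
BAD_HOOKS='HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)'
check_entry "$GOOD_ENTRY" "$SAMPLE_BLKID"
check_entry "$BAD_ENTRY" "$SAMPLE_BLKID" || true
check_hooks "$GOOD_HOOKS" && echo "ok: HOOKS order"
check_hooks "$BAD_HOOKS" || echo "HOOKS: encrypt/lvm2 missing or out of order"
```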

Final touch

This part is entirely optional. You will probably want to enable sudo though.

  1. Change default shell chsh -s /bin/zsh.

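  2. Add user to sudoers. Install the vi package. Then run visudo and uncomment the wheel line. You can also disable the password prompt timeout (passwd_timeout controls how long sudo waits for you to type the password; it does not change how long entered credentials are cached).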

    Defaults passwd_timeout=0
  3. Enable multicore to makepkg in /etc/makepkg.conf.

    1. COMPRESSXZ=(xz -c -z - --threads=0) (0 for all cores or pick number)
  4. To enable proper tray icons, install libappindicator-gtk3 (this will make tray icon sharp and pretty).

  5. If there is no WiFi icon:

    sudo systemctl enable NetworkManager.service
  6. In case you suffer from long DNS resolution (approx. 5 seconds), add this line to your /etc/resolv.conf file.

    options single-request
  7. To enable emojis, install ttf-joypixels.

  8. You will probably want to use AUR packages. Install yay for easier usage.

    1. git clone
    2. cd yay
    3. makepkg -si
    4. cd .. && rm -rf yay to delete now useless folder.
  9. Enable SSD TRIM:

    sudo systemctl enable --now fstrim.timer
  10. Important. Create an alias for the sudo command to make your Linux usage more civilized. Open the file ~/.zshrc or ~/.bashrc depending on your shell. Then add this line.

    alias please="sudo"

    After this you can use commands like please reboot instead of rude sudo reboot.