I recently purchased a new notebook - an Acer Aspire V7 Nitro Black Edition with very nice specs for a very good price

  • Model: VN7-792G-710p
  • Processor: QuadCore i7-6700HQ 2.60 GHz
  • Memory: 16GB DDR4
  • Disk: 256 GB SSD + 2000 GB HDD (5400 RPM)
  • Display: 17,3"; Active Matrix TFT Color LCD 1920 x 1080
  • Dedicated Graphics: Nvidia® GeForce® GTX 960M 2GB VRAM
  • Battery: 3-cell Lithium Polymer (Li-Polymer) 4780 mAh
  • Physical Characteristics: 2.54cm x 42.4cm x 29.7″ (HxWxD), 3kg
  • Drives: DVD Writer and SD Card reader

A new notebook means a fresh setup, as I don't use the pre-installed Windows 10 but rather Linux. My distro of choice is Arch Linux, which is a great distro and, most importantly for me, a rolling release distro, which means frequent package updates to have the latest software.

Preparation

Before I can install Arch Linux I need a CD or a bootable USB with the latest and greatest Arch Linux on it. I choose to create a bootable USB with the latest ISO 2016.10.01 - I mean, who still burns CDs these days? The notebook has UEFI firmware and implements Secure Boot, so the first thing I have to do is to disable Secure Boot, as otherwise the computer would not let me boot from USB. This also indicates that I probably should set a BIOS password, as otherwise anybody who has access to my PC can disable Secure Boot. Once done with the preparation steps I can boot into my live Arch.

Installation - the Arch way

Installation of Arch is pretty straightforward by following the Installation Guide if you don't need something "non-standard". And here it got a bit tricky for me, especially when it comes to the partition of the disks. So my challenges are basically

  • I want to use systemd-boot
  • I want to have disk encryption on both disks (SSD and HDD)
  • I don't want to enter the encryption password twice on every startup for SSD and HDD

Sure all information can be found in the Arch Wiki but still, it needs a lot of context switching i.e. read different wiki articles. That's why I want to explain my setup here.

First steps

First of all I need to change my keyboard layout, otherwise it will drive me nuts

[root ~]$ loadkeys de_CH-latin1

Secondly I need a wifi connection, as I do not have a long enough cable from my router to my desk. So I use wifi-menu to connect to my wireless network. Once done I can ping archlinux.org successfully. The next thing is to ensure the clock is accurate

[root ~]$ timedatectl set-ntp true

Partition Setup

My computer comes with two disks, an SSD and a normal HDD. I plan to use the HDD for user data, i.e. /home, and the SSD for all the rest (root, swap, ...). Both disks shall be fully encrypted using LVM on LUKS, therefore I choose to create the following partition setup:

Device    Start  End        Sectors    Size   Type
/dev/sda1 2048   206847     204800     100M   EFI System
/dev/sda2 206848 500118158  499911311  238.4G Linux LVM
/dev/sdb1 2048   3907029134 3907027087 1.8T   Linux LVM

+---------------+-----------------+-----------------+ +----------------------------+
|ESP partition: |Volume 1:        |Volume 2:        | | Volume 1:                  |
|/boot          |root             |swap             | |home                        |
|               |/dev/mapper/root |/dev/mapper/root | |/dev/mapper/home            |
|/dev/sda1      +-----------------+-----------------+ +----------------------------+
|unencrypted    |/dev/sda2 encrypted LVM on LUKS    | | /dev/sdb1 encrypted LUKS   |
+---------------+-----------------+-----------------+ +----------------------------+

Disk 1

/dev/sda2 will be encrypted with a password so when I boot-up it will ask me for a password. So first I format the partition

[root ~]$ cryptsetup luksFormat /dev/sda2

In this process I have to provide the password for encryption. After this, I open the container:

[root ~]$ cryptsetup open --type luks /dev/sda2 lvm

The decrypted container is now available at /dev/mapper/lvm.

On top of the opened LUKS container I create a physical volume, then I create a volume group named CryptVol and add the previously created physical volume to it:

[root ~]$ pvcreate /dev/mapper/lvm
[root ~]$ vgcreate CryptVol /dev/mapper/lvm

Inside of the volume group I create the logical volumes. On disk 1 I only have swap (32GB) and root:

[root ~]$ lvcreate -L 32G CryptVol -n swap
[root ~]$ lvcreate -l 100%FREE CryptVol -n root

After that the logical volumes are formatted with a filesystem. I choose ext4 for my root partition:

[root ~]$ mkfs.ext4 /dev/mapper/CryptVol-root
[root ~]$ mkswap /dev/mapper/CryptVol-swap

Once this is done, I can mount the filesystems:

[root ~]$ mount /dev/mapper/CryptVol-root /mnt
[root ~]$ swapon /dev/mapper/CryptVol-swap

Disk 2

/dev/sdb1 will be encrypted with a keyfile, which I first need to create. I will use random characters:

[root ~]$ dd bs=512 count=4 if=/dev/urandom of=/etc/keyfile.enc iflag=fullblock

After that I can format the disk with the key and open it

[root ~]$ cryptsetup luksFormat /dev/sdb1 --key-file=/etc/keyfile.enc
[root ~]$ cryptsetup open --type luks /dev/sdb1 --key-file=/etc/keyfile.enc home

Now I can format and mount the partition

[root ~]$ mkfs.ext4 /dev/mapper/home
[root ~]$ mkdir /mnt/home
[root ~]$ mount /dev/mapper/home /mnt/home

Boot Partition

I plan to use UEFI directly without an intermediate bootloader. Therefore I mount the EFI partition /dev/sda1 directly to /boot

[root ~]$ mkdir -p /mnt/boot
[root ~]$ mount /dev/sda1 /mnt/boot

Fstab and Crypttab

I generate an fstab file by using UUID:

[root ~]$ genfstab -U /mnt >> /mnt/etc/fstab

As I plan to use systemd-boot I will remove the entry for the root partition as this will be specified in the boot loader later on. So here is my modified fstab

#
# /etc/fstab: static file system information
#
# <file system>    <dir>    <type>    <options>    <dump>    <pass>
UUID=3E22-B7AB          /boot         vfat          rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro    0 2

# /dev/mapper/home
/dev/mapper/home    /home         ext4          rw,relatime,data=ordered    0 2

As /dev/mapper/home is based on an encrypted partition I also need an appropriate crypttab so that the partition is decrypted upon boot

# crypttab: mappings for encrypted partitions
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Arch specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.

# <name>       <device>                                     <password>              <options>
home           UUID=1d8820b3-346c-424c-aa56-c7a6c4874e86     /etc/keyfile.enc       luks,timeout=15
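
The keyfile and the crypttab entry above can be checked before the first reboot. The following is an added example, not part of the original post: it verifies that every key file named in a crypttab exists below the given root (e.g. /mnt during installation) and is not accessible to group or others. The function names audit_crypttab and make_sample_root and the throw-away sample directory are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the key files referenced by <root>/etc/crypttab.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# Assumes GNU or busybox stat (-c '%a').
audit_crypttab() {
    local root="${1%/}" tab name device key opts path mode rc=0
    tab="$root/etc/crypttab"
    [ -r "$tab" ] || { echo "cannot read $tab"; return 1; }
    while read -r name device key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
        case "$key" in ''|none|-) continue ;; esac     # passphrase is prompted for
        path="$root$key"
        if [ ! -f "$path" ]; then
            # crypttab is read inside the installed system, so the key file
            # has to exist below that root (e.g. /mnt/etc during installation).
            echo "$name: key file $key is missing under $root/"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        # Any group/other permission bit exposes the key to non-root users.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name: key file $key has mode $mode, expected 400 or 600"
            rc=1
        fi
    done < "$tab"
    return "$rc"
}

# Constructed sample: a throw-away root holding the crypttab entry from this
# page and a random key file created with the mode given as $1.
make_sample_root() {
    local dir
    dir=$(mktemp -d) && mkdir -p "$dir/etc" || return 1
    printf '%s\n' '# <name> <device> <password> <options>' \
        'home UUID=1d8820b3-346c-424c-aa56-c7a6c4874e86 /etc/keyfile.enc luks,timeout=15' \
        > "$dir/etc/crypttab"
    head -c 2048 /dev/urandom > "$dir/etc/keyfile.enc"
    chmod "$1" "$dir/etc/keyfile.enc"
    echo "$dir"
}

# Demo: a world-readable key file is reported, the same file with 600 passes.
sample=$(make_sample_root 644)
audit_crypttab "$sample" || true
chmod 600 "$sample/etc/keyfile.enc"
audit_crypttab "$sample" && echo "crypttab key files look fine"
rm -rf "$sample"
```

During installation the function would be called as audit_crypttab /mnt, on the running system as audit_crypttab /.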

Install the base packages

Run the pacstrap script to install the base and gnome package groups:

[root ~]$ pacstrap /mnt base gnome gnome-extra

Configure the system

Time setup and localization

To configure the system I have to change root into the new system and set up the time and timezone

[root ~]$ arch-chroot /mnt
[root ~]$ ln -s /usr/share/zoneinfo/Europe/Zurich /etc/localtime
[root ~]$ hwclock --systohc

Afterwards, I set up the localization. I set up my system using 3 different locales and therefore have the following /etc/locale.gen

es_AR.UTF-8 UTF-8
en_US.UTF-8 UTF-8
de_CH.UTF-8 UTF-8

Now I can create the localizations by running

[root ~]$ locale-gen

My default language is English, so I set the LANG variable in /etc/locale.conf as follows:

LANG=en_US.UTF-8

The keyboard layout, in contrast, shall be Swiss German, so I make the appropriate change in /etc/vconsole.conf:

KEYMAP=de_CH-latin1

Last steps are defining hostname in /etc/hostname and adding a matching entry to /etc/hosts:

127.0.0.1   localhost.localdomain   localhost
::1     localhost.localdomain   localhost
127.0.1.1   archlinux.localdomain   archlinux

See also Network configuration#Set the hostname.

Root password and additional user

Set the root password:

[root ~]$ passwd

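Then I need at least one user, as running the system as root is definitely not a good idea. The user shall be an admin (i.e. in the wheel group) and is added to some other groups as well:

# useradd -p expects an already hashed password and would leave it visible in the
# process list and shell history, so the password is set interactively instead
[root ~]$ useradd -m -G wheel,gdm,rfkill,sys,log,http adrian
[root ~]$ passwd adrian

A quick check in a TTY shall ensure that the login works.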

Sudo

After adding the user, I will establish sudo and harden the system a bit. Therefore I have to install sudo via pacman and then modify the /etc/sudoers file with visudo. For now I just uncomment the following line:

%wheel      ALL=(ALL) ALL

Now that my user is set up, I can disable the root user

[root ~]$ passwd -l root

Network configuration

I plan to use NetworkManager therefore I have to install additional packages ...

[root ~]$ pacman -S networkmanager network-manager-applet

... then enable the service

[root ~]$ systemctl enable NetworkManager
...
[root ~]$ systemctl start NetworkManager

Boot Manager

I choose to use systemd-boot and not any intermediate boot manager like GRUB. I've already booted in UEFI mode and mounted the EFI partition to /boot. The following command installs systemd-boot:

[root ~]$ bootctl install

Once this is done I configure the boot loader entries in /boot/loader/loader.conf

default  arch
timeout  4
editor   0

and the /boot/loader/entries/arch.conf. Remember that I have setup disk with full encryption:

title   Arch Linux
linux   /vmlinuz-linux
initrd  /initramfs-linux.img
options luks.uuid=556bf1e4-3730-4da3-8688-0f3c468bf5bb resume=/dev/mapper/CryptVol-swap root=/dev/mapper/CryptVol-root rw

Remark: Unfortunately the above configuration does not work, as my home partition is not decrypted. I solved this by providing some additional luks parameters, which is not nice and should not be required as the information is provided in fstab and crypttab and shall be decrypted automatically by the systemd-cryptsetup-generator. However, for now I am fine with that.

title   Arch Linux
linux   /vmlinuz-linux
initrd  /initramfs-linux.img
options luks.uuid=556bf1e4-3730-4da3-8688-0f3c468bf5bb luks.uuid=1d8820b3-346c-424c-aa56-c7a6c4874e86 luks.key=/etc/keyfile.enc resume=/dev/mapper/CryptVol-swap root=/dev/mapper/CryptVol-root rw

Initramfs

As I use systemd, lvm and disk encryption I have to modify /etc/mkinitcpio.conf as follows:

HOOKS="base systemd autodetect modconf block sd-encrypt sd-lvm2 filesystems keyboard fsck"

With this I can create the new initramfs

mkinitcpio -p linux

Power Management

For power management I choose to use TLP based on this Reddit thread. From the project page:

TLP brings you the benefits of advanced power management for Linux without the need to understand every technical detail. TLP comes with a default configuration already optimized for battery life, so you may just install and forget it. Nevertheless TLP is highly customizable to fulfill your specific requirements.

In order to do that, I have to install tlp, enable and start the service

[root ~]$ pacman -S tlp smartmontools lm_sensors
...
[root ~]$ sudo systemctl enable tlp
...
[root ~]$ sudo systemctl start tlp

Gnome

When using pacstrap I also installed the Gnome environment. I want it started when I boot my computer, therefore the gdm service needs to be enabled

[root ~]$ sudo systemctl enable gdm
...

Finishing and rebooting

Finally my system is installed and ready, so one has to exit chroot and then reboot the system:

[root ~]$ exit
[root ~]$ umount -R /mnt
[root ~]$ reboot

Before I continue booting into the system I will enable Secure Boot again, which I have disabled in the beginning. Afterwards, the system boots up and asks me for the encryption password for my lvm volume. By providing the correct password my system boots up and shows me the Gnome Login Screen.

Post Installation

Now that my system is up and running I can move forward installing missing software and do the fine tuning of my system.