Reference Arch Install (Encrypted / and suspend to disk)


April 2025

Table of Contents

Prep

Choosing a Laptop

  • Any non-Nvidia Lenovo Thinkpad will work. Anything else you should research first
  • "Business class" laptops from Dell or Lenovo usually work
  • Most other consumer laptops work, but you get poor value for money and higher probability of issues
  • The golden rule when choosing a laptop for Linux is Skip Nvidia. Intel and AMD are fine.
  • Touchscreens are worthless. They are inefficient compared to mouse+kb on desktop operating systems. They drain the battery faster and jack up the sale price. Dedicated tablets like Wacom work better if a touchscreen workflow is really needed.
  • Boutique products exist like purism and system76 but if you're just going to throw money away, send it to me instead

Laptop Research.

  • Use a search engine to see if the laptop model has a page on the Arch Wiki
  • See if any other Linux distributions work on the laptop. They are all the same. If it works with Ubuntu, it will work with Arch

  • If you can't find info for the specific model, you can research the following specific things:

    • CPU (Intel/AMD)
    • GPU, if any. Avoid NVIDIA at all costs. Ignore online success stories.
    • Wifi/Bluetooth
    • Sound Card (research ALSA/PulseAudio support)
    • Touchpad (research libinput support)
    • Suspend/Resume(On older laptops, S3 suspend is good. Newer laptops only support S0, it works fine)

Boot into Arch Installation Image

Follow the official guide. Make sure you have a second internet-connected device for troubleshooting.

Format Drive

  • cfdisk /dev/nvme0n1

    • choose GPT partition table
    • make a 1G partition for /boot/, toggle it bootable, and change its type to EFI System
    • make the remaining free space one Linux filesystem partition

Encrypt root partition

  • cryptsetup -v luksFormat /dev/nvme0n1p2
  • open the partition: cryptsetup open /dev/nvme0n1p2 crypt

Write and mount filesystems

  • mkfs.fat -F32 /dev/nvme0n1p1 (this will be /boot/)
  • mkfs.ext4 /dev/mapper/crypt
  • mount /dev/mapper/crypt /mnt/
  • mkdir /mnt/boot
  • mount /dev/nvme0n1p1 /mnt/boot

Install system

  • pacstrap /mnt base base-devel networkmanager gnome emacs git vim linux-firmware xf86-input-libinput xf86-video-intel intel-ucode firefox acpi_call tp_smapi x86_energy_perf_policy gdm stow keepassxc bluez cmake chromium ttf-iosevka-nerd gnome-tweaks ripgrep aspell-en grub fprintd power-profiles-daemon bash-completion okular ebook-tools rsync gdb
  • genfstab -p /mnt >> /mnt/etc/fstab

Chroot in and configure system time, language, etc

  • arch-chroot /mnt/
  • echo "my_hostname" > /etc/hostname
  • ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
  • uncomment language in /etc/locale.gen
  • locale-gen
  • locale > /etc/locale.conf

Set up Kernel and Bootloader

  • edit /etc/mkinitcpio.conf and put encrypt and resume before filesystems in the HOOKS array:

  • generate ramdisk:

    • mkinitcpio -p linux

Install Bootloader:

  • pacman -S grub efibootmgr
  • grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=grub --removable
  • edit /etc/default/grub and add the following kernel parameters:
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=/dev/nvme0n1p2:crypt"
  • grub-mkconfig -o /boot/grub/grub.cfg

User and root setup

  • set root passwd: passwd
  • useradd -m -g wheel -s /bin/bash youruser
  • passwd youruser
  • visudo
  • systemctl enable NetworkManager.service
  • systemctl enable gdm.service
  • systemctl enable bluetooth.service
  • systemctl enable fprintd.service
  • Now make sure you can boot into the system before continuing with final configurations

Final configurations after rebooting

Swap and hibernate

  • fallocate -l 20G /swapfile
  • chmod 600 /swapfile
  • mkswap /swapfile
  • swapon /swapfile
  • and add the following to fstab:
  • /swapfile none swap defaults 0 0

Swap is enabled, but we need to tell Grub how to resume from hibernation:

  • edit /etc/default/grub and add the two resume parameters:
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=/dev/nvme0n1p2:crypt resume=/dev/mapper/crypt resume_offset=2512896"
  • (the value for resume_offset can be found by running:
filefrag -v /swapfile | awk '{if($1=="0:"){print $4}}'

Don't forget to regenerate the grub configuration:

  • grub-mkconfig -o /boot/grub/grub.cfg

Now test hibernation after rebooting

Security

  • MAC address spoofing:

    • to turn it on by default, edit /etc/NetworkManager/NetworkManager.conf and add:
[connection]
wifi.cloned-mac-address=random

[connection]
ethernet.cloned-mac-address=random
  • Now every new connection (including new connections to the

same network) will have a random MAC address

Miscellaneous configuration

  • set up fast pacman mirrors:

    • pacman -S pacman-contrib
    • cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak
    • check arch wiki for the current way to rank mirrors
  • start up syncthing: systemctl enable syncthing@youruser.service