(5 February 2024)

 

Manual Encrypted Installation of Arch Linux for Beginners

 

Introduction

To follow this tutorial, you must know how to use an editor such as nano or vim (this manual shows commands for nano). Find a brief video tutorial about nano. Ideally, the reader is somewhat experienced and comfortable with computers; if not, then it’s a good idea to spend a day or two familiarizing yourself with computer basics, for example, by watching a video course (here is a good one) so that you understand what we are doing. It is important that the BIOS (lately known as UEFI) of your computer has not been updated. (If you don’t know what BIOS is or whether you have updated it, don’t worry and skip the rest of this paragraph.) If you have updated it for some reason, then you need to downgrade BIOS/UEFI to the factory-installed version or close to it; otherwise, you may run into problems with the installation of any Linux (not only Arch).

 

This tutorial is organized into sections and subsections in the same way as the official installation guide is, and there are endnotes for some subsections. If you want more details about some step of this tutorial (or encounter some problems), then see the corresponding endnote at the bottom of this web page and/or the corresponding subsection of the official installation guide. Additionally, you can search Arch Wiki or Google. Because the present tutorial is not an official Arch Linux document, it’s not a good idea to seek technical support for this tutorial on the official Arch Linux forums. On the positive side, after completing this tutorial, you will be able to follow instructions in the official guide on your own and will be able to repeat Arch Linux installation on other computers, in accordance with the official installation guide. Don't blame yourself if you cannot follow the official guide or if you have worked through it and failed (see the endnote). Incidentally, there is a way to install Arch Linux automatically (a guided installer called archinstall, my tutorial is here), but I recommend installing Arch manually as described here because it will be a good learning experience and because the automatic installation has some disadvantages (the tutorial for manual installation without encryption is here). Let’s begin.

 

1. Preinstallation procedures

 

1.1. Downloading

Download an ISO file of Arch Linux on the official website either as a torrent or from one of the mirrors (scroll down to the bottom of that webpage).

 

1.2. Verification of the file

You need to verify the integrity of the downloaded file in Linux or Windows. In Linux, use Terminal to navigate to the folder containing the downloaded file, for example

cd ~/Downloads

Then execute this command:

sha256sum archlinux-2024.01.01-x86_64.iso

(use the actual name of the downloaded file in the command above)

 

Wait a minute or so and compare the hash value from the output (a string of letters and numbers) to the SHA256 hash value posted on the above webpage in the section “Checksums.”

In Windows, open Windows PowerShell by typing “PowerShell” (without quotes) in the Windows Start menu command box. In the window that opens, type the command Get-FileHash followed by a space. Drag the downloaded .iso file into the PowerShell window to a place after the Get-FileHash command. You will see something like this:

 

PS C:\Users\user> Get-FileHash C:\Users\user\Downloads\archlinux-2024.01.01-x86_64.iso

 

Press the Enter key. Wait a minute or so and compare the hash value from the output to the SHA256 hash value posted on the above-mentioned webpage in the section “Checksums.” By the way, all commands in this tutorial are blue, and my comments (which may be on the same line) are always the regular black font.
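The comparison can also be scripted instead of done by eye. The following is an added example, not part of the original tutorial: it checks a file against a checksum list in the "<hash>  <filename>" format and ignores letter case, because Get-FileHash prints uppercase hex while sha256sum prints lowercase. The function names and the small stand-in file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the tutorial. Function names, file names and the
# stand-in "ISO" contents are constructed for illustration.

# Print the SHA256 of file $1 in lowercase hex.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print tolower($1) }'
}

# Print the hash that checksum list $2 gives for the base name of $1.
# List lines look like "<hash>  <filename>"; file names must not contain spaces.
listed_sha256() {
    awk -v name="$(basename "$1")" '
        { f = $2; sub(/^\*/, "", f) }
        f == name { print tolower($1); exit }' "$2"
}

# 0 = hashes match, 1 = mismatch, 2 = file not listed (treated as a failure).
verify_iso() {
    expected=$(listed_sha256 "$1" "$2")
    if [ -z "$expected" ]; then
        echo "$1: not listed in $2"; return 2
    fi
    actual=$(file_sha256 "$1")
    if [ "$actual" != "$expected" ]; then
        echo "$1: MISMATCH"
        echo "  expected $expected"
        echo "  actual   $actual"
        return 1
    fi
    echo "$1: OK"
}

# --- Constructed sample data: a small stand-in file instead of a real ISO ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/tampered"
printf 'stand-in for ISO contents\n' > "$work/archlinux-sample.iso"
printf 'stand-in for ISO contents, modified\n' > "$work/tampered/archlinux-sample.iso"
printf 'unlisted file\n' > "$work/other.iso"
# Publish the hash in UPPERCASE, the way Get-FileHash would print it.
file_sha256 "$work/archlinux-sample.iso" |
    awk '{ print toupper($1) "  archlinux-sample.iso" }' > "$work/sha256sums.txt"

for f in "$work/archlinux-sample.iso" \
         "$work/tampered/archlinux-sample.iso" \
         "$work/other.iso"; do
    verify_iso "$f" "$work/sha256sums.txt" ||
        echo "  -> do not use this file (exit code $?)"
done
```

With a real download, the checksum list is a text file holding the line copied from the “Checksums” section, and the call is verify_iso followed by the ISO path and that file.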

 

1.3. Create a USB flash drive

If these hashes match (upper and lower case of the letters do not matter), then you can burn the .iso file to a USB flash drive using a program called Balena Etcher (either in Windows or in Linux). Now you have your Arch Linux installation medium.

 

1.4. Boot your computer into the Arch ISO

Insert the flash drive into a USB port of your computer and reboot the computer. When you see the splash screen or hear a reboot sound, quickly press the F2 and Del keys one after another repeatedly. In the BIOS/UEFI, change the boot sequence so that the computer boots from your USB drive first. Save and exit BIOS/UEFI; the computer will restart and boot from the Arch Linux installation USB drive.

 

 

1.5. Font size

If the text is too small on your screen, you can make it larger by entering

setfont ter-128b

or

setfont ter-132b

 

1.7. Internet connection

I am assuming that your computer is connected to the Internet. The Arch Linux installation USB will be able to use your wired network connection without any problems (99.9% chance); if not, see the official guide. I do not use Wi-Fi and do not recommend it to others because it’s bad for health; the wired connection is much safer and faster. You can check whether the Internet connection works by typing this command at the command prompt of Arch ISO:

 

ping archlinux.org

You will see incoming packets, one line after another. To stop this process, hold down the Ctrl key and press the C key (hereafter referred to as Ctrl+C).

 

1.8. Updating the operating-system clock

Next, we will synchronize the time of your computer with Internet time:

timedatectl set-ntp true

 

 

1.9. Disks and partitions

Now let’s prepare a hard disk of your computer for the installation (to remind you, this procedure will encrypt your system partition). You probably already know where you are going to install Arch Linux; this is either an empty hard drive or empty space on your hard drive. You probably know the size of the destination hard drive in gigabytes and which partitions it does or does not contain. (If not, you can abort the installation by pressing the power button, find this information, and then continue from the start.) Launch this command

lsblk           

to see what your drives are called. Judging by the size and partitions within, you will recognize the hard drive where you are going to install Arch Linux. The hard drive(s) in the output of this command have such names as sda, sdb, nvme0n1, etc., and partitions have similar names, e.g., sda1, sda2, etc. Let’s say that the name of your destination hard drive is sdb. Then you need to execute this:

cfdisk /dev/sdb             

(replace “sdb” with the actual name of your hard drive). In the commands in this tutorial, you will need to replace green text with your own.

 

At the top of the screen, you will see disk size, and the next line below is “label”: dos or gpt. Alternatively (a new empty disk), you will be prompted to select the label type. If your computer is relatively new (manufactured in the last 7 years), then it does not matter what kind of label you have there, but gpt is preferable. If you have an old computer (manufactured 10-15 years ago), then see the endnote for this subsection.

 

In the cfdisk program, you can select partitions or free space on your hard drive (upper part of the screen) by means of up and down arrow keys. And you can select and perform actions (lower part of the screen) using left and right arrow keys and the Enter key.

 

We will create two partitions for the installation. Select the free space and create the first partition with a size of 2 gigabytes (enter “2G”) by selecting the “New” option at the bottom and pressing the Enter key. If asked about the type of new partition, choose “primary.” (In this case, while the new partition is selected above, press the space bar to make it bootable; you will see an asterisk appear in the table.) If not asked about “primary,” then don’t worry and move on. This will be a so-called “boot” partition of your Arch Linux.

 

After that, similarly, make a second (main) partition; preferably, the size should be 30 gigabytes (30G) or more. (If asked, choose “primary” but do not make it bootable.)

 

Make sure that it says “Linux filesystem” or “Linux” in the “Type” column on the right. Select the “Write” option, press the “Enter” key, and type “yes” when asked for confirmation. Next, select the “Quit” option and press the Enter key. You will see the text “Syncing disks”; this means that everything went smoothly.

 

In the tutorial below, my boot partition is called sdb1 (2 gigabytes) and my encrypted (main) partition is sdb2 (100 gigabytes). Your disk may have other names of partitions.

Execute this again

lsblk                          

to verify the disks and partitions in your computer. We can proceed.

 

1.10. Formatting your partitions

Let’s format our partitions using these commands:

 

cryptsetup -y -v luksFormat /dev/sdb2     

 

cryptsetup open /dev/sdb2 mydrive              

Your encrypted drive doesn't have to be called "mydrive", but use this name anyway because it is mentioned many times below. Continuing the formatting:

 

mkfs.ext4 /dev/mapper/mydrive

 

If you see a message something like "the disk contains OpenPGP public key data," ignore it.

 

mkfs.fat -F 32 /dev/sdb1

 

1.11. Switching the partitions on

(If you have an old computer, then please see the endnote.) Let’s mount the partitions (i.e., make them available for work in your computer):

 

mount /dev/mapper/mydrive /mnt

 

mkdir -p /mnt/boot/efi       (here we are creating a boot folder)

 

mount /dev/sdb1 /mnt/boot/efi

 

Next, execute

lsblk                               

to verify that the partitions are mounted where they should be. Congratulations! The most difficult part of this tutorial is over.

 

2. Installing the operating system

 

2.1. Finding and enabling mirrors for downloading software

 

It’s time to select download mirrors for your installation. Launch this command (this is all one line):

 

curl -o /etc/pacman.d/mirrorlist https://archlinux.org/mirrorlist/all/

 

On another computer or tablet, go to https://archlinux.org/mirrors/status/

Click on “Successfully syncing mirrors” and sort mirrors by country (click on the “Country” column). At the top of the list for your country, make a note of three mirrors that have https in the “Protocol” column and 100% in the “Completion” column. Let us edit the mirrorlist file on your computer using nano:

nano /etc/pacman.d/mirrorlist          

 

(If the screen is empty [empty file], this means that something went wrong with the previous command. Redo it correctly.)

Scroll down the list using the down arrow key and/or the PageDown key. Activate the three chosen mirrors in this file. For this purpose, delete the # sign at the beginning of each line that contains a chosen mirror. The # sign makes the line of text that follows it inactive (turns the code into a comment). Therefore, by deleting # we activate (“uncomment”) this line of text in the configuration file. Press Ctrl+O and then the Enter key to save your changes, and after that, press Ctrl+X to exit nano.

Now, we need to synchronize mirrors and configuration information via this command:

pacman -Syy

 

2.2. Installation of crucial software packages

At this point, we can install Arch Linux by downloading all the necessary up-to-date software from the mirrors. My advice is to install all four official kernels and headers (this is all one command):

pacstrap -K /mnt base base-devel linux-firmware linux-lts linux-zen linux-hardened linux linux-lts-headers linux-zen-headers linux-hardened-headers linux-headers nano vim git neofetch terminus-font

 

When the operation finishes, look at the output of pacstrap; if you encounter some errors and the installation failed, then see the endnote.

 

 

3. Configuring the operating system

 

3.1. The table of partitions

If pacstrap installed the software without errors, then run the following command to create the table of partitions in your new file system:

genfstab -U /mnt >> /mnt/etc/fstab

 

3.2. Switching to the installed operating system

The next command will switch our active operating system from the Arch installation ISO to our newly installed Arch Linux:

 

arch-chroot /mnt

 

3.3. Your time zone

To find out your correct time zone settings, enter these commands:

cd /usr/share/zoneinfo

ls

You will see a list of folders; make a note of the folder whose name matches your geographic region, for example, Europe or America. Then enter this folder using the cd command, for example,

cd Europe

ls

and find your city or a city in the same time zone as your city or town.

Then run a command as follows by replacing Region and City with what you found above (this is all one line):

ln -sf /usr/share/zoneinfo/Region/City /etc/localtime

 

Let’s go back to the Home directory:

cd ~

 

Now we need to set the clock of your computer (a so-called hardware clock in BIOS/UEFI) to your system time (which we acquired from the Internet at the beginning). Execute this:

hwclock --systohc

 

(If you will be dual-booting with Windows, i.e., using two operating systems on this computer, then see the endnote).

 

3.4. Local language and text encoding settings

At this point, we need to make sure that Arch Linux can recognize text in your native language. Edit the appropriate configuration file in nano:

nano /etc/locale.gen 

Uncomment the line en_US.UTF-8 UTF-8 (and other locales [language settings] if you need them).

 

Next, to enforce the settings for your language(s), execute this

locale-gen

 

After that, create the configuration file for the system language (the language of all options, labels, and buttons in Arch Linux):

nano /etc/locale.conf

 

and enter the desired system language:

LANG=en_US.UTF-8                                     (make sure that you enter the language that you need, in the format that you saw in the locale.gen file, only the first part without spaces)

Save the changes and exit nano.

 

3.5. Configuring the network connection

Let’s give your computer a name (for your local network, regardless of whether you have it or not)

nano /etc/hostname                                          

 

Enter a recognizable name, one word, such as archnotebook
Save and close the file. After that, let’s install network software and ensure that it is launched every time the computer boots:

pacman -S networkmanager

 

systemctl enable NetworkManager         

(make sure the letters N and M are capitalized)

 

3.7. The password of the root account

The most powerful user account on your computer is “root.” It can do anything it wants without restrictions. It’s time to give the root account a password:

 

passwd root                                  

 

Enter a desired password that you can remember, and confirm it. We will create a regular user account for you later.

 

3.8. Installing a bootloader

Install microcode for your microprocessor (CPU). Depending on whether your CPU was made by AMD or Intel, execute

pacman -S amd-ucode

or

pacman -S intel-ucode

 

Next, install a so-called bootloader, which loads your operating system when the computer boots:

 

pacman -S grub efibootmgr os-prober

 

Open a configuration file for editing:

nano /etc/default/grub

 

We installed four kernels of Arch Linux. To enable easy switching between kernels at boot, uncomment and/or edit these lines in the file as shown here:

GRUB_DEFAULT=saved           (I edited this line)

GRUB_TIMEOUT=10              (I edited this line)

...

GRUB_ENABLE_CRYPTODISK=y     (I uncommented these four lines)

...

GRUB_SAVEDEFAULT=true       

...

GRUB_DISABLE_SUBMENU=y

...

GRUB_DISABLE_OS_PROBER=false

 

One of the lines above enables booting into an encrypted disk.

 

After that, let’s finalize the installation of the bootloader.

grub-install

 

grub-mkconfig -o /boot/grub/grub.cfg

 

Let’s edit another configuration file to set up encryption:

nano /etc/mkinitcpio.conf

 

Scroll down to the uncommented HOOKS line (ignore commented-out HOOKS lines) and insert the word encrypt between the words block and filesystems. Save the file and exit nano.

 

Next, we will build startup files for the operating system:

mkinitcpio -P

 

Now you need to copy the UUID number of the encrypted partition sdb2 and type it into the grub file. First, we will save all partition UUIDs into a file:

 

blkid | tee -a uuid

 

Then, we will open two files at once in nano:

nano uuid /etc/default/grub

 

In the first file, let’s copy the UUID of encrypted partition sdb2 (this partition has a LUKS label). This UUID is a long string of letters, numbers, and dashes (without quote signs). Place the cursor at the beginning of a selection, press Ctrl+6 then select the text using the right arrow key and press Alt+6 to copy. You can switch between the two files in nano by pressing Alt+. (going forward) or Alt+, (going backward).

 

Go to line GRUB_CMDLINE_LINUX within the file /etc/default/grub and paste the UUID by pressing Ctrl+U

You need to add some text so that this line looks like this (this is all one line):

 

GRUB_CMDLINE_LINUX="cryptdevice=UUID=afedb6e0-c57c-407a-9561-96ceeb2b2c33:cryptmydrive mydrive=/dev/mapper/mydrive"

 

The UUID is green. Examine this line carefully. If this line contains a typo, then you won't be able to boot into your Arch Linux.
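Two of the edits above are easy to get wrong: the position of encrypt in the HOOKS line, and pasting the UUID of the wrong device (for example, the ext4 file system inside /dev/mapper/mydrive instead of the LUKS partition). The following script is an added example, not part of the original tutorial, that cross-checks the saved blkid output, /etc/default/grub and /etc/mkinitcpio.conf; the function names and sample file contents are constructed, while the GRUB line and its UUID are the ones shown above.

```sh
#!/bin/sh
# Added example, not from the tutorial: consistency checks for subsection 3.8.
# Function names and all sample file contents below are constructed.

# Print the UUID of the LUKS container on device $2, from saved blkid output $1.
luks_uuid() {
    grep "^$2:" "$1" | grep 'TYPE="crypto_LUKS"' |
        sed -n 's/.* UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the UUID given to cryptdevice= on the active GRUB_CMDLINE_LINUX line of $1.
grub_cryptdevice_uuid() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=\([^: "]*\):.*/\1/p' "$1"
}

# Succeed only if the uncommented HOOKS line of $1 lists
# block, encrypt and filesystems in that order.
hooks_order_ok() {
    grep '^HOOKS=' "$1" | tail -n 1 | tr '()"' '   ' | awk '
        { for (i = 1; i <= NF; i++) pos[$i] = i }
        END { exit !(pos["block"] && pos["block"] < pos["encrypt"] &&
                     pos["encrypt"] < pos["filesystems"]) }'
}

# Args: blkid-file grub-file mkinitcpio-file luks-device.
# Prints one line per problem and returns the number of problems found.
check_boot_config() {
    problems=0
    want=$(luks_uuid "$1" "$4")
    have=$(grub_cryptdevice_uuid "$2")
    if [ -z "$want" ]; then
        echo "no crypto_LUKS entry for $4 in $1"
        problems=$((problems + 1))
    elif [ "$want" != "$have" ]; then
        echo "cryptdevice UUID '$have' is not the LUKS UUID '$want'"
        problems=$((problems + 1))
    fi
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$2" || {
        echo "GRUB_ENABLE_CRYPTODISK=y is not active"
        problems=$((problems + 1)); }
    hooks_order_ok "$3" || {
        echo "HOOKS lacks encrypt between block and filesystems"
        problems=$((problems + 1)); }
    return "$problems"
}

# --- Constructed sample data ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/uuid" <<'EOF'
/dev/sdb1: UUID="1A2B-3C4D" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="11111111-01"
/dev/sdb2: UUID="afedb6e0-c57c-407a-9561-96ceeb2b2c33" TYPE="crypto_LUKS" PARTUUID="11111111-02"
/dev/mapper/mydrive: UUID="0f0e0d0c-0b0a-4908-8706-050403020100" BLOCK_SIZE="4096" TYPE="ext4"
EOF
cat > "$demo/grub.ok" <<'EOF'
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=afedb6e0-c57c-407a-9561-96ceeb2b2c33:cryptmydrive mydrive=/dev/mapper/mydrive"
GRUB_ENABLE_CRYPTODISK=y
EOF
# Broken variant: UUID of the ext4 file system pasted, cryptodisk line still commented.
sed -e 's/afedb6e0-c57c-407a-9561-96ceeb2b2c33/0f0e0d0c-0b0a-4908-8706-050403020100/' \
    -e 's/^GRUB_ENABLE_CRYPTODISK/#&/' "$demo/grub.ok" > "$demo/grub.bad"
cat > "$demo/hooks.ok" <<'EOF'
#HOOKS=(base udev autodetect modconf block filesystems fsck)
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
EOF
cat > "$demo/hooks.bad" <<'EOF'
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
EOF

check_boot_config "$demo/uuid" "$demo/grub.ok" "$demo/hooks.ok" /dev/sdb2 &&
    echo "first sample: no problems"
check_boot_config "$demo/uuid" "$demo/grub.bad" "$demo/hooks.bad" /dev/sdb2 ||
    echo "second sample: $? problem(s)"
```

On the real system, inside arch-chroot, the call would be check_boot_config uuid /etc/default/grub /etc/mkinitcpio.conf /dev/sdb2, where uuid is the file written by the blkid command above.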

 

After that, we will finalize the configuration of the bootloader:

grub-mkconfig -o /boot/grub/grub.cfg

 

If there are no error messages, then the installation of Arch Linux is completed. We will perform some post-installation tasks after rebooting.

 

4. Reboot the computer

Execute this command to log out of the root account:

exit

Next, unmount (turn off) your file system:

umount -R /mnt

and finally

reboot

and remove the installation medium.

 

When the computer boots, you will be asked to enter the encryption passphrase. If it does not work ("Invalid passphrase" error), there are two possible reasons:

1) If you entered an incorrect passphrase during boot and end up with the "GRUB rescue" prompt, then try

cryptomount -a

and enter random passwords when presented with other partitions (so that their unlocking fails) until you reach your partition (you will recognize it by the UUID). Here, enter the correct password. Then proceed with

insmod normal

and

normal

 

2) If you entered the correct passphrase, but an "Invalid passphrase" error is immediately returned, then boot into the Arch installation USB and execute:

cryptsetup open /dev/sdb2 mydrive                  (remember that sdb2 is the name of my encrypted partition, yours could be different)

then change the hash and PBKDF algorithms by executing this (all one line):

cryptsetup luksConvertKey --hash sha256 --pbkdf pbkdf2 /dev/sdb2

 

Enter the correct passphrase when prompted. Under normal circumstances, it should take a few seconds before the passphrase is processed.

reboot

Remove the USB drive. For increased security, the procedure described above also encrypted the bootloader (grub). Thus, you will have to enter your encryption passphrase twice: to enter grub and then to unlock the hard drive containing Arch Linux (and then also enter your login password). My advice is to leave it as is; I cannot help you to remove the passphrase from grub. The correct passphrase was not recognized during your very first login probably because we encrypted only a part of a hard drive, and this stirred up some bugs. On the other hand, if you install Arch Linux on a whole hard drive with encryption by means of archinstall, then these two inconveniences will not present themselves (my tutorial is here).

 

 

5. Postinstallation tasks

When the computer restarts, on the grub screen, select the kernel that is called simply "linux"; it is also known as "Stable."

 

You will get to a login screen:

login: root

enter the password

 

Optional: make the text larger on the screen:  

setfont ter-128b or

setfont ter-132b

 

5.1. The user account

Create your user account by executing this command:

useradd -mg wheel yourusername

“-mg wheel” means that we are creating a home folder for your user account and assigning this user to the “wheel” group. This group can execute any commands by entering a password (so-called sudo privileges).

Let’s create a password for your account:

passwd yourusername

 

To activate the wheel group, we need to edit a so-called sudoers file. Remember that to prevent corruption of sensitive data, the sudoers file should be edited only using vim. You should not use nano directly with this file. It’s OK to use nano indirectly as follows:

 

EDITOR=nano visudo

 

Scroll down and uncomment this line

# %wheel ALL=(ALL:ALL) ALL

 

Save the file and exit nano. Now your user account can perform sudo commands.

To log out of root, enter this command:

exit

and then log in to your user account

 

5.2. Video drivers

Let's install a video driver. This is tricky; please read this whole subsection before you do anything.

To find out what kind of GPU (graphics card) you have, execute this command:

lspci -k | grep -A 2 -E "(VGA|3D)"

 

If the output says that a kernel driver is in use (for your GPU), and you think this driver is suitable, then you don't need to install a video driver. With some exceptions, you can uninstall the video driver (mentioned by the lspci command) as follows:

sudo pacman -R drivername 

 

but only if you think that one of the drivers described below is more suitable. After that, install the more suitable driver using one of these three commands:

sudo pacman -S mesa                         (for an AMD or Intel GPU; this command also installs nouveau, which is suitable for older Nvidia graphics cards: GeForce RTX 2060, GeForce GTX 1660, or older) or

sudo pacman -S nvidia-open       (for newer NVidia graphics cards: GeForce GTX 1660, GeForce RTX 2060, or newer) or

sudo pacman -S mesa-amber          (for an old AMD or Intel GPU)

 

If you have an NVidia graphics card, then see the endnote (it’s a somewhat complicated matter). Otherwise, things are much simpler. (If you want more details about mesa drivers, see this article).

 

5.3. Enabling the graphical user interface

Let's install some basic programs, a graphical login screen (i.e., a desktop manager), and several desktop environments (this is all one line):

sudo pacman -S libreoffice-still firefox timeshift lightdm lightdm-gtk-greeter cinnamon xfce4 awesome qtile   

 

We installed only desktop environments that are the stablest for Arch Linux. Enable the desktop manager:

sudo systemctl enable lightdm

sudo reboot

 

When presented with the graphical login screen, you can select one of several desktop environments in the upper right corner (I recommend "Cinnamon").

Later, if you are going to use the xfce4 desktop environment, you will need to also install a useful group of packages:

sudo pacman -Syu  

sudo pacman -S xfce4-goodies

 

Of the two commands, the first one updates your Arch Linux, and you need to always execute this command before installing any software package on Arch Linux.

 

The installation procedure is finished; now you can customize your desktop environment to make it more beautiful and convenient. If the stable kernel (“linux”) of Arch Linux works OK, then continue using it. If not, then you can try the fallback and other kernels.

 

What to expect from Arch Linux: This Linux distribution is for more advanced users and requires you to use the command line more often and to have more knowledge about computers and operating systems. Arch Linux is fast, reliable, and compatible with all kinds of hardware (especially new hardware). Of course, it is no rival to Windows in hardware support, but still very impressive. If you have a notebook from a less known manufacturer, some components (such as a touchpad) may not work with Arch Linux. This is normal; you need to find a workaround (such as using a mouse). Some features of some software packages may not work for some period of time, for example, spellchecking in LibreOffice (but the package is stable and will not crash the whole system). For comparison, everything works as expected in a stable or oldstable version of Debian, but the version of the Linux kernel is older (and the support of the latest hardware is worse as compared to Arch Linux). Finally, keep in mind that Arch Linux involves rolling updates (things change often, in contrast to Debian), and it is possible that some package updates in a distant future will break something on your system, for example, a wireless modem may start acting up. For this reason, I recommended installing timeshift above, which you can use to revert to a functional state of your operating system (kind of like System Restore in Windows). After that, wait 1-2 months before updating again. Alternatively, instead of using timeshift, try a different Arch kernel (you have four) or a fallback version; it may still be problem-free.

 

ENDNOTES:

 

intro) The official installation guide is written by people with advanced technical expertise for advanced techies. This is not a problem, but it would be nice to have another version of this guide tailored to less experienced Linux users. Furthermore, the official guide contains some errors and outdated details. For example, subsection 1.6 is applicable only to old computers and is best moved to a footnote. In subsection 1.9.1, the mention of swap is applicable to very old computers and needs to be either deleted or moved to a footnote. Although old computers that have a 32-bit CPU cannot have more than 4 GB of RAM, 4 GB is still enough for Arch Linux, and you can skip swap installation, or if you want a swap partition, you must install it on a solid-state drive. In subsection 1.11, the recommended scheme of mounting the boot partition, /mnt/boot, will not work with many UEFI computers; it should be replaced with /mnt/boot/efi

 

1.8) Keep in mind that the time zone of the IP address of your computer should be the same as the time zone of the download mirrors that you will choose later in this manual (at least in the same country) and the same as the time zone that you will choose later in this manual. Otherwise, you may experience some weird problems. This may be an issue if you have a proxy or VPN installed on your router. To find out your public (external) IP address, launch this command:

curl ifconfig.me

and using another computer, check the geographic location of this IP address for example at www.whatsmyip.com

 

1.9) If you have an old computer and it has BIOS instead of UEFI (check the technical specs of your motherboard or notebook), then you will need to choose or use “dos” formatting (also known as MBR) of your hard drive. A gpt-formatted disk may not work for booting an operating system in your computer. Keep in mind that dos-formatted hard drives can have no more than four primary partitions and bootable operating systems on them. In this tutorial, the mounting of the boot partition will be slightly different in your case, as you will see later in the tutorial.

 

1.11) If you have a dos-formatted disk (dos label), and BIOS instead of UEFI, then you need to ignore subsection 1.11 and execute the following commands instead:

mount /dev/mapper/mydrive /mnt

 

mkdir -p /mnt/boot           (here we are creating a boot folder)

 

mount /dev/sdb1 /mnt/boot

 

We just mounted the partitions (i.e., made them available for work in your computer). To verify:

lsblk

 

We did not create a so-called swap partition in this tutorial because it is not really needed on newer computers, but even on old computers, you can install 8 or 16 GB of random access memory (RAM), and it will work 10 times faster than the swap partition (which is intended to be a replacement of RAM when there is a shortage of the latter).

 

2.2) If you got an “unknown trust” error (the downloading and the installation failed), then execute:

pacman -Syy

pacman -S archlinux-keyring

 

and repeat the above pacstrap command (press the up arrow key to load previously entered commands).

If the error is “404,” (mirror cannot find the requested files), then execute this command

pacman -Syy

 

and repeat the above pacstrap command.

 

If the download is too slow, then rearrange the order of your active mirrors (place one above the others, we hope it’s faster) in the file /etc/pacman.d/mirrorlist  using nano.

For this purpose, place the cursor at the beginning of a line containing an active mirror, press Ctrl+K to cut the text, move the cursor up to an empty line (or create an empty line above) and paste the line by pressing Ctrl+U

Save your changes and exit nano.

 

3.1) With this command, we are copying the information about your mounted partitions into a table that will be used to mount these partitions automatically when your computer boots. The -U parameter makes sure that the table contains unique device IDs instead of plain names such as “/dev/sdb1”

 

3.3) For dual booting with Windows on the same computer, it is recommended to configure Windows to use UTC, rather than local time. (Windows by default assumes that the hardware clock shows local time, and therefore Windows will be displaying incorrect time.) The problem can be solved by editing the registry: Hold down the Windows key and press the R key, type regedit and press the Enter key. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation.

While “TimeZoneInformation” is selected in the left-hand panel, right-click in the right-hand panel, select “New” then “DWORD (32-bit) value,” name it RealTimeIsUniversal and press Enter. Double-click this registry entry and enter 1 as a hexadecimal value. Click OK and close the registry editor. The next time Windows boots, it will display the correct time.

 

 

5.2) If you have an NVidia graphics card, then this command

lspci -k | grep -A 2 -E "(VGA|3D)"

 

is likely to show that either nouveau or nvidia is in use as a video driver. Nouveau is an open-source driver suitable for older Nvidia graphics cards (GeForce RTX 2060, GeForce GTX 1660, or older with any Arch kernel), whereas “nvidia” may mean that Arch Linux installed either a proprietary (closed-source) NVidia driver or an open-kernel NVidia driver (open source). To find out which one, you need to launch this command:

pacman -Q | grep nvidia

 

If it outputs nvidia, nvidia-lts, or nvidia-dkms <version number>, then you have a proprietary driver installed, or if it outputs nvidia-open or nvidia-open-dkms <version number>, then you have an open-source driver installed. See the following list of installation commands and choose an appropriate one for your NVidia graphics card and for your kernel (right now, you are running the stable kernel “linux”):

 

sudo pacman -Syu             (updating the system; necessary before installing anything)

sudo pacman -S nvidia-open                                (for newer NVidia graphics cards: GeForce GTX 1660, GeForce RTX 2060, or newer and the stable kernel of Arch Linux) or

sudo pacman -S nvidia-open-dkms                    (for newer NVidia graphics cards: GeForce GTX 1660, GeForce RTX 2060, or newer and all other Arch kernels: zen, lts, and hardened)

Both of the above are open-source video drivers; there are of course closed-source NVidia drivers if you want them:

sudo pacman -S nvidia         (for new and moderately old NVidia GPUs and the stable kernel of Arch Linux) or

sudo pacman -S nvidia-lts    (for new and moderately old NVidia GPUs and the lts kernel of Arch Linux) or

sudo pacman -S nvidia-dkms   (for new and moderately old NVidia GPUs and all other Arch Linux kernels)

 

If you want to replace an nvidia driver with nouveau, then simply uninstall your nvidia driver:

sudo pacman -Rns nvidia-lts nvidia-settings nvidia-utils lib32-nvidia-utils
sudo reboot

(For more details about nouveau see this article.)

 

Unfortunately, you can install only one NVidia driver (they conflict with each other, two cannot coexist). On the other hand, you have four different Arch kernels, and they need different NVidia drivers. For now, you can install an appropriate driver for the stable kernel, and if you decide to use a different kernel in the future, then you will install a different video driver. Fortunately, the open-kernel drivers will work satisfactorily when they don’t match the kernel precisely. For example, nvidia-open-dkms will work more-or-less OK with the stable Arch kernel.

 

If you currently have the nouveau driver and you think that it is suitable, then do nothing. If you want to replace nouveau with an NVidia driver, then you don’t need to uninstall nouveau; simply install the desired NVidia driver, and nouveau will be automatically disabled. If you have an unsuitable NVidia driver installed, and you want to replace it with a different NVidia driver, then install the desired driver as described above. When presented with the option to remove the conflicting existing NVidia driver, select this option.

 

In most cases, it is preferable to remove or replace NVidia drivers in console mode (without a graphical user interface), which is the case right now because we have not yet installed the graphical interface. Therefore, your manipulations with video drivers will go smoothly. Later, after we install the graphical user interface and a desktop environment, you will have to reboot your computer into the minimal mode (no graphical interface) in order to remove or replace NVidia drivers. This is how to enter the minimal mode:

 

sudo systemctl set-default multi-user.target

sudo reboot

 

(You don’t need sudo if you are logged in as root.) After your manipulations with video drivers, to return to the normal mode (with graphical user interface), execute these commands:

 

sudo systemctl set-default graphical.target

sudo reboot

 

If your computer contains two graphics cards (for example, a weak GPU that comes with an Intel microprocessor and a powerful Nvidia GPU that you added to the motherboard), then it's a good idea to uninstall the mesa driver (if you have it) and install an appropriate NVidia driver (if you don't have it). In most cases, Arch Linux will install a video driver only for the powerful added GPU, and you don’t have to worry about the two drivers.

 

For more details:

https://wiki.archlinux.org/title/NVIDIA

 

 

5.3) No amount of encryption and passwords will protect you from hardware-level spyware such as Intel Management Engine and AMD Platform Security Processor (PSP). The official function of this separate chip on your motherboard is that it can be used by a sysadmin to manage your computer remotely. There are some complicated tutorials for disabling Intel Management Engine through physical access to and flashing of the BIOS chip and installation of different firmware such as coreboot or libreboot.

A simpler solution is to use an off-board (added) LAN adapter because the tiny BIOS chip has a limited amount of storage space and cannot possibly hold drivers for various LAN adapters (credit for this idea goes to YouTube user monad_tcp). Although the spyware device in question may be able to connect to the Internet through a factory-installed version of Windows, this connection will be disabled for the same reason if you use a different operating system together with the off-board LAN adapter. You can verify that the Intel Management Engine is disabled in this way by attempting to remotely control your PC on your local network via Active Management Technology (use open-source software such as MeshCommander, some videos here and here).

With a notebook computer, things are a little more complicated. You need to disassemble the notebook, pull out the Wi-Fi modem, and throw it away, then put the notebook back together. Be careful not to damage the interior of your computer with static electricity. Ground yourself frequently while working inside the computer, and the computer should be disconnected from all peripherals and cords. You need to connect the notebook to the Internet through an external network adapter that is connected via USB or some other interface, not through the factory-installed Ethernet card.

Alternatively or in addition to the above, in your router, enable NAT on your local network (if you know what you are doing). If possible, set the default connection policy to "no internet access" for new devices that join your local network. An external firewall (in your router) can help too (ports used by Intel Management Engine are known); use open-source firmware on your router.

According to the Libreboot website, anything from AMD's 15h architecture (Bulldozer) down should be fine, as they released the source code for them. AMD PSP was introduced around 2013, and therefore AMD CPUs without the backdoor are more modern/powerful than Intel CPUs without the backdoor (manufactured before 2008). The most powerful Intel CPU without the IME is the Xeon x5450. Intel removed the Management Engine from some recent notebook versions of its CPUs; check the Intel website for the specs of your CPU: if "Intel ME" or "vPro" is mentioned, then your computer has the Management Engine. Computers that are sold with Intel ME disabled are rather expensive, and you have to verify this fact yourself rather than blindly trusting vendors such as Purism, Tuxedo Computers, and System76. Coreboot still can't remove the entire management engine. Also, ARM CPUs probably already have a similar management engine; at least on the Raspberry Pi, the GPU has VideoCore IV, which can control the CPU. According to some authors, there are hardware backdoors in your network controller, hard drive controller, and printer.
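The verification step mentioned in this endnote can also be done without a management console. The script below is an added example, not part of the original tutorial: run from a second machine on the same LAN, it checks whether the PC accepts TCP connections on the ports Intel documents for AMT. The port list and the address 192.0.2.10 are assumptions that do not come from this page.

```bash
#!/usr/bin/env bash
# Added example: probe ONE host you own for the TCP ports used by Intel AMT.
# Run it from another machine on the LAN: AMT answers out-of-band on the
# network interface, so probing localhost on the PC itself proves nothing.
# Usage: ./amt-check.sh 192.0.2.10     (placeholder address)

# Ports Intel documents for AMT/ASF (assumption: not listed on this page).
AMT_PORTS="623 664 16992 16993 16994 16995"

# port_open HOST PORT -> exit status 0 if a TCP connect succeeds within 2 s.
port_open() {
    timeout 2 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# amt_open_ports HOST [PORT...] -> prints each port that accepted a connection.
amt_open_ports() {
    local host=$1 p
    shift
    for p in ${*:-$AMT_PORTS}; do
        port_open "$host" "$p" && echo "$p"
    done
    return 0
}

# amt_verdict "<space-separated open ports>" -> one-line assessment.
amt_verdict() {
    case " $1 " in
        "  ")                    echo "none: no AMT port answered" ;;
        *" 16992 "*|*" 16993 "*) echo "exposed: AMT web interface port is open" ;;
        *)                       echo "check: ports open: $1" ;;
    esac
}

# Only probe when a target address is given on the command line.
if [ -n "${1:-}" ]; then
    open=$(amt_open_ports "$1" | tr '\n' ' ')
    echo "$1: $(amt_verdict "$open")"
fi
```

A "none" result only shows that no AMT listener answered on that interface at that moment; it says nothing about the Management Engine firmware itself, so repeat the check after BIOS or adapter changes.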