How-to: Arch Linux on a Librem

I had been having some problems with PureOS, even running a completely stock installation, so I went exploring other distros.

I decided to give Arch a try for a few reasons, and I’m glad I did. It has been incredibly stable and very fast! I have been using it for over two weeks now with the configuration provided here with zero issues so far.

With Arch being what it is, I had to do a lot of research and note taking before I felt confident enough to try it for myself. I expounded upon my notes to make them useful for others, and make them available to you now.

I did my best to be as thorough as possible, consolidating the steps relevant to the installation and configuration in one place, and clarified some topics that are otherwise explained too simply or tediously elsewhere.


  • Librem 15v4
  • Arch Linux Hardened
  • Grub Bootloader
  • Disabled IPv6
  • LUKS Encrypted LVM
  • System U2F Authentication
  • OpenVPN
  • H.264 Playback Enabled
  • GNOME Desktop Environment (Wayland only)
  • CUPS printer support
  • Periodic TRIM

Install Arch:

Things to know about Arch:

  • Rolling release
  • Base system is just that, very basic. The first boot will be only to a command prompt
  • Arch is as secure or insecure as you make it
  • There are four main repos: core, extra, community, and Arch User Repository (AUR)
    • core and extra are maintained by the Arch team
    • community is maintained by “trusted users”, and serves as a vetting ground for packages before they move into extra
    • AUR consists of packages that anyone can submit. Be careful when installing from this repo
  • Take a look at the Arch Wiki for guidance on nearly all things Arch

I provide no warranty or promise of support if you choose to proceed. You should read this entire guide through at least once before beginning, and print a copy if you have only one computer with internet.

I recommend trying this install on a VM or external drive before before working on your actual machine. While an external drive is slower than VM, it is closer to the configuration of an installation on your main disk, and thus preferrable unless you are already comfortable with the command line.

If your machine has a HiDPI display (as with the Librem 15v4), be prepared with glasses, a magnifying glass, or a set of sharp eyes. The prompt is very small before getting to the desktop environment.

1. Boot ISO, Set Keyboard Layout, and Check Boot Mode

  • The default keyboard layout is US
    • See the Wiki for information on selecting an alternate layout
  • Boot Mode: BIOS or UEFI? If it’s a Librem, it’s BIOS and you can move on to step 2
    • Not using a Librem? See the Wiki for information on checking Boot Mode
    • If your machine is using UEFI, review the sum of the Arch Wiki Install Guide for specific notes related to EUFI installations

2. Establish Wireless Connection

You will use this section again later, at which point you must prepend all of these commands with sudo.

Find name of wireless interface (If you’re on a Librem, likely to be wlp1s0):

$ iw dev

Take note of interface name. You can skip this first part (iw dev) when running through this section later.

Set interface status:

$ ip link set INTEFACE up
  • Create /etc/wpa_supplicant/wpa_supplicant.conf
  • Add the following, save, and exit:

Start wpa_supplicant:

$ wpa_supplicant -B -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.conf

Run wpa_cli, scan for your network if needed, configure the network (leave the quotes below, replace what is between them), and connect (this is for WPA networks):

$ wpa_cli

$ scan
$ scan_results

$ add_network
$ set_network 0 ssid "YOUR_SSID"
$ set_network 0 psk "YOUR_PSK"

$ enable_network 0
$ save_config

$ quit

Restart dhcpcd:

$ systemctl restart dhcpcd

Verify wireless interface is up:

$ wpa_cli status

Ping something:

$ ping

If ping fails, re-enable to network after restarting dhcpcd:

$ wpa_cli enable_network 0

3. Update System Clock

$ timedatectl set-ntp true
$ timedatectl status

Good to proceed to the next step if the clock is synced.

4. Partition Disk

We will be using fdisk for partitioning.

If you are unfamiliar with this, the basic commands we will be using are:

  • “fdisk -l” to list available disks and partitions
  • “fdisk /dev/DISK” to select a disk to work with
  • “o” to create a new empty DOS partition table
  • “n” to add a new partition, which has a sequence of promts that follow it:
    • Partition type: primary or extended (we will be using primary, which is the default)
    • Partition number: 1-4 (we will be using sequential numbering, which is the default)
    • First sector: values vary depending on the size of your disk (we will be using the default)
    • Last sector: values again vary, but the default is the maximum possible (we will be creating a 500MB boot partition, with the root partition set to use the remaining disk space)
  • “a” marks a partition as bootable
  • “t” changes the partition type (we will be using 8E: Linux LVM)

If you are comfortable with fdisk and this up, do what you know is best for you here.

First, identify the disk you’ll be working with:

$ fdisk -l

Take note of the disk you want to install on. On a Librem, likely to be /dev/sda or /dev/nvme0n1.

Begin partitioning the drive:

$ fdisk /dev/DISK
> o

Create boot partition:

> n
> [return]
> [return]
> [return]
> +500MB
> a

Create root partition:

> n
> [return]
> [return]
> [return]
> [return]
> t
> 2
> 8E

Write the changes:

> w

5. Setup Encryption

Here ROOTPARTITION would be something like sda2. Run lsblk first to confirm if needed.

$ cryptsetup luksFormat /dev/ROOTPARTITION

Enter desired encryption password, and confirm it.

Open encrypted partition:

$ cryptsetup open --type luks /dev/ROOTPARTITION lvm

6. Setup LVM (Logical Volume Manager)

The encryption method used here does not support multi-disk logical volumes. Do some research if you want to configure an encrypted multi-disk LVM before beginning.

To keep things simple, I named the volume group and logical volumes in these commands. You can substitute per your preference as desired:

  • Volume Group: volgroup0
  • Root Volume: lv_root
  • Swap Volume: lv_swap
  • Home Volume: lv_home

If you don’t use these names, I do recommend using some other scheme that is easily remembered, or taking careful note of what’s what.

First, initialize physical volume:

$ pvcreate --dataalignment 1m /dev/mapper/lvm

Next, create the volume group:

$ vgcreate volgroup0 /dev/mapper/lvm

Next, create system volume (where arch will be installed, adjust from 30GB to meet your preference):

$ lvcreate -L 30GB volgroup0 -n lv_root

Next, create swap volume (adjust from 16GB as needed to match your RAM is recommended):

$ lvcreate -L 16GB volgroup0 -n lv_swap

Next, create home volume (set here to use the remaining space):

$ lvcreate -l 100%FREE volgroup0 -n lv_home

Wrap up LVM setup:

$ modprobe dm_mod
$ vgscan
$ vgchange -ay

7. Format Volumes and Enable Swap

Regain your bearings:

$ lsblk

Boot partition:

$ mkfs.ext2 /dev/BOOTPARTITION

System volume:

$ mkfs.ext4 /dev/volgroup0/lv_root

Home volume:

$ mkfs.ext4 /dev/volgroup0/lv_home

Enable swap:

$ mkswap /dev/volgroup0/lv_swap
$ swapon /dev/volgroup0/lv_swap

8. Mount em-up!

$ mount /dev/volgroup0/lv_root /mnt
$ mkdir /mnt/boot
$ mount /dev/BOOTPARTITION /mnt/boot
$ mkdir /mnt/home
$ mount /dev/volgroup0/lv_home /mnt/home

9. Install Arch

Install Arch, generate fstab, and chroot into the new system:

$ pacstrap /mnt base
$ genfstab -U -p /mnt >> /mnt/etc/fstab
$ arch-chroot /mnt

10. Configure Networking

  • Edit /etc/hostname

  • Add only your hostname

    • This can be anything you want in a basic home or business network setup, but it must fit on a single line and adhere to some minimal restrictions. More info on setting the hostname can be found on the Wiki.
  • Edit /etc/hosts; add:    localhost 
::1          localhost    HOSTNAME.localdomain    HOSTNAME

11. Clean up pacman mirrors

Edit /etc/pacman.d/mirrorlist

  • Delete any mirrors that are geographically far from you, as they can slow things down
    • in nano, ctrl+k deletes the currently selected line
  • Save and return to the prompt

12. Set Locale

Edit /etc/locale.gen

  • Uncomment the line with your locale
    • “en_US.UTF-8” would be for the US
  • Save and return to the prompt
$ locale-gen

13. Set Time and Sync Clock

View directory structure of /usr/share/zoneinfo to see what options are available here. When ready, proceed with:

$ ln -sf /usr/share/zoneinfo/REGION/CITY /etc/localtime

Now, sync the clock:

$ hwclock --systohc --utc

14. Pre-Boot Software Installation

Here we will install the things we will need for a smooth first boot.

First, decide if you want to choose an alternate kernerl or kernels, of which there are four pre-built choices:

  • Stable: default Arch kernel, installed already by the pacstrap command above
    • linux-headers
  • Hardened: A security-focused Linux kernel applying a set of hardening patches to mitigate kernel and userspace exploits; it also enables more upstream kernel hardening features than Stable
    • linux-hardened linux-hardened-headers
  • Longterm: Long-term support (LTS) Linux kernel and modules
    • linux-lts linux-lts-headers
  • ZEN: Result of a collaborative effort of kernel hackers to provide the best Linux kernel possible for everyday systems
    • linux-zen linux-zen-headers

You can find more info on these on the Wiki.

For performance and stability purposes, be sure to include both linux-X and linux-X-headers packages for all kernels installed.

If you install only one alternate kernel it will become the system default.

When ready, execute the below command. Add or remove kernel packages to match your selection. In this example, the Hardened kernel is being installed. Be sure to keep linux-headers in the below command, even if you are using an alternate kernel.

$ pacman -S grub-bios sudo linux-headers linux-hardened linux-hardened-headers wpa_supplicant wireless_tools networkmanager net-tools iw dialog util-linux

15. Set mkinitcpio.conf hooks

Edit /etc/mkinitcpio.conf:

  • Locate the uncommented line beginning with “HOOKS=”
  • In that line, place cursor between “block” and “filesystems”
    • There, enter encrypt lvm2
    • It should now read: HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)
  • Save and retrun to the prompt

Regenerate initcpio images:

$ mkinitcpio -p linux
$ mkinitcpio -p linux-hardened

16. Enable NetworkManager service

For networking:

$ systemctl enable NetworkManager.service

17. Set Root Password

$ passwd

18. Configure user(s)

Create plugdev group:

$ groupadd -r plugdev

Create your user accounts. Repeat the commands below for each account to be created. Omit adding the “wheel” group to anyone that should not have sudo priveleges.

$ useradd -m NEWUSERNAME
$ usermod -aG wheel,plugdev,audio,video,optical,storage NEWUSERNAME

Activate wheel group in sudoers (enabling sudo to work):

  • Edit /etc/sudoers
  • Uncomment the line %wheel ALL=(ALL) ALL
  • Save and return to prompt

19. Configure and Install Grub

First, edit /etc/default/grub:

  • Find the line starting with GRUB_CMDLINE_LINUX_DEFAULT=
  • Prepend the line following the = with cryptdevice=/dev/ROOTPARTITION:volgroup0
  • To disable ipv6, append the line with ipv6.disable=1
    • The final line should look something like this: GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:volgroup0 audit=0 loglevel=3 quiet ipv6.disable=1"
  • Save and return to prompt

Regain your bearings:

$ lsblk

The topmost designation of the disk you are working with is to be used in the following command. On a Librem, this will likely be “sda” or “nvme0n1”.

Install Grub:

$ grub-install /dev/DISK
$ grub-mkconfig -o /boot/grub/grub.cfg

20. Exit Root, Unmount, and Reboot

$ exit
$ umount /mnt/boot
$ umount /mnt/home
$ umount /mnt

You may get a resource busy error with the above. If you do, continue with the next command anyway.

$ reboot now

21. First Boot - Enable TRIM

Decrypt your drive, log in with your new user. If you cannot do one of these, time to start over.

Enable periodic TRIM:

$ sudo systemctl enable fstrim.timer

There are other means of enabling TRIM. This method provides enough for most people. See the Wiki for more on TRIM.

22. Set Locale (again)

$ localectl set-locale LANG="YOUR_LOCALE"

Here, YOUR_LOCALE is the same one identified in step 12. Leave the quotes, replace what is between them.

23. Disable ipv6 - Failsafe #1

This probobly is not necessary, but I like having at least two off-switches for some things (the first for ipv6 is in the grub config.

Edit /etc/sysctl.d/40-ipv6.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.wlp1s01.disable_ipv6 = 1

24. Reconnect to internet

Follow the same procedure as Step 2.

25. Install Software

Now install the software you want and need. (Info on available packages available on the Arch site.

A good start (for me):

  • OpenVPN (needed for most VPN services):
    • networkmanager-openvpn resolvconf openvpn
  • Rootkit Hunter - rootkit screening application:
    • rkhunter
  • Firewalld - GUI firewall configuration
    • firewalld
  • PAM U2F and Yubikey support:
    • pam-u2f yubico-pam yubikey-manager
  • GNOME and Arch repo support:
    • gnome gnome-packagekit gnome-software-packagekit-plugin
  • Tilix, the best terminal emulator!
    • tilix python-nautilus
  • H.264 playback support:
    • ffmpeg gstreamer gst-libav
  • CUPS Printer Support (this brings support for most out there. More compatibility is available if needed. Info on Wiki.):
    • cups system-config-printer
  • Grub Customizer - a helpful GUI tool for editing /etc/default/grub. This is how you can easily change default kernels, among other things.
    • grub-customizer
sudo pacman -S networkmanager-openvpn resolvconf openvpn rkhunter firewalld pam-u2f yubico-pam yubikey-manager gnome gnome-packagekit gnome-software-packagekit-plugin tilix python-nautilus ffmpeg gstreamer gst-libav cups system-config-printer grub-customizer

If you prefer to have only Tilix on your system, run the following command after Tilix installation is complete:

$ sudo pacman -Rsu gnome-terminal

Once that is done, pick what you’d like from gnome-extra:

$ sudo pacman -S gnome-extra

You will be prompted to accept everything in the group, or to choose which you’d like to take.

A NOTE ON FLATPAK: If you plan to use flatpak with the Hardened kernel, you must execute the following command. Be aware that this decreases the security of your system.

$ sudo sysctl -w kernel.unprivileged_userns_clone=1

26. Enable GDM and other services

If you went with something other than GNOME for your desktop environment, be sure to replace gdm with the approriate service in the below command.

$ sudo systemctl enable gdm org.cups.cupsd.socket firewalld.service [...any other services you want to run...] 
$ sudo reboot now

This will boot to the GDM login screen.

27. Connect to the internet (last time!)

With GNOME loaded, you can now connect to the network via the standard means.

28. Set up PAM U2F

a. Enable Linux udev rules for U2F devices:

Note: the udev rules we will use (provided by Yubico) cover most widely available U2F keys, but it doesn’t cover all of them. If you follow this section exactly and cannot get U2F to work, it could be a udev issue, and you’ll need to go hunting for the needed rules for your device

Go to this page and copy the entire contents:

$ sudo mkdir -p /etc/udev/rules.d/
$ nano 70-u2f.rules

Paste content in, save, and return to prompt.

$ sudo mv 70-u2f.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && sudo udevadm trigger

b. Register your U2F device(s):

  • Primary U2F device:

  • Connect U2F device

$ mkdir u2f
$ pamu2fcfg --origin=pam://localhost > u2f/keys

Backup U2F device(s):
When setting up security like this, it is always a good idea to have at least one backup U2F device that you store somewhere safe – and almost always a bad idea to not have a spare. If you do not have a spare to configure now, you can do so later. Repeat for all backup devices.

  • Connect backup U2F device.
$ pamu2fcfg -n --origin=pam://localhost >> u2f/keys

c. Move registration to /etc:

$ sudo mv u2f /etc

d. Enable U2F authentication:

As far as I have experienced so far, this method requires U2F for literally every situation in which you must enter your password. It is possible to require it for only certain situations, such as login, sudo, unlocking the screen, etc. See @lipu’s U2F guide and the other sources listed at the bottom of this U2F guide for more information on that approach.

Edit /etc/pam.d/system-auth:

Choose one of the following:

To allow a U2F key or password for authentication, add the following line as the first in the “auth” section:

auth sufficient cue no detect origin=pam://localhost authfile=/etc/u2f/keys

To require both a U2F key and password for authentication, add the following line to the bottom of the “auth” section:

auth required cue no detect origin=pam://localhost authfile=/etc/u2f/keys

Configuration options from most secure to least:

  • Omit “cue no detect” to prevent prompting of any kind. Incorrect password and absent key failures both appear to be an incorrect password to the user.

  • Leave “cue no detect” in the above line if you want to be prompted to touch the device only when it is present. An absent key appears to be an incorrect password.

  • Omit “no detect” to always be prompted to touch the device, even when the key is not present. Arguably the least secure setup, as it reveals that a second factor exists when a key is absent.

Save and return to prompt.


  • Open new terminal window:
$ sudo echo success
  • If it returns “success”, you can safely close both terminal windows and enjoy system U2F authentication.
  • If you are not prompted to touch the device when expected (depends on configuration outlined above), or the device does not blink when expected, your password fails to be accepted, or authentication otherwise fails:
    • Close test terminal window (in which you ran echo), and return to the previous terminal window (in which you edited system-auth).

    • Edit /etc/pam.d/system-auth

    • Remove only the line you added above

    • Save and return to prompt

    • $ sudo rm -r /etc/u2f

    • Close terminal, and re-read this before trying again

29. Other things to consider:

  • Review Firewalld and configure it for yourself
  • Learn about laptop-mode-tools [Wiki] [AUR]
  • Learn about Rootkit Hunter [Wiki]
  • Learn about AppArmor [Wiki]
  • ipv6 failsafe #2: choose “ignore” when configuring networks in the GUI

That’s it! Enjoy your new speedy and reasonably secure Arch Installation!

Bonus Round: Custom Boot Splash

The Purism logo at first start will stay. This will get you a graphical spash and decrypt prompt following that logo. This process does bring back the moment of screen garbage during boot that currently happens in PureOS.

To make this work you need to install a few things from the AUR. Check out the Wiki entry on this for instructions on how to use the AUR. The applications we will be using have been in the AUR for quite some time and have had no issues reported.

  • grub-silent [Wiki] [AUR]
  • plymouth [Wiki] [AUR]
  • gdm-plymouth [AUR]
  • plymouth theme of your choosing (search “plymouth-theme” in the AUR as a good starting place)

And from the PureOS GitHub:

  • pureos theme (if you want the PureOS splash)


1. Back up current /etc/default/grub file

$ sudo cp /etc/default/grub ~

2. Install Grub-Silent

  • Clone, build, and install grub-silent from the AUR
  • Create ~/.hushlogin and reinstall grub:
$ touch ~/.hushlogin
$ sudo grub-install /dev/DISK

3. Configure Grub

  • Paste contents of /etc/default/grub.silent into /etc/default/grub
  • Copy the kernel parameter line from the backup copy of grub in your home folder, and integrate it with your new /etc/defaul/grub
    • The line should read something like: GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:volgroup0 quiet splash vt.global_cursor_default=0 loglevel=3 video=SVIDEO-1:d rd.systemd.show_status=false rd.udev.log-priority=3 ipv6.disable=1"
    • While yours may have additional parameters per your needs, all of the parameters above are required for the splash to work properly
    • It is critical that cryptdevice comes first, or your machine may not boot
    • Save and return to prompt

4. Install Plymouth

  • Clone, build, and install plymouth from the AUR
  • Ammend initcpio hooks:
    • Edit /etc/mkinitcpio.conf
    • Locate the HOOKS= line used above, and add:
    • “plymouth” after “udev”
    • replace “encrypt” with “plymouth-encrypt”
    • It should now read: HOOKS=(base udev plymouth autodetect modconf block plymouth-encrypt lvm2 filesystems keyboard fsck)
    • Save and return to prompt

5. Install GDM-Plymouth (if using GDM)

  • Clone, build, and install gdm-plymouth from the AUR
  • Disable GDM and enable GDM-Plymouth:
$ sudo systemctl disable gdm.service
$ sudo systemctl enable gdm-plymouth.service

6. Install theme(s) of choosing

  • Plymouth themes are stored at /usr/share/plymouth/themes
  • Check out this directory and the directories in it to get an understanding of the structure
  • To install new themes, copy only the theme directory to /usr/share/plymouth/themes
    • Using the PureOS theme as an example, you would copy only the “pureos” directory

A note on laggy Plymouth themes:

I notcied that some themes are laggy and have delayed keystrokes when entering the LUKS password. I found that these themes have a file called “background-title.png” (a totally tranparent image in every case I’ve found). You can safely remove that file, which should resolve the lag.

7. Configure Plymouth & Update Grub Config

You must repeat this entire section every time you change the active theme.

  • Check for available themes:
$ plymouth-set-default-theme -l
  • Edit /etc/plymouth/plymouthd.conf to reflect your selection.
  • Save and return to prompt
  • Update initcpio:
$ sudo plymouth-set-default-theme -R THEMENAME
$ sudo grub-mkconfig -o /boot/grub/grub.cfg

Reboot & Enjoy


though i don’t use arch - this looks so professional on this dark background and i bet you spent some time on it - damn good job !


Great tutorial. Thank you!

1 Like

Thanks! Markdown was definitely my friend on this endeavor.

1 Like

I’m curious but what have you got against IPv6?

In a nutshell, ipv6 can leak your true IP when connected through VPN and/or TOR. I don’t know exactly how or when it can occur, only that it can. This is based on a number of articles from those who understand these things well that I’ve read.

If you know differently or if this concern is no longer relevant, I’d like to be enlightened.


If you have dual stack then both protocols need to be dealt with if connecting through something like VPN or TOR.

That is, if you route IPv4 through the VPN but you don’t route IPv6 through the VPN then yes there is a risk of leaking your IPv6 address. So maybe that comes down to popular VPN services not supporting IPv6 or popular VPN clients not supporting IPv6.

TOR only has partial support for IPv6.

If you are not using a VPN or TOR then there are some additional considerations with IPv6 (e.g. randomising the interface identifier part of the IPv6 address - which a few years ago you would have had to choose to do explicitly but these days seems to be the default).

1 Like

That is exactly it! I may be a user of these services from time to time :slight_smile:

1 Like

I finished cleaning the guide up and editing. It is final unless someone spots an error :slight_smile:

Changes from the original post:

  • expounded upon fdisk commands to help those that are unfamiliar with it
    • corrected an error where I omitted selecting the partition number (2) when setting root partition type
  • added more Wiki and AUR reference links for convenience
  • changed TRIM method from continuous to intermittent; this was intended to be the case originally
  • cleaned up formatting, made language more consistent throughout

The PDF version is updated.

1 Like

It occurred to me that I didn’t have spell check anywhere except LibreOffice and Firefox today.

To make spellcheck available in other places, install:

Info on available languages is available on the Arch Repos.

1 Like

Can we try and move this to the arch wiki they have a page for supported hardware and is less likely to disappear than here


ok scroll right to the bottom of,

might try and arch install alongside manjaro on my 13v2 this seems to suggest that it’s entirely possible


I’d be interested to know your results! We know the 13v4 will work, as the relevant specs are identical to the 15v4.


To help people looking to experiment outside of PureOS, it would be very useful to have the hardware reference pages completed. – at least the specs.

Or a more logical place would be alongside the other information at

Current-model hardware is easy because the specs are on the main site. Once it is no longer current or no longer being sold, it can be difficult to determine exactly what internals you’re working with.


Just out of curiosity, can you decrypt luks with your pgp smartcard ?

I know it can be done, but I have not tried it. I use a split password: half of it is in my head, the other half is a complex 64 character string saved my second slot.

The link back here from the Arch wiki was removed by another for a fair enough reason. Upside: Purism and Librems are now listed in the wiki as known to be compatible! yeehaw

1 Like

Arch dont officially support ARM architecture!
How much pkgs for ARM?

There is a separate Arch-based distro for ARM:

I already tried it on my Raspberry and can confirm that I did not face serious issues with finding the required (for me) packages. All I needed was in the official repo.

1 Like

Very useful and interesting post, that might put Arch on my list of options!

How do I know what can and cannot be safely installed from AUR?
For example, I’d be interested in installing VMWare, which is under that branch, how do I go about assessing if it is safe, is there some sort of a “score” given to a package or “reputation” awarded to a package uploader?

Not directly related to Arch, but still on topic of “Other OS”, I encountered difficulties installing a new OS on my Librem 15 v4 with Pureboot. The only way out was to flash the BIOS to use SeaBIOS instead of HEADS (Coreboot).