ArchLinux Installation Guide on Encrypted SSD


2017 version of this installation guide can be found here

This tutorial guides you through installing ArchLinux on a GPT-partitioned SSD, using GRUB2 on a BIOS-enabled PC (see the Wiki for EFI) and LUKS encryption with LVM. It is not meant to replace the official ArchLinux installation guide or Wiki; it is just a collection of notes gathered from the official sources. As a reminder, the Installation Guide can now also be found on the USB flash drive under /root/install.txt.

Once you have installed your system please make sure to consult my emergency instructions for accessing your encrypted data with a LiveCD USB Flash drive and also perform seamless upgrades using LVM snapshots.

Pre-Installation Steps

Securely wipe SSD

Fill the new drive with random data using a working Linux system:

    # dd if=/dev/urandom of=/dev/sda iflag=nocache oflag=direct bs=4096

This operation takes a long time (e.g. 8 hours for a 500GB SSD).

Prepare USB Flash drive

Based upon 2015.12.01 ISO image or later from

    # dd if=/dev/zero of=/dev/sdx bs=1k count=1
    # dd if=archlinux-xxxxx.iso of=/dev/sdx

Replace sdx with the device name of your thumb drive.

Boot from USB Flash drive

Go into the BIOS menu and make sure to disable UEFI or enable legacy BIOS as the default, then boot and select x86_64 (or i686 if you want to stay with the i686 architecture, max. 3GB RAM). If you see UEFI in the boot menu, it is likely that your system is set up for UEFI boot only.

Change keyboard layout

    # loadkeys fr

Get IP address

The Archlinux boot CD starts the network and gets an IP address via DHCP. You can check that you have obtained an IP address with:

    # ip addr

In case your IP address was not automatically set up, you can use:

    # dhcpcd

It is also possible to use manual IP or wifi. Please refer to the official wiki for proper instructions.

Configure drive, block devices and encrypted filesystems

Identify the devices

The first step is to identify the devices where the new system will be installed. The following command will show all the available devices:

    # lsblk

Manually partition the SSD

    # gdisk /dev/sda

Remove old partitions then create the following partitions:

  • Enter n,1,[Enter],2M, EF02. This is the first partition (2MB) with type EF02 (BIOS partition) and used by GRUB2/BIOS-GPT. (/dev/sda1).
  • Enter n,2,[Enter],256M,8300. Second partition (256MB) with type 8300 (Linux) holds unencrypted /boot as well as backup copies of /boot between system upgrades. (/dev/sda2)
  • Enter n,3,[Enter],3G,8200. Third partition (3GB) with type 8200 (swap) is our optional swap partition that will be encrypted with random key but not part of lvm. (/dev/sda3)
  • Enter n,4,[Enter],[Enter]. Fourth partition occupies the remaining space with a type 8E00 (LVM). It will store the encrypted LVM for /, /home and snapshots (/dev/sda4)
  • Enter p to verify the above configuration
  • Enter w,Y

Prepare encrypted LUKS space

We need to align, enable TRIM and use the right payload for SSD.

    # cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --align-payload=8192 luksFormat /dev/sda4
    # cryptsetup luksOpen --allow-discards /dev/sda4 enc-lvm

While we will be enabling TRIM at different stages we won’t activate the discard option for mounting the different partitions but rather use weekly fstrim checks. The iter-time at 5000 means it will take up to 5s to check the password hash.

Setup LVM space

20GB for root is usually enough but if you start installing large packages such as TeX or others it can become too small over time. Therefore 40GB gives some room. We don’t setup swap inside LVM but keep it outside with its own random key per reboot. For the home directory we don’t use all remaining space but save some spare space for snapshots.

    # lvm pvcreate --dataalignment 4M /dev/mapper/enc-lvm
    # lvm vgcreate vgroup /dev/mapper/enc-lvm
    # lvm lvcreate -L 40GB -n root vgroup
    # lvm lvcreate -l 95%free -n home vgroup

Run vgdisplay to see the space remaining for snapshots. If it is not what you want, remove the home volume and recreate it with a different percentage:

    # lvremove /dev/mapper/vgroup-home
    # lvm lvcreate -l 97%free -n home vgroup

Format /boot, /root and /home

    # mkfs.ext2 /dev/sda2
    # mkfs.xfs /dev/mapper/vgroup-root
    # mkfs.xfs /dev/mapper/vgroup-home

ext4 was the filesystem of choice in the previous installation guide. Since I’m using XFS now on my NAS I thought it would make sense to use XFS here too especially with the latest developments including metadata checksums that are enabled by default.

Get 5% space back from /home partition (if using EXT4)

If you selected ext4 instead of XFS for /home you can gain 5% of space back since this is typically used on root partition as a safeguard when the disk gets full.

On non-root partition this hidden space can be easily and safely reclaimed back by using the following command.

    # tune2fs -m 0 /dev/mapper/vgroup-home

Mount the partitions

    # mount /dev/mapper/vgroup-root /mnt
    # mkdir /mnt/boot
    # mount /dev/sda2 /mnt/boot
    # mkdir /mnt/home
    # mount /dev/mapper/vgroup-home /mnt/home

Install the base system

Select installation mirror is throttled to 50KB/s.

Before installing, you may want to edit /etc/pacman.d/mirrorlist such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by pacstrap as well, so it’s worth getting it right.

Perform system installation

    # pacstrap /mnt base base-devel

Install a bootloader

The following will install GRUB2. If you want EFI please refer to the official Wiki.

    # pacstrap /mnt grub-bios

Generate fstab for the new disk scheme

Generate a fstab file with the following command. UUIDs will be used because they have certain advantages (see official wiki). If you would prefer to use labels instead, replace the -U option with -L. Note: If you encounter errors running genfstab or later in the install process, do not run genfstab again; just edit the fstab file.

    # genfstab -U -p /mnt >> /mnt/etc/fstab

Setup mount Flags

When using an SSD it’s important to disable some of the timestamping that can impact the SSD lifetime. Edit the /mnt/etc/fstab generated above to reflect the following changes:

    UUID=XXX-YYY-ZZZ   /       xfs  rw,noatime,attr2,inode64,noquota 0 1
    UUID=TTT-UUU-VVV   /boot   ext2 rw,noatime 0 2
    UUID=PPP-QQQ-RRR   /home   xfs  rw,noatime,attr2,inode64,noquota 0 2

Enable TRIM support on LVM

We have to enable the option issue_discards in the LVM configuration. Edit /mnt/etc/lvm/lvm.conf

    # [...]
    devices {
        # [...]
        issue_discards = 1
        # [...]
    }
    # [...]

Configure the newly installed system

Chroot into the installed system

    # arch-chroot /mnt /bin/bash

Set root password

Set a root password with:

    # passwd

Set hostname

Add your hostname in /etc/hostname.


Set it to your liking. This is the name of your computer.

Also add your hostname to /etc/hosts as an alias, matching the one specified in /etc/hostname, so that it looks like this:

                localhost.localdomain   localhost myhostname
    ::1         localhost.localdomain   localhost myhostname

Note: ::1 is the IPv6 equivalent of

Configure console fonts and keymap

Set keymap and font name in /etc/vconsole.conf.


  • KEYMAP: The available keymaps are in /usr/share/kbd/keymaps. Please note that this setting is only valid for your TTYs, not any graphical window managers or X.
  • FONT: Available alternate console fonts reside in /usr/share/kbd/consolefonts/. The default (blank) is safe.
  • FONT_MAP: Defines the console map to load with the setfont program at boot. Possible maps are found in /usr/share/kbd/consoletrans, if needed. The default (blank) is safe.

Setup time

Select a time zone:

    # tzselect

Available time zones and subzones can also be found in the /usr/share/zoneinfo// directories.

Setup a timezone

Edit the file /etc/timezone and write your Zone/Subzone. Example:


Additionally, create a symbolic link /etc/localtime to the same /usr/share/zoneinfo// using this command:

    # ln -s /usr/share/zoneinfo/Europe/Paris /etc/localtime

Adjust time skew

It is recommended to adjust the time skew, and set the time standard to UTC:

    # hwclock --systohc --utc


Enable locales

Edit /etc/locale.gen and uncomment:

    en_US.UTF-8 UTF-8
    fr_FR.UTF-8 UTF-8
    fr_FR ISO-8859-15
    fr_FR@euro ISO-8859-15

Generate locales

    # locale-gen

Setting up system-wide locale

Add your language to /etc/locale.conf.

Export current language for initramfs creation

We will be adding keymap to mkinitcpio.conf, therefore we need to export the LANG environment variable.

    # export LANG=fr_FR.UTF-8

Configure the network

If not using DHCP or network manager, please see wiki for rc.conf configuration.

Prepare initramfs and bootloader

Prepare the initramfs build

Add keymap to kernel for non-US keyboard on boot as well as keyboard for usb support on boot, encrypt and lvm2 for accessing our encrypted space.

Edit /etc/mkinitcpio.conf to add required hooks for encryption, keyboard and LVM.

    HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"

Also add the required video driver for early display setup. For example for integrated Intel graphic card:


Create an initial ramdisk environment

    # mkinitcpio -p linux

Configure the bootloader

Install GRUB2 to the SSD

    # grub-install --recheck /dev/sda

Add SSD TRIM and encryption support

We need to allow discards in grub even if we only use the fstrim utility instead of the discard mount option. Edit /etc/default/grub and change with:

Generate GRUB2 configuration

    # grub-mkconfig -o /boot/grub/grub.cfg

Some warnings will pop up, but that is OK. The next time you regenerate the GRUB configuration, the warnings should be gone.

Time to reboot into your freshly installed system

Unmount the partitions

If you are still in the chroot environment then type exit or Ctrl+D in order to exit chroot. Since the partitions are mounted under /mnt, we use the following command to unmount them.

    # exit
    # umount /mnt/boot
    # umount /mnt/home
    # umount /mnt


Execute the following command and remove the installation media.

    # reboot

Post Installation Steps

Start network

    # dhcpcd eth0

Setup swap space

One can place a swap partition on an SSD. Note that most modern desktops with an excess of 2 Gigs of memory rarely use swap at all. The notable exception is systems which make use of the hibernate feature.

Enable encrypted swap with random key but without suspend-to-disk support

It is very dangerous to use crypttab swap with /dev/sdx3 or even /dev/disk/by-id/ata-SERIAL-partX. A small change in your device names or partitioning layout and /etc/crypttab will see your valuable data formatted on the next boot. It is more reliable to identify the correct partition by giving it a UUID or LABEL. By default that does not work because dm-crypt and mkswap would simply overwrite any content on that partition; however, it is possible to specify an offset. This allows you to create a very small, empty, bogus filesystem (with no other purpose than providing a UUID or LABEL), which survives the swap encryptions.

Create a filesystem with label of your choice:

    # mkfs.ext2 -L cryptswap /dev/sda3 1M

The unusual parameter after the device name limits the filesystem size to 1 MiB.

    # blkid /dev/sda3

    /dev/sda3: LABEL="cryptswap" UUID="b72c384e-bd3c-49aa-b7a7-a28ea81a2605" TYPE="ext2"

With this, /dev/sda3 now can easily be identified either by UUID or LABEL, regardless of how its device name or even partition number might change in the future. All that’s left is the /etc/crypttab and /etc/fstab entries:


    # <name>       <device>         <password>              <options>
    cryptswap      LABEL=cryptswap  /dev/urandom            swap,offset=2048,cipher=aes-xts-plain64,size=512,hash=sha512

Note the offset: it’s 2048 sectors of 512 bytes, thus 1 MiB. This way the filesystem LABEL/UUID remains intact, and data alignment works out as well.

Why /dev/urandom and not /dev/random? The latter blocks until it has gathered enough entropy to continue; urandom doesn’t. So if you use random instead of urandom you might have to wait during boot until enough entropy is collected. (It does help to type on your keyboard and move the mouse.) Use /dev/random if you’re really paranoid.


    # <filesystem>         <dir>  <type>  <options>  <dump>  <pass>
    /dev/mapper/cryptswap  none   swap    defaults   0       0
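
The two rules above (identify the partition by LABEL or UUID, and keep an offset that covers the placeholder filesystem) can be checked mechanically. The script below is an added example, not part of the original guide; the function names and the sample crypttab are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit crypttab entries that
# create swap with a throw-away random key, using the rules from this section.

# audit_crypttab_line "LINE" [FS_BYTES]
#   FS_BYTES is the size of the placeholder filesystem that carries the
#   LABEL/UUID (1 MiB here, as in "mkfs.ext2 -L cryptswap /dev/sda3 1M").
#   Prints findings; returns 0 if the entry is safe or is not random-key swap.
audit_crypttab_line() {
    acl_fs_bytes=${2:-1048576}
    set -f                              # no globbing while splitting fields
    set -- $1                           # name, device, key file, options
    acl_name=$1 acl_dev=$2 acl_key=$3 acl_opts=$4

    acl_swap=0 acl_offset=
    acl_ifs=$IFS; IFS=,
    for acl_o in $acl_opts; do
        case $acl_o in
            swap)     acl_swap=1 ;;
            offset=*) acl_offset=${acl_o#offset=} ;;
        esac
    done
    IFS=$acl_ifs
    set +f

    # Only entries that are re-keyed and re-formatted at every boot are in scope.
    case $acl_key in
        /dev/urandom|/dev/random) ;;
        *) return 0 ;;
    esac
    [ "$acl_swap" -eq 1 ] || return 0

    acl_rc=0
    case $acl_dev in
        LABEL=*|UUID=*) ;;
        *)  echo "$acl_name: FAIL device '$acl_dev' is not LABEL=/UUID=; a renamed disk would be formatted as swap"
            acl_rc=1 ;;
    esac
    case $acl_offset in
        '') echo "$acl_name: FAIL no offset=; the swap area would overwrite the placeholder filesystem"
            acl_rc=1 ;;
        *[!0-9]*)
            echo "$acl_name: FAIL offset '$acl_offset' is not a sector count"
            acl_rc=1 ;;
        *)  # crypttab offsets are counted in 512-byte sectors
            if [ $(( $acl_offset * 512 )) -lt "$acl_fs_bytes" ]; then
                echo "$acl_name: FAIL offset=$acl_offset covers $(( $acl_offset * 512 )) bytes, placeholder needs $acl_fs_bytes"
                acl_rc=1
            fi ;;
    esac
    [ "$acl_rc" -eq 0 ] && echo "$acl_name: OK"
    return "$acl_rc"
}

# audit_crypttab < FILE : audit every entry; returns 1 if any entry fails.
audit_crypttab() {
    ac_rc=0
    while IFS= read -r ac_line || [ -n "$ac_line" ]; do
        ac_trim=${ac_line#"${ac_line%%[![:space:]]*}"}   # strip leading blanks
        case $ac_trim in
            ''|'#'*) continue ;;
        esac
        audit_crypttab_line "$ac_trim" || ac_rc=1
    done
    return "$ac_rc"
}

# Constructed sample: the first entry is the one from this page, the other
# two show the mistakes the section warns about.
sample_crypttab() {
    cat <<'EOF'
# <name>   <device>         <password>    <options>
cryptswap  LABEL=cryptswap  /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512,hash=sha512
swap_a     /dev/sda3        /dev/urandom  swap,cipher=aes-xts-plain64,size=512
swap_b     LABEL=cryptswap  /dev/urandom  swap,offset=1024,cipher=aes-xts-plain64,size=512
EOF
}

# On an installed system: audit_crypttab < /etc/crypttab
sample_crypttab | audit_crypttab || echo "crypttab has unsafe swap entries"
```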

Change swap space behavior

The following is a recommended tweak for SSDs using a swap partition: it reduces the “swappiness” of the system, thus avoiding writes to swap.





    # cat /proc/sys/vm/swappiness

Enable periodic TRIM operation

Since we haven’t enabled discards on mountpoints we need to perform trim operations on a regular basis.

The util-linux package (part of base and base-devel) provides fstrim.service and fstrim.timer systemd unit files. Enabling the timer will activate the service weekly, which will then trim all mounted filesystems on devices that support the discard operation. The timer relies on the timestamp of /var/lib/systemd/timers/stamp-fstrim.timer (which it will create upon first invocation) to know whether a week has elapsed since it last ran.

Therefore there is no need to worry about too frequent invocations, in an anacron-like fashion. It is also possible to query the unit’s activity and status using the standard journalctl and systemctl status commands:

    # journalctl -u fstrim
    # systemctl status fstrim

Change I/O scheduler for SSD

Both noop and deadline are recommended for SSD operation. We will stick to deadline for SSDs and CFQ for hard drives.

To do this, create and edit a file in /etc/udev/rules.d named something like ‘60-schedulers.rules’. In the file include the following:

    # set deadline scheduler for non-rotating disks
    ACTION=="add|change", KERNEL=="sd[a-z]", TEST!="queue/rotational", ATTR{queue/scheduler}="deadline"
    ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="deadline"

    # set cfq scheduler for rotating disks
    ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="cfq"

Of course, set deadline/cfq to the desired schedulers. Changes should occur upon next boot. To check success of the new rule:

    # cat /sys/block/sdX/queue/scheduler   #where X is the device in question

Note: Keep in mind cfq is the default scheduler, so the second rule with the standard kernel is not actually necessary. Also, in the example sixty is chosen because that is the number udev uses for its own persistent naming rules. Thus, it would seem that block devices are at this point able to be modified and this is a safe position for this particular rule. But the rule can be named anything so long as it ends in ‘.rules’. (Credit: falconindy and w0ng for posting on his blog)

Resolving NCQ errors

Some SSDs and SATA chipsets do not work properly with Linux Native Command Queueing (NCQ). The tell-tale dmesg errors look like this:

    [ 9.115544] ata9: exception Emask 0x0 SAct 0xf SErr 0x0 action 0x10 frozen
    [ 9.115550] ata9.00: failed command: READ FPDMA QUEUED
    [ 9.115556] ata9.00: cmd 6004:00:d4:82:8500:00:1f:00:00/40 tag 0 ncq 2048 in
    [ 9.115557] res 4000:18:d3:82:8500:00:1f:00:00/40 Emask 0x4 (timeout)

To disable NCQ on boot, add libata.force=noncq to the kernel command line in the bootloader configuration. To disable NCQ only for disk 0 on port 1 use:


Add default user

    # useradd -m -G wheel -s /bin/bash archie

Setup password for new user:

    # passwd archie


    # pacman -S sudo

Configure for a given user:

    # visudo

and add:

    archie   ALL=(ALL) ALL

Add additional repositories

Most people will want to use [core], [extra] and [community].


If you installed Arch Linux x86_64, it’s recommended that you enable the [multilib] repository, as well (to be able to run both 32 bit and 64 bit applications):

    Include = /etc/pacman.d/mirrorlist


Required for installing yaourt & virtualbox and many other packages

Add as root the following into /etc/pacman.conf (this is for a 64-bit installation) :

    SigLevel = Optional TrustAll
    Server =

Refresh software list with:

    # pacman -Syy

Package management with Yaourt rather than pacman

Add nice colors when browsing packages

    # pacman -S yaourt colordiff

!!! What happened for pacman-color ???

Search both the binary repositories and the AUR

    # yaourt mc

Complete update and upgrade, even for packages coming from AUR

    # yaourt -Syu --aur

Setup automatic microcode loading

For AMD processors the microcode updates are available in linux-firmware, which is installed as part of the base system. No further action is needed.

For Intel processors, install the intel-ucode package, and continue reading:

    # pacman -S intel-ucode

grub-mkconfig will automatically detect the microcode update and configure grub appropriately. After installing the intel-ucode package, users are directed to regenerate the grub config to activate loading the microcode update by running:

    # grub-mkconfig -o /boot/grub/grub.cfg

Install Xorg

Core Xorg install

    # pacman -S xorg-server xorg-xinit xorg-server-utils

—> 4 providers for libgl: 1) mesa-libgl 2) nvidia-304xx-libgl 3) nvidia-340xx-libgl 4) nvidia-libgl

2 providers for xf86-input-driver 1) xf86-input-evdev 2) xf86-input-libinput


The 3D utilities glxgears and glxinfo are included in the mesa package:

    # pacman -S mesa

Identify video driver

Then you need to install a suitable driver for your graphic card. You need to know its brand and model then consult main Archlinux wiki to see which driver better fits your needs. The output of the command:

    # lspci | grep VGA

should help you to identify your card.

For a complete list of open-source video drivers, search the package database:

    # pacman -Ss xf86-video | less

The following is for an Intel based graphic card.

    # pacman -S xf86-video-intel lib32-mesa-libgl

Keyboard & mouse

NEW **** NO DONE YET!!! Udev will detect your hardware and evdev will act as the hotplugging input driver for almost all devices. Udev is provided by systemd and xf86-input-evdev is required by xorg-server, so there is no need to explicitly install those packages. You should have 10-evdev.conf in the /usr/share/X11/xorg.conf.d/ directory, which manages keyboards, mice, touchpads and touchscreens. If evdev does not support your device, install the needed driver from the xorg-drivers group. Like evdev, libinput (xf86-input-libinput) is a driver which supports a wide array of hardware from all device categories. See the following pages for specific instructions, or the Fedora wiki entry for more examples.

Udev should be capable of detecting your hardware without problems. The evdev driver (xf86-input-evdev) is the modern hot-plugging input driver for almost all devices, so in most cases, installing input drivers is not needed.

Laptop users will also need the synaptics package to allow X to configure the touchpad:

    # pacman -S xf86-input-synaptics

The primary method of configuration for the touchpad is through an Xorg server configuration file. After installation of xf86-input-synaptics, a default configuration file is located at /usr/share/X11/xorg.conf.d/50-synaptics.conf. Users can copy this file to /etc/X11/xorg.conf.d/ and edit it to configure the various driver options available. Refer to the synaptics(4) manual page for a complete list of available options. Machine-specific options can be discovered using synclient.

The following lists options that many users may wish to configure. This example configuration file enables vertical, horizontal and circular scrolling as well as touchpad tap to click: /etc/X11/xorg.conf.d/50-synaptics.conf

    Section "InputClass"
        Identifier "touchpad"
        Driver "synaptics"
        MatchIsTouchpad "on"
        Option "TapButton1" "1"
        Option "TapButton2" "2"
        Option "TapButton3" "3"
        Option "VertEdgeScroll" "on"
        Option "VertTwoFingerScroll" "on"
        Option "HorizEdgeScroll" "on"
        Option "HorizTwoFingerScroll" "on"
        Option "CircularScrolling" "on"
        Option "CircScrollTrigger" "2"
        Option "EmulateTwoFingerMinZ" "40"
        Option "EmulateTwoFingerMinW" "8"
        Option "CoastingSpeed" "0"
        Option "FingerLow" "35"
        Option "FingerHigh" "40"
    EndSection


Set the keyboard layout (if you do not use a standard US keyboard). To change your keyboard layout, edit /etc/X11/xorg.conf.d/10-evdev.conf

and add a XkbLayout line so it looks like:

    Section "InputClass"
        Identifier "evdev keyboard catchall"
        MatchIsKeyboard "on"
        MatchDevicePath "/dev/input/event*"
        Option  "XkbLayout" "fr"
        Option  "XkbVariant" "latin9"
        Driver "evdev"
    EndSection

The XkbLayout key may differ from the keymap code you used with the loadkeys command. A list of many keyboard layouts and variants can be found in /usr/share/X11/xkb/rules/base.lst (after the line beginning with ! layout). For instance, the layout gb corresponds to “English (UK)”, whereas for the console it was loadkeys uk.

Test X

Install the default environment:

    # pacman -S xorg-twm xorg-xclock xterm

Start X

    # startx

Install fonts

At this point, you may wish to save time by installing visually pleasing, true type fonts, before installing a desktop environment/window manager. Dejavu and bitstream-vera are good, general-purpose font sets. You may also want to have the Microsoft font sets, which are especially popular on websites.

Install with:

    # pacman -S ttf-dejavu ttf-bitstream-vera
    # yaourt ttf-ms-fonts 

Allocine is missing one font that needs to be added manually!

Install Gnome

Base system

    # pacman -S gnome gnome-extra

Remove tracker to enable old-fashion search in nautilus/nemo.


GDM is part of gnome-extra.

To make GDM the default graphical login method for the system, use the packaged systemd service file, gdm.service. Simply run the following command once to bring up GDM on boot:

    # systemctl enable gdm

Starting GNOME manually

If you prefer to start GNOME manually from the console, add the following line to your ~/.xinitrc file:


    exec gnome-session

You can get a .xinitrc template from /etc/skel/.xinitrc

Enable Gnome NetworkManager

    # systemctl enable NetworkManager

GNOME tweak tool

This graphical tool customizes fonts, themes, titlebar buttons and other settings.

    # pacman -S gnome-tweak-tool


Configure sound

Install the alsa-utils package:

    # pacman -S alsa-utils

Also, you may want to install the alsa-oss package, which wraps applications written for OSS in a compatibility library, allowing them to work with ALSA. To install the alsa-oss package:

    # pacman -S alsa-oss

As normal, non-root user, invoke /usr/bin/alsamixer:

    # su - yourusername 
    # alsamixer

Unmute the Master and PCM channels by scrolling to them with cursor left/right and pressing M. Increase the volume levels with the cursor-up key. (70-90 Should be a safe range.) Some machines, (like the Thinkpad T61), have a Speaker channel which must be unmuted and adjusted as well. Leave alsamixer by pressing ESC.

Ensure your speakers are properly connected, and test your sound configuration as normal user using :

    # speaker-test -c 2

You should hear a very eloquent woman say, “Front, center.”

FOLLOWING… NOT SURE !!! Exit your normal user shell and run /usr/sbin/alsactl as root to save settings:

    # exit
    # alsactl store

Not sure about the following one… doesn’t save anything. This will create the file ‘/etc/asound.state’, saving the alsamixer settings.


    pcie_aspm=force ??? in GRUB LINE ??


# pacman -S guake

Guake autostart, add an entry to gnome-session


# pacman -S zsh grml-zsh-config
# yaourt oh-my-zsh-git

Change the default shell for the current user:

# chsh -s $(which zsh)

TO ADD !!!! Vim Powerline patched font. Many different ones on the AUR. Make sure terminal is using 256-colors mode with export TERM="xterm-256color".

Enable autologin

You can have GDM log directly into your session without prompting for any password (safe since the whole disk is encrypted).

Edit /etc/gdm/custom.conf

 # GDM configuration storage

Check if SSD TRIM is working

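    # sudo dmsetup table /dev/mapper/vgroup --showkeys

TRIM passes through the encrypted layer when the table line of the crypt target (the enc-lvm mapping opened earlier) lists allow_discards. Note that --showkeys prints the volume key in clear text; allow_discards is shown without it.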

Enable predictable network interface name

For motherboards that have integrated NICs, it is important to have fixed device name. Many configuration problems are caused by interface name changing.

Udev is responsible for which device gets which name. Systemd v197 introduced Predictable Network Interface Names, which automatically assigns static names to network devices. Interfaces are now prefixed with en (ethernet), wl (WLAN), or ww (WWAN) followed by an automatically generated identifier, creating an entry such as enp0s25.

This behavior may be disabled by adding a symlink:

# sudo ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules


# sudo pacman -S virtualbox virtualbox-guest-iso virtualbox-host-source linux-headers
# yaourt virtualbox-ext-oracle

virtualbox-modules can be used if not using custom kernel

Add the desired username to the vboxusers group. Everything may work fine without this step but shared folders and possibly some other optional stuff require it to work. The new group does not automatically apply to existing sessions; the user has to log in again.

# gpasswd -a username vboxusers

Load module on boot

Edit /etc/modules-load.d/virtualbox.conf and add:


Frequency scaling

Normally the CPU frequency driver should be loaded automatically.

For example for Intel:

# lsmod | grep acpi_cpufreq 

If not, to load the driver automatically at start-up, add a file specifying the appropriate driver to the /etc/modules-load.d/ directory. For example:


Install cpupower to monitor it:

# pacman -S cpupower

Change governor on boot


# Load cpufreq governors

cpupower includes a daemon which allows users to set the desired scaling governor and min/max clock speeds for all processor cores at boot-time.

Before starting the daemon, edit /etc/conf.d/cpupower as root, selecting the desired governor and setting the min/max speed for your CPU(s). Note: The exact min/max values of the CPU(s) can be determined by running cpupower frequency-info. However, these values are optional. Users may omit them entirely by deleting or commenting out the min/max_freq lines; scaling will work automatically.

With the appropriate configuration, start the daemon with the following command:

# systemctl start cpupower

To start the daemon automatically at startup:

# systemctl enable cpupower

threshold can be tweaked for better performance:


mplayer2, smplayer, vlc


# pacman -S gstreamer0.10-plugins


# pacman -S jre7-openjdk jre7-openjdk-headless icedtea-web-java7


# pacman -S flashplugin

Flash Player: Bad (choppy) sound on the 64-bit version

There is a problem with Flash plugin 11 on 64-bit systems and a new memcpy routine in glibc (for more details see this Fedora bug report), which makes the sound choppy on MP3 streams. Current workarounds are:

  • replacing the memcpy routine as suggested in this thread.
  • installing flashplugin-square from the AUR (this is a version of the Flash plugin with working hardware acceleration).


# pacman -S ntfs-3g ntfsprogs


# pacman -S gimp-devel
# pacman -S gimp-dbp gimp-plugin-gmic gimp-plugin-fblur gimp-plugin-lqr gimp-plugin-wavelet-decompose gimp-plugin-wavelet-denoise gimp-refocus gimp-ufraw

Yaourt for:

  • gimp-fix-ca (error)
  • gimp-plugin-image-reg (error)
  • *gimp-plugin-saveforweb
  • *gimp-plugin-separate+
  • *gimp-plugin-wavelet-sharpen
  • *gimp-resynth-heal-selection
  • *gimpfx-foundry

PDF reader

evince, mupdf, acroread

Firefox pdf

External PDF viewers

To use an external PDF viewer you need #MozPlugger or #kpartsplugin.

If you want to use MozPlugger with Evince, for example, you have to find the lines containing pdf in the /etc/mozpluggerrc file and modify the corresponding line after GV() as below:

    repeat noisy swallow(evince) fill: evince "$file"

(replace evince with something else if it is not your viewer of choice).

acroread + firefox

Be advised that the Firefox plugin cannot be used directly with this binary – it will not load in the 64-bit browser. To load it install the nspluginwrapper package from the official [multilib] repository and run:

$ nspluginwrapper -v -a -i

as a normal user. This checks the plugin directory and links the plugins as needed.


# pacman -S ntp
# systemctl enable ntpd

File change detection

Is it required? Installed by samba. No longer required by gnome or Nautilus.

# pacman -S gamin


mkdir ~/go
export GOPATH=~/go
go get


    ==> You may need to delete your local
    ==> ~/.mozilla/firefox//pluginreg.dat file for mozplugger to be
    ==> enabled correctly after you update it. (It will get regenerated).
    ==> To add more helpers, edit /etc/mozpluggerrc.
    ==> The window name can be obtained using the utility xprop(1x).
    ==> Type xprop WM_CLASS and click on a window.
    yaourt mozplu 4,88s user 1,68s system 3% cpu 3:25,71 total


cups cups-filters cups-pdf system-config-printer-gnome

sudo pacman -S foomatic-db foomatic-db-engine foomatic-db-nonfree foomatic-filters

  • explain PDF setup. To use cups-pdf, restart cups and visit the cups web interface at http://localhost:631/

You can now add a “Virtual Printer (PDF Printer)” and use the Postscript/Generic postscript color printer driver.

Note that cups-pdf has a configuration file in /etc/cups. The default location for pdf output is /var/spool/cups-pdf/$username.


Please make sure your user is a member of “plugdev” group if you use UPEK non-free library, and modify your PAM configuration (e.g., /etc/pam.d/{login,su,sudo,gdm}).

fingerprint-polkit-agent conflicts with files in /etc/xdg/autostart that must be removed: “polkit-gnome-authentication-agent-1.desktop” and “polkit-kde-authentication-agent-1.desktop”.

Add “debug” switch to fingerprint-gui, you can see the debug log in /var/log/auth.log

Refer to “Manual_en.html” and “CHANGELOG” for more information.

    Dépendances optionnelles pour fingerprint-gui
    libusb: for libbsapi
    yaourt fingerprint 134,43s user 10,13s system 53% cpu 4:31,06 total


  • kipi + require for video thumbnails? + gtk theme manager!!

Disable pc speaker sound

Create the file /etc/modprobe.d/blacklist.conf with the following content:

    blacklist pcspkr

This one line disables the atrocious, ear-splitting “beep” that sometimes comes out of the bowels of the machine; for a portable device, and thus a regular in classrooms, that behaviour is a nuisance.

Intel Audio


Create the file /etc/modprobe.d/snd_hda_intel.conf with the content:

options snd-hda-intel model=laptop
options snd_hda_intel power_save=1
options snd-hda-intel enable_msi=1

CK kernel

Add the repository to /etc/pacman.conf

    SigLevel = PackageRequired
    Server =$arch

Add graysky’s signing key

    # pacman-key -r 5EE46C4C
    # pacman-key --lsign-key 5EE46C4C

Update the pacman database (and, incidentally, get the tune stuck in your head; you’re welcome, it’s free)

    # pacman -Syy

Install the appropriate kernel (here optimized for an Intel Atom)

    # pacman -S linux-ck-corex linux-ck-corex-headers

If using SSD you might want to stick to deadline schedule as mentioned earlier.

If using an HDD you might want to use the CK bfq scheduler. Append “elevator=bfq” to the kernel boot line in /boot/grub/menu.lst if using grub, or in /etc/default/grub under the GRUB_CMDLINE_LINUX_DEFAULT="quiet" line, followed by rebuilding /boot/grub/grub.cfg via the standard “grub-mkconfig -o /boot/grub/grub.cfg” command.

Default application


xdg-open is a desktop-independent tool for configuring default applications.


Can stay in rc.conf Alternatively, you may remove the /etc/rc.conf file entirely and enable services in systemd (see wiki).

Kernel modules

Tip: Normally all needed modules are automatically loaded by udev, so you will rarely need to add something here. Only add modules that you know are missing.

Edit /etc/modules-load.d/ to configure kernel modules to load during boot in a static list. Each configuration file is named in the style of /etc/modules-load.d/.conf. The configuration files should simply contain a list of kernel module names to load, separated by newlines. Empty lines and lines whose first non-whitespace character is # or ; are ignored. Example:

/etc/modules-load.d/virtio-net.conf

    # Load virtio-net.ko at boot
    virtio-net

Browser Profiles

One can easily mount browser profile(s) such as chromium, firefox, opera, etc. into RAM via tmpfs and also use rsync to keep them synced with HDD-based backups. In addition to the obvious speed enhancements, users will also save read/write cycles on their SSD by doing so.

The AUR contains several packages to automate this process, for example profile-sync-daemon.

  • the underlying device must be aligned (if using partitions, be sure you have start of partition aligned, better use “fdisk -u” to calculate in sectors. If not sure, align to 1M or even 4M offset, this will always fit:-) (fdisk from latest util-linux-ng should support automatic alignment)

  • be sure that lvm2 PV metadata (data start) is always aligned (see pvcreate --dataalignment parameter) (latest lvm2 already have support for automatic data alignment if kernel exports proper alignment data)

  • for cryptsetup/LUKS - use "--align-payload" parameter (default is alignment to 4k boundary, not enough for SSD). Note that parameter is in 512 bytes sectors!

e.g. you want to align to 4MB boundary ( = 8192 * 512 bytes), use

cryptsetup luksFormat --align-payload=8192 …

verify with cryptsetup luksDump (see Payload offset)

(I usually set lvm2 extent size to 4MB and align LUKS the same, so the LUKS header takes exactly one extent.)

  • and finally, you should optimize FS above that device stack

(From the kernel point of view, there is no difference if you put lvm2 over LUKS or vice versa - both should work the same. Just configuration is different, I have some old slides describing activation of volumes here )

  • properly align partition (use sectors, not default: fdisk -u, or use parted)

  • align data on LUKS drive (e.g. cryptsetup luksFormat … --align-payload=8192 to align to 4MB)

  • pvcreate --dataalignment 4M to align PV to 4M offset, all LVs will be aligned automagically when created (option available in recent lvm2)


Add initial user

useradd -m -G users,audio,lp,optical,storage,video,wheel,power,network -s /bin/bash yourname

Next, add a password for your new user using

passwd yourname

Build mirrorlist

Build a mirrorlist using the rankmirrors script

/usr/bin/rankmirrors is a python script which will attempt to detect the mirrors which are closest to the installation machine based on the mirrors specified in /etc/pacman.d/mirrorlist. Faster mirrors will dramatically improve pacman performance, and the overall Arch Linux experience. This script may be run periodically, especially if the chosen mirrors provide inconsistent throughput and/or updates.

First, use pacman to install python & curl :

pacman -Sy python curl

cd to the /etc/pacman.d/ directory:

cd /etc/pacman.d

Backup the existing /etc/pacman.d/mirrorlist:

cp mirrorlist mirrorlist.backup

Edit mirrorlist.backup and uncomment all mirrors on the same continent or within geographical proximity to test with rankmirrors.

nano mirrorlist.backup

Run the script against the mirrorlist.backup with the -n switch and redirect output to a new /etc/pacman.d/mirrorlist file:

rankmirrors -n 6 mirrorlist.backup > mirrorlist

-n 6: rank the 6 fastest mirrors

After creating/editing /etc/pacman.d/mirrorlist, (manually or by /usr/bin/rankmirrors) issue the following command:

pacman -Syy

Install a logon manager

Install a graphical network manager

Disable default network manager

Edit /etc/rc.conf as root:

nano /etc/rc.conf

Disable (!) any devices in the INTERFACES array that you wish to manage with Wicd. For example:

INTERFACES=(!eth0 !wlan0)

#Static IP example
#eth0="eth0 netmask broadcast"
INTERFACES=(!eth0 !eth1)

# Routes to start at boot-up (in this order)
# Declare each route then list in ROUTES
#   - prefix an entry in ROUTES with a ! to disable it
gateway="default gw"

Option 1: wicd

If you don’t use OpenVPN, CiscoVPN or 3G broadband connection then wicd offers the best choice (fast, both GUI and CLI interface). When using the above modes it is recommended to use Gnome network manager

pacman -S wicd
pacman -S hicolor-icon-theme gksu python-notify

DO NOT INSTALL notification-daemon!!!

Now, add wicd to the DAEMONS array (hal before wicd). The DAEMONS array should now look something like this:

DAEMONS=(syslog-ng hal !network !dhcdbd !networkmanager wicd ...)

Disable (!) any other existing network management daemons in the DAEMONS array, including network, dhcdbd, and networkmanager. Note: wicd uses dbus but as we have with hal in DAEMONS array the Hal daemon will automatically start dbus for you.

Save and close.

the Unix group that dbus allows to access wicd is subject to change, and may be different than network. Check which policy group is specified in /etc/dbus-1/system.d/wicd.conf, and add your user to that group.

Lastly, reboot your PC. Note: There is no need to reboot your computer after installing and configuring wicd. Arch != Windows so there’s no need to reboot after installing some (trivial) stuff like wicd. Start /etc/rc.d/dbus (or hal) and /etc/rc.d/wicd. If you want your new group for a user to be active you can just logout and login.

How to bypass Gnome keyring for normal users connecting with wireless

It’s super simple! First, create a group called networkmanager with the following command (or any other method you prefer):

# groupadd networkmanager

Then add your user to that group using the following command (or any other preferred method):

# gpasswd -a username networkmanager

Replace username in the above command with your actual username.

Now, as root, launch nm-connection-editor and configure the connections:

# nm-connection-editor

Put a check mark next to “Available to all users” and apply the settings. Note: on gnome3 you can just click on Wireless settings, it will probably ask for password to run with root privileges.

Now you won’t be bothered by Gnome keyring! (citation needed) Also, if you additionally enable “connect automatically”, your connection will be available and connected before you even log in to your desktop, making your whole startup process even faster!

ADDED SLIM with autologin!

Modified /etc/slim.conf:

    login_cmd exec /bin/bash -login ~/.xinitrc %session
    auto_login yes

Modified .xinitrc:

    exec ck-launch-session dbus-launch gnome-session

for intel graphic cards edit /etc/mkinitcpio.conf


Backup keys

dmsetup table --showkeys

cryptsetup luksDump /dev/sda3 | grep "Payload offset"

Note Payload offset: 4040


dd if=/dev/sda3 of=./backup.img bs=512 count=4040

dmsetup info -c

How do I backup a LUKS header?

While you could just copy the appropriate number of bytes from the start of the LUKS partition, the best way is to use command option “luksHeaderBackup” of cryptsetup. This protects also against errors when non-standard parameters have been used in LUKS partition creation. Example:

     cryptsetup luksHeaderBackup --header-backup-file h /dev/mapper/c1
     cryptsetup luksHeaderBackup --header-backup-file h /dev/sda3

To restore, use the inverse command, i.e.

     cryptsetup luksHeaderRestore --header-backup-file h /dev/mapper/c1

LVM header backup

    vgcfgbackup -f x201-lvm vgroup
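The alignment notes earlier (--align-payload, verified through "Payload offset") and the raw dd header copy above both depend on the same luksDump field. The following is an added example, not part of the original guide: it reads that field from LUKS1 luksDump text and checks it against 4 KiB and 4 MiB boundaries. The sample dump is constructed around the page's value of 4040, the function names are hypothetical, and the LUKS1 dump layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): read "Payload offset" from
# LUKS1 `cryptsetup luksDump` text and check it against alignment boundaries.

SECTOR_BYTES=512   # luksDump and --align-payload both count 512-byte sectors

# Constructed sample dump; only the payload offset (4040) comes from the guide.
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4040
MK bits:        512'

# Print the payload offset (sectors) from a dump on stdin.
# Returns 1 if the field is absent or not a plain number.
payload_offset() {
    off=$(grep 'Payload offset' | head -n 1 | tr -d ' \t\r' | cut -d: -f2)
    case "$off" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$off"
}

# Convert an alignment boundary in bytes to the value for --align-payload.
align_sectors() {
    [ $(( $1 % SECTOR_BYTES )) -eq 0 ] || return 1
    echo $(( $1 / SECTOR_BYTES ))
}

# Succeed if offset (sectors) is a non-zero multiple of boundary (sectors).
is_aligned() {
    [ "$1" -gt 0 ] && [ $(( $1 % $2 )) -eq 0 ]
}

# Bytes in front of the payload: the area a raw dd header copy has to cover.
header_bytes() {
    echo $(( $1 * SECTOR_BYTES ))
}

# Report for one dump on stdin: offset, header area size, 4 KiB / 4 MiB alignment.
report() {
    off=$(payload_offset) || { echo "no Payload offset field (not a LUKS1 dump?)"; return 1; }
    echo "payload offset: $off sectors ($(header_bytes "$off") bytes of header area)"
    for bytes in 4096 $((4 * 1024 * 1024)); do
        b=$(align_sectors "$bytes")
        if is_aligned "$off" "$b"; then state="aligned"; else state="NOT aligned"; fi
        echo "  $bytes-byte boundary (--align-payload=$b): $state"
    done
}

printf '%s\n' "$SAMPLE_DUMP" | report
```

On a real system, pipe `cryptsetup luksDump /dev/sda3` into `report` instead of the sample text.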

Restore keys

If you have live mapping still, you are not lost completely yet. Do not reboot! First run “dmsetup table --showkeys” and “dmsetup info -c” and store the full mapping to some file.

If you see dm-crypt mapping there mapped to proper drive, you can still recreate LUKS header with some magic.

(If you have saved that dmsetup mapping, I’ll describe how to save your data - still depends how many of fs was overwritten.)

If you want help with that, paste here “dmsetup table” (without using --showkeys, we do not want see your master key:-). For recovery you will need to know that key, so be sure you have full table with key stored as written above.

(Table is created according to LUKS header which is lost, so after reboot you are lost completely. BTW Passphrase will not help here at all.)


dd if=./backup.img of=/dev/sda3 bs=512 count=4040
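The advice above is to store the full `dmsetup table --showkeys` mapping but never to paste it with the master key. The following is an added example, not part of the original guide: it summarises a saved table and produces a copy that is safe to share. The sample table is constructed (the key is a placeholder, the offset 4040 is the page's payload offset), the function names are hypothetical, and the dm-crypt line layout `[name:] start length crypt cipher key iv_offset device offset` is assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): handle a saved
# `dmsetup table --showkeys` dump without leaking the master key.

# Constructed sample: 64 hex digits "a" stand in for a 256-bit master key.
SAMPLE_KEY=$(printf '%064d' 0 | tr 0 a)
SAMPLE_TABLE="mylvm: 0 976764928 crypt aes-xts-plain64 $SAMPLE_KEY 0 8:3 4040
vgroup-root: 0 41943040 linear 254:0 2048"

# Copy the table from stdin to stdout with every hex dm-crypt key replaced by
# zeros of the same length (what `dmsetup table` shows without --showkeys).
redact_table() {
    awk '{
        t = 0
        for (i = 1; i <= NF; i++) if ($i == "crypt") { t = i; break }
        # Keyring references (":32:logon:...") hold no key material; leave them.
        if (t > 0 && NF >= t + 5 && $(t + 2) ~ /^[0-9A-Fa-f]+$/)
            gsub(/./, "0", $(t + 2))
        print
    }'
}

# Print "<name> <cipher> <key_bits> <device> <payload_offset>" per crypt mapping.
# The last value should match "Payload offset" from luksDump for a LUKS1 volume.
crypt_summary() {
    awk '{
        t = 0
        for (i = 1; i <= NF; i++) if ($i == "crypt") { t = i; break }
        if (t == 0 || NF < t + 5) next
        name = (t == 4) ? $1 : "-"
        sub(/:$/, "", name)
        bits = ($(t + 2) ~ /^[0-9A-Fa-f]+$/) ? length($(t + 2)) * 4 : "keyring"
        print name, $(t + 1), bits, $(t + 4), $(t + 5)
    }'
}

# Succeed (exit 0) if stdin still carries a non-zero hex key, i.e. the text
# must not be pasted anywhere.
has_key_material() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "crypt" && $(i + 2) ~ /^[0-9A-Fa-f]+$/ && $(i + 2) !~ /^0+$/)
                found = 1
    } END { exit(found ? 0 : 1) }'
}

printf '%s\n' "$SAMPLE_TABLE" | crypt_summary
printf '%s\n' "$SAMPLE_TABLE" | redact_table
```

Keep the unredacted file offline with the header backup; run `has_key_material` on anything about to be posted.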

Mount from recovery CD

    modprobe dm-crypt    # not required
    cryptsetup luksOpen /dev/sda3 mylvm
    vgscan
    vgchange -ay
    mkdir /mnt/oldroot
    mount /dev/mapper/vgroup-root /mnt/oldroot

fsck on lvm

fsck on lvm can be a bit tricky. As in the normal process, the partition needs to be unmounted, and we can boot using the rescue CD or in emergency mode. Normally, you run:

    fsck /dev/sda1

If the partition is lvm, you need to activate the lvm first like so:

    vgchange --ignorelockingfailure -ay
    lvscan --ignorelockingfailure    # this command should now work
    fsck /dev/volumegroup/lvname

If the logical volume contains a partition, you need to kpartx the lv.

LVM snapshot

    lvcreate -L 10g -s -n mysnapshot /dev/vgroup/root

Revert back to LVM snapshot

Reboot with the USB Archlinux key, then for the root partition:

    loadkeys fr
    cryptsetup luksOpen /dev/sda4 mylvm
    vgscan
    vgchange -ay
    lvconvert --merge /dev/vgroup/mysnapshot
    reboot

Then for non root:

    umount /home
    lvchange -an vgroup/home
    dmsetup status vgroup-snaphome
    lvchange -ay vgroup/home

Remove snapshot

    umount /dev/vgroup/mysnapshot
    lvremove /dev/vgroup/mysnapshot

Manual LUKS volume

    dd if=/dev/zero of=/bigsecret bs=1M count=10
    losetup /dev/loop0 /bigsecret
    cryptsetup luksFormat /dev/loop0
    # ===> cryptsetup luksFormat -c cast5-cbc-plain -s 128 -h sha256 /dev/$DEVICE
    cryptsetup luksOpen /dev/loop0 secret

FORMAT

    mkfs.ext2 /dev/mapper/secret

MOUNT

    mkdir /mnt/secret
    mount -t ext2 /dev/mapper/secret /mnt/secret

UMOUNT

    umount /mnt/secret
    cryptsetup luksClose secret
    losetup -d /dev/loop0 # free the loopdevice.

REMOUNT

    losetup /dev/loop0 /bigsecret
    cryptsetup luksOpen /dev/loop0 secret
    mount -t ext2 /dev/mapper/secret /mnt/secret

check if trim is enabled



power saving

nice example from postblue

Force ASPM powersave with a GRUB argument:

Insert pcie_aspm=force into the GRUB_CMDLINE_LINUX line of /etc/default/grub, then regenerate the GRUB2 configuration with grub-mkconfig -o /boot/grub/grub.cfg.

Change what systemd can control

Let systemd handle hardware events by editing the file /etc/systemd/logind.conf:

Enable governors

Create the file /etc/modules-load.d/cpufreq.conf to enable the CPU frequency control modules, with the following content. Here I use the acpi_cpufreq module, but choose the module that best suits your hardware:

# Load cpufreq driver
# Load cpufreq governors


/etc/udev/rules.d/50-powersave.rules

    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="/usr/bin/powersave true"
    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="/usr/bin/powersave false"
    KERNEL=="sr0", SUBSYSTEM=="block", ENV{POWER_SUPPLY_ONLINE}=="0", ENV{UDISKS_DISABLE_POLLING}="1"
    KERNEL=="sr0", SUBSYSTEM=="block", ENV{POWER_SUPPLY_ONLINE}=="1", ENV{UDISKS_DISABLE_POLLING}="0"



#!/bin/sh
case $1 in
    pre) /usr/bin/powersave false ;;
    post)
        if cat /sys/class/power_supply/ADP1/online | grep 0 > /dev/null 2>&1; then
            /usr/bin/powersave true
        else
            /usr/bin/powersave false
        fi
        ;;
esac
exit 0

Change execution flag

# chmod +x /usr/lib/systemd/system-sleep/

/usr/bin/powersave

    #!/bin/sh

    case "$1" in
        true)
            # Enable power saving settings on battery
            # bus
            for i in /sys/bus/*/devices/*/power/control; do echo auto > $i; done
            # usb autosuspend
            for i in /sys/bus/usb/devices/*/power/autosuspend; do echo 1 > $i; done
            for i in /sys/bus/usb/devices/*/power/control; do echo auto > $i; done
            # sata powersave
            for i in /sys/class/scsi_host/host*/link_power_management_policy; do echo min_power > $i; done
            # disk powersave
            #for dev in /dev/sd[a-z]; do hdparm -S 12 -B 200 -a 2048 $dev; done
            # nmi_watchdog
            echo 0 > /proc/sys/kernel/nmi_watchdog
            # cpu
            for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do echo powersave > $i; done
            #echo 1 > /sys/devices/system/cpu/sched_smt_power_savings
            #echo 1 > /sys/devices/system/cpu/sched_mc_power_savings
            #echo 80 > /sys/devices/system/cpu/cpufreq/conservative/up_threshold
            #echo 40 > /sys/devices/system/cpu/cpufreq/conservative/down_threshold
            #echo 20000 > /sys/devices/system/cpu/cpufreq/conservative/sampling_rate
            #echo 1 > /sys/devices/system/cpu/cpufreq/conservative/sampling_down_factor
            #echo 20 > /sys/devices/system/cpu/cpufreq/conservative/freq_step
            # aspm
            echo powersave > /sys/module/pcie_aspm/parameters/policy
            # kernel write mode
            echo 5 > /proc/sys/vm/laptop_mode
            echo 90 > /proc/sys/vm/dirty_ratio
            echo 1 > /proc/sys/vm/dirty_background_ratio
            echo 1500 > /proc/sys/vm/dirty_expire_centisecs
            echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
            # sound card powersave
            echo 1 > /sys/module/snd_hda_intel/parameters/power_save
            echo Y > /sys/module/snd_hda_intel/parameters/power_save_controller
            #echo 1 > sys/module/snd_ac97_codec/parameters/power_save
            # wlan0/eth0 powersave
            iwconfig wlan0 power on
            ethtool -s eth0 wol d
            # i915
            echo 1 > /sys/module/i915/parameters/i915_enable_rc6
            echo 1 > /sys/module/i915/parameters/i915_enable_fbc
            echo 1 > /sys/module/i915/parameters/powersave
            echo 1 > /sys/module/i915/parameters/semaphores
            echo 1 > /sys/module/i915/parameters/lvds_downclock
            ;;
        false)
            # Return to default on AC power
            # bus
            for i in /sys/bus/*/devices/*/power/control; do echo on > $i; done
            # usb autosuspend
            for i in /sys/bus/usb/devices/*/power/autosuspend; do echo 0 > $i; done
            for i in /sys/bus/usb/devices/*/power/control; do echo on > $i; done
            # sata powersave
            for i in /sys/class/scsi_host/host*/link_power_management_policy; do echo max_performance > $i; done
            # disk powersave rotational only
            #for dev in /dev/sd[a-z]; do hdparm -S 120 -B 255 -a 128 $dev; done
            # nmi_watchdog
            echo 1 > /proc/sys/kernel/nmi_watchdog
            # cpu
            for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do echo performance > $i; done
            #echo 0 > /sys/devices/system/cpu/sched_smt_power_savings
            #echo 0 > /sys/devices/system/cpu/sched_mc_power_savings
            # aspm
            echo performance > /sys/module/pcie_aspm/parameters/policy
            # kernel write mode
            echo 0 > /proc/sys/vm/laptop_mode
            echo 10 > /proc/sys/vm/dirty_ratio
            echo 5 > /proc/sys/vm/dirty_background_ratio
            echo 500 > /proc/sys/vm/dirty_expire_centisecs
            echo 500 > /proc/sys/vm/dirty_writeback_centisecs
            # sound card powersave
            echo 0 > /sys/module/snd_hda_intel/parameters/power_save
            echo Y > /sys/module/snd_hda_intel/parameters/power_save_controller
            #echo 0 > sys/module/snd_ac97_codec/parameters/power_save
            # wlan0/eth0 powersave
            iwconfig wlan0 power off
            ethtool -s eth0 wol d
            # i915
            echo 0 > /sys/module/i915/parameters/i915_enable_rc6
            echo 0 > /sys/module/i915/parameters/i915_enable_fbc
            echo 0 > /sys/module/i915/parameters/powersave
            echo 0 > /sys/module/i915/parameters/semaphores
            echo 0 > /sys/module/i915/parameters/lvds_downclock
            ;;
    esac
    exit 0

chmod +x /usr/bin/powersave

disabled for now

    echo 1 > /sys/module/snd_hda_intel/parameters/power_save
    echo Y > /sys/module/snd_hda_intel/parameters/power_save_controller
    #echo 1 > sys/module/snd_ac97_codec/parameters/power_save

xdg-user-dirs uses a configuration file located at ~/.config/user-dirs.dirs. Its format is as follows:

## Localized folders

# This file is written by xdg-user-dirs-update
# If you want to change or add directories, just edit the line you're
# interested in. All local changes will be retained on the next run
# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
# absolute path. No other format is supported.

Remove or rename the one you like/don’t like and also delete the folders from the drives for the one you no longer want.

Remove guake title

# gconf-editor


Fix Nautilus sort

Create/Edit ~/.gnomerc

and add

#export LC_COLLATE=C  That was the original post

replaced by

#export LC_COLLATE="fr_FR.UTF-8"

IMPORTANT NOTE: You must make the ‘.gnomerc’ file executable before restarting your computer. You can use a command like

chmod 755 .gnomerc or chmod 700 .gnomerc

In the end I got it working with: /etc/locale.conf


and adding/modifying the following in ~/.zshrc.local

export LC_ALL="fr_FR.UTF-8"
#export LC_COLLATE="C"
export LC_COLLATE="fr_FR.UTF-8"


# systemctl enable cups.service


PDF virtual printer

CUPS-PDF is a nice package that allows one to setup a virtual printer that will generate a PDF from anything sent to it. Obviously this package is not necessary, but it can be quite useful.

Find generated PDF documents in a sub-directory located at /var/spool/cups-pdf. Normally, the subdirectory is named after the user who performed the job. A little tweak helps you to find your printed PDF documents more easily. Edit /etc/cups/cups-pdf.conf by changing the line

#Out /var/spool/cups-pdf/${USER}


Out /home/${USER}

This package can be installed by the following command: 

pacman -S cups-pdf

After installing the package, set it up as if it were for any other printer by using the web interface. For the Device, select CUPS-PDF (Virtual PDF Printer); Make/Manufacturer, choose Generic; Model/Driver, select Generic postscript color printer or Generic Cups-PDF Printer.

Quality sucks!


Not enabled by default

# systemctl enable cronie.service


Since version 38, systemd has its own logging system, the journal. Therefore, running a syslog daemon is no longer required. To read the log, use:

# journalctl

By default (when Storage= is set to auto in /etc/systemd/journald.conf), the journal writes to /var/log/journal/. If the directory /var/log/journal/ does not exist (e.g. if you or some program delete it), systemd will not create it automatically, but instead write its logs to /run/systemd/journal. This means that logs will be lost on reboot.

On default installation it appears to be using /var/log/journal

Disable IPV6

Adding ipv6.disable=1 to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See Kernel parameters for more information.

Cryptostick & Gnome

  • Disabled gnome-keyring in gnome-session-properties

  • disable gpg-agent in ~/.gnupg.conf

  • create /etc/profile.d/


    envfile="${HOME}/.gnupg/gpg-agent.env"
    if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
        eval "$(cat "$envfile")"
    else
        eval "$(gpg-agent --daemon --write-env-file "$envfile")"
        eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
    fi
    export GPG_AGENT_INFO # the env file does not contain the export statement

chmod +x /etc/profile.d/

  • create /etc/udev/rules.d/40-cryptostick.rules

    # do not edit this file, it will be overwritten on update

    SUBSYSTEM!="usb", GOTO="cryptostick_rules_end"
    ACTION!="add", GOTO="cryptostick_rules_end"

    ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"

    # target of the two GOTO lines above
    LABEL="cryptostick_rules_end"


    sudo lvcreate -L 2g -s -n home-snapshot /dev/vgroup/home
    sudo lvcreate -L 2g -s -n root-snapshot /dev/vgroup/root
    sudo cp /boot/vmlinuz-linux /boot/vmlinuz-linux-PREVIOUS
    sudo cp /boot/vmlinuz-linux-ck /boot/vmlinuz-linux-ck-PREVIOUS
    sudo cp /boot/initramfs-linux.img /boot/initramfs-linux-PREVIOUS.img
    sudo cp /boot/initramfs-linux-ck.img /boot/initramfs-linux-ck-PREVIOUS.img

If everything is ok, remove snapshots:

    sudo lvremove /dev/vgroup/root-snapshot
    sudo lvremove /dev/vgroup/home-snapshot

issues with i915

removed

    echo 0 > /sys/module/i915/parameters/i915_enable_rc6
    echo 0 > /sys/module/i915/parameters/i915_enable_fbc
    echo 0 > /sys/module/i915/parameters/powersave

from /usr/bin/powersave

Added i915 in /etc/mkinitcpio.conf

Created /etc/modprobe.d/i915.conf

    options i915 i915_enable_rc6=1
    options i915 i915_enable_fbc=1
    options i915 lvds_downclock=1

Removed from grub default

Apparently, if i915 is in mkinitcpio.conf then it can no longer be written afterwards, only via i915.conf (to be investigated).

in case of duplicate vgroup, rename

vgs -v

vgrename UUID new-vgroup-name

prezto powerline-fonts-git

Il y a 2 fournisseurs disponibles pour phonon-qt4-backend : :: Dépôt extra 1) phonon-qt4-gstreamer 2) phonon-qt4-vlc

I took gstreamer !
:: Il y a 2 fournisseurs disponibles pour phonon-qt5-backend : :: Dépôt extra 1) phonon-qt5-gstreamer 2) phonon-qt5-vlc

alsa oss acpi gnochm didn’t work gtk-engine gtk-theme

glance already installed (nice monitoring tool)

pkgcleaner instead of cachecleaner

needed ? extra/gstreamer-vaapi 0.7.0-1 GStreamer Multimedia Framework VA Plugins 8 extra/gstreamer0.10-bad 0.10.23-12 GStreamer Multimedia Framework Bad Plugin libraries (gst-plugins-bad) 9 extra/gstreamer0.10-bad-plugins 0.10.23-12 (gstreamer0.10-plugins) GStreamer Multimedia Framework Bad Plugins (gst-plugins-bad) 10 extra/gstreamer0.10-base-plugins 0.10.36-3 (gstreamer0.10-plugins) GStreamer Multimedia Framework Base Plugins (gst-plugins-base) 11 extra/gstreamer0.10-good-plugins 0.10.31-10 (gstreamer0.10-plugins) GStreamer Multimedia Framework Good Plugins (gst-plugins-good) 12 extra/gstreamer0.10-ugly-plugins 0.10.19-16 (gstreamer0.10-plugins) GStreamer Multimedia Framework Ugly Plugins (gst-plugins-ugly)

i2p dep? pm-quirks pm-utils

==> You may need to delete your local ==> ~/.mozilla/firefox//pluginreg.dat file for mozplugger to be ==> enabled correctly after you update it. (It will get regenerated). ==> To add more helpers, edit /etc/mozpluggerrc. ==> The window name can be obtained using the utility xprop(1x). ==> Type xprop WM_CLASS and click on a window.

nemo ? rabbitvcs nemo

enable ntp!!

zim bzr: Version Control plugin [installé] git: Version Control plugin [installé] mercurial: Version Control plugin [installé] gnuplot: Insert Gnuplot plugin ditaa: Insert Ditaa plugin graphviz: Insert Diagram & Link Map plugins [installé] python2-gtkspell: Spell Checker plugin r: Insert GNU R Plot plugin scrot: Insert Screenshot plugin libzeitgeist: Log events with Zeitgeist plugin [installé] lilypond: Insert Score plugin texlive-bin: Insert Equation plugin [installé]






Installation: ==> Add theme to your /etc/default/grub: GRUB_THEME=“/boot/grub/themes/Archlinux/theme.txt” ==> Preferred resolution 1024x768: GRUB_GFXMODE=1024x768 ==> Update grub:# grub-mkconfig -o /boot/grub/grub.cfg

macchanger on boot

/etc/systemd/system/macspoof@.service

    [Unit]
    Description=macchanger on %I
    Before=NetworkManager.service
    After=sys-subsystem-net-devices-%I.device

    [Service]
    ExecStart=/usr/bin/macchanger -r %I
    Type=oneshot

    # needed for "systemctl enable" below
    [Install]
    WantedBy=multi-user.target


Then enable for each network interface.

    systemctl enable macspoof@

    sudo systemctl enable macspoof@enp0s25
    sudo systemctl enable macspoof@wlp3s0

dns cache + dns encrypt

pacman -S dnsmasq dnscrypt-proxy

/etc/dnsmasq.conf

    no-resolv
    server=
    listen-address=
    proxy-dnssec
    domain-needed
    bogus-priv
    dns-forward-max=150
    cache-size=1000
    no-negcache

Restart dnsmasq.service to apply the changes.

Enable on boot: systemctl enable dnsmasq.service

/etc/NetworkManager/NetworkManager.conf

    [main]
    plugins=keyfile
    dhcp=dhclient
    dns=default
    #dns=dnsmasq

    ## Set static hostname

    ## HTTP-based connectivity check

Then launch: # systemctl edit dnscrypt-proxy.socket


Then restart dnscrypt-proxy.socket and stop dnscrypt-proxy.service if already running to let it be started by the .socket unit.

Enable on boot:

    systemctl enable dnscrypt-proxy.socket 

Create and lock down /etc/resolv.conf:

    echo "nameserver" > /etc/resolv.conf
    chattr +i /etc/resolv.conf

Script to enable dnscrypt & auto

~/

    #!/bin/sh
    sudo systemctl stop NetworkManager.service
    sleep 1
    sudo nmcli networking off
    sleep 1
    sudo chattr -i /etc/resolv.conf
    sudo rm /etc/resolv.conf
    sudo systemctl start NetworkManager.service
    sleep 1
    sudo nmcli networking on
    sleep 1

Then change mode: chmod +x

    #!/bin/sh
    sudo systemctl stop NetworkManager.service
    sleep 1
    sudo nmcli networking off
    sleep 1
    sudo chattr -i /etc/resolv.conf
    sudo sh -c "echo nameserver > /etc/resolv.conf"
    sudo chattr +i /etc/resolv.conf
    sudo systemctl start NetworkManager.service
    sleep 1
    sudo nmcli networking on

Then change mode: chmod +x

to make sure resolv.conf is the right one on boot (and also locked down):

/etc/systemd/system/dnscrypt-reset.service

    [Unit]
    Description=Reset /etc/resolv.conf and lock it
    After=NetworkManager.service



Enable on boot:

    systemctl enable dnscrypt-reset.service 

Change default server

    systemctl edit dnscrypt-proxy.service --full


Note: Including DNSSEC checking significantly increases DNS lookup times for initial lookups. Once an address is cached locally, then the lookup is virtually instantaneous. You can now test if DNSSEC is working, using drill in ldns (installed as dependency):

    drill # should return rcode: SERVFAIL
    drill # should return rcode: NOERROR

trim test

This is just a script I would like to share if some lazy person comes here. It was made out of the accepted answer from frostschutz.

    #!/bin/bash
    # This script is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
    # License GPL2
    # by desgua 2014/04/29

    # Remove the temporary test file and leave.
    function CLEAN {
            cd "$pasta"
            [ -f test-trim-by-desgua ] && rm test-trim-by-desgua && echo "Temp file removed"
            echo "Goodbye"
            exit 0
    }

    trap 'echo ; echo "Aborted." ; CLEAN; echo ; exit 0' INT HUP

    if [[ "$(echo $USER)" != "root" ]]; then

    read -n 1 -p 'Become root? [Y/n]' a
        if [[ $a == "y" || $a == "" ]]; then
            sudo $0 $1
            exit 0
        else
            echo "
            This script needs root privilege.
            "
            exit 1
        fi

    fi

    name=$(echo $0 | sed 's/.*\///')
    if [ $# -ne 1 ]; then

    echo "
    Usage: $name /folder/to/test/
    "
    exit 1
    fi

    # Folder to test (first argument)
    pasta=$1

    read -n 1 -p 'Use fstrim? [y/N]' a
    if [[ $a == "y" ]]; then
        fs=1
    fi

    while [[ "$method" != "1" && "$method" != "2" ]]; do
    read -n 1 -s -p 'Choose a method:
    [1] hdparm (will fail in LUKS on LVM)
    [2] filefrag (warning: you may have to force quit - close the terminal - in some cases of success trim if you see an output that never ends) 
    ' method
    done

    function SDATEST {
    disk=$(fdisk -l | grep /dev/sda)
    if [ "$disk" == "" ]; then
    echo "
    fdisk did not found /dev/sda 
    "
    exit 1
    fi
    }

    # Method 1: locate the file's first LBA with hdparm and read the raw sector back.
    function TEST {
    echo "Entrying /" ; echo
    cd $pasta
    echo "Creating the file test-trim-by-desgua at $pasta" ; echo
    dd if=/dev/urandom of=test-trim-by-desgua count=10 bs=512k
    echo "Syncing and sleeping 2 seconds." ; echo
    sync
    sleep 2

    hdparm --fibmap test-trim-by-desgua
    lbab=$(hdparm --fibmap test-trim-by-desgua | tail -n1 | awk '{ print $2 }')

    echo "As you can see, the file was created and its LBA begins at $lbab" ; echo

    echo "Syncing and sleeping 2 seconds." ; echo
    sync
    sleep 2

    echo "Removing file test-trim-by-desgua" ; echo 
    rm test-trim-by-desgua

    trap 'echo ; echo ; echo "Aborted." ; echo ; exit 0' INT
    echo "Syncing and sleeping 2 seconds." ; echo
    sync
    sleep 2

    if [[ "$fs" == "1" ]]; then 
        echo "fstrim $pasta && sleep 2" ; echo
        fstrim $pasta
        sleep 2
    fi

    echo "This is readed from sector $lbab: "
    hdparm --read-sector $lbab /dev/sda

    pass=$(hdparm --read-sector $lbab /dev/sda | grep "0000 0000 0000 0000")

    if [[ $pass == "" ]]; then
        echo "
    Trim failed... 
    You should see only 0000 0000 0000 0000 ...
    "
    else
        echo "Success!!!"
    fi
    exit 0
    }

    # Method 2: write a known "y" pattern, find it on the block device, check it is gone after trim.
    function LUKSTEST {
    # Reference:
    echo 1 > /proc/sys/vm/drop_caches
    cd $pasta
    echo "Creating a \"yes\" file."
    yes | dd iflag=fullblock bs=1M count=1 of=test-trim-by-desgua

    #position=`filefrag -s -v test-trim-by-desgua | grep "eof" | awk '{ print $3 }'`
    position=`filefrag -s -v test-trim-by-desgua | grep "eof" | sed 's| ||g ; s|.*255:|| ; s|\.\..*||'`
    [[ "$position" == "" ]] && echo "Could not find the position of the file. Are you on a LUKS on LVM?" && CLEAN;

    device=`df test-trim-by-desgua | grep "dev/" | awk '{ print $1 }'`

    yes=`dd bs=4096 skip=$position count=256 if=$device | hexdump -C`

    echo "In the next line you should see a pattern like: 
    00000000  79 0a 79 0a 79 0a 79 0a  79 0a 79 0a 79 0a 79 0a  |y.y.y.y.y.y.y.y.|
    "

    if [[ "$(echo "$yes" | grep "y.y.y")" == "" ]]; then 
        echo "The pattern could not be checked. Something went wrong. Exiting."
        CLEAN;
    else
        echo "Pattern confirmed."
    fi

    echo "Removing the temp file." 
    rm test-trim-by-desgua

    echo "Syncing."
    sync
    sleep 1

    if [[ "$fs" == "1" ]]; then 
        echo "fstrim -v $pasta && sleep 2" ; echo
        fstrim -v $pasta
        sleep 2
    fi

    # Drop cache
    echo 1 > /proc/sys/vm/drop_caches

    echo "In the next line you should NOT see a yes pattern like: 
    00000000  79 0a 79 0a 79 0a 79 0a  79 0a 79 0a 79 0a 79 0a  |y.y.y.y.y.y.y.y.| 
    If you see, then trim is not working:
    `dd bs=4096 skip=$position count=256 if=$device | hexdump -C`"

    yes=`dd bs=4096 skip=$position count=256 if=$device | hexdump -C`
    if [[ "$(echo "$yes" | grep "y.y.y")" != "" ]]; then 
        echo "TRIM not working."
    else
        echo "TRIM is working!"
    fi
    CLEAN;
    }

    if [[ "$method" == "1" ]]; then
        SDATEST
        TEST
    elif [[ "$method" == "2" ]]; then
        LUKSTEST
    fi
    exit 0

prezto only (no grml or ohmyzsh) not via yaourt, only git

Launch Zsh: zsh

Clone the repository: git clone --recursive "${ZDOTDIR:-$HOME}/.zprezto"

Create a new Zsh configuration by copying the Zsh configuration files provided:

    setopt EXTENDED_GLOB
    for rcfile in "${ZDOTDIR:-$HOME}"/.zprezto/runcoms/^; do
      ln -s "$rcfile" "${ZDOTDIR:-$HOME}/.${rcfile:t}"
    done


Pull the latest changes and update submodules.

git pull && git submodule update --init --recursive

Paste my .zshrc and .zpreztorc examples!!

cursors !!!

ssh keychain for .zshrc but also

eval $(keychain --eval --nogui --quiet id_ed25519-nopass id_rsa_key-nopass) &

in .delayed_apps for the keys without password

issues with CUPS

issue with package keys

    pacman-key --refresh-keys
