Installing Arch with Full-Disk Encryption on a Dell XPS 15 7590

This is a quick rundown of how I installed Arch with full-disk encryption on a Dell XPS 15 7590.

Specs

The XPS 15 7590 comes in many possible configurations. Here’s the one I used:

Component    Selected Option
Processor    Intel i7-9750H
Memory       16GB DDR4-2666MHz
Graphics     Nvidia GTX 1650 4GB
Storage      2TB M.2 PCIe NVMe SSD
WiFi         Killer Wireless 1650X
Screen       4K UHD (3840 x 2160) Touch IPS

Everything works out of the box except for the fingerprint reader. To be fair, Dell doesn’t even support its fingerprint readers on the “developer edition” XPS 13 that comes with Ubuntu factory-installed.

BIOS Settings

Arch—along with any other mainstream Linux distro I’m aware of—will not be able to recognize your hard drive using the factory BIOS settings. You need to go into the BIOS menu (by pressing F2 at the boot screen) and enable AHCI mode instead of RAID.

I also chose to disable Secure Boot. It’s entirely possible to use Secure Boot with Arch but I’m not convinced that the security benefits outweigh the inconvenience. Your mileage may vary. The rest of this guide will assume that Secure Boot is disabled.

Having made those changes, you’re now ready to boot from the Arch ISO. Press F12 at the boot screen to show the boot menu and choose the USB drive or CD that contains the Arch installation image.

Setting a Larger Console Font

You encounter your first problem the moment you boot the Arch installer: the text is microscopic. The very first thing we’ll do is install and enable a larger console font so we can actually see what we’re doing.

You need a network connection to install the larger font. If you have an ethernet connection—perhaps through a USB dongle—you can skip this step. If you need to connect using wifi, get out your magnifying glass and type:

wifi-menu

Then follow the prompts to connect to a wireless network. You can verify that your connection is active and working by typing:

ping -c2 archlinux.org

Install the font:

pacman -Sy terminus-font

And use it in the installer by running:

setfont /usr/share/kbd/consolefonts/ter-132n.psf.gz

The setfont command only changes the font for the current session. If you restart the installation for any reason, you’ll need to do this again.

System Clock

Update the system clock by running:

timedatectl set-ntp true

Partitioning

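We’re going to create three partitions on the physical drive: one for /boot, one for /boot/efi, and one for the encrypted LVM. Then, we’ll create a volume group for the encrypted root, home, and swap partitions. Note that /boot and /boot/efi stay unencrypted in this layout, so the kernel, initramfs and boot loader sit on disk in plaintext.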

Start the disk partitioner:

cgdisk /dev/nvme0n1

Use the menu options and prompts in cgdisk to create the following partitioning scheme:

Size           Hex Code    Label
512MiB         ef00        efi
512MiB         8300        boot
(remainder)    8300        lvm

Write your changes to disk.

Next, format the efi and boot partitions:

mkfs.fat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2

And encrypt the LVM partition:

cryptsetup luksFormat /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 luks

The next step is to create the volume group and partitions on the encrypted LVM partition:

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate -L 32G -n root vg0
lvcreate -L 20G -n swap vg0
lvcreate -l 100%FREE -n home vg0

Format the partitions:

mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-home
mkswap /dev/mapper/vg0-swap

And mount your new filesystem:

mount /dev/mapper/vg0-root /mnt
mkdir -p /mnt/{boot,home}
mount /dev/mapper/vg0-home /mnt/home
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi
swapon /dev/mapper/vg0-swap
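
To confirm the layout above before installing onto it, the following added example (not part of the original guide) reads `lsblk -P` output and reports, for each mounted filesystem, whether a dm-crypt layer sits anywhere beneath it. The sample input is constructed to match this guide's partition and volume names; the function name is hypothetical.

```sh
#!/bin/sh
# Added example: report which mounted filesystems sit on top of a dm-crypt mapping.
# Real use: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | audit_encryption

audit_encryption() {
  awk '
    # Return the value of KEY="value" from the current lsblk -P record.
    function val(key,   s) {
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    { k = val("KNAME"); order[++n] = k
      parent[k] = val("PKNAME"); kind[k] = val("TYPE"); mnt[k] = val("MOUNTPOINT") }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (mnt[k] == "") continue
        state = "plaintext"
        # Walk up the device stack looking for a crypt layer.
        for (d = k; d != ""; d = parent[d])
          if (kind[d] == "crypt") { state = "encrypted"; break }
        print state, mnt[k]
      }
    }'
}

# Constructed lsblk output for the layout in this guide (not captured from a real machine).
sample_lsblk() {
  cat <<'EOF'
KNAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/mnt/boot/efi"
KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/mnt/boot"
KNAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/mnt"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/mnt/home"
EOF
}

sample_lsblk | audit_encryption
```

With this layout only /mnt/boot and /mnt/boot/efi come back as plaintext; root, home and swap are all behind the LUKS mapping.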

Installing the Base System

Now that you’ve created the filesystem, you have a target you can install the base Arch system onto. Resist the urge to install anything more than the base system at this stage, as additional packages may depend on settings we haven’t configured yet. For example, if you try to install Gnome before you configure your locale, much of the text in Gnome’s UI won’t display properly. (Not that I’d know anything about that from experience, of course. 😉)

pacstrap -i /mnt base base-devel linux linux-firmware git intel-ucode lvm2 vim

Generate an fstab config file, which controls how our filesystem is mounted on boot:

genfstab -pU /mnt >> /mnt/etc/fstab

Now we can log into our newly installed copy of Arch:

arch-chroot /mnt /bin/bash

Basic System Configuration

Set the timezone. I’m using Los Angeles time, but you should choose whichever file in /usr/share/zoneinfo matches your local timezone:

ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

Now set the hardware clock mode to UTC:

hwclock --systohc --utc

Use vim to uncomment your locale’s name:

vim /etc/locale.gen

In my case, my locale is en_US.UTF-8. Generate the locale and select it by doing the following, substituting in your own locale as needed:

locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
export LANG=en_US.UTF-8

User Account

Create a user:

useradd -m -g users -G wheel -s /bin/bash liv
passwd liv

And grant users in the wheel group (like the one you just created) the ability to use the sudo command. You’ll need to uncomment the line %wheel ALL=(ALL) ALL:

visudo

Networking

Install and enable Network Manager:

pacman -S networkmanager
systemctl enable NetworkManager

Set your hostname:

echo xps15 > /etc/hostname
echo "127.0.0.1    xps15" >> /etc/hosts
echo "::1          xps15" >> /etc/hosts
echo "127.0.1.1    xps15.localdomain xps15" >> /etc/hosts

Boot Loader

First, we need to edit our mkinitcpio hooks so that we can decrypt and mount the encrypted partition Arch is installed on. Edit the config file with:

vim /etc/mkinitcpio.conf

And edit the HOOKS section so that it looks like this, with encrypt ahead of lvm2 because the volume group lives inside the LUKS container:

HOOKS=(base udev autodetect consolefont keyboard keymap modconf block encrypt lvm2 filesystems fsck)

Then build the initramfs image:

mkinitcpio -p linux

Now set up the Grub boot loader:

pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB

As with mkinitcpio, you need to make some edits related to the encrypted filesystem. You should also consider hiding the Grub menu by default, since showing it increases boot times. You can always enter the Grub menu by holding down the Shift key while your laptop is booting.

Edit the Grub config by doing:

vim /etc/default/grub

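And edit the values in that file to match the values here. The allow-discards option passes TRIM requests through the encrypted mapping, which is good for the SSD but lets anyone who can read the raw disk see which blocks are unused; leave it off if that matters to you: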

GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks:allow-discards"
GRUB_TIMEOUT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_CMDLINE_LINUX_DEFAULT="quiet"

Build the full Grub config file:

grub-mkconfig -o /boot/grub/grub.cfg
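
A mistake in either the mkinitcpio hooks or the kernel command line only shows up as an unbootable system, so it is worth linting both files before rebooting. The following is an added example, not part of the original guide: it checks that encrypt comes after keyboard and before lvm2 and filesystems (the order the Arch wiki documents for LVM on LUKS) and that GRUB_CMDLINE_LINUX carries a cryptdevice= parameter. The function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint the initramfs hook order and kernel command line before rebooting.
# Real use: check_boot_config /etc/mkinitcpio.conf /etc/default/grub

hook_pos() {  # 1-based position of hook $1 in list $2, or 0 if absent
  i=0
  for h in $2; do
    i=$((i + 1))
    if [ "$h" = "$1" ]; then echo "$i"; return; fi
  done
  echo 0
}

check_boot_config() {
  rc=0
  # Take the last uncommented assignment, as the shell would when sourcing the file.
  hooks=$(sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | tail -n 1)
  cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$2" | tail -n 1)
  kbd=$(hook_pos keyboard "$hooks"); enc=$(hook_pos encrypt "$hooks")
  lvm=$(hook_pos lvm2 "$hooks"); fs=$(hook_pos filesystems "$hooks")
  [ "$enc" -gt 0 ] || { echo "FAIL: encrypt hook missing"; rc=1; }
  { [ "$kbd" -gt 0 ] && [ "$kbd" -lt "$enc" ]; } || { echo "FAIL: keyboard should precede encrypt"; rc=1; }
  [ "$lvm" -gt "$enc" ] || { echo "FAIL: lvm2 should follow encrypt"; rc=1; }
  [ "$fs" -gt "$lvm" ] || { echo "FAIL: filesystems should follow lvm2"; rc=1; }
  case " $cmdline" in
    *" cryptdevice="*:*) ;;
    *) echo "FAIL: no cryptdevice=<device>:<name> in GRUB_CMDLINE_LINUX"; rc=1 ;;
  esac
  case "$cmdline" in
    *allow-discards*) echo "NOTE: allow-discards set, TRIM passes through LUKS" ;;
  esac
  return "$rc"
}

# Constructed sample files (not read from a real system).
demo=$(mktemp -d)
echo 'HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)' > "$demo/good.conf"
echo 'HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)' > "$demo/bad.conf"
echo 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks:allow-discards"' > "$demo/grub"
check_boot_config "$demo/good.conf" "$demo/grub" && echo "good.conf: OK"
check_boot_config "$demo/bad.conf" "$demo/grub" || echo "bad.conf: rejected"
```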

When the laptop boots, you’ll get a text prompt to enter the password for your encrypted filesystem. To make that experience a bit more pleasant, do this to permanently use the larger console font we enabled temporarily:

pacman -S terminus-font
echo FONT=ter-132n > /etc/vconsole.conf

Now reboot and verify that you can log in:

exit
reboot --reboot

Graphical Desktop Environment

You should’ve gotten dumped back into a console environment. This might be all you need, but you probably want a graphical desktop environment. Arch gives you many choices here, but I personally like using Gnome with LightDM.

Install Gnome and LightDM:

pacman -S gnome gnome-extra xorg lightdm

Install the “slick” LightDM Greeter from the AUR:

cd /tmp
git clone https://aur.archlinux.org/lightdm-slick-greeter.git
cd lightdm-slick-greeter
makepkg -si

Edit the LightDM config to use the slick greeter:

vim /etc/lightdm/lightdm.conf

You’ll need to change this line:

greeter-session=lightdm-slick-greeter

Now you can disable gdm (which came with Gnome) and use LightDM instead:

systemctl disable gdm
systemctl enable lightdm

Set a background for the LightDM greeter, since without one it looks pretty odd:

echo "[Greeter]" >> /etc/lightdm/slick-greeter.conf
echo "background=/usr/share/backgrounds/gnome/adwaita-night.jpg" >> /etc/lightdm/slick-greeter.conf

Reboot and verify that everything still works:

reboot --reboot

Nvidia Optimus

Optionally, you can install Nvidia with Optimus for switching between dedicated and integrated graphics. You can also enable Nvidia’s power management:

pacman -S nvidia nvidia-settings
git clone https://aur.archlinux.org/optimus-manager.git
cd optimus-manager
makepkg -si
systemctl enable optimus-manager

Create the file /lib/udev/rules.d/80-nvidia-pm.rules with these settings:

# Remove NVIDIA USB xHCI Host Controller devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"

# Remove NVIDIA USB Type-C UCSI devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"

# Remove NVIDIA Audio devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"

# Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"

# Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"

Create the file /etc/modprobe.d/nvidia.conf with these contents:

options nvidia "NVreg_DynamicPowerManagement=0x02"

Set the graphics to hybrid mode on boot; there’s no point in using the integrated graphics since Nvidia’s power management should theoretically be handling that for us:

optimus-manager --set-startup hybrid

Closing Thoughts

Given the state of hardware support for this laptop, using a bleeding-edge distribution like Arch actually meant fewer problems instead of more. The installation process was pretty painless and everything works out of the box.

That said, battery life is pretty terrible even after I used powertop and tlp, in part because it seems like CPU usage is much higher than in Windows 10. I can even see that my processor is throttling under what should be pretty minimal load. It remains to be seen whether I’ll stick with Arch as my primary OS on this laptop or just use Windows 10’s Linux subsystem.