Installing Hyperbola GNU/Linux-libre with disk encryption (excluding /boot)

Create bootable image

Download live image

Make sure to change your BIOS settings so that your computer will boot from your optical disk or USB stick.

Download the new Hyperbola ISO from the download page.

  • Instead of six different images we only provide a single one which can be booted into an i686 and x86_64 live system to install Hyperbola GNU/Linux-libre over the network.

Verify the live image

Once you have downloaded the live image as described, verify its integrity and authenticity as explained below.

Preparation
  1. Create a directory called live_image in your home directory.
  2. Move the live image you downloaded into this directory.
  3. Download the following files and move them into the live_image directory.
Hyperbola live image

File                                              Description
hyperbola-milky-way-v0.4.3-dual.iso.sha512        Contains the SHA512 sums to check the integrity of the Hyperbola live image.
hyperbola-milky-way-v0.4.3-dual.iso.sha512.sig    Signed by the Hyperbola team to check the authenticity of the sha512sum file of the Hyperbola live image.

Your live_image directory should now contain 3 files: Your live image and the sha512 file and the signed one, like this:

  • hyperbola-milky-way-v0.4.3-dual.iso
  • hyperbola-milky-way-v0.4.3-dual.iso.sha512
  • hyperbola-milky-way-v0.4.3-dual.iso.sha512.sig
Integrity check

To verify the integrity of your live image, generate its SHA512 sum and compare it to the one found in the sha512sum file.

In most GNU/Linux distributions the SHA512 sum can be generated by opening a terminal and running the following commands:

cd
cd live_image
sha512sum -b *.iso

The last command should show you the SHA512 sum of your live image file. Compare it to the one in the sha512sum file. If they match, you've successfully verified the integrity of your live image.

If you have coreutils version 8.25 or newer, another way of checking the sum is to ask the sha512sum command to check the file against the sha512sum file, like this:
sha512sum -c hyperbola-milky-way-v0.4.3-dual.iso.sha512
Authenticity check

To verify the authenticity of the sha512sum file, we need to check the signature on the signed file.

Import the Hyperbola signing key:

gpg --keyserver pgp.mit.edu --recv-key "C92B AA71 3B8D 53D3 CAE6 3FC9 E697 4752 F970 4456"
If gpg complains about the key ID, try the following commands instead:
gpg --keyserver pgp.mit.edu --recv-key F9704456
gpg --list-key --with-fingerprint F9704456

Check the output of the last command, to make sure the fingerprint is C92B AA71 3B8D 53D3 CAE6 3FC9 E697 4752 F970 4456.

Verify the authenticity of the sha512sum file, like this:

cd
cd live_image
gpg --verify hyperbola-milky-way-v0.4.3-dual.iso.sha512.sig hyperbola-milky-way-v0.4.3-dual.iso.sha512

The output of the last command should tell you that the file signature is 'good' and that it was signed with the following key: F9704456.
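
The integrity and authenticity checks above can be chained so that the ISO is only compared against sums whose signature was made by the full fingerprint shown on this page, not just a matching short key ID. This is an added example, not part of the original page or of Hyperbola's tooling; the function names are hypothetical and the sample status lines are constructed.

```sh
#!/bin/sh
# Added example: authenticate the .sha512 file against a pinned full
# fingerprint, then check the ISO against the authenticated sums.

# Signing key fingerprint as printed on this page, spaces removed.
HYPERBOLA_FPR="C92BAA713B8D53D3CAE63FC9E6974752F9704456"

# Constructed sample of `gpg --status-fd 1 --verify` output for a signature
# made by the pinned key (user ID and timestamps are made up).
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E6974752F9704456 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG C92BAA713B8D53D3CAE63FC9E6974752F9704456 2017-09-27 1506476940 0 4 0 1 10 00 C92BAA713B8D53D3CAE63FC9E6974752F9704456'

# Constructed sample: a valid signature from a different key whose last
# eight hex digits are also F9704456 (same short key ID).
SAMPLE_STATUS_LOOKALIKE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAF9704456 Constructed Lookalike <other@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9704456 2017-09-27 1506476940 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9704456'

# Constructed sample: signature by the pinned key after the key expired.
SAMPLE_STATUS_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG E6974752F9704456 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG C92BAA713B8D53D3CAE63FC9E6974752F9704456 2017-09-27 1506476940 0 4 0 1 10 00 C92BAA713B8D53D3CAE63FC9E6974752F9704456'

# normalize_fpr FINGERPRINT: strip spaces and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# status_signed_by STATUS_TEXT FINGERPRINT
# Succeeds only if the status text has a VALIDSIG line whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) equals
# FINGERPRINT, and no line reporting a bad, unverifiable, expired-key or
# revoked-key signature.
status_signed_by() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # Appending "" forces a string comparison of the hex fingerprints.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# verify_live_image ISO
# Expects ISO, ISO.sha512 and ISO.sha512.sig in the current directory and the
# signing key already imported into the gpg keyring.
verify_live_image() {
    iso=$1
    # Naming both files makes gpg check the signature over exactly the file
    # that sha512sum reads next. The decision is taken from the status lines.
    status=$(gpg --status-fd 1 --verify "$iso.sha512.sig" "$iso.sha512" 2>/dev/null) || true
    if ! status_signed_by "$status" "$HYPERBOLA_FPR"; then
        echo "signature on $iso.sha512 was not made by $HYPERBOLA_FPR" >&2
        return 1
    fi
    sha512sum -c "$iso.sha512"
}

# Usage, from inside the live_image directory:
#   verify_live_image hyperbola-milky-way-v0.4.3-dual.iso
```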

Acknowledgement

This wiki article is based on Mint's download page. We may have removed non-FSDG bits from it.

2017/09/27 01:49


  • Install images are signed and it is highly recommended to verify their signature before use. On Hyperbola, this can be done by using pacman-key -v <iso-file>.sig
  • The image can be burned to a CD, mounted as an ISO file, or directly written to a USB stick using a utility like dd. It is intended for new installations only; an existing Hyperbola GNU/Linux-libre system can always be updated with pacman -Syu.

Writing a Hyperbola ISO image to a USB drive

Burn the image to your optical disk

To create a disk to use as your install medium, insert a blank or re-writable disk, CD or DVD, into your disk drive. Next, you will need to mount the disk.

mount sr0

This assumes that your computer has a disk drive. sr0 should be the first disk drive, or the only one if you have just one. You will need to address the correct destination for the command to work.

dd if=~/hyperbola-milky-way-v0.2.1-dual.iso of=/dev/sr0 bs=2048 conv=noerror && sync

Write the image to your USB

If you don’t have an ISO writer, go (change directory) to the folder where you saved the downloaded Live image (probably the Downloads folder) and type the following into your terminal:

dd if=hyperbola-milky-way-v0.2.1-dual.iso of=/dev/sdb bs=2048 && sync
Usually works fine, even though I’ve seen other commands; feel free to modify it.

To find out what’s the name of the USB device, type fdisk -l

You’ll probably see something like this:

Device             Boot    Start                  End              Sectors               Size        Id    Type
/dev/sda1                    2048                   8390655       8388608              4G           82    Linux swap /Solaris
/dev/sda2       *          8390656             976773167  968382512          461,8G   83    Linux
Device             Boot    Start                 End              Sectors                Size        Id    Type
/dev/sdb1       *           0                         1255423      1255424               613M      0     Empty
/dev/sdb2                     172                    63659           63488                   31M        ef    EFI (FAT-12/16/32)

From the above, sda is your HDD, and the sdb is your USB device where you’re going to write your Live image.

Also take note of your partitions; you will need this information when you’re creating the file system and mounting the root partition during the installation.

Once you’ve downloaded, verified and written the Live image to your USB device, you can move on to boot your computer from your USB.

dd if=[iso file] of=[usb device file] bs=1M && sync
[iso file] is the path to the ISO image file.
[usb device file] is the path to the USB device file. dmesg or lsblk --fs can be used to learn this path. It is often similar to device filenames of storage devices like hard drives and SSDs, e.g. /dev/sdb. It is very important to use the correct value to avoid overwriting other storage devices.
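
One way to enforce the warning about the device path before dd runs, as an added example that is not part of the original page: check_usb_target and write_image are hypothetical helper names, and the check assumes the Linux /sys/block and /proc/mounts layout.

```sh
#!/bin/sh
# Added example: refuse to run dd unless the target looks like an unmounted,
# removable whole disk, then read the written data back and compare it.

# check_usb_target DEVICE [SYS_BLOCK_DIR] [MOUNTS_FILE]
# The optional arguments default to /sys/block and /proc/mounts; they exist
# so the check can be exercised against a constructed directory tree.
check_usb_target() {
    dev=$1
    sys=${2:-/sys/block}
    mounts=${3:-/proc/mounts}
    name=${dev#/dev/}

    # Whole disks (sdb) have a directory directly under /sys/block;
    # partitions (sdb1) and mistyped names do not.
    if [ ! -d "$sys/$name" ]; then
        echo "$dev: not a whole-disk block device" >&2
        return 1
    fi

    # The kernel reports removable=1 for most USB sticks and 0 for internal
    # disks. USB hard-disk enclosures may also report 0 and are refused here.
    if [ "$(cat "$sys/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "$dev: not marked removable, refusing" >&2
        return 1
    fi

    # Refuse if the disk or one of its partitions is currently mounted.
    if awk -v d="$dev" 'index($1, d) == 1 { hit = 1 } END { exit (hit ? 0 : 1) }' "$mounts"; then
        echo "$dev: in use (mounted), refusing" >&2
        return 1
    fi
    return 0
}

# write_image ISO DEVICE
# Runs the same dd command as above after the checks pass, then compares the
# first ISO-sized bytes of the device with the ISO.
write_image() {
    iso=$1
    dev=$2
    check_usb_target "$dev" || return 1
    dd if="$iso" of="$dev" bs=1M && sync || return 1

    size=$(wc -c < "$iso" | tr -d ' ')
    want=$(sha512sum < "$iso")
    # This read may be served from the page cache; re-plug the stick and
    # repeat the comparison to test the medium itself.
    got=$(head -c "$size" "$dev" | sha512sum)
    if [ "$want" != "$got" ]; then
        echo "$dev: read-back does not match $iso" >&2
        return 1
    fi
}

# Usage (as root):
#   write_image hyperbola-milky-way-v0.4.3-dual.iso /dev/sdb
```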

Keyboard layout

For many countries and keyboard types appropriate keymaps are available already, and a command like loadkeys gr might do what you want. More available keymap files can be found in /usr/share/kbd/keymaps/ (you can omit the keymap path and file extension when using loadkeys).

If you’re not using an English keyboard, you can set your language by typing loadkeys followed by your language. For British users, type:

loadkeys gr

Internet Connection

First check if there is an Internet connection already,

ping -c 3 gnu.org

If you don't get a connection, follow the steps below:

Connect to the Internet

As of v197, udev no longer assigns network interface names according to the wlanX and ethX naming scheme. If you are coming from a different distribution or are reinstalling Hyperbola and not aware of the new interface naming style, please do not assume that your wireless interface is named wlan0, or that your wired interface is named eth0. You can use the command ip link to discover the names of your interfaces.

A DHCP service is already enabled for all available devices. If you need to set up a static IP or use management tools, you should stop this service first:

rc-service dhcpcd stop

The dhcpcd network daemon starts automatically during boot and it will attempt to start a wired connection. Try to ping a server to see if a connection was established. For example, gnu.org:

ping -c 3 gnu.org
 
PING gnu.org (208.118.235.148) 56(84) bytes of data.
64 bytes from wildebeest.gnu.org (208.118.235.148): icmp_seq=1 ttl=47 time=183 ms
64 bytes from wildebeest.gnu.org (208.118.235.148): icmp_seq=2 ttl=47 time=168 ms
64 bytes from wildebeest.gnu.org (208.118.235.148): icmp_seq=3 ttl=47 time=183 ms
 
--- gnu.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 168.131/178.357/183.914/7.248 ms

If you get a ping: unknown host error, first check if there is an issue with your cable or wireless signal strength. If not, you will need to set up the network manually, as explained below.

Wired

Follow this procedure if you need to set up a wired connection via a static IP address.

First, disable the dhcpcd service which was started automatically at boot:

rc-service dhcpcd stop

Identify the name of your Ethernet interface.

ip link
 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp2s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 00:11:25:31:69:20 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT qlen 1000
    link/ether 01:02:03:04:05:06 brd ff:ff:ff:ff:ff:ff

In this example, the Ethernet interface is enp2s0f0. If you are unsure, your Ethernet interface is likely to start with the letter “e”, and unlikely to be “lo” or start with the letter “w”. You can also use iwconfig and see which interfaces are not wireless:

iwconfig
 
enp2s0f0  no wireless extensions.
wlp3s0    IEEE 802.11bgn  ESSID:"NETGEAR97"
          Mode:Managed  Frequency:2.427 GHz  Access Point: 2C:B0:5D:9C:72:BF
          Bit Rate=65 Mb/s   Tx-Power=16 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          Link Quality=61/70  Signal level=-49 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:430   Missed beacon:0
lo        no wireless extensions.

In this example, neither enp2s0f0 nor the loopback device have wireless extensions, meaning enp2s0f0 is our Ethernet interface.

You also need to know these settings:

  • Static IP address.
  • Subnet mask.
  • Gateway's IP address.
  • Name servers' (DNS) IP addresses.
  • Domain name (unless you are on a local LAN, in which case you can make it up).

Activate the connected Ethernet interface (e.g. enp2s0f0):

ip link set enp2s0f0 up

Add the address:

ip addr add ip_address/subnetmask dev interface_name

For example:

ip addr add 192.168.1.2/24 dev enp2s0f0

For more options, run man ip.

Add your gateway like this, substituting your own gateway's IP address:

ip route add default via ip_address

For example:

ip route add default via 192.168.1.1

Edit resolv.conf, substituting your name servers' IP addresses and your local domain name:

nano /etc/resolv.conf
 
nameserver 61.23.173.5
nameserver 61.95.849.8
search example.com
Currently, you may include a maximum of three nameserver lines. In order to overcome this limitation, you can use a locally caching nameserver like dnsmasq.

You should now have a working network connection.

Wireless

Follow this procedure if you need wireless connectivity (Wi-Fi) during the installation process.

First, identify the name of your wireless interface.

iw dev
 
phy#0
        Interface wlp3s0
                ifindex 3
                wdev 0x1
                addr 00:21:6a:5e:52:bc
                type managed

In this example, wlp3s0 is the available wireless interface. If you are unsure, your wireless interface is likely to start with the letter “w”, and unlikely to be “lo” or start with the letter “e”.

If you do not see output similar to this, then your wireless driver has not been loaded. Please see Wireless Setup for more detailed information.

Bring the interface up with:

ip link set wlp3s0 up
If you get this error message:
SIOCSIFFLAGS: No such file or directory

Then your wireless chipset could need non-free firmware to function. This is not supported on Hyperbola. Please see Wireless Setup if you are unsure whether this is true for your particular chipset.

Next, use iw dev wlp3s0 scan | grep SSID to scan for available networks, then connect to a network with:

wpa_supplicant -B -i wlp3s0 -c <(wpa_passphrase "ssid" "psk")

You need to replace ssid with the name of your network (e.g. “Linksys etc…”) and psk with your wireless password, leaving the quotes around the network name and password.

Finally, you have to give your interface an IP address. This can be set manually or using DHCP:

dhcpcd wlp3s0

If that does not work, issue the following commands:

echo 'ctrl_interface=DIR=/run/wpa_supplicant' > /etc/wpa_supplicant.conf
wpa_passphrase <ssid> <passphrase> >> /etc/wpa_supplicant.conf
ip link set <interface> up # May not be needed as dhcpcd should bring it up but may be needed for wpa_supplicant.
wpa_supplicant -B -D nl80211 -c /etc/wpa_supplicant.conf -i <interface>
dhcpcd -A <interface>

ADSL with PPPoE/PPPoA

Follow this procedure if you need ADSL with PPPoE/PPPoA during the installation process.

First, identify the name of your Ethernet interface.

ip link
 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp2s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 00:11:25:31:69:20 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT qlen 1000
    link/ether 01:02:03:04:05:06 brd ff:ff:ff:ff:ff:ff

In this example, the Ethernet interface is enp2s0f0.

Second, create the PPP net script and the net script for the Ethernet interface to be used by PPP:

ln -s /etc/init.d/net.lo /etc/init.d/net.ppp0
ln -s /etc/init.d/net.lo /etc/init.d/net.enp2s0f0
Be sure to set rc_depend_strict to YES in /etc/rc.conf.

Now we need to configure /etc/conf.d/net.

nano /etc/conf.d/net

config_enp2s0f0="null"    # Specify the Ethernet interface
config_ppp0="ppp"
link_ppp0="enp2s0f0"      # Specify the Ethernet interface
plugins_ppp0="pppoe"
username_ppp0='user'
password_ppp0='password'
pppd_ppp0="
noauth
defaultroute
usepeerdns
holdoff 3
child-timeout 60
lcp-echo-interval 15
lcp-echo-failure 3
noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
  
rc_net_ppp0_need="net.enp2s0f0"
It is also possible to set the password in /etc/ppp/pap-secrets.
Please carefully read the section on ADSL and PPP in /usr/share/doc/netifrc-*/net.example.bz2. It contains many more detailed explanations of all the settings any particular PPP setup will likely need.

Now that the interface is configured, we can start it using the following commands:

rc-service net.ppp0 start

Behind a proxy server

If you are behind a proxy server, you will need to export the http_proxy and ftp_proxy environment variables.

Preparing the storage device for installation

You need to prepare the storage device that we will use to install the operating system. You can use the same device name that you used earlier, to determine the installation device for the ISO.

Wipe storage device

You want to make sure that the device you’re using doesn’t contain any plaintext copies of your personal data. If the drive is new, then you can skip the rest of this section; if it’s not new, then there are two ways to handle it:

  1. If the drive was not previously encrypted, securely wipe it with the dd command; you can either choose to fill it with zeroes or random data; I chose random data (e.g., urandom), because it’s more secure. Depending on the size of the drive, this could take a while to complete:
    dd if=/dev/urandom of=/dev/sdX; sync
  2. If the drive was previously encrypted, all you need to do is wipe the LUKS header. The size of the header depends upon the specific model of the hard drive; you can find this information by doing some research online. You can either fill the header with zeroes, or with random data; again, I chose random data, using urandom:
    head -c 3145728 /dev/urandom > /dev/sdX; sync

Also, if you’re using an SSD, there are two things you should keep in mind:

  • There are issues with TRIM; it’s not enabled by default through LUKS, and there are security issues, if you do enable it.

Formatting the storage device

Now that all the personal data has been deleted from the disk, it’s time to format it. We’ll begin by creating a single, large partition on it, and then encrypting it using LUKS.

Initial setup

First, you will need to install the cryptsetup package in the live system run from the ISO, since it is the utility we will use to encrypt your disk:

pacman -S cryptsetup
You can ignore error messages, given this is only temporary; cryptsetup will be installed in your system later as well.

Disk configuration

Partition disk

We then need to select the device name of the drive we’re installing the operating system on; see the above method, if needed, for figuring out device names.

lsblk

Now that we have the name of the correct device, we need to create the partition on it. For this, we will use the cfdisk command:

You can always use other utilities like cfdisk, or others if preferred.
cfdisk /dev/sdX

This will bring up a graphical partitioning table, use the Tab and arrow keys to navigate.

If there are no partitions present, select dos; try to avoid gpt, which is only for very large disks. If there is any partition on the drive that you intend to remove, select Delete to clear some space for the new system installation.

To make new partitions, use the arrow keys to select your partition and choose New to create the intended partition sizes.

First we need to make a boot partition. When creating it, you will see an option for Primary or Logical; choose Primary, and make sure that the partition type is Linux (83), then choose the Boot flag to make this partition “bootable”. For the partition size, 500 MB is advised for the unencrypted boot partition. Then create a partition with the rest of the disk, where the encrypted LUKS container will be allocated. Again choose Primary, go to the “Type” option and select Linux (83) from the list, then choose the End flag.

Select Write; it will ask you if you are sure that you want to overwrite the drive. Type yes, and press enter to save your changes to disk. A message at the bottom will appear, telling you that the partition table has been altered. Select Quit, to return you to the main terminal.

Create the LUKS partition

Now that you have created the partition, it’s time to create the encrypted volume on it.

To make sure that the list below is populated, first run:

cryptsetup benchmark

Then:

cat /proc/crypto

This gives us the crypto options that can be used. It also provides a representation of the best way to set up LUKS. In our case, security is a priority and speed a distant second. Considering the above requirements, we do the following, based on Encryption options for LUKS mode. Reading through, it seems like Serpent (encryption) and Whirlpool (hash) are the best option, according to the performance test executed by the previous commands.

Create the encrypted volume using the cryptsetup command, like this:

cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random luksFormat /dev/sda2

These are just recommended defaults; if you want to use anything else, or to find out what options there are in order to gain a better understanding of this program, run man cryptsetup, and read through its manual pages.

You will now be prompted to enter a passphrase; be sure to make it secure. For passphrase security, length is more important than complexity (e.g., correct-horse-battery-staple is more secure than bf20$3Jhy3), but it’s helpful to include several different types of characters (e.g., uppercase/lowercase letters, numbers, special characters). The password length should be as long as you are able to remember, without having to write it down, or store it anywhere.

Use of the diceware method is recommended, for generating secure passphrases (rather than passwords).

Create the volume group and logical volumes

The next step is to create two logical volumes within the LUKS-encrypted partition: one will contain your main installation, and the other will contain your swap space.

We will create these using the Logical Volume Manager (LVM).

Open LUKS partition

First, we need to open the LUKS partition, at /dev/mapper/lvm:

cryptsetup open /dev/sda2 lvm

Create physical volume

Then, we create the LVM partition:

pvcreate /dev/mapper/lvm

Check to make sure that the partition was created:

pvdisplay

Create volume group

Next, we create the volume group, inside of which the logical volumes will be created. For this example, we will call this group matrix. You can call yours whatever you would like; just make sure that you remember its name:

vgcreate matrix /dev/mapper/lvm

Check to make sure that the group was created:

vgdisplay

Setup logical volumes

Lastly, we need to create the logical volumes themselves, inside the volume group: first we will create our / logical volume, named root; another will be our swap volume, named swap; and finally the last will be our /home volume, named home.

Root volume

Now we will create a single, large partition in the rest of the space, for root:

lvcreate -L 40G matrix -n root
Swap volume

Next, create the swap volume (again, choose your own name, if you feel like it). A swap volume of around the same size as your computer’s memory should be more than enough; for example, with 4 GB of available memory, use about 4 GB of swap.

To check how much RAM you have installed on your computer, look at the “MemTotal” line in the output of the following command:

cat /proc/meminfo

Alternatively, this command may be used for the same purpose: vmstat -s.

Make sure to choose an appropriate swap size (e.g., 2G refers to two gigabytes; change this however you see fit)

lvcreate -L 4G matrix -n swap
Home Volume
lvcreate -l +100%FREE matrix -n home

Verify that the logical volumes were created correctly:

lvdisplay

Filesystem Configuration

The last step of setting up the drive is to make it ready to receive the installation.

We do this with the mkfs (i.e., make file system) command. We choose the ext4 filesystem, but you could use a different one, depending on your use case:

Partition Formatting

Create a file system

Root

Now we have to format `/`, ext4 will be used for root.

mkfs.ext4 /dev/mapper/matrix-root
Home

Now we have to format `/home`, ext4 will be used for home.

mkfs.ext4 /dev/mapper/matrix-home

Swap creation

First we have to format swap, to make it an active swap partition.

Activate swap

To make swap into a swap partition, we run the mkswap (i.e., make swap) command:

mkswap /dev/mapper/matrix-swap
Enable swap partition

Activate the swap, allowing it to now be used as swap, using swapon (i.e., turn swap on) command:

swapon /dev/matrix/swap

Mount root partition

We now must mount the root partition on /mnt. You should also create directories for and mount any other partitions (/mnt/boot, /mnt/home, …) and mount your swap partition if you want them to be detected by genfstab.

Mount root in /mnt

So to mount root type:

mount /dev/mapper/matrix-root /mnt

Since root has been mounted at /mnt, we now need to create the remaining directories, using mkdir. These folders contain each user’s personal documents, videos, log files, etc.:

Make remaining directories

Create home
mkdir -p /mnt/home

Mount other partitions

Mount home
mount /dev/mapper/matrix-home /mnt/home

Boot Setup

Setup the boot partition:

mkfs.ext4 /dev/sda1
mkdir -p /mnt/boot
mount /dev/sda1 /mnt/boot

You could also create two separate partitions for /boot and /home, but such a setup would be for advanced users, and is thus not covered in this guide. The setup of the drive and partitions is now complete; it’s time to actually install Hyperbola.

Verification of package signatures

New packager keys are necessary by default to install Hyperbola from current ISOs. Because changes in existing keys might happen since the ISO release, it is recommended, if not mandatory, to update the keys before attempting an install.

Keep in mind these steps will fail if your system is not set to the correct time, or if you are not connected to the internet.

To check that your computer has the correct time, enter date in the terminal.

date

If the date is incorrect, you will need to manually set the correct time.

date MMDDhhmm[[CC]YY][.ss]

where MM is the month, DD the day, hh the hour, mm the minutes, CC the century, YY the year and .ss the seconds of the current time. The seconds can be omitted (and then the dot before them should also be omitted); the year can also be omitted, or just the century. For instance, if the current time is 32 seconds and 44 minutes past 18 (6 pm) on the 13th of November 2013, then the command would be:

date 111318442013.32

Once the date is correct, we need to initialize the gnupg directory and update pacman's keys.

pacman-key --init
mount -o remount,size=100M,noatime /etc/pacman.d/gnupg
pacman-key --populate hyperbola
pacman-key --refresh-keys

If you get GPG errors updating those packages, you can try running these commands to start over:

rm -r /etc/pacman.d/gnupg/*
pacman-key --init
pacman-key --populate hyperbola
pacman-key --refresh-keys

If you get an error related to dirmngr, you can get rid of it with:

mkdir /root/.gnupg && chmod go-rx /root/.gnupg && touch /root/.gnupg/dirmngr_ldapservers.conf

For the time being, running the previous command might also be needed in the newly installed system.

Base system installation

Before installing, you may want to edit /etc/pacman.d/mirrorlist such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by pacstrap as well, so it's worth getting it right.

Update keys of hyperiso:

pacman -S hyperbola-keyring

Install the base system using pacstrap:

pacstrap /mnt base

You can install additional packages passing base and the names of these packages as arguments after the root directory of the new installation (all packages from the base group are installed if no package is specified).

You can also use the package group base-devel to include development and contribution tools.
Install base packages:

Install `xenocara-input-synaptics` only on laptops that have a touchpad:

pacstrap /mnt xenocara-input-synaptics
If you have a btrfs root, you probably want to install also btrfs-progs.

Wireless tools installation

If your wireless network is WPA protected, you'll need wpa_supplicant to connect to it:

pacstrap /mnt iw iproute2 wpa_supplicant

System configuration

Generate an fstab

Generate an fstab with the following command:

genfstab -p /mnt >> /mnt/etc/fstab
If you prefer to use UUIDs or labels, add the -U or -L flag, respectively, for example:
genfstab -U -p /mnt >> /mnt/etc/fstab

Chroot and configure the base system

Next, chroot into our newly installed system:

arch-chroot /mnt

Hostname

Usually it’s best, for privacy and security reasons, to set your hostname to localhost, but here we will use hyperpc as an example.

Set hostname, by editing /etc/hostname file:

echo hyperpc > /etc/hostname

Add the same hostname, i.e. hyperpc, to /etc/hosts.

Type:

nano /etc/hosts
# <ip-address> <hostname.domain.org> <hostname>
127.0.0.1                localhost.localdomain     localhost hyperpc
::1                             localhost.localdomain     localhost hyperpc

Setting up Locale

Edit the locale in /etc/locale.gen:

nano /etc/locale.gen

Uncomment your selected locale. For US English, it should look like this:

...
#en_SG ISO-8859-1
en_US.UTF-8 UTF-8
#en_US ISO-8859-1
...
All locales are commented out (preceded by #) by default. Uncomment (remove the #) the line for your chosen locale.

After you’ve uncommented your language, generate the locale by running:

locale-gen

Then set locale preferences in /etc/locale.conf:

echo LANG=en_US.UTF-8 > /etc/locale.conf 
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_TIME=en_US.UTF-8 >> /etc/locale.conf

Then export your chosen locale

export LANG=en_US.UTF-8

Keymap

Set up the console keymap and font preferences by editing the file /etc/conf.d/keymaps:

nano /etc/conf.d/keymaps
keymap="gr"

If you have advanced keymap needs, you can look at the other options, documented in the comments of that file. You can find all the available keymaps in /usr/share/kbd/keymaps. Then run:

rc-update add keymaps default
This only applies for TTY, if you are using X11, this won't affect your graphical environment.

Time zone

Set localtime, by creating a symbolic link /etc/localtime to your subzone file /usr/share/zoneinfo/Zone/SubZone:

ln -s /usr/share/zoneinfo/Zone/SubZone /etc/localtime

For example, here we replace Zone and SubZone with Europe and Athens, respectively:

ln -s /usr/share/zoneinfo/Europe/Athens /etc/localtime
If you get ln: failed to create symbolic link ’/etc/localtime’: File exists, then run:
ln -s -f /usr/share/zoneinfo/Zone/SubZone /etc/localtime

Hardware clock

Set the hardware clock to UTC (Optional):

hwclock --systohc --utc

Root password

Set the root user's password with passwd:

passwd
Remember when you’re typing in your root password (as any password) into the terminal, it won’t show. Just carefully type in your chosen root password and repeat it when asked to.

Add a user

Let's add a normal user.

We choose the name `freedom`, but you can change it to whatever you prefer, and add it to the basic groups:

useradd -m -G audio,disk,games,http,input,lp,network,optical,power,scanner,storage,sys,video,wheel -g users -s /bin/bash freedom

Assign password

passwd freedom

Bootloader installation and configuration

GRUB

  • If you want to install GRUB for the (U)EFI mode, you will need to make sure that:
  • The computer booted in (U)EFI mode (if /sys/firmware/efi exists, then it booted in (U)EFI mode)
  • The efivars module is loaded. (modprobe efivars will load it)

Finally follow these steps:

pacman -S grub
grub-install /dev/sdX

Create grub.cfg file

grub-mkconfig -o /boot/grub/grub.cfg
Add “cryptdevice=/dev/sda2:matrix” between “root=…” and “rw” in the line that starts with linux. This needs to be done for “linux-libre” and “linux-libre-fallback”.
nano /boot/grub/grub.cfg

Syslinux

See Syslinux for further details.

Setting up the kernel modules

Before we do that, we need to install cryptsetup:

pacman -S cryptsetup

Now we need to make sure that the kernel has all the modules that it needs to boot the operating system. To do this, we need to edit a file called mkinitcpio.conf.

nano /etc/mkinitcpio.conf

There are several modifications that we need to make to the file:

  1. Change the value of the uncommented MODULES line to i915.
    • This forces the driver to load earlier, so that the console font you selected earlier isn’t wiped out after getting to login.
    • Be aware, when you add i915 into the uncommented modules line, that you remove these “ “
    • If you are using a Macbook 2,1 you will also need to add hid-generic, hid, and hid-apple inside the quotation marks, in order to have a working keyboard when asked to enter the LUKS password. Make sure to separate each module by one space.
  2. Change the value of the uncommented HOOKS line to the following:
    nano /etc/mkinitcpio.conf
     
    "base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"

    Here’s what each hook does:

    • keymap adds to initramfs the keymap that you specified in /etc/conf.d/keymaps
    • consolefont adds to initramfs the font that you specified in /etc/conf.d/keymaps
    • lvm2 adds LVM support to the initramfs - needed to mount the LVM partitions at boot time
    • shutdown is needed for unmounting devices (such as LUKS/LVM) during shutdown

After modifying the file and saving it, we need to update the kernel(s) with the new settings.

Then, we update both kernels like this, using the mkinitcpio command:

mkinitcpio -p linux-libre-lts
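
The GRUB cryptdevice edit and the HOOKS order above both have to be right for the passphrase prompt to unlock the root volume at boot. The following pre-reboot check is an added example, not part of the original page or of Hyperbola's tooling; the function names and the sample file contents (including the kernel image names) are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-reboot checks for the encrypted-root setup on this page.

# hooks_order_ok MKINITCPIO_CONF
# Succeeds if the last uncommented HOOKS= line lists keyboard, encrypt, lvm2
# and filesystems in that order: the keyboard must work before the passphrase
# prompt, and the LUKS container must be open before LVM scans it.
hooks_order_ok() {
    awk '
        /^[ \t]*HOOKS=/ {
            line = $0
            sub(/^[ \t]*HOOKS=/, "", line)
            gsub(/["()]/, "", line)        # accept "..." and (...) styles
            n = split(line, h, /[ \t]+/)
            kb = enc = lvm = fs = 0
            for (i = 1; i <= n; i++) {
                if (h[i] == "keyboard")    kb  = i
                if (h[i] == "encrypt")     enc = i
                if (h[i] == "lvm2")        lvm = i
                if (h[i] == "filesystems") fs  = i
            }
            seen = 1
        }
        END { exit ((seen && kb && enc && kb < enc && enc < lvm && lvm < fs) ? 0 : 1) }
    ' "$1"
}

# grub_cryptdevice_ok GRUB_CFG DEVICE:NAME
# Succeeds if every "linux" line carries cryptdevice=DEVICE:NAME.
# grub-mkconfig rewrites grub.cfg, so run this again after regenerating it.
grub_cryptdevice_ok() {
    awk -v want="cryptdevice=$2" '
        $1 == "linux" {
            total++
            for (i = 2; i <= NF; i++) if ($i == want) { good++; break }
        }
        END { exit ((total > 0 && good == total) ? 0 : 1) }
    ' "$1"
}

# check_boot_config MKINITCPIO_CONF GRUB_CFG DEVICE:NAME
check_boot_config() {
    rc=0
    hooks_order_ok "$1" || { echo "$1: HOOKS missing or out of order" >&2; rc=1; }
    grub_cryptdevice_ok "$2" "$3" || { echo "$2: a linux line lacks cryptdevice=$3" >&2; rc=1; }
    return $rc
}

# write_sample_files DIR: constructed files mirroring the settings on this page.
write_sample_files() {
    cat > "$1/mkinitcpio.conf" <<'EOF'
MODULES="i915"
#HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"
EOF
    cat > "$1/grub.cfg" <<'EOF'
menuentry 'constructed entry' {
    linux /vmlinuz-linux-libre-lts root=/dev/mapper/matrix-root cryptdevice=/dev/sda2:matrix rw quiet
    initrd /initramfs-linux-libre-lts.img
}
menuentry 'constructed fallback entry' {
    linux /vmlinuz-linux-libre-lts root=/dev/mapper/matrix-root cryptdevice=/dev/sda2:matrix rw
    initrd /initramfs-linux-libre-lts-fallback.img
}
EOF
}

# Usage inside the chroot:
#   check_boot_config /etc/mkinitcpio.conf /boot/grub/grub.cfg /dev/sda2:matrix
```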

Configure Wireless

wpa_supplicant

- Configure wpa_supplicant

nano -w /etc/wpa_supplicant/wpa_supplicant.conf

Inside:

        ctrl_interface=/var/run/wpa_supplicant
        ctrl_interface_group=wheel
        update_config=1
 
        network={
            ssid="<network-name>"
            psk="your-pass"
        }

Add to service by default

rc-update add wpa_supplicant default

dhcpcd

Add to service by default

rc-update add dhcpcd default
For further details on how to configure the network in the newly installed environment, see Wireless Setup.

BASE graphical interface

Install video package (depending on the brand of your video card)

Check video brand:

lspci | grep -e VGA

Install one, depending on the brand:

Ati

pacman -S xenocara-video-ati

Intel

pacman -S xenocara-video-intel

Nvidia

pacman -S xorg-video-nouveau

Vesa (generic)

pacman -S xenocara-video-vesa

Xenocara components

pacman -S xenocara-server xenocara-xinit

Setting the keyboard language for Xenocara

Here's an example:

nano ~/.xinitrc

and inside write:

setxkbmap gr

Typefaces

pacman -S ttf-liberation ttf-dejavu

Audio support

Install the required packages for audio to work:

pacman -S sndio alsa-utils

Add audio services to default

rc-update add alsasound default
rc-update add sndiod default

Officially supported desktop environments

Lumina Desktop

Lumina is a lightweight desktop environment, free of D-Bus and *kit, designed to have as few system dependencies and requirements as possible. Check this Wikipedia article, and the official handbook.

Installation

To install Lumina desktop, run:

pacman -S lumina lumina-extra
The package group lumina includes both lumina-core and lumina-core-utils, and lumina-extra includes Lumina's own implementations of: archiver, fileinfo, fm, mediaplayer, photo, screenshot and textedit.

Configuration

A configuration file is installed in /etc/luminaDesktop.conf. Lumina also has a number of its own configuration tools.

Invocation

Lumina provides its own replacement for startx to be started from console.

start-lumina-desktop

Alternatively, it can be added to the ~/.xinitrc file to be started via startx or a display manager:

nano ~/.xinitrc

and inside write:

exec start-lumina-desktop

How to start Xenocara?

Write a `~/.xinitrc` file

Uncomment your installed desktop or window manager, example file `~/.xinitrc`:

        #!/bin/sh
        #
        # ~/.xinitrc
        #
        # Executed by startx (run your window manager from here)
        #
        # exec enlightenment_start
        # exec i3
        # exec awesome
        # exec bspwm
        # exec startfluxbox
        # exec openbox-session
        # exec pekwm
        # exec dwm
        # exec icewm-session
        # exec jwm
        # exec notion
        # exec evilwm

Then from a tty, you can run `startx` and your desktop will start.

Install login manager (option 2)

Example: `slim`

pacman -S slim-theme-hyperbola
Our official theme includes all needed dependencies, so you won't need to install slim as a separate package.

Add to service default

rc-update add slim default

Tools

Disks

pacman -S udevil

Add to service default

rc-update add devmon default

Net

dhcpcd-ui for IP management

pacman -S dhcpcd-ui

wpa-gui to connect to wifi

pacman -S wpa_supplicant_gui

Volume applet

Volume icon

pacman -S volumeicon

Synchronize Local Time

Install NTP

pacman -S ntp

Synchronize Time

ntpdate -u hora.roa.es

Add to service default

rc-update add ntpd default

File compressors

Normally we come across files compressed in ZIP, RAR and/or another format that are usually exchanged on the Internet. To improve functionality of these file compressors, we will add support for 7Z, RAR, ZIP and others.

GZip (known with extension ".tar.gz")

pacman -S zlib

BZip2

pacman -S bzip2

RAR

pacman -S unar

7Zip

pacman -S p7zip lrzip

ZIP

pacman -S zip libzip unzip

Reading and writing NTFS file systems

pacman -S ntfs-3g

Reading and writing XFS file systems

pacman -S xfsprogs

Multimedia support

To play multimedia files, you need both the codecs and a player. To do this, we will install the ffmpeg and gstreamer codecs, in addition to players. Here I suggest some players that you may find useful.

Codecs

pacman -S ffmpeg gstreamer gst-libav gst-plugins-bad gst-plugins-good gst-plugins-ugly gst-plugins-base gst-transcoder x264 libvorbis libvpx libtheora opus vorbis-tools

Audacious player

pacman -S audacious

SMPlayer

pacman -S smplayer smplayer-themes smplayer-skins

VLC player

pacman -S vlc

MPV player

pacman -S mpv

Lightweight image viewer

pacman -S viewnior

PDF viewer

pacman -S mupdf

UXP Applications

Thanks to the developers, in Hyperbola we have a web browser called iceweasel-uxp, an internet suite and email manager called iceape-uxp, and a mail and news reader called icedove-uxp.

Iceweasel-UXP

pacman -S iceweasel-uxp

Iceape-UXP

pacman -S iceape-uxp

Icedove-UXP

pacman -S icedove-uxp

Office

In general, when using an operating system, you have at least an office suite. In GNU/Linux, it's customary to have one. Fortunately, Hyperbola provides LibreOffice in its stable version. To install it, run:

LibreOffice

pacman -S libreoffice

Spell check

To check spelling you will need hunspell

pacman -S hunspell

Hyphenation and justification

To provide hyphenation rules you also need `hyphen` + a set of rules (hyphen-en)

pacman -S hyphen hyphen-en

Synonyms

For the Synonyms option you will need `mythes` + a mythes synonym library (mythes-en)

pacman -S libmythes mythes-en

Security

Security is important when browsing the Internet. That's why Hyperbola provides a tool called firejail, in combination with a graphical interface called firetools:

pacman -S firejail firetools

Install the firewall nftables; it comes configured to protect your system:

pacman -S nftables

Now add it to service default:

rc-update add nftables default

Social

Hyperbola has programs for communication:

Tox

qTox:

pacman -S qtox

or

toxic:

pacman -S toxic

Enable the necessary services before leaving chroot

rc-update add lvm boot
rc-update add dmcrypt boot
rc-update add udev default
rc-update add lm_sensors default

Unmount and reboot

You are still in the chroot environment. Type exit or press Ctrl+D in order to exit.

exit

Earlier we mounted the partitions under /mnt. In this step we will unmount them:

umount -R /mnt
swapoff -a
lvchange -an /dev/matrix/root
lvchange -an /dev/matrix/home
lvchange -an /dev/matrix/swap
cryptsetup close lvm

Now reboot and then log in to the new system.

reboot
Remember to remove your installation medium (your USB stick) before you reboot into your system. To log in, you type your user name and your password.

Service management

Since Hyperbola has removed systemd support entirely, we suggest you read about OpenRC, which is our default init system.

See Also

Conclusion

Your new Hyperbola GNU/Linux-libre base system is now a functional GNU/Linux environment.

Acknowledgement

This wiki article is based on ParabolaWiki. We may have removed non-FSDG bits from it.