• Host PC user (on Fedora) needs to be member of dialout and disk group to access serial port and be able to write to the USB drive. Or use sudo.
• Connect to the PC Engines APU's serial port.

  screen /dev/ttyUSB0 115200 # to select: boot from USB
  screen /dev/ttyUSB0 38400  # to continue Arch Linux installation

• Connect the APU to Ethernet / internet for updates and access to the repo's.

• Download the latest image from https://www.archlinux.org/download/.
• Verify the download:

  SHA1: 91a195bf1395694151fc3f7f766e9d1233e2aed9
  
  $ sha1sum archlinux-2017.05.01-x86_64.iso
  91a195bf1395694151fc3f7f766e9d1233e2aed9  archlinux-2017.05.01-x86_64.iso

• Copy image to USB:

  sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync

• Boot the APU en press F12, select USB boot.
• Switch console to 38400 baud. Press 'ctrl-l' to redraw the screen.
• Select the Boot Arch Linux option and press TAB.
• Add console=ttyS0,38400 to the kernel line and press enter
• Log in with user root (no password).
• If you connected the network cable after booting, request an IP-address

  # dhclient enp1s0

• Install and run SSHd to complete the installation over SSH:

  select nearby mirror in: /etc/pacman.d/mirrorlist
  
  # pacman -Sy
  # pacman -S openssh
  # passwd root
  # systemctl start sshd

The next steps will install Arch Linux on a encrypted root filesystem.

• Secure erase SSD
  • Check that device is not frozen:

    # hdparm -I /dev/sdX
    Security: 
    	Master password revision code = 65534
    		supported
    	not	enabled
    	not	locked
    	not	frozen
    	not	expired: security count
    		supported: enhanced erase
    	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

  • Set password, any password will do, it will be reset to NULL after erasing.

    # hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
    security_password: "Meu3lieY43"
    
    /dev/sda:
     Issuing SECURITY_SET_PASS command, password="Meu3lieY43", user=user, mode=high

  • Check that password is enabled:

    # hdparm -I /dev/sdX
    Security: 
    	Master password revision code = 65534
    		supported
    		enabled

  • Secure erase SSD:

    # hdparm --user-master u --security-erase Meu3lieY43 /dev/sdX
    security_password: "Meu3lieY43"
    
    /dev/sda:
     Issuing SECURITY_ERASE command, password="Meu3lieY43", user=user

  • Check that master password is supported, but not enabled:

    # hdparm -I /dev/sdX
    Security: 
    	Master password revision code = 65534
    		supported
    

• Partition the SSD:

  (
  echo o     # Create a new empty DOS partition table
  echo n     # Add a new partition
  echo p     # Primary partition
  echo 1     # Partition number
  echo       # First sector (Accept default: 1)
  echo +256M # Last sector (Accept default: varies)
  echo n     # Add a new partition
  echo p     # Primary partition
  echo 2     # Partition number
  echo       # First sector (Accept default)
  echo       # Last sector (Accept default, rest of the drive)
  echo w     # Write changes
  ) | sudo fdisk /dev/sdX

• You might reboot if you cannot use the new partitions yet:

  # partprobe /dev/sda                                                                                  :(
  Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will remain in use.  You should reboot now before making further changes.

• Create the /boot and root filesystems:

  
  # cryptsetup -y -v luksFormat /dev/sdX2
  # cryptsetup open /dev/sdX2 cryptroot
  # mkfs.ext4 /dev/mapper/cryptroot
  # mount /dev/mapper/cryptroot /mnt
  
  # mkfs.ext4 /dev/sdX1
  # mkdir /mnt/boot
  # mount /dev/sdX1 /mnt/boot

• Copy Arch Linux to the new filesystems:

  # pacstrap /mnt base

• Generate a fstab:

  # genfstab -L /mnt >> /mnt/etc/fstab

• Chroot into the new system:

  # arch-chroot /mnt

• Set root password:

  # passwd root

• Setup system clock:

  # ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
  # hwclock --systohc --utc

• Set the hostname:

  # echo MYHOSTNAME > /etc/hostname

• Update locale:

  # vi /etc/locale.gen
  # locale-gen

• Add encryption hook:

  # vi /etc/mkinitcpio.conf 
  HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems keyboard fsck"

• Generate new initramfs:

  # mkinitcpio -p linux

• Install bootloader:

  # pacman -S grub
  # grub-install /dev/sda
  # grub-mkconfig -o /boot/grub/grub.cfg

• Modify kernel options for decrypting the root filesystem:

  # vi /etc/default/grub
  GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:cryptroot"
  

• Configure serial port:

  # vi /etc/default/grub   # add options below
  GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"

• Configure grub and serial:

  # vi /etc/default/grub   # add options below
  
  ## Serial console
  GRUB_TERMINAL=serial
  GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

• Make new grub config:

  # grub-mkconfig -o /boot/grub/grub.cfg

• Reboot and connect with 115200 baud.

• Configure network:

  # cp /etc/netctl/examples/ethernet-static /etc/netctl
  
  # vi /etc/netctl/ethernet-static
  
  # netctl list
  # netctl start ethernet-static
  # netctl enable ethernet-static

• Add users
• Enable SSH:

  # pacman -S openssh
  # systemctl enable sshd
  # systemctl start sshd

• Configure simple firewall:

  # pacman -S ufw
  # ufw default deny
  # ufw allow SSH
  # ufw enable

• Configure timekeeping:

  vi /etc/systemd/timesyncd.conf
  # timedatectl set-ntp true