Encrypted Arch GNU/Linux installation

17th September 2022

Arch Linux is a simple, lightweight, flexible and minimal Linux distribution which you can customize to your liking. There are many ways you can customize Arch during the installation process so it suits you.
I would like to show you how I install my Arch Linux systems with LUKS encrypted root partition.

Notice! This guide has been ported from my old site style, this might not be all correctly done because i was in a hurry.

# Getting the Arch iso

First off you need to acquire the Arch liveboot ISO image from the official Arch Linux website. Simply select the mirror that is closest to you and download the archlinux-[DATE]-x86_64.iso. You can do some signature verification of the file if you want to..

Flashing the ISO


Flash the Arch ISO file onto a USB flash drive or DVD disc using Balena Etcher or your other favorite image flashing software.


Since GNU/Linux and *BSD are superior platforms, they have built-in utilities that you can flash the ISO with. Plug in your flash drive, open up a terminal and discover the drive code. You can easily find it by its size.

$ lsblk -d -o NAME,SIZE

Now flash the arch image to your flashdrive:

dd if=/location/of/archlinux-[DATE]-x86_64.iso of=/dev/sdX status=progress

Booting into installation enviroment

Plug in the USB Drive with the Arch Linux iso image, go to boot menu and select the USB drive. Before that make sure you disable Secure Boot in the UEFI settings, Secure Boot is often located in the security tab.

# Installing Arch GNU/Linux

Now let's get to the fun part! Set up your network and keyboard layout with the help of Arch Wiki!

Prepare your disk using gdisk program.
To create the partition press the n key, it will ask you to input partition number, just press the spacekey and it will automaticall asign the number to the partition. Space trough the first sector, it is useless for us. When it will ask you for the last sector size, input the partition size, don't forget to add + in front of the number and the proper letter after the number, M for Megabytes and G for gigabytes. It should look like this: +8G

Run the command:

$ gdisk /dev/sdX
Name Disk Size Code
BOOT /dev/sdX1 550 MiB ef00
SWAP /dev/sdX2 8 GiB 8200
ROOT /dev/sdX3 Remainder 8300

To set the remainder of the root partition just press space and it will automatically assign the remainder of the disk to the partition.

After you are done with the changes, press the w key and save the changes. If you think you made some mistakes, press the d key and delete the wrong partition, then correct the mistake.

Preparing LUKS partition

Before you format your partitions and install Arch on them, you first need to create a LUKS container where your root partition data will be stored at. You will need to use the cryptsetup command. After running the command you will need to input "YES" as verification pharse to start creating the LUKS container. After this you will need to input the encrypted container password and input it again to verify it. Make sure to create the container at /dev/sdX3.

$ cryptsetup -yv luksFormat /dev/sdX3

After successful creation of the LUKS container you will need to open it. The partition that is stored in the LUKS container can be found at /dev/mapper/root after running this command:

$ cryptsetup open /dev/sdX3 root

Formatting the partitions

You will need to format the partitions after completing the previous steps..

$ mkfs.ext4 /dev/mapper/root
$ mkfs.vfat /dev/sdX1
$ mkswap /dev/sdX2

Mounting the partitions

Mount the root and boot partitions to the /mnt directory so you can later proceed to install Arch Linux on these partitions. After mounting the root partition create a boot direcotry /mnt/boot/ and mount the boot partition there.

$ mount /dev/mapper/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sdX1 /mnt/boot
$ swapon /dev/sdX2

Installing Linux on the mounted partitions

Install the linux kernel and some important packages.

$ pacstrap /mnt base linux linux-firmware vim sudo

Generating the Fstab

Don't forget to generate the fstab configuration!

$ genfstab -U /mnt >> /mnt/etc/fstab

# Configuring Arch

Now after you have installed Arch Linux on your disk, you need to chroot into it and configure it.

$ arch-chroot /mnt

Selecting your locale

You will need to set your keyboard layout, timezone and language of the system. First edit the /etc/locale.gen and comment out your language. After that run this command:

$ locale-gen

Configuring time

To change your timezone, replace the continent and city with your continent and city and run this command.

$ ln -sf /usr/share/zoneinfo/Europe/Bratislava /etc/localtime

After running this command, make sure that the change has been done and that your time is correct. This is how to check the time on your system and how the output should look like:

$ timedatectl status

Configuring your hostname

Set your hostname by editing the /etc/hostname file, this will give a name ti your computer. My system's name is "woof" so I will echo that into the file.

$ echo "woof" > /etc/hostname

Now set your local host name resolution by editing the /etc/hosts. In this example of the file is my username "woof". Don't forget to replace it with your own hostname!!

# Static table lookup for hostnames.
# See hosts(5) for details.       localhost
::1             localhost       woof.localdomain        woof

Configuring users

Now change your root password, this will be your administrator password, keep in mind that because of security reasons you SHOULD NOT use root user as your daily user.

$ swapon /dev/sdX2
$ passwd

After this create an user that will be used by you. Give it a wheel user group so you can use the sudo to run programs that require root priviledges.

$ useradd -mG wheel [your_username]

At last, change the user's password.

$ passwd [your_username]

Installing the bootloader

There are a lot of different bootloaders to choose from for linux. For the sake of simplicity, only instructions for GNU grub will be shown.

From this point some parts get very complicated, so be very careful! look at what you write, small mistakes like one wrong letter in the wrong place can make your system useless. However you can fix that later in the liveboot...


You can check wether you have UEFI or legacy by executing this command:

$ ls /sys/firmware/efi

if the directory doesn't exist, that means you're using legacy boot.


$ pacman -S grub

After installing this package, install the grub bootloader using this command:

$ grub-install /dev/sdX


Install following packages:

$ pacman -S efibootmgr grub linux-headers

After installing these packages, install the grub bootloader using this command:

$ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB


If you want to get rid of the boot menu at startup, you can set GRUB_TIMEOUT=0 in /etc/default/grub before applying the config.

Generate the grub config.

$ grub-mkconfig -o /boot/grub/grub.cfg

Run the blkid command and get the UUID of the /dev/sdX3. To obtain it more easily, output the command into some file and then go to the file with vim and copy the UUID.

$ blkid >> file


If you don't know how to copy in vim.. With your cursor in visual mode, go to the start of the UUID and press v. It should highlight the area you are selecting. Now move with hjkl or arrow keys to the and of the UUID while it is getting highlighted and press y to copy the selected text.

Now go to the /etc/default/grub file and put the UUID inside of GRUB_CMDLINE_LINUX. Don't forget to add the :root after the UUID! This is how it should look like:

After that, regenerate the grub config.

$ grub-mkconfig -o /boot/grub/grub.cfg

Configuring mkinitcpio

Don't forget to edit the /etc/mkinitcpio.conf. You need to edit the HOOKS in that file.. After the autodetect add keyboard and keymap. And after block add encrypt parameters.
It should look like this:

HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)

After you have saved the changes, rebuild the mkinitcpio.

$ mkinitcpio -p linux

Configuring Bluetooth and Internet

You need to activate two services to use the internet and bluetooth after you boot to your system for the first time. Simply install thes packages:

$ pacman -S networkmanager bluez bluez-utils pulseaudio-bluetooth

After installing these packages, enable them with systemctl (yes SystemD is stinky and bad.)

$ systemctl enable NetworkManager
$ systemctl enable bluetooth

Configuring Sudo

To you can properly use sudo with root priviledges, you need to uncomment a line with %wheel in the /etc/sudoers.

Configuring pacman

You will probably want to install application such as steam or discord, for that you will need to enable multilib. You need to edit /etc/pacman.conf and uncomment the multilib repository lines. I recommend you to uncomment the color parameter, it looks a lot nicer that way.

After that run this command to refresh the pacman.

$ pacman -Syy

Leaving chroot

After you made all the changes needed. Leave the chroot.

$ exit

Now unmount all the drives.

$ umount -a

And now finally reboot...

# Post-installation

After you have finished all the previous steps, your base Arch Linux installation should be complete! Now the only things to do are configuring the DEs or WMs and some other stuff... Have fun.