For some reason, it brings me great joy to reinstall fresh Linuxes on my non-Mac systems. I do that a lot. While my servers usually run Debian, my personal computers almost exclusively run Arch. Arch Linux is bleeding edge, rolling release and just awesome in general. The Arch Way requires you to do it all on your own, with the help of online resources to guide you along the way.
Having said that, this guide will lead you through the installation of Arch Linux. You will also encrypt your whole root volume so it’s safer in everyday use. This kind of goes against the Arch Way because a step-by-step instruction makes it way too easy for you. Therefore, I suggest you follow all the links I provide as background information and really read up on the subject matter. If you have no interest in doing that, Arch is not for you. Please leave.
Needless to say, all of this can be done with the help of the wonderful Arch Linux wiki. It is a marvelous resource of Linux computing splendor. If you have a question, you will most likely find the answer there. I’m not kidding. It’s incredibly thorough.
Prepare an EFI USB drive with Arch Linux. If you need help creating such a contraption, go help yourself at Arch Wiki - USB flash installation media.
Booting into our installation environment
Boot it! This will be different on every system so it’s kind of
pointless to make a generic guide for that. Make sure that your system
is able to boot from USB. Bring up the boot menu. There should be
shortcuts displayed during boot-up, if not, try hitting
launch the UEFI boot loader it finds on the installation media you
If this is successful, you should end up with a command prompt similar to this:
Arch Linux 4.2.2-1-ARCH (tty1)

archiso login: root (automatic login)
root@archiso ~ #
Before we continue, we’re assuming a US keyboard layout for the installation. If, however, you wish to set up a different locale for this short part, you can do so!
/etc/locale.gen. Go through the file and uncomment the line
representing your chosen locale.
$ nano /etc/locale.gen
We shall generate the locale!
Now that we’re done with that, we just need to set the locale.
$ localectl set-locale LANG=en_US.UTF-8
You can read more on this here: Arch Wiki - Locale.
It is time to partition your drive. Like, the one your old stuff is on. I can’t stress this enough. This guide assumes you only want Arch Linux on your system and will most likely erase everything else you have. You will have to carefully adapt the workflows in here in order to install Arch Linux elsewhere and/or alongside other OSes. If you have old data you need, back it up!
We want to be modern and use GPT, so we’re using
gdisk for partitioning:
$ gdisk /dev/sda
gdisk is fun, if you want more information on what it does, type
We’re going for the most simple setup here. We want an EFI boot
partition and put all the rest in an LVM partition that will be
encrypted. I will assume an EFI partition of 512 MiB in size with the
second partition filling the rest of it. I will also assume you want to
do all this on the first internal drive there is, this should be
Here’s a fun list of steps:
- [ENTER] to print all your current partitions. Does it look familiar, does it make sense? If so, good. We’re going to erase them all. THIS WILL DESTROY YOUR DATA ON THESE PARTITIONS!
- [ENTER] to delete partitions, and type in a number to delete it. Do this until all are gone.
- [ENTER] to create the EFI system partition now.
- [ENTER] again to confirm the default next partition, which is 1. We have no other.
- [ENTER] once more to confirm the default first sector.
- [ENTER] to set the size for our partition.
- To make this an EFI system partition, enter
Same procedure for our LVM partition.
- [ENTER], confirming the default.
- [ENTER], confirming the default.
- [ENTER], confirming the default of maximum size.
- For type we’re using
- To finalize our changes, hit
- Confirm with
You can check what you just did with
gdisk -l /dev/sda. It should
still make sense. If it doesn’t make sense anymore, stop now.
Creating the encrypted container
Now we’ll create and mount our encrypted container on the partition we created. The wiki has more information on Arch Wiki - Disk Encryption.
Read what’s on your screen in the following steps carefully! You will also have to pick a passphrase for your encrypted volume.
$ cryptsetup -y luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 lvm
Creating logical volumes and filesystems
Let’s create some filesystems. The EFI boot partition will be a FAT partition.
$ mkfs.vfat /dev/sda1
Now we’ll do some logical volumes inside the encrypted container we just
made. I picked
16GB for the swap partition, you can decide
differently. Make sure not to mix up upper and lower case here.
$ pvcreate /dev/mapper/lvm
$ vgcreate vg /dev/mapper/lvm
$ lvcreate --name cryptswap -L 16GB vg
$ lvcreate --name cryptroot -l 100%FREE vg
Let’s make a swap partition and an ext4 partition for the rest.
$ mkswap /dev/mapper/vg-cryptswap
$ swapon /dev/mapper/vg-cryptswap
$ mkfs.ext4 /dev/mapper/vg-cryptroot
Mount what we have
And mount it all.
$ mount /dev/mapper/vg-cryptroot /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
Finally, the installation
We’ll do a default Arch Linux installation on our new system now. If you need a wireless network connection supported by the current Linux kernel, you can simply connect to one with:
Remember that if you’re connected via Ethernet, you most likely already
have networking running. Try pinging something on the Internet with
If you rely on wireless networking, make sure to include necessary
wifi-menu that just worked so flawlessly will
otherwise not be there when you reboot. There is help for you at
Arch Wiki - Wireless network configuration.
$ pacstrap -i /mnt base base-devel
$ genfstab -U -p /mnt >> /mnt/etc/fstab
Hooray! Let’s chroot into our new system.
$ arch-chroot /mnt /bin/bash
We’re at that point again where we want to set up our system-wide
locale(s). As before, we’re going to edit
/etc/locale.gen. Go through
the file and uncomment the locales you want.
$ nano /etc/locale.gen
Locales, but now persistently
We’re generating the locales again:
We could use the wonderful new
localectl to set our locale but since
we’re chrooted, we have no DBus and thus it doesn’t work. Bummer.
Let’s do it the old way (put your locale after LANG= accordingly):
$ echo LANG=en_US.UTF-8 > /etc/locale.conf
$ export LANG=en_US.UTF-8
Once again, you can read more on this here on the Arch Wiki - Locale.
I expect systems to be running UTC, because time zones are bad
inventions of humankind. You can pick a default timezone that suits you
better of course. There’s lots to choose from in
/usr/share/zoneinfo/, just have a look around.
$ ln -s /usr/share/zoneinfo/UTC /etc/localtime
$ hwclock --systohc --utc
Set your root password:
And a fun hostname:
$ echo "funhostname" > /etc/hostname
systemd comes with its own boot manager by default, which is based
on gummiboot. We don’t need to install it ourselves anymore, it’s just
there. For our configuration, it works perfectly.
All you do is:
$ bootctl install
For more information on systemd-boot, refer to the Arch Wiki - systemd-boot.
We need to find the UUID of
/dev/sda2, which is the partition hosting
our encrypted container. That is, if you followed the guide. If you made
modifications, partitioned things differently, you need to adapt this to
Just like gummiboot did before,
systemd-boot has its boot loader
/boot/loader/entries and that’s where we’re going to put
First, we’ll use
blkid to filter out our UUID and put it in the
arch.conf we want:
$ blkid -s UUID -o value /dev/sda2 > /boot/loader/entries/arch.conf
We should edit the boot entry now. Make sure the UUID wanders in place
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=putUUIDhere:lvm resume=/dev/mapper/vg-cryptswap root=/dev/mapper/vg-cryptroot quiet rw
Now we should update our
$ bootctl update
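A wrong or empty UUID in `cryptdevice=` leaves the system unable to find its encrypted container at boot. The following is an added example, not part of the original guide: it builds the same entry shown above and refuses any value that is not a UUID. The helper names `is_uuid` and `render_entry` and the sample UUID are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). render_entry and is_uuid are
# hypothetical helper names; the UUID at the bottom is constructed.

# Succeed only if $1 is exactly one blkid-style UUID (8-4-4-4-12 hex digits).
is_uuid() {
    [ "${#1}" -eq 36 ] &&
        printf '%s\n' "$1" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# Print the boot entry for this guide's layout (LUKS on /dev/sda2, volume
# group "vg" with cryptroot and cryptswap). Refuses anything but a UUID.
render_entry() {
    uuid=$1
    if ! is_uuid "$uuid"; then
        echo "refusing to build entry: '$uuid' is not a UUID" >&2
        return 1
    fi
    cat <<EOF
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=${uuid}:lvm resume=/dev/mapper/vg-cryptswap root=/dev/mapper/vg-cryptroot quiet rw
EOF
}

# Inside the chroot, build the entry first and write it only on success, so a
# failed blkid lookup never leaves a half-written arch.conf behind:
#   entry=$(render_entry "$(blkid -s UUID -o value /dev/sda2)") &&
#       printf '%s\n' "$entry" > /boot/loader/entries/arch.conf

# Demonstration with a constructed UUID:
render_entry "0a1b2c3d-1111-2222-3333-444455556666"
```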
In order to boot with the necessary kernel modules loaded for decrypting our
fancy container, edit the
$ nano /etc/mkinitcpio.conf
Find the line starting with
HOOKS and edit it as follows:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"
mkinitcpio create its ramdisk environment again:
$ mkinitcpio -p linux
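A misplaced hook only shows up at the next boot, when the passphrase prompt or the root volume is missing. This added example, not part of the original guide, checks that a `mkinitcpio.conf` lists `encrypt`, `lvm2`, `resume` and `filesystems` in the order the HOOKS line above uses. The function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide); function names are hypothetical.

# Print the hooks from the active (uncommented) HOOKS line, one per line.
hooks_of() {
    sed -n 's/^HOOKS=[("]\(.*\)[)"][[:space:]]*$/\1/p' "$1" |
        tail -n 1 | tr -s '[:space:]' '\n'
}

# Print the 1-based position of hook $2 in file $1; print nothing if absent.
hook_pos() {
    hooks_of "$1" | grep -nxF -- "$2" | head -n 1 | cut -d: -f1
}

# Succeed only if the hooks appear in the order this guide uses:
# encrypt, then lvm2, then resume, then filesystems.
check_hooks() {
    conf=$1
    prev=0
    for h in encrypt lvm2 resume filesystems; do
        pos=$(hook_pos "$conf" "$h")
        if [ -z "$pos" ]; then
            echo "missing hook: $h" >&2
            return 1
        fi
        if [ "$pos" -le "$prev" ]; then
            echo "hook out of order: $h" >&2
            return 1
        fi
        prev=$pos
    done
}

# Demonstration on a constructed config file (use /etc/mkinitcpio.conf on the
# real system, before running mkinitcpio):
sample=$(mktemp)
printf '%s\n' '#HOOKS="base udev block filesystems"' \
    'HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"' > "$sample"
check_hooks "$sample" && echo "HOOKS order ok"
rm -f "$sample"
```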
And that’s it! Reboot.
$ exit
$ umount /mnt/boot
$ umount /mnt
$ shutdown -r now
This should be all. Enjoy your new encrypted system.
Note: Once you’re done, the
/boot partition will still not be
encrypted. There are ways around this, please consult the
Arch Wiki - dm-crypt/Specialties Securing the unencrypted boot partition.
If you go this far, also consider how you could make your system
tamper-evident—this means once you notice a tamper event, you can toss
the whole computer.
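Because the kernel, initramfs and boot loader stay readable and writable on the unencrypted `/boot`, one simple form of tamper evidence is a hash manifest of those files kept on the encrypted root. This is an added example, not part of the original guide or of any existing tool; the function names and the manifest path in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide); function names and the manifest
# location in the usage comments are hypothetical.

# Print "hash  ./relative/path" for every file under directory $1, sorted.
boot_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done )
}

# Compare directory $1 against the saved manifest $2.
# Returns 0 if identical, 1 if any file changed, appeared or vanished,
# 2 if the directory or the manifest cannot be read.
boot_verify() {
    current=$(boot_manifest "$1") || return 2
    saved=$(cat "$2") || return 2
    [ "$current" = "$saved" ] && return 0
    echo "boot files differ from baseline:" >&2
    # Lines present now but not in the baseline: modified or added files.
    printf '%s\n' "$current" | grep -vxF -f "$2" >&2 || true
    return 1
}

# After a boot you trust, from the running (encrypted) system:
#   boot_manifest /boot > /var/lib/boot.sha256
# On every later boot:
#   boot_verify /boot /var/lib/boot.sha256 || echo "WARNING: /boot changed"
```

Kernel and boot loader updates legitimately change these files, so record a new baseline after each upgrade. The check reports a change after the fact; it does not prevent one.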