Installing Arch Linux with Full Disk Encryption
Let’s create an encrypted Arch Linux installation! You can follow this tutorial whether you plan to install Arch on an internal disk, a USB flash drive, an SD card, or an external drive. You will have to boot from either the official Arch ISO or an existing Arch Linux machine. This tutorial assumes that you’re working in a root shell and that you’re already familiar with installing Linux distros and working on the command line.
Partitioning
Feel free to come up with your own partitioning scheme and disk layout. In my
case I will install everything on an internal drive, known to my system as
/dev/sda. Make sure to replace every occurrence of sda with the correct
device name on your own system. It most likely will be different! Be careful not
to accidentally wipe any important data!
I’ve created three partitions on my drive:
- A placeholder partition for a legacy boot record (/dev/sda1, size 1MB)
- An EFI boot partition for UEFI systems (/dev/sda2, size 512MB, type ef00)
- My encrypted LUKS/root partition (/dev/sda3, type 8309)
Installer scripts
Let’s install the official Arch Linux installer scripts, which we’ll need to bootstrap the new system in a moment (you can skip this step if you are installing from the official Arch ISO):
pacman -S arch-install-scripts
Encryption setup
Before creating our actual data volumes we need to initialize cryptsetup:
cryptsetup luksFormat --type luks2 /dev/sda3
cryptsetup open /dev/sda3 cryptlvm
Instead of cryptlvm you can also use your own custom name, just make sure to
replace every occurrence of cryptlvm in this tutorial with it.
LVM setup
Let’s create a new LVM inside the encrypted partition:
pvcreate /dev/mapper/cryptlvm
vgcreate cryptvg /dev/mapper/cryptlvm
lvcreate -l 100%FREE cryptvg -n root
You can use a custom name instead of cryptvg, just make sure to replace every
occurrence of cryptvg in this tutorial with it.
Filesystems
To keep it simple, I’ll create a regular ext4 filesystem inside the logical volume we just created, as well as a FAT32 filesystem for the EFI boot partition:
mkfs.ext4 /dev/cryptvg/root
mkfs.fat -F32 /dev/sda2
mount /dev/cryptvg/root /mnt
mkdir /mnt/boot
mount /dev/sda2 /mnt/boot
Bootstrap Arch Linux
Let’s bootstrap a basic Arch Linux installation on /mnt:
pacstrap /mnt base linux linux-firmware
Next we’ll need to generate /etc/fstab:
genfstab -U /mnt >> /mnt/etc/fstab
Now we have everything we need to use our fresh install as a self-contained
chroot:
arch-chroot /mnt
Time for the basic system configuration:
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
hwclock --systohc
Edit /etc/locale.gen and enable your preferred system locale by uncommenting
its line. Then generate the locales for the first time:
locale-gen
Edit /etc/locale.conf and set your preferred locale as your system’s default:
LANG=en_US.UTF-8
Set your system’s machine name in /etc/hostname and create a basic
/etc/hosts:
127.0.0.1 localhost
::1 localhost
127.0.1.1 mymachine.localdomain mymachine
Next we’ll need to edit /etc/mkinitcpio.conf so we can generate an initramfs
which lets us decrypt our root partition during start-up. Change the HOOKS
definition to look like this:
HOOKS=(base systemd udev keyboard autodetect sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)
We have to create an /etc/crypttab.initramfs to identify our encrypted volume.
Linux uses UUIDs to uniquely identify your data volumes, independent of the
system they’re attached to. Let’s figure out the UUID of our encrypted
partition:
ls -l /dev/disk/by-uuid | grep sda3
Copy the UUID and edit /etc/crypttab.initramfs:
cryptlvm UUID=<your UUID> none luks2,discard
We can edit /etc/vconsole.conf to define the keyboard layout used for entering
our encryption passphrase during start-up:
KEYMAP=us
Let’s generate a new initramfs image that contains everything we need for
decrypting our volume:
pacman -S lvm2
mkinitcpio -p linux
Time to set a root password:
passwd
Boot-loader
Installing an EFI boot loader with systemd-boot is rather straightforward:
bootctl install
We will have to tell the boot loader which root partition to boot from. Look at
your /etc/fstab and copy the UUID of your root filesystem. Note that this is a
different UUID than the one we used before!
Edit /boot/loader/entries/arch.conf and add the following lines:
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=UUID=<your UUID> rw
Packages
Last but not least, let’s install a few basic packages we may need:
pacman -S net-tools openssh wget htop dialog wpa_supplicant
We’re done! Exit the chroot and unmount the filesystems:
exit
umount -R /mnt
sync
Hooray, you’ve just finished installing an encrypted Arch Linux system! Try to boot it up and see if everything is working as expected.
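Before rebooting, it pays to confirm that the three files edited above agree with each other, since a typo in any of them leaves you at an unbootable initramfs prompt. The following script is an added example and is not part of the original post. It checks that the HOOKS line in /etc/mkinitcpio.conf contains the systemd-based hooks in a workable order (and no leftover busybox encrypt/keymap hooks), that /etc/crypttab.initramfs and the loader entry both carry real UUIDs rather than the <your UUID> placeholder, and that the loader’s root= is not the LUKS UUID. The file paths, the mapper name cryptlvm (overridable via MAPPER) and the script name preflight.sh are assumptions taken from this tutorial; run it inside the chroot before the exit above.

```shell
#!/bin/sh
# Added pre-boot sanity check for the configuration produced in this tutorial.
# Not part of the original post. Assumes the file names used above
# (/etc/mkinitcpio.conf, /etc/crypttab.initramfs and the systemd-boot entry
# /boot/loader/entries/arch.conf) and the mapper name "cryptlvm" (override
# with MAPPER=...). Run inside the chroot, or pass paths of copies of the files.

# hook_index FILE HOOK: print the 0-based position of HOOK in HOOKS=(...), or -1
hook_index() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1")
    i=0
    for hk in $hooks; do
        if [ "$hk" = "$2" ]; then printf '%s\n' "$i"; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' -1
}

# check_hooks FILE: succeed only if the HOOKS line can unlock LUKS and
# activate LVM from a systemd-based initramfs, in a workable order
check_hooks() {
    hf=$1 hooks_rc=0
    # busybox hooks do not work together with the systemd init used by sd-encrypt
    for bad in encrypt keymap; do
        if [ "$(hook_index "$hf" "$bad")" -ge 0 ]; then
            echo "HOOKS: '$bad' is a busybox hook; with systemd use sd-encrypt / sd-vconsole" >&2
            hooks_rc=1
        fi
    done
    for need in systemd sd-vconsole block sd-encrypt lvm2 filesystems; do
        if [ "$(hook_index "$hf" "$need")" -lt 0 ]; then
            echo "HOOKS: missing '$need'" >&2
            hooks_rc=1
        fi
    done
    [ "$hooks_rc" -eq 0 ] || return 1
    # order matters: the block device must exist before it is unlocked, and the
    # volume group must be activated before the root LV can be mounted
    prev=-1
    for h in block sd-encrypt lvm2 filesystems; do
        cur=$(hook_index "$hf" "$h")
        if [ "$cur" -le "$prev" ]; then
            echo "HOOKS: '$h' is out of order (expected block, sd-encrypt, lvm2, filesystems)" >&2
            return 1
        fi
        prev=$cur
    done
    return 0
}

# check_uuids CRYPTTAB ENTRY: both files must carry well-formed UUIDs, and the
# loader's root= must not be the LUKS UUID (the mix-up the tutorial warns about)
check_uuids() {
    name=${MAPPER:-cryptlvm}
    luks=$(awk -v n="$name" '$1 == n { sub(/^UUID=/, "", $2); print $2 }' "$1")
    root=$(sed -n 's/^options .*root=UUID=\([^ ]*\).*/\1/p' "$2")
    for u in "$luks" "$root"; do
        printf '%s\n' "$u" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
            || { echo "bad or missing UUID: '$u' (placeholder left in?)" >&2; return 1; }
    done
    if [ "$luks" = "$root" ]; then
        echo "loader entry uses the LUKS UUID; root= needs the ext4 UUID from /etc/fstab" >&2
        return 1
    fi
    return 0
}

# preflight [MKINITCPIO_CONF] [CRYPTTAB] [LOADER_ENTRY]: run every check; 0 on success
preflight() {
    status=0
    check_hooks "${1:-/etc/mkinitcpio.conf}" || status=1
    check_uuids "${2:-/etc/crypttab.initramfs}" "${3:-/boot/loader/entries/arch.conf}" || status=1
    [ "$status" -eq 0 ] && echo "pre-boot check passed"
    return "$status"
}

# `sh preflight.sh --run [paths...]` runs the checks; sourced, it only defines functions
case "${1:-}" in
    --run) shift; preflight "$@" ;;
esac
```

Run it as `sh preflight.sh --run` inside the chroot (it defaults to the paths from this tutorial), or point it at copies with `sh preflight.sh --run ./mkinitcpio.conf ./crypttab.initramfs ./arch.conf`. Every finding is printed on stderr and the exit status is non-zero, so it can also sit in front of the mkinitcpio step.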