Skip to main content
  1. Posts/

Arch Linux Full Encryption Installation Guide

·497 words·3 mins
Security Linux Arch Linux Linux Encryption
Nathan Higley
Nathan Higley
just a guy who likes cyber
Table of Contents

Arch Linux w/ Fully Encrypted Filesystem

This guide will show step by step how to create a clean Arch Linux install with a fully encrypted filesystem. This means that even the boot partition will be encrypted. The only unencrypted partition on the disk will be the EFI partition which could be configured later to use secure boot.

Assuming an EFI system with GPT disk.

Basic Install Stuff

Make sure you can hit the outside world:


If not run dhcpcd:


Set the time:

timedatectl set-ntp true

Setup the Disk (where the magic happens)

Create Partitions

Assuming /dev/sda is the device you want to install to.

parted /dev/sda

mklabel gpt

mkpart ESP fat32 1MiB 200MiB

set 1 boot on

name 1 efi

mkpart primary 800MiB 100%

set 2 lvm on

name 2 lvm


Setup LUKS

Encrypt the partition

cryptsetup luksFormat –type luks1 /dev/sda2

Open the partition

cryptsetup open /dev/sda2 encrypted-lvm

Setup LVM

Create a Physical Volume

pvcreate /dev/mapper/encrypted-lvm

Create a volume group

vgcreate arch /dev/mapper/encrypted-lvm

Create logical volumes in group

lvcreate -n home -L <SIZE>G arch

lvcreate -n root -L <SIZE>G arch

lvcreate -n boot -L 600M arch

lvcreate -n swap -L <SIZE> -C y arch

Format Partitions

Format the EFI partition

mkfs.fat -F32 /dev/sda1

Format the Volume Groups

mkfs.ext4 -L boot /dev/mapper/arch-boot

mkfs.btrfs -L root /dev/mapper/arch-root

mkfs.btrfs -L home /dev/mapper/arch-home

mkswap /dev/mapper/arch-swap

Mount Partitions

Configure Swap

swapon /dev/mapper/arch-swap swapon -a; swapon -s

Mount the filesystem

mount /dev/mapper/arch-root /mnt

mkdir -p /mnt/{home,boot}

mount /dev/mapper/boot /mnt/boot

mount /dev/mapper/arch-home /mnt/home

mkdir /mnt/boot/efi

mount /dev/sda1 /mnt/boot/efi

Check how everything is mounted

lsblk -f

Install the Base System

Install base packages

pacstrap /mnt base efibootmgr btrfs-progs grub linux-zen linux-firmware lvm2

Generate Fstab

genfstab -U -p /mnt > /mnt/etc/fstab

Chroot into new install

arch-chroot /mnt /bin/bash

Configure the Install

Normal Things

Set the time zone

ln -sf /usr/share/zoneinfo/Region/City /etc/localtime

hwclock –systohc

Localization Uncomment “en_US.UTF-8 UTF-8” from /etc/locale.gen


echo “LANG=en_US.UTF-8” > /etc/locale.conf

Set the hostname

echo “hostname” > /etc/hostname

Edit /etc/hosts to	localhost
::1	        localhost	hostname.localdomain	hostname

Encryption Unlock

Generate a keyfile for the root filesystem:

dd bs=512 count=4 if=/dev/random of=/root/encrypted-lvm.keyfile iflag=fullblock

chmod 000 /root/encrypt-lvm.keyfile

cryptsetup -v luksAddKey /dev/sda2 /root/encrypted-lvm.keyfile

Edit /etc/mkinitcpio.conf and add keyboard keymap encrypt lvm2 to hooks and add keyfile to files

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)

Then generate the initramfs image:

mkinitcpio -p linux-zen

Secure the embedded keyfile:

chmod 600 /boot/initramfs-linux*

Configure grub, edit /etc/default/grub:

GRUB_CMDLINE_LINUX="... cryptdevice=/dev/sda2:encrypted-lvm ... cryptkey=rootfs:/root/encrypted-lvm.keyfile"

Install grub:

grub-install –target=x86_64-efi –efi-directory=/boot/efi –bootloader-id=GRUB –recheck

grub-mkconfig -o /boot/grub/grub.cfg

Final Cleanup

Set a root password

passwd Add a normal user account if desired.

Reboot into New Install


umount -R /mnt


The system should be configured with full disk encryption and an encrypted boot partition.


  1. Installation guide - ArchWiki
  2. dm-crypt/Encrypting an entire system - ArchWiki
  3. Install Arch Linux with full hard drive encryption using luks encryption | ComputingForGeeks