Arch_encrypted_install

Encrypted Arch Linux Installation w/ Encrypted Swap

The ultimate installation resource is always going to be the:

  1. Connect to Wi-Fi:
iwctl
[iwd]# device list
[iwd]# station wlan0 scan
[iwd]# station wlan0 connect NETGEAR80
# Enter your Password
# Check Connection
[iwd]# station wlan0 show
[iwd]# exit
ping -c 3 archlinux.org
  1. Update package databases:
pacman -Sy
  1. Set system clock:
timedatectl set-ntp true
  1. Partition your Disk:
  • Identify your target disk (eg. /dev/mmcblk0):
lsblk

❗ If you already have an EFI partition you do not have to create another one and doing so can cause issues. First check with fdisk -l, before creating a new one.

Check your partitions:

fdisk -l | less
Device            Size           Type
/dev/mmcblk0p1     1G            EFI System
/dev/mmcblk0p2     57.2G         Linux root (x86-64)

Since I already have an EFI partition, I can just mount it:

mkdir -p /mnt/boot
mount /dev/mmcblk0p1 /mnt/boot

If you don’t already have an EFI partition, create one here:

  1. Use fdisk, parted, or cfdisk to create partitions.
cfdisk /dev/mmcblk0
  • cfdisk(8) man page

  • 1G boot partition, press b to set boot flag

  • The rest of the disk as a primary partition, /dev/mmcblk0p2 (this will hold btrfs); press p to set the primary flag.

  1. Format the EFI partition as FAT32:
mkfs.fat -F32 /dev/mmcblk0p1
  • Leave the root partition unformatted for the encryption step next.
  1. Encrypt the Root Partition and Open it:
cryptsetup luksFormat /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 cryptroot

Create a Filesystem with Compression

mkfs.btrfs /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
  • Later, we will enable compression by mounting with options like compress=zstd in fstab or manually.
  1. Encrypted Swap
cfdisk /dev/mmcblk0
  • Select New -> Enter size (2x your RAM size) -> Set type to Linux swap

  • Select Write -> Type yes -> Select Quit

Verify the new partition (e.g., /dev/mmcblk0p3):

lsblk

Encrypt the swap partition with LUKS:

cryptsetup luksFormat /dev/mmcblk0p3
cryptsetup open /dev/mmcblk0p3 cryptswap

Format the decrypted swap partition:

mkswap /dev/mapper/cryptswap

Enable the swap:

swapon /dev/mapper/cryptswap

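Add the swap to /mnt/etc/fstab (this will be updated later in the genfstab step, but you can manually ensure it). /mnt/etc only exists once pacstrap has run, so this command and the crypttab command below fail if run before that step: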

echo '/dev/mapper/cryptswap none swap defaults 0 0' >> /mnt/etc/fstab

Add the swap partition to the LUKS configuration for automatic unlocking on boot:

echo 'cryptswap /dev/mmcblk0p3 none luks' >> /mnt/etc/crypttab

❗ Later, after arch-chroot, ensure the mkinitcpio.conf HOOKS include resume (after encrypt) if you plan on using hibernation. This will be covered in the initramfs step.

Continue with Arch Installation

Install the Base System and Essential Packages on /mnt with pacstrap

pacstrap -K /mnt base linux-zen linux-zen-headers linux-firmware networkmanager helix grub lightdm lightdm-gtk-greeter btrfs-progs cryptsetup sudo base-devel
  • Ensure /mnt/boot (EFI) is mounted as above. Check with: mount | grep /mnt/boot
    • To list all mounts under /mnt: findmnt /mnt

    • I had to remount /mnt/boot in order for the fstab to pick it up with: mount /dev/mmcblk0p1 /mnt/boot

  1. Generate the Filesystem Table:
genfstab -U /mnt >> /mnt/etc/fstab
#
cat /mnt/etc/fstab
# Add compression
vim /mnt/etc/fstab
  • Important: It should list /dev/mapper/cryptroot mounted on / with Btrfs options, and /dev/mmcblk0p1 on /boot. If the fstab doesn’t show both, you need to regenerate it after mounting the missing partition.
  1. Add compression, only for the encrypted partition:
# fstab
/dev/mapper/cryptroot    /    btrfs    rw,relatime,compress=zstd,ssd, #...snip

Remount root with compression without rebooting:

mount -o remount,compress=zstd /mnt
  1. Change Root into the New Installation
arch-chroot /mnt

Create a user:

useradd -m -G wheel -s /bin/bash yourusername
passwd yourusername

Enable sudo for wheel group:

EDITOR=vim visudo

If that doesn’t work, use vim /etc/sudoers and edit the file accordingly.

Uncomment the line:

%wheel ALL=(ALL) ALL
  1. Edit /etc/mkinitcpio.conf in your new system to add the encrypt hook before filesystems
  • Locate the HOOKS line (near the top)

  • Insert encrypt before filesystems

vim /etc/mkinitcpio.conf

❗ NOTE how I also added the resume after encrypt

# mkinitcpio.conf
# ... snip ...
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt resume filesystems fsck)
# ... snip ...
  1. Regenerate initramfs with:
mkinitcpio -p linux-zen
# Should output
Initcpio image generation successful
  1. Install GRUB and the EFI boot manager (while still in the chroot environment):
pacman -S grub efibootmgr

Install GRUB for UEFI Systems:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
# Should output
Installation finished. No error reported.

Configure GRUB to unlock LUKS root partition

  • Edit /etc/default/grub and modify the line starting with GRUB_CMDLINE_LINUX to add:
cryptdevice=/dev/mmcblk0p2:cryptroot root=/dev/mapper/cryptroot

Example:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/mmcblk0p2:cryptroot root=/dev/mapper/cryptroot"

Generate GRUB configuration:

grub-mkconfig -o /boot/grub/grub.cfg
# Should output
Adding boot menu entry for UEFI Firmware Settings ...
done
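
A pre-reboot check for the two settings above that decide whether the LUKS root unlocks at boot: the HOOKS order and the match between cryptdevice= and root=. This is an added example, not part of the original guide; the function names hook_pos, check_hooks and check_cmdline are hypothetical, and the sample values are constructed, modelled on the guide's own lines.

```sh
#!/bin/sh
# Added example (not from the original guide): pre-reboot checks for the
# mkinitcpio HOOKS order and the GRUB kernel command line described above.

# hook_pos HOOKS_LINE NAME -> prints the 1-based position of NAME, 0 if absent
hook_pos() {
    list=${1#*\(}; list=${list%\)*}
    i=0
    for h in $list; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_hooks HOOKS_LINE -> 0 when encrypt precedes filesystems and, if
# resume is present, it sits between encrypt and filesystems
check_hooks() {
    e=$(hook_pos "$1" encrypt)
    r=$(hook_pos "$1" resume)
    f=$(hook_pos "$1" filesystems)
    if [ "$e" -eq 0 ] || [ "$f" -eq 0 ] || [ "$e" -gt "$f" ]; then return 1; fi
    if [ "$r" -ne 0 ] && { [ "$r" -lt "$e" ] || [ "$r" -gt "$f" ]; }; then
        return 1
    fi
    return 0
}

# check_cmdline CMDLINE -> 0 when cryptdevice=<device>:<name> is present and
# root= is /dev/mapper/<name>, i.e. the mapper name matches in both places
check_cmdline() {
    name=; root=
    for arg in $1; do
        case $arg in
            cryptdevice=*:*)
                name=${arg#cryptdevice=}; name=${name#*:}; name=${name%%:*} ;;
            root=*) root=${arg#root=} ;;
        esac
    done
    [ -n "$name" ] && [ "$root" = "/dev/mapper/$name" ]
}

# Constructed samples, modelled on the HOOKS and GRUB_CMDLINE_LINUX lines above
HOOKS_OK='HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt resume filesystems fsck)'
CMDLINE_OK='cryptdevice=/dev/mmcblk0p2:cryptroot root=/dev/mapper/cryptroot'

if check_hooks "$HOOKS_OK"; then echo "HOOKS order: ok"; else echo "HOOKS order: BAD"; fi
if check_cmdline "$CMDLINE_OK"; then echo "cmdline: ok"; else echo "cmdline: BAD"; fi
```

Inside the chroot, the real values can be passed in with check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" and check_cmdline "$(. /etc/default/grub; echo "$GRUB_CMDLINE_LINUX")".
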
  1. Enable LightDM and NetworkManager
systemctl enable lightdm
systemctl enable NetworkManager

Configure LightDM greeter:

  • Edit /etc/lightdm/lightdm.conf to add:
# lightdm.conf
[Seat:*]
greeter-session=lightdm-gtk-greeter

Exit arch-chroot with exit.

Unmount your partitions and reboot:

umount /mnt/boot
umount /mnt
cryptsetup close cryptroot
  1. Reboot

arch-chroot

Say you forgot something, like adding a user and password. You reboot, go to a TTY to log into your system, and are hit with an “AHHH, I can’t log in, WTF!”

Lol, don’t panic. It’s as easy as repeating some of the steps above. Reboot into the Live environment (like we just did for the install), remount your partitions and arch-chroot back in:

Open the encrypted root partition:

cryptsetup open /dev/mmcblk0p2 cryptroot

Mount the decrypted root:

mount /dev/mapper/cryptroot /mnt

Mount the EFI partition:

mount /dev/mmcblk0p1 /mnt/boot

Chroot into your installed system:

arch-chroot /mnt
useradd -m -G wheel -s /bin/bash yourusername
passwd yourusername
  • The -s /bin/bash option sets the user’s default shell to Bash, which is the standard command-line interface. You can use another shell like Zsh (/bin/zsh) if installed.

Uncomment the line %wheel ALL=(ALL:ALL) ALL in /etc/sudoers

Exit chroot:

exit

Unmount and close LUKS:

umount /mnt/boot
umount /mnt
cryptsetup close cryptroot
reboot
