Mostly follows the Arch Linux install guide, but with tips from these for the encryption setup:
- https://gist.github.com/binaerbaum/535884a7f5b8a8697557
- https://wiki.archlinux.org/index.php/Systemd-boot#Standard_root_installations
- https://gist.github.com/mjkstra/96ce7a5689d753e7a6bdd92cdc169bae
- Uses an unencrypted /efi with Btrfs on LUKS for / and /home
Find the correct disk and clear all existing partitions with sgdisk:
# fdisk -l
# sgdisk --zap-all /dev/nvme0n1
Use gdisk to create a new GUID partition table (press "o") and two partitions (press "n"):
- Partition 1: 512M (or more) for /efi with type "EF00"
- Partition 2: the rest of the disk with type "8300" (we will create root, home, etc. here using Btrfs)
# gdisk /dev/nvme0n1
Format the boot partition with mkfs.fat:
# mkfs.fat -F32 /dev/nvme0n1p1
Uses an unencrypted /efi with Btrfs on LUKS for / and /home because the NSA is not my adversary, but I don't want random people to be able to get my shit if I lose my laptop. Creates the encrypted device and then LVM inside it, for as many partitions as you want.
# cryptsetup luksFormat /dev/nvme0n1p2 # remember the password here, it will be required at boot
# cryptsetup open /dev/nvme0n1p2 luks
Create Btrfs subvolumes:
# mkfs.btrfs /dev/mapper/luks
# mount /dev/mapper/luks /mnt
# btrfs subvolume create /mnt/@root
# btrfs subvolume create /mnt/@home
# umount /mnt
We unmount after creating the subvolumes so that we can mount them at their correct locations for installation.
Follow the Arch Linux install guide here, as from now it's mostly the same.
Note: ESP is mounted to /efi and systemd-boot can only find kernels there, but Arch Linux installs them to /boot. The simplest solution is to bind mount a subdirectory of ESP to /boot so that kernels are seamlessly installed in the correct place. See: https://wiki.archlinux.org/title/EFI_system_partition#Alternative_mount_points
# mount -o compress=zstd,subvol=@root /dev/mapper/luks /mnt
# mkdir /mnt/{boot,efi,home}
# mount -o compress=zstd,subvol=@home /dev/mapper/luks /mnt/home
# mount /dev/nvme0n1p1 /mnt/efi
# mkdir -p /mnt/efi/EFI/arch
# mount --bind /mnt/efi/EFI/arch /mnt/boot
# pacstrap /mnt base base-devel linux linux-firmware-intel intel-ucode sof-firmware btrfs-progs iwd openssh vim
# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
...
Things to note around section 3.6 Initramfs of the Arch Linux installation guide:
- You must edit the mkinitcpio.conf file before generating the initramfs to add support for the keyboard and sd-encrypt hooks
- Then adjust HOOKS according to the dm-crypt system configuration guide (using either base or systemd variants)
Install systemd-boot bootloader to /efi (by default):
# bootctl install
- When creating /efi/loader/entries/arch.conf, pay attention to the options for kernel command line
  - If using systemd initramfs (ie, systemd in HOOKS): rd.luks.name=0000-0000-0000-0000=archlinux root=/dev/mapper/archlinux where the UUID is that of the underlying encrypted block device
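The options line described above, as an added example that is not part of the original notes: a shell function that renders /efi/loader/entries/arch.conf from the real LUKS UUID and rejects placeholders such as 0000-0000-0000-0000, since a wrong UUID leaves the disk locked at boot. The function names, the entry title, the rw flag and rootflags=subvol=@root (needed to boot from the @root subvolume created earlier) are assumptions; paths are relative to the ESP because /boot is a bind mount of /efi/EFI/arch.

```shell
#!/bin/sh
# Added example: build the systemd-boot entry for the layout in this guide.
# Assumptions (not from the original notes): function names, entry title,
# the rw flag, and rootflags=subvol=@root, which follows from the @root subvolume.

# Succeeds only for a canonical 8-4-4-4-12 hex UUID, the form printed by
# `cryptsetup luksUUID`. The length check rules out embedded newlines.
is_luks_uuid() {
    [ "${#1}" -eq 36 ] || return 1
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the loader entry for a LUKS UUID ($1) and mapper name ($2, optional).
# Kernel and initramfs paths are relative to the ESP root: /boot is a bind
# mount of /efi/EFI/arch, so pacman places them under /EFI/arch on the ESP.
make_entry() {
    uuid=$1
    name=${2:-archlinux}
    if ! is_luks_uuid "$uuid"; then
        echo "make_entry: '$uuid' is not a LUKS UUID" >&2
        return 1
    fi
    case $name in
        ''|*[!A-Za-z0-9_-]*)
            echo "make_entry: bad mapper name '$name'" >&2
            return 1 ;;
    esac
    cat <<EOF
title   Arch Linux
linux   /EFI/arch/vmlinuz-linux
initrd  /EFI/arch/intel-ucode.img
initrd  /EFI/arch/initramfs-linux.img
options rd.luks.name=$uuid=$name root=/dev/mapper/$name rootflags=subvol=@root rw
EOF
}

# Inside the chroot, as root: sh this-script --write
# Reads the UUID of the encrypted partition itself, not of /dev/mapper/luks.
if [ "${1:-}" = "--write" ]; then
    uuid=$(cryptsetup luksUUID /dev/nvme0n1p2) || exit 1
    make_entry "$uuid" > /efi/loader/entries/arch.conf
fi
```
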
# useradd -m aorth
# passwd aorth
# pacman -S sway