@PHPCore1
Forked from mjnaderi/install-arch.md
Last active July 29, 2025 14:56
Installing Arch Linux with Full Disk Encryption (LVM on LUKS)

Installing Arch Linux with Full Disk Encryption

If you're aiming for a clean Arch Linux installation in UEFI mode, follow along: this guide walks through the process step by step. We'll use LUKS (Linux Unified Key Setup) with LVM (Logical Volume Manager) on top of it ("LVM on LUKS"): a single encrypted partition holds one LVM physical volume, and root, home and swap are logical volumes inside it, so one passphrase unlocks everything.

Note: I have updated this doc for UEFI mode. For those with BIOS/MBR systems, you can refer to the previous version, but keep in mind that it might be outdated and no longer accurate.

If you're only interested in installing Linux and not setting up dual boot with Windows, feel free to skip the Windows-related sections.

Prepare the System

Before we dive into the installation process, let's ensure that your system is ready:

  • Data Backup: Make sure you've backed up all your important data. We're about to make significant changes, and it's always wise to have a safety net.
  • UEFI Mode: In your system's BIOS settings, set the boot mode to UEFI.
  • Setup-Mode: If you want to use Secure-Boot, put your firmware into Setup-Mode before installing.
    • Usually you enter Setup-Mode by disabling Secure-Boot and clearing the firmware's key store (the enrolled Platform Key); `sbctl status` in step 21 reports whether Setup-Mode is active.

Prepare the USB Drive

  • Ventoy Installation: Start by installing Ventoy on your USB drive. Ventoy is a versatile tool that allows you to easily create a multi-boot USB drive.
  • Download Arch ISO: Head to Arch Linux's official website and download the Arch ISO image. Copy it to your USB drive.
  • Optional Windows 11: If you plan to set up a dual boot with Windows 11, download the Windows 11 ISO image and also copy it to your USB drive.

Disk Partition Structure

Here is an example of what the final disk partition layout will look like. If you're not installing Windows, simply ignore the Windows partitions (the green parts in the image).

[Image: Disk Partitions]

For better flexibility, I do not reuse the Windows EFI partition for Linux. Instead, I create a distinct EFI partition dedicated solely to Linux, so the disk ends up with two EFI partitions. I also use separate partitions for EFI and Boot. Note what this layout does and does not encrypt: the EFI and Boot partitions sit outside the LUKS container, so GRUB, the kernel, the initramfs and grub.cfg are stored in clear and can be read or replaced by anyone with physical access; only the LVM volumes (root, home, swap) are encrypted. The Secure-Boot signing in step 21 protects the signed GRUB binary against replacement; it does not make these partitions confidential.

In the context of this guide, I've designated the disk device and Linux partitions with names according to the table below. Please be aware that these names should be substituted with the actual device paths relevant to your system configuration:

| Device | In this Doc | Examples |
|---|---|---|
| Disk Device | `/dev/<your-disk>` | `/dev/sda`, `/dev/nvme0n1` |
| EFI Partition | `/dev/<your-disk-efi>` | `/dev/sda5`, `/dev/nvme0n1p5` |
| Boot Partition | `/dev/<your-disk-boot>` | `/dev/sda6`, `/dev/nvme0n1p6` |
| LUKS Partition | `/dev/<your-disk-luks>` | `/dev/sda7`, `/dev/nvme0n1p7` |

Install Windows (Optional)

  1. Boot from the Windows 11 ISO and install Windows. If you want to use BitLocker for disk encryption, ensure that you install the Windows Pro version.
  2. In Windows, open the start menu and search for "BitLocker". Open the BitLocker settings and enable BitLocker for the C drive.
  3. Important: Store the BitLocker recovery key in a safe place. You will need it later.

Install Arch Linux

  1. Connect the USB drive and boot from the Arch Linux ISO.

  2. Make sure the system is booted in UEFI mode. The following command should display the directory contents without error.

    ls /sys/firmware/efi/efivars
    
  3. Connect to the internet. A wired connection is preferred since it's easier to connect. More info

  4. Run fdisk to create Linux partitions.

    fdisk /dev/<your-disk>
    

    If you have installed Windows, you already have a GPT partition table. Otherwise, create an empty GPT partition table using the g command. (WARNING: This will erase the entire disk.)

    # WARNING: This will erase the entire disk.
    
    Command (m for help): g
    Created a new GPT disklabel (GUID: ...).
    

    Create the EFI partition (/dev/<your-disk-efi>):

    Command (m for help): n
    Partition number: <Press Enter>
    First sector: <Press Enter>
    Last sector, +/-sectors or +/-size{K,M,G,T,P}: +100M
    
    Command (m for help): t
    Partition type or alias (type L to list all): uefi
    

    Create the Boot partition (/dev/<your-disk-boot>):

    Command (m for help): n
    Partition number: <Press Enter>
    First sector: <Press Enter>
    Last sector, +/-sectors or +/-size{K,M,G,T,P}: +512M
    
    Command (m for help): t
    Partition type or alias (type L to list all): linux
    

    Create the LUKS partition (/dev/<your-disk-luks>):

    Command (m for help): n
    Partition number: <Press Enter>
    First sector: <Press Enter>
    Last sector, +/-sectors or +/-size{K,M,G,T,P}: <Press Enter>
    
    Command (m for help): t
    Partition type or alias (type L to list all): linux
    

    Print the partition table using the p command and check that everything is OK:

    Command (m for help): p
    

    Write changes to the disk using the w command. (Make sure you know what you're doing before running this command).

    Command (m for help): w
    
  5. Format the EFI and Boot Partitions.

    mkfs.fat -F 32 /dev/<your-disk-efi>
    mkfs.ext4 /dev/<your-disk-boot>
    
  6. Set up the encrypted partition. You can choose any other name instead of cryptlvm. cryptsetup 2.x creates a LUKS2 header with the Argon2id KDF by default; because /boot is a separate unencrypted partition in this layout, GRUB never has to unlock the container itself, so the LUKS2 defaults cause no bootloader compatibility problem. The passphrase you set here unlocks the whole disk at every boot, so choose a strong one.

    cryptsetup --use-random luksFormat /dev/<your-disk-luks>
    cryptsetup luksOpen /dev/<your-disk-luks> cryptlvm
    
  7. Create an LVM volume group. You can choose any other name instead of vg0.

    pvcreate /dev/mapper/cryptlvm
    vgcreate vg0 /dev/mapper/cryptlvm
    
  8. Create LVM partitions (logical volumes).

    (Update: I no longer create a swap volume on disk. Instead, I create a zram device as swap space after finishing the installation. If you do the same, skip the swap logical volume here and the mkswap/swapon/swapoff lines in steps 9, 10 and 23.)

    We create logical volumes for swap, root (/), and home (/home). Leave 256MiB of free space in the volume group, because e2scrub requires the LVM volume group to have at least 256MiB of unallocated space for its snapshot. The lvreduce below is safe only because the home volume is freshly created and not yet formatted; never shrink a volume that already holds a filesystem without shrinking the filesystem first.

    lvcreate --size 8G vg0 --name swap
    lvcreate --size 100G vg0 --name root
    lvcreate -l +100%FREE vg0 --name home
    lvreduce --size -256M vg0/home
    
  9. Format logical volumes.

    mkswap /dev/vg0/swap
    mkfs.ext4 /dev/vg0/root
    mkfs.ext4 /dev/vg0/home
    
  10. Mount new filesystems.

    mount /dev/vg0/root /mnt
    mount --mkdir /dev/<your-disk-efi> /mnt/efi
    mount --mkdir /dev/<your-disk-boot> /mnt/boot
    mount --mkdir /dev/vg0/home /mnt/home
    swapon /dev/vg0/swap
    
  11. Install the base system. We also install some useful packages like git, vim, and sudo.

    pacstrap -K /mnt base linux linux-firmware openssh git vim sudo
    
  12. Generate /etc/fstab. This file can be used to define how disk partitions, various other block devices, or remote filesystems should be mounted into the filesystem.

    genfstab -U /mnt >> /mnt/etc/fstab
    
  13. Enter the new system.

    arch-chroot /mnt /bin/bash
    
  14. Set TimeZone.

    # See available timezones:
    ls /usr/share/zoneinfo/
    
    # Set timezone:
    ln -s /usr/share/zoneinfo/Asia/Tehran /etc/localtime
    
  15. Run hwclock(8) to generate /etc/adjtime.

    hwclock --systohc
    
  16. Set Locale.

    vim /etc/locale.gen
    # ---> Uncomment "en_US.UTF-8 UTF-8"
    locale-gen
    echo LANG=en_US.UTF-8 > /etc/locale.conf
    
  17. Set hostname.

    echo yourhostname > /etc/hostname
    
  18. Create a user.

    useradd -m -G wheel --shell /bin/bash yourusername
    passwd yourusername
    visudo
    # ---> Uncomment "%wheel ALL=(ALL:ALL) ALL" (older releases spell it "%wheel ALL=(ALL) ALL")
    
  19. Configure mkinitcpio with the hooks needed to unlock LUKS and activate LVM from the initramfs.

    pacman -S lvm2
    vim /etc/mkinitcpio.conf
    # ---> Add 'encrypt' and 'lvm2' to HOOKS, in that order, before 'filesystems'.
    # ---> Keep 'keymap' (and 'consolefont') before 'encrypt': the passphrase prompt
    #      only uses the layout from /etc/vconsole.conf if the keymap hook has already run.
    
    # If you need another keyboard layout at the LUKS passphrase prompt:
    vim /etc/vconsole.conf
    # ---> Change KEYMAP=... to the layout you want. Example for German: KEYMAP=de
    

    Recreate the initramfs image:

    mkinitcpio -P
    
  20. Setup GRUB.

    pacman -S grub efibootmgr
    
    # Without Secure-Boot
    grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
    
    # With Secure-Boot
    grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
    

    In /etc/default/grub edit the line GRUB_CMDLINE_LINUX as follows. Don't forget to replace /dev/<your-disk-luks> with the appropriate path. A device path such as /dev/sda7 can change when a disk is added or enumerated in a different order; the encrypt hook also accepts the form cryptdevice=UUID=<luks-uuid>:cryptlvm (UUID from `blkid /dev/<your-disk-luks>`), which does not move.

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/<your-disk-luks>:cryptlvm root=/dev/vg0/root"
    

    If you have installed Windows and want to add Windows to the GRUB menu, edit /etc/grub.d/40_custom:

    #!/bin/sh
    exec tail -n +3 $0
    # This file provides an easy way to add custom menu entries.  Simply type the
    # menu entries you want to add after this comment.  Be careful not to change
    # the 'exec tail' line above.
    if [ "${grub_platform}" == "efi" ]; then
      menuentry "Windows 11" {
        insmod part_gpt
        insmod fat
        insmod search_fs_uuid
        insmod chain
    
        # After --set=root, add the Windows EFI partition's UUID.
        # (can be found with "blkid" command)
        search --fs-uuid --set=root $FS_UUID
        chainloader /EFI/Boot/bootx64.efi
      }
    fi
    

    In the above script, replace $FS_UUID with the UUID of the Windows EFI partition. You can find it with `blkid` or `lsblk -f`; for a FAT filesystem it looks like 8E12-69DD. If /EFI/Boot/bootx64.efi does not exist on that partition, chainload /EFI/Microsoft/Boot/bootmgfw.efi instead.

    Now generate the main GRUB configuration file:

    grub-mkconfig -o /boot/grub/grub.cfg
    
  21. Sign Bootloader and Modules for Secure-Boot (Secure-Boot only)

    pacman -S sbctl
    # Verify Setup-Mode is enabled
    sbctl status
    sbctl create-keys
    # -m also enrolls Microsoft's certificates (needed to keep booting Windows and
    # option ROMs signed with the Microsoft UEFI CA); -f includes the firmware's built-in certificates
    sbctl enroll-keys -m -f
    # -s saves each file in sbctl's database so the pacman hook re-signs it after updates
    sbctl sign -s /efi/EFI/GRUB/grubx64.efi
    sbctl sign -s /boot/vmlinuz-linux
    sbctl sign -s /boot/grub/x86_64-efi/grub.efi
    sbctl sign -s /boot/grub/x86_64-efi/core.efi
    # Verify all four files are signed
    sbctl verify
    
  22. Install networkmanager package and enable NetworkManager service to ensure you have Internet connectivity after rebooting.

    pacman -S networkmanager
    systemctl enable NetworkManager
    
  23. Exit new system and unmount all filesystems.

    exit
    umount -R /mnt
    swapoff -a
    

    Arch is now installed 🎉. Reboot.

    reboot
    
  24. Open BIOS settings and set GRUB as first boot priority. Save and exit BIOS settings. After booting the system, you should see the GRUB menu.

  25. If you have installed Windows, select "Windows 11" in GRUB menu. If you have previously enabled Bitlocker, BitLocker will ask for your recovery key when you try to boot Windows through GRUB for the first time. Enter your BitLocker recovery key.

  26. Reboot again and log in to Arch linux with your username and password.

  27. Check internet connectivity.

    ping google.com
    
  28. If you want to use Gnome desktop, install gnome and gdm packages:

    sudo pacman -S gnome gdm
    

    And enable gdm service:

    sudo systemctl enable gdm
    
  29. Reboot!

Notes

Backup LUKS Header

It is important to back up the LUKS header so that you can still access your data if the header on disk gets damaged (for example by an accidental overwrite of the first megabytes of the partition). Without an intact header the data is unrecoverable even with the correct passphrase.

Create a backup file:

sudo cryptsetup luksHeaderBackup /dev/<your-disk-luks> --header-backup-file luks-header-backup-$(date -I)

Store the backup file in a safe place, such as a USB drive, and treat it like a key: the backup contains the key slots, so anyone holding it together with any passphrase that was valid at backup time can unlock the volume, even if you later change or remove that passphrase on the disk. Redo the backup after every key-slot change. You can check that the file is a valid header with `cryptsetup luksDump luks-header-backup-<date>`. If something bad happens, restore the backup header:

sudo cryptsetup luksHeaderRestore /dev/<your-disk-luks> --header-backup-file /path/to/backup_header_file

Disable Windows Hibernate and Fast Startup

If you want to use the same NTFS drive in both Windows and Linux (for example an NTFS partition on your internal disk or external hard drive), consider disabling "Hibernate" and "Fast Startup" features in Windows.

You can check the current settings on Control Panel > Hardware and Sound > Power Options > System Setting > Choose what the power buttons do. The box Turn on fast startup should either be disabled or missing.

More info

Entering Your Password Only Once

After completing the above steps, you will need to enter two passwords at system startup: one to unlock the LUKS volume and another to log into GNOME.

To enter only one password, you can enable Automatic Login in GNOME Settings under the Users section. Be aware that the LUKS passphrase is then the only secret standing between someone who powers on the machine and your desktop session, so it must be at least as strong as your login password.

With this change, you no longer need to enter a password in GDM, but you will still need to enter the GNOME Keyring password after login. If the keyring password (which defaults to your Linux user password) matches the LUKS passphrase, the keyring can be unlocked automatically: a systemd-based initramfs keeps the passphrase entered at the LUKS prompt available to the booted system, and GNOME can reuse it. The steps below switch to that initramfs:

  1. Switch to systemd-based initramfs.

    Edit /etc/mkinitcpio.conf and replace the busybox hooks with the corresponding systemd hooks (the mkinitcpio page of the Arch wiki has a table mapping one to the other). Make sure the systemd, keyboard, sd-vconsole and sd-encrypt hooks are enabled.

    Example configuration:

    HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)
    

    Recreate the initramfs after editing mkinitcpio.conf:

    mkinitcpio -P
    
  2. Configure the bootloader.

    Edit /etc/default/grub and modify the GRUB_CMDLINE_LINUX line as follows. You can run blkid /dev/<your-disk-luks> to get your LUKS partition UUID.

    GRUB_CMDLINE_LINUX="rd.luks.name=your-luks-partition-uuid=cryptlvm root=/dev/vg0/root"
    

    Now generate the main GRUB configuration file:

    grub-mkconfig -o /boot/grub/grub.cfg
    

For more information, see this Reddit post.
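
Both variants of the boot configuration (the busybox encrypt hook with cryptdevice= in step 20, and the systemd sd-encrypt hook with rd.luks.name= in this note) fail the same way when the HOOKS order or the kernel command line is wrong: the initramfs never unlocks the container and drops to a rescue shell. The following script is an added example, not part of the original guide, that checks both settings before you reboot and can emit a UUID-based GRUB_CMDLINE_LINUX line. The function names are mine; the file locations /etc/mkinitcpio.conf and /etc/default/grub are the Arch defaults, and the hook and mapper names (encrypt, sd-encrypt, lvm2, cryptlvm, vg0) are the ones used in this guide.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check the two settings that
# most often leave a LUKS+LVM install unbootable, the HOOKS order in
# /etc/mkinitcpio.conf and GRUB_CMDLINE_LINUX in /etc/default/grub.
# Handles the busybox initramfs (encrypt hook, cryptdevice=DEV:NAME) and the
# systemd initramfs (sd-encrypt hook, rd.luks.name=UUID=NAME). POSIX sh.

# hook_index "<space-separated hooks>" <name>: 0-based position of <name>, or -1.
hook_index() {
  _i=0
  for _h in $1; do
    [ "$_h" = "$2" ] && { printf '%s\n' "$_i"; return 0; }
    _i=$((_i + 1))
  done
  printf '%s\n' -1
}

# check_hooks "<HOOKS=(...) line>": 0 when the unlock hook, lvm2 and filesystems
# appear in that order. With the busybox hooks, keymap must also precede encrypt,
# otherwise the layout from /etc/vconsole.conf is not active at the LUKS prompt.
check_hooks() {
  hooks=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*HOOKS=(\(.*\))[[:space:]]*$/\1/p')
  [ -n "$hooks" ] || { echo "check_hooks: no HOOKS=(...) line" >&2; return 1; }
  unlock=encrypt
  [ "$(hook_index "$hooks" systemd)" -ge 0 ] && unlock=sd-encrypt
  u=$(hook_index "$hooks" "$unlock")
  l=$(hook_index "$hooks" lvm2)
  f=$(hook_index "$hooks" filesystems)
  for p in "$unlock:$u" "lvm2:$l" "filesystems:$f"; do
    [ "${p#*:}" -ge 0 ] || { echo "check_hooks: missing hook ${p%:*}" >&2; return 1; }
  done
  if [ "$u" -ge "$l" ] || [ "$l" -ge "$f" ]; then
    echo "check_hooks: order must be $unlock, lvm2, filesystems" >&2; return 1
  fi
  if [ "$unlock" = encrypt ]; then
    k=$(hook_index "$hooks" keymap)
    if [ "$k" -ge 0 ] && [ "$k" -gt "$u" ]; then
      echo "check_hooks: keymap must precede encrypt" >&2; return 1
    fi
  fi
  return 0
}

# is_uuid <string>: 0 when <string> has the UUID form that blkid prints for LUKS.
is_uuid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# check_cmdline "<GRUB_CMDLINE_LINUX=...>": 0 when the line names the LUKS device
# (cryptdevice=DEV:NAME or rd.luks.name=UUID=NAME) and a root=/dev/... device.
# Warns when cryptdevice= uses a /dev path, which can be renumbered; a UUID cannot.
check_cmdline() {
  val=$(printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p')
  [ -n "$val" ] || { echo "check_cmdline: no GRUB_CMDLINE_LINUX=\"...\" line" >&2; return 1; }
  have_luks=0; have_root=0
  for arg in $val; do
    case $arg in
      cryptdevice=/dev/*:*)
        echo "check_cmdline: warning: $arg uses a device path; prefer cryptdevice=UUID=<uuid>:<name>" >&2
        have_luks=1 ;;
      cryptdevice=*:*) have_luks=1 ;;
      cryptdevice=*) echo "check_cmdline: cryptdevice needs DEV:NAME, got $arg" >&2; return 1 ;;
      rd.luks.name=*=*)
        id=${arg#rd.luks.name=}; id=${id%%=*}
        is_uuid "$id" || { echo "check_cmdline: rd.luks.name needs a UUID, got $id" >&2; return 1; }
        have_luks=1 ;;
      root=/dev/*) have_root=1 ;;
    esac
  done
  [ "$have_luks" -eq 1 ] || { echo "check_cmdline: no cryptdevice= or rd.luks.name= entry" >&2; return 1; }
  [ "$have_root" -eq 1 ] || { echo "check_cmdline: no root=/dev/... entry" >&2; return 1; }
  return 0
}

# build_cmdline encrypt|sd-encrypt <luks-uuid> [mapper-name] [root-device]:
# prints a GRUB_CMDLINE_LINUX line that identifies the LUKS partition by UUID.
build_cmdline() {
  mode=$1; uuid=$2; name=${3:-cryptlvm}; root=${4:-/dev/vg0/root}
  is_uuid "$uuid" || { echo "build_cmdline: not a UUID: $uuid" >&2; return 1; }
  case $mode in
    encrypt)    printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=%s:%s root=%s"\n' "$uuid" "$name" "$root" ;;
    sd-encrypt) printf 'GRUB_CMDLINE_LINUX="rd.luks.name=%s=%s root=%s"\n' "$uuid" "$name" "$root" ;;
    *) echo "build_cmdline: mode must be encrypt or sd-encrypt" >&2; return 1 ;;
  esac
}

# check_system [mkinitcpio.conf] [default/grub]: run both checks on the installed
# files; meant to be run inside the chroot before the "exit" in step 23.
check_system() {
  mk=${1:-/etc/mkinitcpio.conf}; gr=${2:-/etc/default/grub}
  rc=0
  check_hooks "$(grep -E '^[[:space:]]*HOOKS=' "$mk" 2>/dev/null)" || rc=1
  check_cmdline "$(grep -E '^GRUB_CMDLINE_LINUX=' "$gr" 2>/dev/null)" || rc=1
  return $rc
}
```

Source the file inside the chroot (`. ./check-boot.sh`) and run `check_system` before the exit in step 23; every problem is reported on stderr and the function returns non-zero. `build_cmdline encrypt "$(blkid -s UUID -o value /dev/<your-disk-luks>)"` prints a UUID-based GRUB_CMDLINE_LINUX line for the busybox setup of step 20 (use `sd-encrypt` as the first argument for the systemd variant above); paste it into /etc/default/grub and run grub-mkconfig again.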

Re-enable Secure-Boot and verify

If you want to use Secure-Boot please enable it in the firmware after the installation.

  1. Verify Secure-Boot is enabled

    sudo sbctl status
    


@agustux

agustux commented Jul 9, 2025

Thanks for taking the time to update the last guide. I followed it word for word on the non secure boot route EXCEPT the disk partitioning, because I don't want "/root" and "/home" on separate partitions. To do so, I modified your instructions to exclude the "/home" part thinking that the rest of the install steps would still install on the actual root, "/". After following everything else, I rebooted, took out the live disk, but there isn't even a disk to boot into now. Does anyone think they can help me out? Forgive me as this is going to be my first arch install. Here's the main part of what I changed:

lvcreate --size 4G vg0 --name swap
# wanted both root and home under same volume here:
lvcreate -l +100%FREE vg0 --name root
lvreduce --size -256M vg0/root

mkswap /dev/vg0/swap
mkfs.ext4 /dev/vg0/root

mount /dev/vg0/root /mnt
mount --mkdir /dev/<your-disk-efi> /mnt/efi
mount --mkdir /dev/<your-disk-boot> /mnt/boot
swapon /dev/vg0/swap

@PHPCore1
Author

PHPCore1 commented Jul 10, 2025

> Thanks for taking the time to update the last guide. I followed it word for word on the non secure boot route EXCEPT the disk partitioning, because I don't want "/root" and "/home" on separate partitions. To do so, I modified your instructions to exclude the "/home" part thinking that the rest of the install steps would still install on the actual root, "/". After following everything else, I rebooted, took out the live disk, but there isn't even a disk to boot into now. Does anyone think they can help me out? Forgive me as this is going to be my first arch install. Here's the main part of what I changed:
>
> lvcreate --size 4G vg0 --name swap
> # wanted both root and home under same volume here:
> lvcreate -l +100%FREE vg0 --name root
> lvreduce --size -256M vg0/root
>
> mkswap /dev/vg0/swap
> mkfs.ext4 /dev/vg0/root
>
> mount /dev/vg0/root /mnt
> mount --mkdir /dev/<your-disk-efi> /mnt/efi
> mount --mkdir /dev/<your-disk-boot> /mnt/boot
> swapon /dev/vg0/swap

Hey, you should check your UEFI, and try to set your installation disk as the first device in the Boot-Order. If this doesn't work, make sure you partitioned your disk using GPT, that your EFI Partition is the first one you created and that it has the right partition type (UEFI). Please test all of this without Secure-Boot on, because it may interfere with tracking-down the right error.

@agustux

agustux commented Jul 10, 2025

Thanks for the quick response. I did check and nothing is even listed; the boot order is only "Enter Setup", which is BIOS. Secure boot has been off the whole time. I did partition using GPT and the EFI partition is sda1 out of sda1, sda2 (boot), and sda3 (the one with the encrypted volume). However, I think I may know why, though it may be irrelevant to the disk. They all say that messing up /etc/default/grub can leave your system unbootable, and in the part where you mentioned editing /etc/default/grub, you mentioned the following:

> In /etc/default/grub edit the line GRUB_CMDLINE_LINUX as follows. Don't forget to replace /dev/<your-disk-luks> with the appropriate path.
>
> GRUB_CMDLINE_LINUX="cryptdevice=/dev/<your-disk-luks>:cryptlvm root=/dev/vg0/root"

I was following another guide to install arch encrypted on youtube and both of you matched very well up to that part, where this guy did GRUB_CMDLINE_LINUX="cryptdevice=UUID=/dev/<your-disk-luks-UUID>:crypt<cryptlvm name> cryptlvm=/dev/mapper/cryptlvm. To be fair this was a setup WITHOUT lvm (sorry for the redundancy in naming it cryptlvm, it was for the sake of keeping it consistent with your guide when encrypting at cryptsetup luksOpen /dev/<your-disk-luks> cryptlvm), so maybe I do have to add on the root=/dev/vg0/root part too. Could that be it? I'll be testing both with and without the root=... part there soon

EDIT: for reference here's the link

@agustux

agustux commented Jul 10, 2025

Update: no combination of what I thought of in the above worked. I updated the grub every time with grub-mkconfig -o /boot/grub/grub.cfg. What is interesting though, is that after having followed all the instructions, there is no /boot/efi directory. There's only grub, initramfs-linux-fallback.img, initramfs-linux.img, lost+found, and vmlinuz-linux under /boot. Since this guide has made me change the boot configuration to UEFI mode, it makes sense now that I can't boot it. How should I fix this?
