Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Minimal instructions for installing arch linux on an UEFI system with full system encryption using dm-crypt and luks

Install ARCH Linux with encrypted file-system and UEFI

This guide was originally taken from: and updated to markdown as well as adding desktop and wireless setup

Download the archiso image from Use etcher to create USB drive:

Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

# If wifi only system

Create partitions

cfdisk /dev/sdX
  1. 100MB EFI partition (type: EFI)
  2. 250MB Boot partition (type: Linux Filesystem)
  3. 100% size partiton (type: Linux Filesystem)
mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2

Setup the encryption of the system

cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 luks

# Create encrypted partitions
# This creates one partions for root, modify if /home or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi

Boostrap Arch Linux

# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
# Unless vim and zsh are desired these can be removed from the command
pacstrap /mnt base base-devel grub-efi-x86_64 zsh vim git efibootmgr dialog net-tools sudo wpa_supplicant

# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

# Enter the new system
arch-chroot /mnt /bin/bash

# Setup system clock
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc

# Set the hostname
echo MYHOSTNAME > /etc/hostname

# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf

# Set password for root

# Add real user remove -s flag if you don't whish to use zsh
useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME

# Make sudo user
# Find section about %wheel and uncomment and save

# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems

# Regenerate initrd image
mkinitcpio -p linux

# Setup grub
In /etc/default/grub edit the line 
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards" then run:

grub-mkconfig -o /boot/grub/grub.cfg

# Exit new system and go into the cd shell

# Unmount all partitions
umount -R /mnt
swapoff -a

# Reboot into the new system, don't forget to remove the cd/usb

Install Desktop Environment (GNOME)

Install xorg & GNOME

sudo pacman -S xorg xorg-server gnome

Enable GNOME

sudo systemctl enable gdm.service
sudo reboot

Install Wireless Tools (Desktop)

sudo pacman -S wireless_tools networkmanager network-manager-applet gnome-keyring

Make networkmanager start on boot

sudo systemctl enable NetworkManager.service

Disable old services

sudo systemctl disable dhcpcd.service
sudo systemctl disable dhcpcd@.service
sudo systemctl stop dhcpcd.service
sudo systemctl stop dhcpcd@.service

Enable wireless

sudo systemctl enable wpa_supplicant.service

Add user to network group

sudo gpasswd -a USERNAME network


sudo reboot

Install Random Stuff

Install YAY (Sucessor to Yaourt)

# Install YAY
git clone
cd yay
makepkg -si

Now install all the random packages

sudo yay -S --noconfirm powerline-vim powerline-fonts powerline-common awesome-terminal-fonts \
    fish virtualbox docker byobu ttf-google-fonts-git chromium ranger go fasd
curl -L | fish
omf install bobthefish
omf install fasd

Enable Services

sudo systemctl start arpwatch.service
sudo systemctl start arpwatch@.service
sudo systemctl enable arpwatch@.service
sudo systemctl enable arpwatch.service
sudo systemctl start arpwatch.service
sudo systemctl start arpwatch@.service
sudo systemctl enable clamav-daemon.service
sudo systemctl start clamav-daemon.service
sudo systemctl enable ufw.service
sudo systemctl enable logrotate.service
sudo systemctl start logrotate.service
sudo systemctl enable ip6tables.service
sudo systemctl enable docker.service
sudo systemctl enable iptables6.service
sudo systemctl start iptables.service
sudo systemctl enable iptables.service
sudo systemctl start clamav-freshclam.service
sudo systemctl enable clamav-freshclam.service
sudo systemctl enable clamav-freshclam.sevice
sudo systemctl start clamav-freshclam.sevice
sudo systemctl start clamav-flashclam.sevice
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.