Arch Linux install guide
Guide to installing Arch Linux with full disk encryption for UEFI systems
2026-02-01 UTC
Introduction#
The goal of this guide is to set up a minimal installation of Arch Linux with full disk encryption on a UEFI system. This guide is meant to be read alongside the Arch wiki. It does not cover implementing Secure Boot.
- I’ll skip the Arch ISO installation media preparation.
- I won’t prepare the system for secure boot because the procedure of custom key enrollment in the` BIOS
- I’ll use a wired connection, so no wireless configuration steps will be shown. If you want to connect to wifi, you can either use
iwctl(CLI) or install and launchimpala(TUI).
Preliminary steps#
Check that we are in UEFI mode#
If this command prints 64 or 32 then you are in UEFI
```
cat /sys/firmware/efi/fw_platform_size
```
Update the system clock#
```
# Check if ntp is active and if the time is right
timedatectl
# In case it's not active you can do
timedatectl set-ntp true
```
Partition the disk#
Throughout this guide nvme0n1 will be used as the target install drive.
The drive will be separated into two partitions:
| Number | Type | Size |
|---|---|---|
| 1 | EFI | 512 Mb |
| 2 | Linux Filesystem | All of the remaining space |
The following steps will completely wipe your nvme0n1 drive.
- Run gdisk
```
gdisk /dev/nvme0n1
```
- Press x to enter expert mode. Then press z to zap our drive. Then hit y when prompted about wiping out GPT and blanking out MBR.
- Run gdisk
```
gdisk /dev/nvme0n1
```
- Delete any existing partitions. Repeat until none are left.
```
Command (m for help): d
```
- Create a boot partition
```
Command (m for help): n
Partition number (1-128, default 1):
First sector (...):
Last sector (...): +512M
Hex code or GUID (...): ef00
```
- Create a root partition
```
Command (m for help): n
Partition number (2-128, default 2):
First sector (...):
Last sector (...):
Hex code or GUID (...): 8300
```
- Write the changes
```
Command (m for help): w
Do you want to proceed? (Y/N): y
```
- Verify partitioning
```
lsblk
```
It should look something like this
```
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
nvme0n1     259:0    0 465,8G  0 disk
├─nvme0n1p1 259:1    0   512M  0 part
└─nvme0n1p2 259:2    0 465,3G  0 part
```
nvme0n1 is the main disk
nvme0n1p1 is the boot partition
nvme0n1p2 is the root partition
Encrypt root partition#
- Encrypt your root partition
Make sure to enter a secure passphrase and to write it down
```
cryptsetup luksFormat /dev/nvme0n1p2
Are you sure (Type `yes` in capital letters): YES
```
- Open the encrypted partition
```
cryptsetup open /dev/nvme0n1p2 root
```
Create filesystems#
- Create the boot file system
```
mkfs.fat -F32 /dev/nvme0n1p1
```
- Create the root file system
```
mkfs.ext4 /dev/mapper/root
```
Mount file systems#
- Mount the root file system
```
mount /dev/mapper/root /mnt
```
- Mount the boot file system
```
mount -m /dev/nvme0n1p1 /mnt/boot -o dmask=0077,fmask=0077
```
- Verify mounting
```
lsblk
```
It should look something like this
```
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 465,8G  0 disk
├─nvme0n1p1 259:1    0   512M  0 part  /mnt/boot
└─nvme0n1p2 259:2    0 465,3G  0 part
  └─root    254:0    0 465,2G  0 crypt /mnt
```
Install essentials#
Install the base system, kernel, init system and other essential packages.
```
pacstrap /mnt base base-devel linux linux-firmware efibootmgr doas neovim
```
Install AMD or Intel microcode, depending on your system’s CPU
Microcode#
AMD CPU
```
pacstrap /mnt amd-ucode
```
Intel CPU
```
pacstrap /mnt intel-ucode
```
Generate file system table#
```
genfstab -U /mnt >> /mnt/etc/fstab
```
Now edit /mnt/etc/fstab and change fmask=0022,dmask=0022 to fmask=0077,dmask=0077.
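The fstab edit above can be scripted and checked, so files on the unencrypted /boot partition stay accessible to root only. This is an added example, not part of the original guide; the function names and the sample fstab are constructed for illustration.

```shell
# Added example, not from the guide. Function names are hypothetical.
# Usage on the install target:
#   harden_vfat_masks /mnt/etc/fstab && vfat_masks_ok /mnt/etc/fstab

harden_vfat_masks() {   # set fmask/dmask to 0077 on vfat lines only
    # Address matches non-comment lines whose third field is vfat.
    sed -E -i.bak '/^[^#[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+vfat[[:space:]]/{
        s/fmask=[0-7]+/fmask=0077/
        s/dmask=[0-7]+/dmask=0077/
    }' "$1"
}

vfat_masks_ok() {       # 0 only if every vfat entry carries both masks at 0077
    awk '$1 !~ /^#/ && $3 == "vfat" {
             n++
             if ($4 !~ /(^|,)fmask=0077(,|$)/ || $4 !~ /(^|,)dmask=0077(,|$)/) bad++
         }
         END { exit (n == 0 || bad > 0) }' "$1"
}

make_sample_fstab() {   # constructed sample in the shape genfstab -U produces
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# /dev/mapper/root
UUID=0a1b2c3d-1111-2222-3333-444455556666 / ext4 rw,relatime 0 1
# /dev/nvme0n1p1
UUID=ABCD-1234 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample: fails the check, is rewritten, then passes.
demo=$(make_sample_fstab)
vfat_masks_ok "$demo" || echo "before: /boot masks are not 0077"
harden_vfat_masks "$demo"
vfat_masks_ok "$demo" && echo "after: /boot masks are 0077"
rm -f "$demo" "$demo.bak"
```

The sed call keeps the previous file as fstab.bak, and an entry with no fmask/dmask options at all is reported by the check rather than silently passed.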
Switch to new Installation#
```
arch-chroot /mnt
```
Network stack#
```
pacman -S networkmanager iwd
systemctl enable NetworkManager
```
```
[device]
wifi.backend=iwd
```
Localization#
Set the locale#
Feel free to change en_US.UTF-8 to your preferred locale such as en_GB.UTF-8.
- Uncomment en_US.UTF-8
```
#en_US.UTF-8 UTF-8
en_US.UTF-8 UTF-8
```
- Generate locales
```
echo 'LANG=en_US.UTF-8' > /etc/locale.conf
locale-gen
```
Set the timezone#
```
# Example
ln -sf /usr/share/zoneinfo/Asia/Dubai /etc/localtime
# General form: substitute your own region and city
ln -sf /usr/share/zoneinfo/YourRegion/YourCity /etc/localtime
```
Set hardware clock from system clock#
```
hwclock --systohc
```
Hostname#
Set your preferred hostname. I will be using MYHOSTNAME throughout this guide.
```
echo 'MYHOSTNAME' > /etc/hostname
```
```
# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1 localhost
::1 localhost
127.0.1.1 MYHOSTNAME.localdomain MYHOSTNAME
```
Initramfs#
In the HOOKS array, add encrypt between block and filesystems
```
HOOKS=(... block encrypt filesystems ...)
```
Generate initramfs images
```
mkinitcpio -P
```
Add a user#
- Set the root password.
```
passwd
```
- Create a user and set their password.
```
useradd -m MYUSERNAME
passwd MYUSERNAME
```
Configure doas#
- Create the config file and set the appropriate permissions
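```
touch /etc/doas.conf
chown -c root:root /etc/doas.conf
chmod -c 0400 /etc/doas.conf
```
- Add the following
```
permit MYUSERNAME as root
permit nopass MYUSERNAME as root cmd pacman
```
The first rule lets MYUSERNAME run commands as root after entering their password; the second lets them run pacman as root without a password, which is effectively passwordless root for that account because pacman can install arbitrary packages.
Boot loader#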
Use EFISTUB if you don't need to boot into multiple OSes, as it will boot you directly into Arch (very fast); use systemd-boot if you need to boot into multiple OSes.
Get the UUID of your root partition
```
blkid -s UUID -o value /dev/nvme0n1p2
```
Replace xxxx with the UUID that you just obtained.
Replace amd-ucode.img with intel-ucode.img if you have an Intel CPU.
EFISTUB#
```
efibootmgr -c -d /dev/nvme0n1 -p 1 -l /vmlinuz-linux -L "Arch Linux" -u "cryptdevice=UUID=xxxx:root root=/dev/mapper/root rw initrd=\amd-ucode.img initrd=\initramfs-linux.img loglevel=3 quiet"
```
Systemd-boot#
Initramfs#
Replace the HOOKS array with the following one
```
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
```
Regenerate initramfs images
```
mkinitcpio -P
```
Installation#
```
bootctl install
```
```
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=xxxx=root root=/dev/mapper/root rw loglevel=3 quiet
```
```
#timeout 3
timeout 3
#console-mode keep
```
Reboot#
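Before rebooting, it helps to confirm that the LUKS kernel parameter matches the initramfs hook, since the two boot paths above use different syntax: the encrypt hook reads cryptdevice=, while sd-encrypt reads rd.luks.name=. The following is an added example, not part of the original guide; check_luks_params is a hypothetical helper and the UUID and HOOKS lines are constructed sample values.

```shell
# Added example, not from the guide.
#   encrypt    hook -> cryptdevice=UUID=<uuid>:root
#   sd-encrypt hook -> rd.luks.name=<uuid>=root
# Usage: check_luks_params HOOKS_LINE KERNEL_CMDLINE LUKS_UUID
#   HOOKS_LINE: the HOOKS=(...) line from /etc/mkinitcpio.conf
#   LUKS_UUID:  output of blkid -s UUID -o value /dev/nvme0n1p2
check_luks_params() {
    hooks=$1; cmdline=$2; uuid=$3
    # blkid prints the LUKS UUID as 8-4-4-4-12 hex digits; this also
    # rejects a placeholder such as xxxx that was never replaced.
    if ! printf '%s\n' "$uuid" |
         grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'; then
        echo "UUID '$uuid' is not a partition UUID"; return 1
    fi
    case " $(printf '%s' "$hooks" | tr '()=' '   ') " in
        *" sd-encrypt "*) want="rd.luks.name=${uuid}=root" ;;
        *" encrypt "*)    want="cryptdevice=UUID=${uuid}:root" ;;
        *) echo "HOOKS has neither encrypt nor sd-encrypt"; return 1 ;;
    esac
    case " $cmdline " in
        *" $want "*) ;;
        *) echo "missing '$want' for this hook"; return 1 ;;
    esac
    case " $cmdline " in
        *" root=/dev/mapper/root "*) echo "ok: $want"; return 0 ;;
        *) echo "root= does not point at /dev/mapper/root"; return 1 ;;
    esac
}

# Constructed sample values (the UUID is made up).
SAMPLE_UUID=2f6c1d3e-9a41-4c7b-8e55-0d1b7a9c4f10
HOOKS_ENCRYPT='HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)'
HOOKS_SYSTEMD='HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)'
CMD_ENCRYPT="cryptdevice=UUID=${SAMPLE_UUID}:root root=/dev/mapper/root rw loglevel=3 quiet"
CMD_SYSTEMD="rd.luks.name=${SAMPLE_UUID}=root root=/dev/mapper/root rw loglevel=3 quiet"

check_luks_params "$HOOKS_ENCRYPT" "$CMD_ENCRYPT" "$SAMPLE_UUID"
# Mismatch: sd-encrypt does not read cryptdevice=, so root would not unlock.
check_luks_params "$HOOKS_SYSTEMD" "$CMD_ENCRYPT" "$SAMPLE_UUID" || true
```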
- You can now reboot and enter into your new installation
Unplug your flash drive after the screen turns black
```
exit
umount -R /mnt
reboot now
```
Post install#
You will now be greeted with a similar screen as when you first booted from the flash drive.
Log in using the credentials that you set. If you followed the example, your username would be MYUSERNAME.
Swap#
```
doas fallocate -l 4G /swapfile
doas chmod 600 /swapfile
doas mkswap /swapfile
doas swapon /swapfile
doas cp /etc/fstab /etc/fstab.bak
echo '/swapfile none swap sw 0 0' | doas tee -a /etc/fstab
```
Video drivers#
AMD#
```
doas pacman -S mesa linux-firmware-amdgpu vulkan-radeon
```
Intel#
```
doas pacman -S mesa linux-firmware-intel vulkan-intel
```
Nvidia#
https://wiki.archlinux.org/title/NVIDIA
Sort for fastest mirrors#
```
doas pacman -Syu reflector
doas reflector --verbose -p https -l 30 -f 5 --sort rate --save /etc/pacman.d/mirrorlist
```
AUR#
Add Chaotic-AUR#
```
doas pacman-key --recv-key 3056513887B78AEB --keyserver keyserver.ubuntu.com
doas pacman-key --lsign-key 3056513887B78AEB
doas pacman -U 'https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-keyring.pkg.tar.zst'
doas pacman -U 'https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-mirrorlist.pkg.tar.zst'
```
```
[chaotic-aur]
Include = /etc/pacman.d/chaotic-mirrorlist
```
Install paru#
```
doas pacman -Syu
doas pacman -S paru
```
Replace sudo with doas#
```
doas pacman -Rdd sudo
doas ln -s /usr/bin/doas /usr/bin/sudo
```
Laptop power profiles#
Install and enable the power-profiles daemon
```
doas pacman -S power-profiles-daemon
doas systemctl enable power-profiles-daemon
doas systemctl start power-profiles-daemon
```
MAC randomization#
MAC randomization can be used for increased privacy by not disclosing your real MAC address to the WiFi network.
```
[device-mac-randomization]
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
```