How to Install Arch Linux with Full Disk Encryption using LUKS

This guide walks you through the process of installing Arch Linux with full disk encryption using LUKS, from booting into the ISO to the final reboot into your new system.

Arch Linux is a lightweight and flexible Linux distribution that follows a rolling release model. It’s known for its simplicity, minimalism, and DIY philosophy—making it a favorite for power users who want complete control over their system. When combined with full disk encryption using LUKS (Linux Unified Key Setup), Arch Linux becomes not only powerful and customizable but also highly secure.

This guide will walk you through installing Arch Linux with full disk encryption using LUKS, setting up a Logical Volume Manager (LVM) on top of LUKS, and installing a bootloader to complete the process.


Prerequisites

Before you begin, make sure you have:

  • A backup of any data on the disk you plan to use.
  • A live Arch Linux USB or CD/DVD (you can create one using the ISO from archlinux.org).
  • An internet connection.
  • UEFI or BIOS mode correctly configured in your firmware (we’ll use UEFI in this guide).

Step 1: Boot from the Arch Linux Installation Medium

  1. Plug in your live Arch Linux USB.
  2. Boot into it via your system’s boot menu.
  3. Choose the option to boot Arch Linux.

After booting, you’ll be dropped into a root shell.


Step 2: Verify Internet Connection

ping archlinux.org

If this works, you’re connected. If not, set up Wi-Fi using:

iwctl

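Inside iwctl (replace device with your wireless device name, shown by device list, and your-ssid with your network name):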

station device scan
station device get-networks
station device connect your-ssid

Then exit:

exit

Step 3: Update the System Clock

timedatectl set-ntp true

Check the time sync status:

timedatectl status

Step 4: Disk Partitioning

This guide uses /dev/sda. On an NVMe disk the device is /dev/nvme0n1 and its partitions are named /dev/nvme0n1p1, /dev/nvme0n1p2, and so on. Adjust commands accordingly.

Using cfdisk (fdisk or parted also work)

cfdisk /dev/sda

Partition Layout (UEFI example)

  1. EFI System Partition (ESP): 512MB (Type: EFI System)
  2. Linux LUKS container: The rest of the disk (Type: Linux filesystem)

Example:

  • /dev/sda1 → EFI
  • /dev/sda2 → LUKS

Write and quit.


Step 5: Encrypt the Partition with LUKS

Now encrypt the second partition:

cryptsetup luksFormat /dev/sda2

Confirm by typing YES in capitals, then enter a passphrase.

Open the encrypted container:

cryptsetup open /dev/sda2 cryptroot

Step 6: Set Up LVM on LUKS

Create a physical volume:

pvcreate /dev/mapper/cryptroot

Create a volume group:

vgcreate vg0 /dev/mapper/cryptroot

Create logical volumes:

lvcreate -L 16G vg0 -n swap
lvcreate -L 30G vg0 -n root
lvcreate -l 100%FREE vg0 -n home

Adjust sizes based on your preference.


Step 7: Create Filesystems

mkfs.fat -F32 /dev/sda1             # EFI
mkfs.ext4 /dev/vg0/root             # Root
mkfs.ext4 /dev/vg0/home             # Home
mkswap /dev/vg0/swap                # Swap

Step 8: Mount Partitions

mount /dev/vg0/root /mnt
mkdir /mnt/home
mount /dev/vg0/home /mnt/home

mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

swapon /dev/vg0/swap

Step 9: Install Base System

pacstrap /mnt base linux linux-firmware lvm2

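Optionally add the extra tools below. Note that grub and efibootmgr are required for Step 15, vim is used in Step 12, and networkmanager in Step 16: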

pacstrap /mnt vim networkmanager grub efibootmgr dosfstools

Step 10: Generate fstab

genfstab -U /mnt >> /mnt/etc/fstab

Check the contents:

cat /mnt/etc/fstab

Step 11: Chroot into the System

arch-chroot /mnt

Step 12: Set Timezone and Locale

ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
hwclock --systohc

Edit locale:

vim /etc/locale.gen

Uncomment your locale, e.g., en_US.UTF-8 UTF-8, then:

locale-gen

Create locale config:

echo "LANG=en_US.UTF-8" > /etc/locale.conf

Set hostname:

echo "arch-machine" > /etc/hostname

Step 13: Configure mkinitcpio for LUKS

Edit /etc/mkinitcpio.conf:

Find the HOOKS= line and change it to:

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)

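These are the systemd-based hooks. For a busybox-based initramfs, use udev instead of systemd, keymap and consolefont instead of sd-vconsole, and encrypt instead of sd-encrypt. Either way, lvm2 must come after the encryption hook, because the volume group only becomes visible once the LUKS container is unlocked.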

Then rebuild initramfs:

mkinitcpio -P

Step 14: Set Root Password

passwd

Step 15: Install GRUB and Configure It for LUKS

Install GRUB:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

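Edit /etc/default/grub and add or modify this line. With the sd-encrypt hook from Step 13, the container is named with rd.luks.name=:

GRUB_CMDLINE_LINUX="rd.luks.name=<UUID-of-/dev/sda2>=cryptroot root=/dev/vg0/root"

If you chose the encrypt hook instead, use cryptdevice=UUID=<UUID-of-/dev/sda2>:cryptroot in place of the rd.luks.name= parameter. Each hook reads only its own parameter, so a mismatch leaves the container locked at boot.

Get the UUID of the LUKS partition itself (not of a volume inside it):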

blkid /dev/sda2

Then generate GRUB config:

grub-mkconfig -o /boot/grub/grub.cfg
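
A pre-reboot check for Steps 13 and 15, added here as an example and not part of the original guide: sd-encrypt reads rd.luks.name= while encrypt reads cryptdevice=, and lvm2 has to follow whichever hook is used. The function name check_boot_config, the sample files and the UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: cross-check the initramfs hooks
# against the kernel command line before rebooting.
# Usage: check_boot_config MKINITCPIO_CONF GRUB_DEFAULT LUKS_UUID
# Assumes the mapper name "cryptroot" used throughout this guide.
check_boot_config() {
    conf=$1; grub=$2; uuid=$3
    # The last HOOKS= assignment wins because mkinitcpio sources the file.
    hooks=$(grep -E '^HOOKS=' "$conf" | tail -n 1 | tr -d '()"' | sed 's/^HOOKS=//')
    cmdline=$(grep -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$grub" || true)
    pos=0; enc=0; lvm=0; hook=
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt|sd-encrypt) hook=$h; enc=$pos ;;
            lvm2) lvm=$pos ;;
        esac
    done
    [ -n "$hook" ] || { echo "FAIL: no encrypt or sd-encrypt hook in $conf"; return 1; }
    # LVM lives inside the LUKS container, so lvm2 can only run after the unlock.
    [ "$lvm" -gt "$enc" ] || { echo "FAIL: lvm2 missing or placed before $hook"; return 1; }
    case $hook in
        sd-encrypt) want="rd.luks.name=${uuid}=cryptroot" ;;
        encrypt)    want="cryptdevice=UUID=${uuid}:cryptroot" ;;
    esac
    case $cmdline in
        *"$want"*) echo "OK: $hook hook matches $want"; return 0 ;;
        *) echo "FAIL: $hook hook needs $want on the kernel command line"; return 1 ;;
    esac
}

# Demo on constructed sample files; the UUID is a made-up placeholder.
demo=$(mktemp -d)
sample_uuid=11111111-2222-3333-4444-555555555555
echo 'HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)' > "$demo/mkinitcpio.conf"
echo "GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=${sample_uuid}:cryptroot root=/dev/vg0/root\"" > "$demo/grub.mismatch"
echo "GRUB_CMDLINE_LINUX=\"rd.luks.name=${sample_uuid}=cryptroot root=/dev/vg0/root\"" > "$demo/grub.match"
# sd-encrypt paired with cryptdevice= is rejected; paired with rd.luks.name= it passes.
check_boot_config "$demo/mkinitcpio.conf" "$demo/grub.mismatch" "$sample_uuid" || true
check_boot_config "$demo/mkinitcpio.conf" "$demo/grub.match" "$sample_uuid"
rm -rf "$demo"
```

Inside the chroot, call it as check_boot_config /etc/mkinitcpio.conf /etc/default/grub "$(blkid -s UUID -o value /dev/sda2)" before exiting in Step 17.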

Step 16: Enable NetworkManager (Optional)

systemctl enable NetworkManager

Step 17: Exit and Reboot

Exit chroot:

exit

Unmount the filesystems and turn off swap:

umount -R /mnt
swapoff -a

Reboot:

reboot

Step 18: First Boot

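Upon reboot, you will be prompted for your LUKS passphrase once GRUB has loaded the kernel and initramfs. After unlocking, the system will boot into your new Arch Linux installation. In this layout the EFI partition mounted at /boot, which holds the kernel and initramfs, is not encrypted; everything inside the LUKS container (root, home and swap) is.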


Optional: Create a User and Enable Sudo

After logging in:

useradd -m -G wheel yourusername
passwd yourusername

Install sudo:

pacman -S sudo

Uncomment the %wheel ALL=(ALL:ALL) ALL line in /etc/sudoers using visudo.


Conclusion

Installing Arch Linux with full disk encryption using LUKS is a great way to combine control, performance, and security. While it involves more steps than traditional installers, the process provides deep insights into how your system works—from bootloaders to LVM to encrypted containers.

Once installed, you’ll have a highly secure system that protects your data in case of loss or theft, without sacrificing flexibility or performance. Arch’s rolling release model ensures you always have the latest software, and its wiki is one of the best documentation resources in the Linux world.