Encrypted Arch Linux Install Guide

Arch Linux Logo

There are the steps I use to install Arch Linux on my laptop (a Thinkpad T480).

Official installation guide is available here.

This guide is based on this excellent gist by mattiaslundberg.


I use colemak.

loadkeys colemak

We can use `iwctl` to connect to a wifi network.


station wlan0 scan
station wlan0 get-networks
station wlan0 connect [SSID]

Then connect to your network.


cgdisk /dev/nvmeXn1

Create 3 partitions:

  1. 100MB EFI partition. Hex code ef00
  2. 250MB Boot partition. Hex code 8300
  3. 100% size partiton. Hex code 8300

Exit cgdisk. Now we format boot and EFI the partitions.

mkfs.vfat -F32 /dev/nvmeXn1p1
mkfs.ext2 /dev/nvmeXn1p2


cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/nvmeXn1p3
cryptsetup luksOpen /dev/nvmeXn1p3 luks

Now we create the virtual groups for the encrypted partitions. Adjust the swap size to your liking.

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

Finally, we format the encrypted partitions.

mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

Mounting the system

mount /dev/mapper/vg0-root /mnt
mkdir /mnt/boot
mount /dev/nvmeXn1p2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/nvmeXn1p1 /mnt/boot/efi

Installing the system

Now we install the system itself, as well as a few packages that will be useful later on.

pacstrap /mnt linux linux-firmware base grub-efi-x86_64 zsh neovim git efibootmgr lvm2 iwd


genfstab -pU /mnt >> /mnt/etc/fstab

Next, add the following line to /mnt/etc/fstab.

tmpfs   /tmp    tmpfs   defaults,noatime,mode=1777  0   0

You may also want to replace relatime with noatime in all non-boot partitions. This supposedly reduces wear on the SSD.


arch-chroot /mnt /bin/bash

Setup system clock

ln -s /usr/share/zoneinfo/<YOUR REGION HERE> /etc/localtime
hwclock --systohc --utc

Setting up hostname

echo MYHOSTNAME > /etc/hostname

Setting up the locale

Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8. Then run


Now run the following to setup some locale variables.

echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf

If you use colemak, you can set it as default for the console with the following commmand:

echo KEYMAP="colemak" >> /etc/vconsole.conf

Setting up the root password and adding your user

Setup the root password.


Add a new user.

useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME

Setup mkinitcpio

We now edit mkinitcpio.conf to make sure the system will recognize the encrypted partitions on boot.

vim /etc/mkinitcpio.conf

Add ext4 and i915 to MODULES.

Also add encrypt and lvm2 to HOOKS before filesystems.

Finally, generate the initrd image.

mkinitcpio -p linux

Setup grub


Next, we edit the grub file to make sure we boot from the encrypted partition. In /etc/default/grub, edit the line GRUB_CMDLINE_LINUX to


then run

grub-mkconfig -o /boot/grub/grub.cfg


Exit chroot.


Unmount all partitions

umount -R /mnt

Reboot into the new system.