Arch Linux ciphered install

In my opinion, Arch Linux is the greatest rolling-release distribution. What pushes me to say this is that if you want to build a totally custom distribution, it’s possible (and it’s made for that). Let’s dive right in.

Information and requirements

These elements are to be taken into consideration to follow this article:

Prepare the USB key

Download the image

Download the latest image here.

Check the file integrity

At the moment of writing this article, it is the August release (2022.08.05). The SHA-256 digest is 187cf50f8f0619426e98835fdeaa4f3b3dd6a3471b2efc496f50d25ffe0e19db.

[adrien@laptop ~]$ curl -LOsSf https://mirror.archlinux.ikoula.com/iso/2022.08.05/archlinux-2022.08.05-x86_64.iso
[adrien@laptop ~]$ sha256sum archlinux-2022.08.05-x86_64.iso
187cf50f8f0619426e98835fdeaa4f3b3dd6a3471b2efc496f50d25ffe0e19db  archlinux-2022.08.05-x86_64.iso

The file is good. Let’s continue.

Write the image

Plug in your USB key and locate it (use sudo fdisk -l). Mine is /dev/sda.

[adrien@laptop ~]$ sudo dd if=archlinux-2022.08.05-x86_64.iso of=/dev/sda status=progress

Wait until the end. When it’s done, plug the USB key into the computer or laptop you want to install on and boot from it.

Installation

Once the boot process is done, you are directly connected as root. The installation can begin.

Keyboard mapping

I have a French keyboard, so let’s change the layout.

root@archiso ~ # loadkeys fr

Synchronize packages

root@archiso ~ # pacman -Syyy

Rank mirrors for download speed

Mirrors are the servers from which you download packages. If you rank them by the country where you are, you’ll download packages faster.

root@archiso ~ # reflector -c France -a 6 -p https --sort rate --save /etc/pacman.d/mirrorlist

Change the country to match your location.

Synchronize packages again.

root@archiso ~ # pacman -Syyy

Disk modification

List the disks’ details.

root@archiso ~ # fdisk -l

My disk is located at /dev/nvme0n1; yours may be at /dev/sda if you have an SSD. Once you’ve executed the first statement, fdisk acts like a prompt: send it the commands below (except the ones surrounded with <>, where you have to press the specified key). Do not type the text in parentheses, it’s just a brief explanation for you.

root@archiso ~ # fdisk /dev/nvme0n1
p (show partitions)
g (use GPT partitioning style)
n (create the EFI partition)
<ENTER>
<ENTER>
+512M
t
1 (set partition type to EFI System)
n (create the boot partition)
<ENTER>
<ENTER>
+512M
n (create the LVM partition)
<ENTER>
<ENTER>
<ENTER> (it takes the space available)
t
<ENTER>
30 (set partition type to Linux LVM)
w (write changes)

Format the new partitions

The partition /dev/nvme0n1p1 is the EFI partition, format it in FAT32.

root@archiso ~ # mkfs.fat -F32 /dev/nvme0n1p1

The partition /dev/nvme0n1p2 is the Linux filesystem partition that will be mounted on /boot, format it in ext4.

root@archiso ~ # mkfs.ext4 /dev/nvme0n1p2

Setup the disk encryption

We are going to use LUKS (Linux Unified Key Setup) because it’s a great disk encryption specification.

root@archiso ~ # cryptsetup luksFormat --use-random /dev/nvme0n1p3
YES
<passphrase>
<confirm>
root@archiso ~ # cryptsetup open --type=luks /dev/nvme0n1p3 lvm
<passphrase>

Initialize physical volumes and volume group

Because we use LVM (Logical Volume Manager), we have to set up a physical volume.

root@archiso ~ # pvcreate --dataalignment 1m /dev/mapper/lvm
root@archiso ~ # vgcreate volgroup /dev/mapper/lvm
root@archiso ~ # lvcreate -L 100GB volgroup -n lv_root
root@archiso ~ # lvcreate -l 100%FREE volgroup -n lv_home

Our volume group (to manipulate our logical volumes) is called volgroup (but you can call it whatever you want). We have two logical volumes, lv_root for the root filesystem and lv_home for the home filesystem. Obviously, you can give the names you want.

Format the new logical volumes

root@archiso ~ # mkfs.ext4 /dev/volgroup/lv_root
root@archiso ~ # mkfs.ext4 /dev/volgroup/lv_home

Mount the devices

root@archiso ~ # mount /dev/volgroup/lv_root /mnt
root@archiso ~ # mkdir /mnt/home
root@archiso ~ # mount /dev/volgroup/lv_home /mnt/home
root@archiso ~ # mkdir /mnt/boot
root@archiso ~ # mount /dev/nvme0n1p2 /mnt/boot
root@archiso ~ # mkdir /mnt/etc

Generate the filesystem hierarchy

root@archiso ~ # genfstab -U -p /mnt >> /mnt/etc/fstab

Install essential packages

Use the pacstrap script to install the base and base-devel packages. The Linux kernel and the firmware for common hardware are installed in a later step, inside the chroot.

root@archiso ~ # pacstrap -i /mnt base base-devel

Chroot

Change root into the new filesystem.

root@archiso ~ # arch-chroot /mnt/

Install the kernel

root@archiso ~ # pacman -S linux linux-headers linux-firmware

Install useful packages

root@archiso ~ # pacman -S wpa_supplicant wireless_tools netctl dialog lvm2 dhcpcd git vim

Modify the initramfs configuration

Because our filesystem is encrypted, we have to modify the hooks. Add encrypt and lvm2 to the HOOKS array of the /etc/mkinitcpio.conf file, between block and filesystems. The resulting line should look like the following statement.

root@archiso ~ # grep HOOKS /etc/mkinitcpio.conf | tail -1
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)

Create the initramfs

Initramfs is a scheme for loading a temporary root filesystem into memory, which may be used as part of the Linux startup process.

root@archiso ~ # mkinitcpio -p linux

Modify and generate the locale

I want to set my locale to en_US.UTF-8. If you don’t know which locale to use, I advise you to open the file and find the one that fits you. (Don’t use sed if you don’t know what you are doing, to avoid breaking the file.)

root@archiso ~ # sed -i "s/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/" /etc/locale.gen
root@archiso ~ # locale-gen

Modify the root password

root@archiso ~ # passwd

Add your user

Choose your own username at the end of the following statement.

root@archiso ~ # useradd -m -g users -G wheel <username>

Then, define your password.

root@archiso ~ # passwd <username>

Give yourself sudo access

If you want to be able to install packages, connect to a Wi-Fi network and much more, I advise you to uncomment the line starting with %wheel. By doing this, you allow users in the wheel group (we did this earlier with -G wheel) to execute the sudo command.

root@archiso ~ # visudo
%wheel ALL=(ALL) ALL

The visudo command locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

GRUB is going to be our bootloader.

root@archiso ~ # pacman -S grub efibootmgr dosfstools os-prober mtools

Edit the GRUB configuration

In the same way that we edited the hooks for the initramfs, we have to edit the bootloader configuration to tell GRUB that we have an encrypted filesystem. Add cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards to the GRUB_CMDLINE_LINUX_DEFAULT value. Make sure that you write the exact string, otherwise your system won’t boot.

root@archiso ~ # grep "GRUB_CMDLINE_LINUX_DEFAULT" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards quiet"

Uncomment GRUB_ENABLE_CRYPTODISK=y in the /etc/default/grub file. The resulting line should look like the following statement.

root@archiso ~ # grep "GRUB_ENABLE_CRYPTODISK" /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y

If set to y, grub-mkconfig and grub-install will check for encrypted disks and generate additional commands needed to access them during boot. Note that in this case unattended boot is not possible because GRUB will wait for passphrase to unlock encrypted container.
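
One way to check both edits before rebooting (the HOOKS line in /etc/mkinitcpio.conf and the cryptdevice parameter in /etc/default/grub), as an added example that is not part of the original article. The function names hooks_ok and cryptdevice_ok are hypothetical, and the sample files are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the two edits that decide whether
# the encrypted root can be unlocked. File paths are arguments, so the
# functions can be pointed at /etc/mkinitcpio.conf and /etc/default/grub.

# hooks_ok FILE: the active HOOKS line must list block, encrypt, lvm2 and
# filesystems in that relative order (LUKS is opened before LVM scans it).
hooks_ok() {
    _line=$(grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1)
    [ -n "$_line" ] || return 1
    _want="block encrypt lvm2 filesystems"
    for _h in $(printf '%s\n' "$_line" | sed -e 's/^[^=]*=//' -e 's/[()"]//g'); do
        _first=${_want%% *}
        if [ "$_h" = "$_first" ]; then
            [ "$_want" = "$_first" ] && return 0   # last required hook found
            _want=${_want#* }
        fi
    done
    return 1
}

# cryptdevice_ok FILE DEVICE NAME: GRUB_CMDLINE_LINUX_DEFAULT must carry
# cryptdevice=DEVICE:NAME, optionally followed by :options.
cryptdevice_ok() {
    _cmd=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tail -n 1)
    _cmd=$(printf '%s' "${_cmd#*=}" | tr -d '"')
    for _tok in $_cmd; do
        case $_tok in
            "cryptdevice=$2:$3" | "cryptdevice=$2:$3":*) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample files that mirror the lines shown in the article.
demo=$(mktemp -d)
printf '%s\n' '#HOOKS=(base udev block filesystems)' \
    'HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)' \
    > "$demo/mkinitcpio.conf"
printf '%s\n' \
    'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards quiet"' \
    > "$demo/grub"

if hooks_ok "$demo/mkinitcpio.conf"; then echo "HOOKS: ok"
else echo "HOOKS: encrypt/lvm2 missing or out of order"; fi
if cryptdevice_ok "$demo/grub" /dev/nvme0n1p3 volgroup; then echo "cryptdevice: ok"
else echo "cryptdevice: does not match the LUKS partition"; fi
rm -rf "$demo"
```

Inside the chroot, call the two functions on the real files and only run mkinitcpio and grub-mkconfig once both succeed.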

Prepare the bootloader installation

root@archiso ~ # mkdir /boot/EFI
root@archiso ~ # mount /dev/nvme0n1p1 /boot/EFI
root@archiso ~ # grub-install --target=x86_64-efi --bootloader-id="Arch Linux" --recheck

The --bootloader-id flag defines the bootloader identifier. A directory of that name will be created in /boot/EFI/ to store the EFI binary and it is the name that will appear in the UEFI boot menu to identify the GRUB boot entry.

Copy the English GRUB messages

root@archiso ~ # cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

Generate the configuration

root@archiso ~ # grub-mkconfig -o /boot/grub/grub.cfg

Install processor microcode and video driver

Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to your system’s stability. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.

For an Intel based CPU and GPU, install the following package.

root@archiso ~ # pacman -S intel-ucode mesa

For an AMD based processor, install this one.

root@archiso ~ # pacman -S amd-ucode mesa

For an NVIDIA based GPU, install this one.

root@archiso ~ # pacman -S nvidia nvidia-utils

Exit and unmount our brand new filesystem

root@archiso ~ # exit
root@archiso ~ # umount -R /mnt
root@archiso ~ # reboot

At this point, your system reboots. GRUB should appear and ask you which operating system to start. We have only one OS, so choose Arch Linux. The second screen asks for the passphrase to unlock your filesystem. The last screen asks you to log in. I advise you to log in with your user and not as root for two reasons: first, it’s not a good idea to execute things as superuser; second, we have created a user, so use it.

Post-installation

Once logged in with your user, you may want to use yay (a tool to install community packages). If you have a French keyboard, don’t forget to execute sudo loadkeys fr to avoid typing crazy things.

Install yay

adrien@archiso ~ $ git clone https://aur.archlinux.org/yay.git
adrien@archiso ~ $ cd yay/
adrien@archiso yay $ makepkg -si
adrien@archiso yay $ cd
adrien@archiso ~ $ rm -rf yay/

Miscellaneous configurations

Add some color to pacman and yay.

adrien@archiso ~ $ sudo sed -i "s/#Color/Color/" /etc/pacman.conf

Control how much disk space the journal may use up at most.

adrien@archiso ~ $ sudo sed -i "s/#SystemMaxUse=/SystemMaxUse=50M/" /etc/systemd/journald.conf

Great, you now have a fresh encrypted Arch Linux installed on your computer or laptop. In this article, we will set up Spectrwm: a small dynamic tiling window manager for X11. Yes, currently our brand new Arch Linux is not very ergonomic, pretty rustic and not easy to use. Indeed, no GUI (Graphical User Interface) can spawn without a windowing system.