Skip to content

Instantly share code, notes, and snippets.

Last active February 20, 2025 19:54
Show Gist options
  • Save mihirchanduka/a9ba1c6edbfa068d2fbc2acb614c80e8 to your computer and use it in GitHub Desktop.
Save mihirchanduka/a9ba1c6edbfa068d2fbc2acb614c80e8 to your computer and use it in GitHub Desktop.
Arch Install Guide with BTRFS, Full Disk Encryption and Encrypted Swap Partition

Arch Linux Installation Guide

Guide to install Arch Linux on an EFI System. Includes these features:

  • Full Disk Encryption with LUKS
  • BTRFS with @ and @home subvolumes
  • Timeshift Backups
  • Encrypted Swap Partition
  • rEFInd bootloader
  • SDDM display manager
  • KDE Plasma desktop environment

Connect to WiFi and Time Sync

Enable Time Sync

timedatectl set-ntp true

Disk Partitioning

List your disks


Format the disk you want to install arch on by using sgdisk. Typically most disks are labeled as /dev/sda , /dev/vda, or /dev/nvme0n1

sgdisk -Z /dev/sda

Once formatted use gdisk to begin to partition the drive

gdisk /dev/sda

EFI Partiton

Type n and hit enter to create a new partition. Hit enter to leave the defaults for the partition start. Type +512M and hit enter to create a 512MB size partition. Type ef00 and hit enter to choose EFI partition type.

Encrypted Swap Partition

Type n and hit enter to create a new partition. Hit enter to leave the defaults for the partition start. Type +16G and hit enter to create a 16G size partition. (Swap sizes can be larger or smaller but it is recommended to match your swap to the amount of ram within the system)
Type 8200 and hit enter to choose Linux Swap partition type.

Root Partition

Type n and hit enter to create a new partition. Hit enter to leave the defaults for the partition start. Hit enter to use the remainder of the disk. Hit enter to choose the default partition type.

Hit w to write the changes

Disk Formatting and LUKS Encryption

List out all the partitions. They are laid out as /dev/sda1, /dev/sda2 , /dev/sda3 or /dev/nvme0n1p1, /dev/nvme0n1p2, /dev/nvme0n1p3.


Format EFI Partition as FAT32

mkfs.fat -F32 /dev/sda1

Temporary enable swap partition

mkswap /dev/sda2
swapon /dev/sda2

Enable the Encryption Modules

modprobe dm-crypt
modprobe dm-mod

Encrypt the root partition

cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda3

Type out "YES" in call caps and create a secure passphrase for the partition (Recommended to use 25 - 30 characters). Verify the passphrase.

Unlock the newly encrypted drive

cryptsetup luksOpen /dev/sda3 archlinux

Enter the passphrase

Format the root partition

mkfs.btrfs /dev/mapper/archlinux

Creating and Mounting BTRFS Subvolumes

Mount the archlinux partition

mount /dev/mapper/archlinux /mnt 

Move into the /mnt directory

cd /mnt

Create the @ and @home BTRFS Subvolumes

btrfs subvolume create @
btrfs subvolume create @home

Unmount archlinux partition

umount /mnt 

Mount newly created subvolumes and EFI

mount -o noatime,compress=zstd:1,space_cache=v2,discard=async,subvol=@ /dev/mapper/archlinux /mnt

# create a mount point for the home directory 
mkdir /mnt/home

mount -o noatime,compress=zstd:1,space_cache=v2,discard=async,subvol=@home /dev/mapper/archlinux /mnt/home

# create a mount point for the EFI partiton
mkdir /mnt/boot

mount /dev/sda1 /mnt/boot

Installing Base Packages

Use pacstrap to install the base packages.

If you have an INTEL CPU

pacstrap /mnt base linux linux-firmware sudo vim intel-ucode btrfs-progs

If you have an AMD CPU

pacstrap /mnt base linux linux-firmware sudo vim amd-ucode btrfs-progs

Generate fstab

genfstab -U /mnt >> /mnt/etc/fstab

Enter Arch Linux on the /mnt directory

arch-chroot /mnt

Edit the file system table and remove the subvolid from the @ and @home entries

vim /etc/fstab

Configuring Locales

Enable Time Sync

timedatectl set-ntp true

Set your timezone. For this example the timezone is The United States East Coast

timedatectl set-timezone America/New_York

Sync the hardware clock

hwclock --systohc

Edit the locale gen to enable United States English UTF-8

vim /etc/locale.gen
-#en_US.UTF-8 UTF-8
+en_US.UTF-8 UTF-8

Regenerate locale file


Set the locale language, time, and keyboard

localectl set-locale LANG="en_US.UTF-8"
localectl set-locale LC_TIME="en_US.UTF-8"
localectl set-keymap us

Set the hostname

vim /etc/hostname

Set the host. Change arch to whatever the hostname is

vim /etc/hosts
+   localhost
+ ::1         localhost
+   arch.localdomain   arch

Installing Arch

Install Packages

Edit the pacman configuration to enable parallel downloads and color

vim /etc/pacman.conf
- #ParallelDownloads = 5
- #Color
+ ParallelDownloads = 5
+ Color

Sync to the Arch servers and update packages

pacman -Syu

Install Arch Packages


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man amd-ucode kde-applications firewalld

Install Video Drivers


pacman -S xf86-video-intel mesa vulkan-intel


pacman -S xf86-video-amdgpu mesa vulkan-radeon


pacman -S nvidia nvidia-utils

Enable Services

Enable the services on system startup

systemctl enable NetworkManager
systemctl enable avahi-daemon
systemctl enable sddm

Setting Up mkinitcpio

Edit mkinitcpio.conf and enable BTRFS

vim /etc/mkinitcpio.conf
+ MODULES=(btrfs)

Add the encryption hook

- HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
+ HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck) 

Regenerate the ramdisk init environment

mkinitcpio -p linux

Installing rEFInd

Enter the command to install rEFInd


List out all devices on the device and note down the UUID of the encrypted partiton


# /dev/sda3: UUID="83da0c42-4b61-498d-bebc-68b65dc1704f" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="923b9107-492d-447f-9e86-18e496a9a0f7"

#Note the UUID (UUID="83da0c42-4b61-498d-bebc-68b65dc1704f")

Edit the rEFInd configuration file

vim /boot/refind_linux.conf

Add the cryptdevice flag to “Boot with Standard Options”

- "Boot with standard options"  "loglevel=3 quiet"
+ "Boot with standard options"  "loglevel=3 quiet cryptdevice=UUID=83da0c42-4b61-498d-bebc-68b65dc1704f:archlinux root=/dev/mapper/archlinux rootflags=subvol=@ rw"

Reinstall rEFInd


Creating User

Create and user account and password. Replace user with the username

useradd -mG wheel user
passwd user

Edit the sudoers to enable sudo access for the user

EDITOR=vim visudo
- #%wheel ALL=(ALL) ALL
+ %wheel ALL=(ALL) ALL

Sync the system and reboot

umount -a
reboot -n

Create a Swap Offset

swapoff /dev/sda2
mkfs.ext2 -L cryptswap /dev/sda2 1M
#Press y when prompted

Open Cryptab

vim /etc/crypttab

Uncomment the swap

- #swap      /dev/sd_X#_    /dev/urandom   swap,cipher=aes-cbc-essiv:sha256,size=256
+  swap   LABEL=cryptswap    /dev/urandom   swap,offset=2048,cipher=aes-xts-plain64,size=512

Edit swap entry in fstab

- UUID=ad1cdf6d-010f-43ae-8b64-7b9d54367dda    none      swap    defaults 0    0 
+ /dev/mapper/swap    none      swap    defaults 0    0

Reboot the system and enjoy your completed system :)

sudo reboot -n
Copy link

ScubyG commented Sep 8, 2022

I've not been able to get this to work, lots of errors such as btrfs not being the correct format

btrfs subvolume create @
btrfs subvolume create @home

This should be:
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home

There was also issues with other parts of the code unless it is something I am doing wrong?

Copy link

@ScubyG I will take a look over the weekend and I'll try to resolve any issue with the install guide.

Copy link

ScubyG commented Sep 11, 2022

@ScubyG I will take a look over the weekend and I'll try to resolve any issue with the install guide.

Thank you, I shall give it another try when you have been able to take a look

Copy link

@ScubyG I will take a look over the weekend and I'll try to resolve any issue with the install guide.

Thank you, I shall give it another try when you have been able to take a look

Can you describe the other issues you were facing besides the creating the btrfs subvolumes

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld

intel-ucode shouldn’t be there

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld

intel-ucode shouldn’t be there

Thanks for the catch, updated the gist.

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
intel-ucode shouldn’t be there

Thanks for the catch, updated the gist.

Whoa you’re so quick!
BTW in the refind.conf kernel parameters you could just set cryptdevice=PARTLABEL=/dev/xxx right?

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
intel-ucode shouldn’t be there

Thanks for the catch, updated the gist.

Whoa you’re so quick! BTW in the refind.conf kernel parameters you could just set cryptdevice=PARTLABEL=/dev/xxx right?

As far as I can tell cryptdevice needs dmname to mount to /dev/mapper/dmname

but I will update the .conf file name from refind_linux.conf to refind.conf

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
intel-ucode shouldn’t be there

Thanks for the catch, updated the gist.

Whoa you’re so quick! BTW in the refind.conf kernel parameters you could just set cryptdevice=PARTLABEL=/dev/xxx right?

As far as I can tell cryptdevice needs dmname to mount to /dev/mapper/dmname

but I will update the .conf file name from refind_linux.conf to refind.conf

I think it’s supposed to be refind_linux.conf because refind.conf is a different file

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
intel-ucode shouldn’t be there

Thanks for the catch, updated the gist.

Whoa you’re so quick! BTW in the refind.conf kernel parameters you could just set cryptdevice=PARTLABEL=/dev/xxx right?

As far as I can tell cryptdevice needs dmname to mount to /dev/mapper/dmname
but I will update the .conf file name from refind_linux.conf to refind.conf

I think it’s supposed to be refind_linux.conf because refind.conf is a different file

yeah, you are right. Just double checked. Will re-fix.

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
intel-ucode shouldn’t be there

Thanks for the catch, updated the gist.

Whoa you’re so quick! BTW in the refind.conf kernel parameters you could just set cryptdevice=PARTLABEL=/dev/xxx right?

As far as I can tell cryptdevice needs dmname to mount to /dev/mapper/dmname
but I will update the .conf file name from refind_linux.conf to refind.conf

I think it’s supposed to be refind_linux.conf because refind.conf is a different file

yeah, you are right. Just double checked. Will re-fix.

And you should suggest people to do mkrlconf before editing the configs because my config file directory may be different from yours so show them as esp_dir/EFI/refind_linux.conf
I use /boot/efi BTW

Copy link


pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
intel-ucode shouldn’t be there

Thanks for the catch, updated the gist.

Whoa you’re so quick! BTW in the refind.conf kernel parameters you could just set cryptdevice=PARTLABEL=/dev/xxx right?

As far as I can tell cryptdevice needs dmname to mount to /dev/mapper/dmname
but I will update the .conf file name from refind_linux.conf to refind.conf

I think it’s supposed to be refind_linux.conf because refind.conf is a different file

yeah, you are right. Just double checked. Will re-fix.

And you should suggest people to do mkrlconf before editing the configs because my config file directory may be different from yours so show them as esp_dir/EFI/refind_linux.conf I use /boot/efi BTW

I didn't know that was a thing. I will update the guide once I get the chance as I think this will require me to do some research.

Copy link

And I suggest using the -K flag in pacstrap to automatically initialize the key certs
To maximize the download speed I suggest parallel downloads to 50 and use reflector to have your mirrorlist ready(pacstrap grabs it to your new system)

Copy link

olivertzeng commented Nov 23, 2023

I didn't know that was a thing. I will update the guide once I get the chance as I think this will require me to do some research.

That command sets up the configs for you and you would just need to change the stuff inside the quote

Copy link

And you should probably show how to chroot via usb into the encrypted system.
I’ve tested for you you would just:

cryptsetup luksOpen /dev/xxx archlinux
mount -o subvol=@ /dev/mapper/archlinux /mnt
mount -o subvol=@home /dev/mapper/archlinux /mnt/home

Copy link

And why do we need to create a swap offset?
And why is this ext2? Is there a reason not to use mkfs.ext4?
mkfs.ext2 -L cryptswap /dev/sda2 1M

Copy link

The refind boot menu doesn’t show my arch! What do I do?

Copy link

Are you using timeshift, timeshift-autosnap, refind-btrfs? And are the btrfs snapshots showing up in refind? I'm having trouble refind finding my snapshots. grub,grub-btrfs works fine.

I can't see any info about this in this guide.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment