Guide to install Arch Linux on an EFI System. Includes these features:
- Full Disk Encryption with LUKS
- BTRFS with @ and @home subvolumes
- Timeshift Backups
- Encrypted Swap Partition
- rEFInd bootloader
- SDDM display manager
- KDE Plasma desktop environment
Enable Time Sync
timedatectl set-ntp true
List your disks
lsblk
Wipe the partition table of the disk you want to install Arch on using sgdisk (-Z destroys the existing GPT and MBR data structures). Typically most disks are labeled as /dev/sda, /dev/vda, or /dev/nvme0n1
sgdisk -Z /dev/sda
Once that is done, use gdisk to partition the drive
gdisk /dev/sda
Type n and hit enter to create a new partition.
Hit enter to leave the defaults for the partition start.
Type +512M and hit enter to create a 512MB size partition.
Type ef00 and hit enter to choose EFI partition type.
Type n and hit enter to create a new partition.
Hit enter to leave the defaults for the partition start.
Type +16G and hit enter to create a 16G size partition. (Swap sizes can be larger or smaller but it is recommended to match your swap to the amount of RAM within the system)
Type 8200 and hit enter to choose Linux Swap partition type.
Type n and hit enter to create a new partition.
Hit enter to leave the defaults for the partition start.
Hit enter to use the remainder of the disk.
Hit enter to choose the default partition type.
Hit w to write the changes
List out all the partitions. They are laid out as /dev/sda1, /dev/sda2, /dev/sda3 or /dev/nvme0n1p1, /dev/nvme0n1p2, /dev/nvme0n1p3.
lsblk
Format EFI Partition as FAT32
mkfs.fat -F32 /dev/sda1
Temporarily enable the swap partition
mkswap /dev/sda2
swapon /dev/sda2
Enable the Encryption Modules
modprobe dm-crypt
modprobe dm-mod
Encrypt the root partition
cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda3
Type "YES" in all caps and create a secure passphrase for the partition (recommended: 25 - 30 characters). Verify the passphrase.
Unlock the newly encrypted drive
cryptsetup luksOpen /dev/sda3 archlinux
Enter the passphrase
Format the root partition
mkfs.btrfs /dev/mapper/archlinux
Mount the archlinux partition
mount /dev/mapper/archlinux /mnt
Move into the /mnt directory
cd /mnt
Create the @ and @home BTRFS Subvolumes
btrfs subvolume create @
btrfs subvolume create @home
Unmount the archlinux partition
cd
umount /mnt
Mount newly created subvolumes and EFI
mount -o noatime,compress=zstd:1,space_cache=v2,discard=async,subvol=@ /dev/mapper/archlinux /mnt
# create a mount point for the home directory
mkdir /mnt/home
mount -o noatime,compress=zstd:1,space_cache=v2,discard=async,subvol=@home /dev/mapper/archlinux /mnt/home
# create a mount point for the EFI partition
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Use pacstrap to install the base packages.
If you have an INTEL CPU
pacstrap /mnt base linux linux-firmware sudo vim intel-ucode btrfs-progs
If you have an AMD CPU
pacstrap /mnt base linux linux-firmware sudo vim amd-ucode btrfs-progs
Generate fstab
genfstab -U /mnt >> /mnt/etc/fstab
Enter Arch Linux on the /mnt directory
arch-chroot /mnt
Edit the file system table and remove the subvolid from the @ and @home entries
vim /etc/fstab
-rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=261,subvol=/@
+rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@
-rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=261,subvol=/@home
+rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@home
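Enable Time Sync
# timedatectl cannot talk to systemd from inside the chroot, so enable the service directly
systemctl enable systemd-timesyncd
Set your timezone. For this example the timezone is the United States East Coast
# timedatectl set-timezone also needs a running systemd; link the zone file instead
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime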
Sync the hardware clock
hwclock --systohc
Edit the locale gen to enable United States English UTF-8
vim /etc/locale.gen
-#en_US.UTF-8 UTF-8
+en_US.UTF-8 UTF-8
Regenerate locale file
locale-gen
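Set the locale language, time, and keyboard
# localectl needs a running systemd, so write the configuration files directly
echo 'LANG=en_US.UTF-8' > /etc/locale.conf
echo 'LC_TIME=en_US.UTF-8' >> /etc/locale.conf
echo 'KEYMAP=us' > /etc/vconsole.conf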
Set the hostname
vim /etc/hostname
+arch
Set the hosts file. Change arch to whatever the hostname is
vim /etc/hosts
+ 127.0.0.1 localhost
+ ::1 localhost
+ 127.0.1.1 arch.localdomain arch
Edit the pacman configuration to enable parallel downloads and color
vim /etc/pacman.conf
- #ParallelDownloads = 5
- #Color
+ ParallelDownloads = 5
+ Color
Sync to the Arch servers and update packages
pacman -Syu
Install Arch Packages
Intel
pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
AMD
pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man amd-ucode kde-applications firewalld
Install Video Drivers
Intel
pacman -S xf86-video-intel mesa vulkan-intel
AMD
pacman -S xf86-video-amdgpu mesa vulkan-radeon
Nvidia
pacman -S nvidia nvidia-utils
Enable the services on system startup
systemctl enable NetworkManager
systemctl enable avahi-daemon
systemctl enable sddm
Edit mkinitcpio.conf and enable BTRFS
vim /etc/mkinitcpio.conf
- MODULES=()
+ MODULES=(btrfs)
Add the encryption hook
- HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
+ HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
Regenerate the ramdisk init environment
mkinitcpio -p linux
Enter the command to install rEFInd
refind-install
List all block devices on the system and note down the UUID of the encrypted partition
blkid
# /dev/sda3: UUID="83da0c42-4b61-498d-bebc-68b65dc1704f" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="923b9107-492d-447f-9e86-18e496a9a0f7"
# Note the UUID (UUID="83da0c42-4b61-498d-bebc-68b65dc1704f"), not the PARTUUID
Edit the rEFInd configuration file
vim /boot/refind_linux.conf
Add the cryptdevice flag to “Boot with Standard Options”
- "Boot with standard options" "loglevel=3 quiet"
+ "Boot with standard options" "loglevel=3 quiet cryptdevice=UUID=83da0c42-4b61-498d-bebc-68b65dc1704f:archlinux root=/dev/mapper/archlinux rootflags=subvol=@ rw"
Reinstall rEFInd
refind-install
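If the UUID or mapper name in cryptdevice= does not line up with root=, the root filesystem cannot be unlocked or mounted at boot. The shell function below is an added example, not part of the original guide; it checks an options string against blkid output. The name check_cmdline and the two bad option strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check refind_linux.conf options.
# check_cmdline BLKID_OUTPUT OPTIONS -> prints "ok" (exit 0) or the problem (exit 1)
check_cmdline() {
    blkid_out=$1 opts=$2 crypt= root=
    # Pick the cryptdevice= and root= tokens out of the option string.
    for tok in $opts; do
        case $tok in
            cryptdevice=*) crypt=${tok#cryptdevice=} ;;
            root=*)        root=${tok#root=} ;;
        esac
    done
    # Expected form: cryptdevice=UUID=<uuid>:<dmname>[:options]
    case $crypt in
        UUID=*:?*) ;;
        *) echo "cryptdevice must be UUID=<uuid>:<dmname>"; return 1 ;;
    esac
    rest=${crypt#UUID=}
    uuid=${rest%%:*}
    dmname=${rest#*:}
    dmname=${dmname%%:*}
    # The UUID must be the LUKS header UUID, not the GPT PARTUUID.
    if ! printf '%s\n' "$blkid_out" | grep 'TYPE="crypto_LUKS"' |
            grep -qF " UUID=\"$uuid\""; then
        echo "UUID $uuid is not a crypto_LUKS device"; return 1
    fi
    # root= must name the mapping the encrypt hook creates from <dmname>.
    if [ "$root" != "/dev/mapper/$dmname" ]; then
        echo "root=$root does not match /dev/mapper/$dmname"; return 1
    fi
    echo ok
}

# blkid line and GOOD options copied from the guide; the BAD_* strings are
# constructed mistakes (PARTUUID pasted as UUID, mismatched mapper name).
BLKID='/dev/sda3: UUID="83da0c42-4b61-498d-bebc-68b65dc1704f" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="923b9107-492d-447f-9e86-18e496a9a0f7"'
GOOD='loglevel=3 quiet cryptdevice=UUID=83da0c42-4b61-498d-bebc-68b65dc1704f:archlinux root=/dev/mapper/archlinux rootflags=subvol=@ rw'
BAD_PARTUUID='quiet cryptdevice=UUID=923b9107-492d-447f-9e86-18e496a9a0f7:archlinux root=/dev/mapper/archlinux rw'
BAD_NAME='quiet cryptdevice=UUID=83da0c42-4b61-498d-bebc-68b65dc1704f:cryptroot root=/dev/mapper/archlinux rw'

for o in "$GOOD" "$BAD_PARTUUID" "$BAD_NAME"; do
    check_cmdline "$BLKID" "$o" || true
done
```

On a real system, pass "$(blkid)" and the quoted options from /boot/refind_linux.conf instead of the sample variables.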
Create a user account and password. Replace user with the username
useradd -mG wheel user
passwd user
Edit the sudoers to enable sudo access for the user
EDITOR=vim visudo
- #%wheel ALL=(ALL) ALL
+ %wheel ALL=(ALL) ALL
Sync the system and reboot
sync
exit
umount -a
reboot -n
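After rebooting into the new system, create a swap offset: a 1 MiB ext2 filesystem at the start of the swap partition holds the cryptswap label, and the encrypted swap starts after it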
su
swapoff /dev/sda2
mkfs.ext2 -L cryptswap /dev/sda2 1M
#Press y when prompted
Open crypttab
vim /etc/crypttab
Uncomment the swap entry and change it as follows
- #swap /dev/sd_X#_ /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
+ swap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512
Edit swap entry in fstab
- UUID=ad1cdf6d-010f-43ae-8b64-7b9d54367dda none swap defaults 0 0
+ /dev/mapper/swap none swap defaults 0 0
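The crypttab swap option reformats the named device with a fresh random key at every boot, so the entry has to identify the partition persistently and must not overwrite the label it relies on. The lint below is an added example, not part of the original guide; the function name check_crypttab_swap, the STUB_SECTORS constant and the swap2/swap3 sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): lint random-key swap entries in crypttab.
# Reads crypttab text on stdin, prints one verdict per swap entry, and returns 1
# if any entry could destroy data or lose track of its partition.
STUB_SECTORS=2048   # 1 MiB stub from "mkfs.ext2 ... 1M", in 512-byte sectors

check_crypttab_swap() {
    rc=0
    while read -r name dev key opts extra; do
        case $name in ''|'#'*) continue ;; esac            # blank or comment
        case ",$opts," in *,swap,*) ;; *) continue ;; esac # not a swap entry
        off=0
        case ",$opts" in
            *,offset=*) off=${opts#*offset=}; off=${off%%,*} ;;
        esac
        case $dev in
            /dev/sd*|/dev/vd*|/dev/nvme*|/dev/mmcblk*)
                # mkswap runs on this device at every boot; if kernel names
                # shift, a different partition is overwritten.
                echo "$name: UNSAFE kernel name $dev"; rc=1 ;;
            LABEL=*|UUID=*)
                # The label lives in the stub filesystem, so the mapping must
                # start after it or the first boot erases the label.
                if [ "$off" -ge "$STUB_SECTORS" ]; then
                    echo "$name: ok"
                else
                    echo "$name: UNSAFE offset=$off overlaps stub"; rc=1
                fi ;;
            *) echo "$name: ok" ;;
        esac
    done
    return $rc
}

# Constructed sample: the guide's entry, then two common mistakes.
SAMPLE='# <name> <device> <password> <options>
swap  LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512
swap2 /dev/sda2       /dev/urandom swap,cipher=aes-xts-plain64,size=512
swap3 LABEL=cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=512'

printf '%s\n' "$SAMPLE" | check_crypttab_swap || true
```

Run it against the live file with `check_crypttab_swap < /etc/crypttab` before rebooting.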
Reboot the system and enjoy your completed system :)
exit
sudo reboot -n
As far as I can tell cryptdevice needs dmname to mount to /dev/mapper/dmname
https://wiki.archlinux.org/title/Dm-crypt/System_configuration#cryptdevice
but I will update the .conf file name from refind_linux.conf to refind.conf