June 1, 2020

Arch install with LUKS and systemd-boot

  • 2021-01-08 Updated with instructions on LTS kernel.


I recently made a fresh Arch Linux install.

The setup will look like this: one HDD with 2 partitions. The first one is unencrypted and contains EFI and boot. The second contains the system and user home. This partition will be encrypted with LUKS and contain an ext4 file system. For booting, systemd-boot will be used.

The LUKS device contains a header with data about the device. If something happens to the device, this header data is crucial when restoring, so take a backup of it.


  gdisk /dev/nvme0n1 # Disk for
  # Remove all partitions
  # Create two new partitions
  # +1GB           EF00   EFI and boot
  # rest of disk   8300   home and system

  mkfs.fat -F32 /dev/nvme0n1p1

  # Create LUKS device
  cryptsetup -v --use-random luksFormat /dev/nvme0n1p2

  # Check the results
  cryptsetup luksDump /dev/nvme0n1p2

  # Create header backup. The file is written to the current directory of the
  # live environment, so copy it to separate storage before rebooting.
  cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file luks_header_backup_$(date +%Y-%m-%d)

  # Open the device
  cryptsetup luksOpen /dev/nvme0n1p2 cryptroot

  # Create file system on luks device
  mkfs.ext4 /dev/mapper/cryptroot

  # Mount partitions
  mount /dev/mapper/cryptroot /mnt
  mkdir -p /mnt/boot
  mount /dev/nvme0n1p1 /mnt/boot

  # Connect to wifi

  pacstrap /mnt base base-devel linux linux-lts linux-firmware intel-ucode git emacs sudo networkmanager bash-completion

  genfstab -pU /mnt >> /mnt/etc/fstab

  arch-chroot /mnt /bin/bash

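  # Set time zone (timedatectl cannot reach systemd from inside the chroot,
  # so link the zone file directly)
  ln -sf /usr/share/zoneinfo/Europe/Stockholm /etc/localtime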

  hwclock --systohc --utc

  # Set host name
  echo arch > /etc/hostname

  emacs /etc/locale.gen
  # uncomment:
  # en_US.UTF-8 UTF-8

  # Generate the uncommented locales
  locale-gen


  echo LANG=en_US.UTF-8 > /etc/locale.conf
  echo LANGUAGE=en_US >> /etc/locale.conf
  echo LC_ALL=C >> /etc/locale.conf

  # Set root password
  passwd

  # Create new user
  useradd -m -g users -G wheel,video john

  # Set user password
  passwd john

  EDITOR=emacs visudo
  # Uncomment line:
  # %wheel ALL=(ALL) ALL

  emacs /etc/mkinitcpio.conf
  # Open mkinitcpio.conf and add the following to each section:
  # MODULES=(ext4)
  # On 'HOOKS' add 'encrypt' before 'filesystems'
  # Something like this:
  # HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)

  # Rebuild the initramfs for all installed presets (linux and linux-lts)
  mkinitcpio -P

  bootctl --path=/boot install

  echo 'default arch' >> /boot/loader/loader.conf
  echo 'timeout 5' >> /boot/loader/loader.conf

  # Get the PARTUUID from the system partition into arch.conf
  blkid -s PARTUUID -o value /dev/nvme0n1p2 >> /boot/loader/entries/arch.conf

  emacs /boot/loader/entries/arch.conf
  # Add the following content to arch.conf
  # The partition <PARTUUID> is already in the file.
  title Arch Linux
  linux /vmlinuz-linux
  initrd /intel-ucode.img
  initrd /initramfs-linux.img
  options cryptdevice=PARTUUID=<PARTUUID>:cryptroot root=/dev/mapper/cryptroot rw

  # Exit new system and go into the cd shell
  exit

  # Unmount all
  umount -R /mnt

  # Reboot system
  shutdown -r now

Start NetworkManager and connect to Wi-Fi in the new system.

  systemctl start NetworkManager
  systemctl enable NetworkManager
  nmcli device wifi connect <SSID|BSSID> password <password>

LTS kernel

An LTS kernel is installed in the pacstrap process. I recommend adding it as a boot option to systemd-boot. The file location is /boot/loader/entries/arch-lts.conf.

  title Arch Linux LTS
  linux /vmlinuz-linux-lts
  initrd /intel-ucode.img
  initrd /initramfs-linux-lts.img
  options cryptdevice=PARTUUID=<PARTUUID>:cryptroot root=/dev/mapper/cryptroot rw

When the system boots, the default kernel will be the latest one, but you can choose to boot the LTS kernel if you want. This can be good if something is wrong with the latest kernel and the fallback is somehow unusable.
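
A wrong HOOKS order or a stale PARTUUID in a loader entry only shows up as an unbootable system, so it is worth checking both entries (arch.conf and arch-lts.conf) before unmounting. The following is an added example, not part of the original post; the function names are hypothetical and the file paths are passed in as arguments.

```bash
#!/usr/bin/env bash
# Added example (hypothetical function names). Run inside the chroot, e.g.:
#   check_hooks /etc/mkinitcpio.conf
#   check_entry /boot/loader/entries/arch.conf "$(blkid -s PARTUUID -o value /dev/nvme0n1p2)" /boot

# hook_index FILE HOOK: print the 1-based position of HOOK in the active HOOKS=(...) line.
hook_index() {
  local hooks h i=0
  hooks=$(sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | tail -n 1)
  for h in $hooks; do
    i=$((i + 1))
    if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
  done
  return 1
}

# check_hooks FILE: succeed only if 'encrypt' is present and runs before 'filesystems'.
check_hooks() {
  local enc fs
  enc=$(hook_index "$1" encrypt) || { echo "encrypt hook missing" >&2; return 1; }
  fs=$(hook_index "$1" filesystems) || { echo "filesystems hook missing" >&2; return 1; }
  [ "$enc" -lt "$fs" ] || { echo "encrypt must precede filesystems" >&2; return 1; }
}

# check_entry FILE PARTUUID ESP: succeed only if the entry unlocks PARTUUID, mounts the
# resulting mapper device as root, and every kernel/initrd it names exists under ESP.
check_entry() {
  local opts dev name f
  opts=$(sed -n 's/^options[[:space:]]\{1,\}//p' "$1" | tr ' ' '\n')
  dev=$(printf '%s\n' "$opts" | sed -n 's/^cryptdevice=//p')
  [ "${dev%%:*}" = "PARTUUID=$2" ] || { echo "cryptdevice is not PARTUUID=$2" >&2; return 1; }
  name=${dev#*:}; name=${name%%:*}   # mapper name, ignoring any trailing :options
  printf '%s\n' "$opts" | grep -qxF "root=/dev/mapper/$name" ||
    { echo "root= is not /dev/mapper/$name" >&2; return 1; }
  for f in $(sed -n -e 's/^linux[[:space:]]\{1,\}//p' -e 's/^initrd[[:space:]]\{1,\}//p' "$1"); do
    [ -f "$3$f" ] || { echo "missing $3$f" >&2; return 1; }
  done
}
```

Both functions return non-zero and print the reason to stderr on the first problem found, so an entry that still contains the literal <PARTUUID> placeholder or points at an initramfs that was never built is caught before the reboot.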


Small set of packages to get up and running with a desktop environment plus some good to have.

