
Installing Arch Linux with btrfs and Full Disk Encryption on a UEFI system

  • Writer: Chris
  • Mar 4
  • 7 min read

Updated: Mar 6




Installing Arch Linux on a UEFI system using btrfs and full disk encryption can enhance your system's security.


In this guide, I'll cover how to configure your hard drive, create the necessary partitions and subvolumes, install the base system, set up encryption, and finally install the GRUB bootloader.


The Archinstall script can achieve a similar result with much less effort, but this detailed procedure is helpful to understand how things work and to set the correct, customized parameters.



Prerequisites


Before you begin, read the following points carefully:


  1. Live USB: Prepare an Arch Linux installation USB drive. You can use tools like Rufus or Etcher to write the Arch Linux ISO file to your USB drive.


  2. Internet Access: Ensure your system can connect to the internet, as the installation requires downloading packages.


  3. Backup Data: If you're installing Arch Linux on an existing machine, make sure to back up any important data, as this process will overwrite the existing data on your disk.


  4. Basic Linux Knowledge: Familiarity with the Linux command line will help you navigate the installation process.



Step 1: Boot from the Installation Media


Insert your Live USB into the computer and boot from it. You might need to adjust your UEFI settings to enable USB booting. Look for "Boot Options" during startup.


Once booted, you are at the installation media's tty.


Choosing the keyboard layout


The Arch Linux installation environment uses the US American keyboard layout.


If you need to switch to a different layout, type:


localectl list-keymaps

This will list all the available keyboard layouts.


To switch to a different layout, type the command `loadkeys` followed by the layout name.


For example, if you need to switch to a German layout, type:


loadkeys de-latin1

And press ENTER.



Step 2: Prepare the disk


Warning:

Please keep in mind that in this guide I'll be showing a completely fresh install, wiping everything, as this is the safest approach.



Choosing the disk device (sdX, nvme0nXpY)


The very first crucial step is to identify the device (physical disk) on which you want to install Arch Linux.


Type:

lsblk

The output is something like this, but it depends on how many disks you have installed in your system.

NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda             8:0    0 233.8G  0 disk  
├─sda1          8:1    0   200M  0 part  
├─sda2          8:2    0   512M  0 part  
└─sda3          8:3    0 233.1G  0 part  

If you have a SATA device, your disk may be identified with /dev/sdXY where:


X is the letter identifying the disk.

The first disk would be identified with a, the second with b, etc.


Y is the partition number of the disk.

The first partition will be identified with 1, the second with 2, etc.


If you have an M.2 SSD, your disk may be identified with /dev/nvme0nXpY where:


X is the number identifying the disk.

The first disk would be identified with 1, the second with 2, etc.


Y is the partition number of the disk.

The first partition will be identified with 1, the second with 2, etc.


In this guide I will assume you have a SATA disk so I will use a device named /dev/sda.


Replace /dev/sda with the device you would like to erase and partition.


Once you have identified the disk, make sure it does not contain anything you need, because we are going to erase ALL of its content in the next step.



Step 2.1: Partition layout


Next, create the necessary partitions. For full disk encryption, you'll generally want at least two partitions:


  1. An EFI System Partition (ESP): for UEFI boot.

  2. A LUKS encrypted partition: for the root btrfs filesystem with all the subvolumes.


To create your partitions, type:


gdisk /dev/sda

Where /dev/sda is the disk where Archlinux will be installed.


If the disk naming is different, change it to /dev/sdb or whatever device you want to install Arch on before proceeding.


A prompt will appear on screen.



Step 2.2: Create Partitions in gdisk


You can use other tools to create the partitions, as long as you are familiar with them.

Use cfdisk, fdisk or whatever you prefer.


# Create a new partition with:

n

# Insert the partition number and press ENTER

1

# When asked about the first sector, press ENTER to accept the default

# You will be asked about the last sector, type:

+512M

# and press ENTER

# You will be asked for the partition type.
# Enter the following code (EFI System) and press ENTER

EF00

# Create a second partition with:

n

# When asked for the partition number, press ENTER to accept the default, or type:

2

# When asked about the first sector, press ENTER to accept the default

# You will be asked about the last sector, press ENTER to use
# the remaining free space of the disk

# You will be asked for the partition type.
# Enter the following code (Linux filesystem) and press ENTER

8300

# Type:

w

# to write the changes and quit gdisk

Step 3: Set Up Full Disk Encryption with LUKS


Next, we will set up LUKS encryption on the second partition.

Run the following command to format it with LUKS:


cryptsetup luksFormat /dev/sda2

You will be prompted to enter and confirm a passphrase. Ensure you choose a strong passphrase that you can remember.

You will be asked for this passphrase every time the system boots.


Next, open the encrypted partition:


cryptsetup open /dev/sda2 cryptroot

The above command unlocks the encrypted partition and exposes its decrypted contents through device-mapper.


It will be identified as:

/dev/mapper/cryptroot


Step 4: Set Up the btrfs Filesystem


Now that you have your encrypted partition opened, format it to btrfs:


mkfs.btrfs /dev/mapper/cryptroot

Once formatted, mount the btrfs filesystem on /mnt:


mount /dev/mapper/cryptroot /mnt


Step 5: Create Subvolumes


Subvolumes are used to better organize the btrfs filesystem, and it is good practice to create them.


btrfs su cr /mnt/@

btrfs su cr /mnt/@root

btrfs su cr /mnt/@home

btrfs su cr /mnt/@srv

btrfs su cr /mnt/@log

btrfs su cr /mnt/@cache

btrfs su cr /mnt/@tmp

btrfs su cr /mnt/@snapshots

After creating the subvolumes, unmount the btrfs filesystem and proceed with Step 6.

umount /mnt


Step 6: Mounting the partitions


mount -o subvol=@,noatime,space_cache=v2,compress=zstd /dev/mapper/cryptroot /mnt

Then create the necessary directories for mounting other subvolumes:


mkdir -p /mnt/{boot,root,home,srv,var/log,var/cache,var/tmp,.snapshots}

Now, mount the other subvolumes:

BTRFS_OPTS="noatime,space_cache=v2,compress=zstd"

mount -o subvol=@root,$BTRFS_OPTS /dev/mapper/cryptroot /mnt/root

mount -o subvol=@home,$BTRFS_OPTS /dev/mapper/cryptroot /mnt/home

mount -o subvol=@srv,$BTRFS_OPTS /dev/mapper/cryptroot /mnt/srv

mount -o subvol=@cache,$BTRFS_OPTS /dev/mapper/cryptroot /mnt/var/cache

mount -o subvol=@log,$BTRFS_OPTS /dev/mapper/cryptroot /mnt/var/log

mount -o subvol=@tmp,$BTRFS_OPTS /dev/mapper/cryptroot /mnt/var/tmp

mount -o subvol=@snapshots,$BTRFS_OPTS /dev/mapper/cryptroot /mnt/.snapshots

Mount the EFI partition to the appropriate directory:


mount /dev/sda1 /mnt/boot


Step 7: Install the Arch Linux Base System


Now, it's time to install the base system. First, ensure your system is connected to the internet:


ping -c 3 archlinux.org

If you receive replies, you are connected. Next, use the `pacstrap` command to install the base packages, the btrfs tools, GRUB together with efibootmgr (which grub-install needs to register the boot entry on a UEFI system), NetworkManager and a text editor (in this case I chose nano for simplicity):


pacstrap -K /mnt base linux linux-firmware btrfs-progs efibootmgr grub nano networkmanager


Step 8: Generate fstab


The fstab file lists the filesystems that should be mounted at boot, with their mount points and mount options.


Generate an `fstab` file using the `genfstab` command:


genfstab -U /mnt >> /mnt/etc/fstab
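As an added check, not part of the original guide, the script below verifies that a generated fstab mounts every subvolume from Step 5 at the directory used in Step 6. It runs against a constructed genfstab-style sample (placeholder UUIDs, and the @tmp line deliberately left out) so it can be tried offline; on the real system call check_fstab "$(cat /mnt/etc/fstab)".

```bash
#!/bin/bash
# Added example, not from the original guide: check that a genfstab result
# mounts every subvolume from Step 5 at the directory used in Step 6.

# Subvolume -> mount point, exactly as laid out in Steps 5 and 6.
EXPECTED="@:/ @root:/root @home:/home @srv:/srv @log:/var/log @cache:/var/cache @tmp:/var/tmp @snapshots:/.snapshots"

# Constructed sample in genfstab's format (UUIDs are placeholders, not real
# devices). genfstab records subvol=/@name with a leading slash. The @tmp
# line is deliberately missing so the check has something to report.
FSTAB_SAMPLE='# /dev/mapper/cryptroot
UUID=00000000-0000-0000-0000-000000000000 / btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@ 0 0
UUID=00000000-0000-0000-0000-000000000000 /root btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@root 0 0
UUID=00000000-0000-0000-0000-000000000000 /home btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@home 0 0
UUID=00000000-0000-0000-0000-000000000000 /srv btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@srv 0 0
UUID=00000000-0000-0000-0000-000000000000 /var/log btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@log 0 0
UUID=00000000-0000-0000-0000-000000000000 /var/cache btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@cache 0 0
UUID=00000000-0000-0000-0000-000000000000 /.snapshots btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvol=/@snapshots 0 0
# /dev/sda1
UUID=1234-ABCD /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2'

# Print the mount point recorded in the fstab text ($1) for subvolume $2
# (e.g. @home), or nothing if no btrfs entry mounts that subvolume.
fstab_mountpoint() {
    printf '%s\n' "$1" | awk -v sv="subvol=/$2" '
        $1 !~ /^#/ && $3 == "btrfs" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == sv) { print $2; exit }
        }'
}

# Report every subvolume that is missing or mounted in the wrong place.
# Returns the number of problems found (0 means the layout matches).
check_fstab() {
    local text="$1" pair sv mp got bad=0
    for pair in $EXPECTED; do
        sv="${pair%%:*}"; mp="${pair#*:}"
        got=$(fstab_mountpoint "$text" "$sv")
        if [ -z "$got" ]; then
            echo "MISSING  $sv (expected at $mp)"; bad=$((bad+1))
        elif [ "$got" != "$mp" ]; then
            echo "WRONG    $sv mounted at $got, expected $mp"; bad=$((bad+1))
        fi
    done
    return $bad
}
```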


Step 9: Chroot into the New System


To perform the next steps inside your new Arch installation, we need to chroot into it.


Chrooting changes the root directory so that the commands you type run inside the newly installed system.


arch-chroot /mnt


Step 10: Configure the System


Set Time Zone


Set your time zone with `ln -sf`:


ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

The above command sets the time zone to Europe/Berlin.

Other continents and time zones are available under /usr/share/zoneinfo.


Set your hardware clock

hwclock --systohc

Localization


This sets the base system language and regional formats (date, time, etc.).


Edit `/etc/locale.gen` and uncomment your locale, by removing the #.


en_US.UTF-8 corresponds to the English language and formats.


Then, run:


locale-gen

Set the `LANG` variable in `/etc/locale.conf`:


echo "LANG=en_US.UTF-8" > /etc/locale.conf

Configure the console (TTY) keyboard layout by creating `/etc/vconsole.conf`.


Use the correct keyboard layout (this file is separate from locale.conf, which holds LANG):


echo "KEYMAP=de" > /etc/vconsole.conf

This will set the console keyboard layout to German.



Hostname


The hostname is the name of your PC and how it will be identified on the network.


Set your hostname by typing:


echo "myhostname" > /etc/hostname

Where "myhostname" is the name you choose for your host.



Setup and create initramfs


The initramfs is a small filesystem loaded into RAM that contains everything required to initialize the system and mount the root filesystem.


To boot from an encrypted filesystem we need to modify the initramfs configuration.



Modifying initramfs


Open the `/etc/mkinitcpio.conf` file and add the encrypt and btrfs hooks to the `HOOKS` array, after block, as follows.


The order is important: encrypt must come after block (so the partition is visible) and before filesystems (so the unlocked device exists when the root filesystem is mounted). If you use a non-US console layout, also add the keymap hook before encrypt so the passphrase prompt uses the layout from vconsole.conf; otherwise the prompt expects the US layout.


HOOKS=(base udev autodetect modconf block encrypt btrfs filesystems keyboard fsck)

Save and exit the file.



Regenerating the initramfs


After changing the hook configuration (see previous step), you must regenerate the initramfs with the following command.


mkinitcpio -P


Set Root Password


This is the password to be used to access the root account.


Set the root password with the following command:


passwd


Step 11: Configure the GRUB Bootloader


GRUB (GRand Unified Bootloader) is the system bootloader.

This program loads the Linux kernel into RAM to boot the system.


Configuring Grub.


GRUB settings must be adjusted to boot from an encrypted btrfs filesystem.



11.1 Find the UUID of the encrypted partition


Find the UUID of the encrypted disk device by running:


blkid /dev/sda2

In this guide /dev/sda2 is the encrypted partition we created with cryptsetup.


If your encrypted partition is not /dev/sda2, replace it with the correct device name.


The command above will output several key="value" strings.


What you need to copy or write down is the UUID value, without the quotes "" or spaces.

It should be an alphanumeric string with the following format.


UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX


11.2 Modifying the grub configuration file

Now we need to enter the string we got in 11.1 into the '/etc/default/grub' file.


Open the file with your default text editor


nano /etc/default/grub

Check the line starting with GRUB_CMDLINE_LINUX_DEFAULT


Modify the line as follows:


GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=MYUUID:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@ rootfstype=btrfs quiet"

where MYUUID is the string we got in point 11.1 without quotes or spaces. The cryptdevice parameter tells the encrypt hook which partition to unlock and the name (here cryptroot) to give the unlocked device; root= must point to that same name under /dev/mapper.
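As an added check, not the guide's own commands, the functions below build the GRUB_CMDLINE_LINUX_DEFAULT line from a UUID and mapper name and catch the mistakes that leave the encrypt hook unable to unlock the root at boot: the MYUUID placeholder left in place, a missing cryptdevice= parameter, or a mapper name that does not match root=. The UUID is whatever blkid printed in 11.1; the mapper name defaults to cryptroot as used throughout the guide.

```bash
#!/bin/bash
# Added example, not from the original guide. Builds and sanity-checks the
# kernel command line for the encrypt hook. The UUID is passed in as the
# string read with `blkid /dev/sda2`; the mapper name is your choice.

# Validate the UUID format: 8-4-4-4-12 hex digits, no quotes, no spaces.
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the GRUB_CMDLINE_LINUX_DEFAULT line for a UUID and mapper name
# (default cryptroot, matching the rest of the guide).
build_cmdline() {
    local uuid="$1" name="${2:-cryptroot}"
    valid_uuid "$uuid" || { echo "bad UUID: '$uuid'" >&2; return 1; }
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=%s:%s root=/dev/mapper/%s rootflags=subvol=@ rootfstype=btrfs quiet"\n' \
        "$uuid" "$name" "$name"
}

# Check an existing line for the mistakes that drop you into an emergency
# shell at boot: no cryptdevice=, the MYUUID placeholder still in place, or
# the mapper name after the colon not matching root=. Returns 0 if all pass.
check_cmdline() {
    local line="$1" dev uuid name root
    case "$line" in
        *cryptdevice=UUID=*) ;;
        *) echo "missing cryptdevice=UUID=" >&2; return 1 ;;
    esac
    dev=$(printf '%s' "$line" | sed -n 's/.*cryptdevice=UUID=\([^ "]*\).*/\1/p')
    uuid="${dev%%:*}"; name="${dev#*:}"
    valid_uuid "$uuid" || { echo "UUID missing or malformed: '$uuid'" >&2; return 1; }
    root=$(printf '%s' "$line" | sed -n 's/.*root=\/dev\/mapper\/\([^ "]*\).*/\1/p')
    if [ -z "$root" ] || [ "$root" != "$name" ]; then
        echo "mapper name '$name' does not match root=/dev/mapper/$root" >&2; return 1
    fi
    case "$line" in
        *rootflags=subvol=@*) ;;
        *) echo "rootflags=subvol=@ missing, the @ subvolume would not be used as root" >&2; return 1 ;;
    esac
}
```

On the installed system, check_cmdline "$(grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub)" runs the same checks against the real file before you run grub-mkconfig.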



11.3 Install the grub bootloader in the EFI partition


Next, install GRUB to the EFI partition by typing:


grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Make sure there are no error messages after the execution of this command.



11.4 Create the "grub.cfg" file.


Then create the grub configuration file, by typing:


grub-mkconfig -o /boot/grub/grub.cfg

This command generates grub.cfg from the settings in /etc/default/grub, so all the parameters added there end up in the boot entries.



Step 12: Enable the NetworkManager service


NetworkManager takes care of connecting your system to the internet.

The service is managed by systemd and should be enabled at boot.


Type the below command to enable the service after the next reboot:


systemctl enable NetworkManager

Upper and lower-case letters must be typed exactly as shown above.



Step 13: Exit and Reboot


Exit the chroot environment and unmount the filesystems by typing the following commands:


exit

umount -R /mnt

Finally, reboot the system by typing:


reboot

Remove the installation media.


If everything works fine you will be asked to enter the password to unlock the encrypted partition and boot the system.



Conclusion


In the next post I will explain how to create a user, set up a firewall and install a desktop environment.
