Installing Arch Linux in an encrypted medium (USB 3.0 Pendrive)

Here we are gonna see how to install Arch Linux in an encrypted medium. For this blog I'm gonna use an USB 3.0 32GB Pendrive. This blog is also applicable for the native HDD or SSD installations too. So now lets discuss about some why's.

Why encryption? There are two usuall reasons for it. The first is that you don't want others to mess up with your personal data basically your privacy and the second is the confidentiallity of the data (CLASSIFIED/TOP-SECRET). If you want to be more protected or really protected give a password of minimum length of about 10-20 characters which should contains alphabets (both small case and upper case), numbers and some specail characters. Try to be more random.

Why in a pendrive? The simple answer is its portability and the other answer is a well personalized and secured operating system in your pocket or wallet. Use any computer hardware in your ownway. Without encryption don't go for a pendrive because easily we may miss it. From my personal experience USB 2.0 is not that fast. So go for USB 3.0.

To whom this article is for? For the intermediate and advanced GNU/Linux user.

Lets Begin the installation: Before proceeding to the installation note that you will lost your data please do a backup.

Step 1: First you have to download the ArchLinux live iso from here and write into a pendrive or CD/DVD. Here my choice is Pendrive.

For writing the iso in the pendrive(sdc) do the following in the terminal.

sudo dd if=~/Downloads/arch-linux.iso of=/dev/sdc status=progress

Once it is done you are ready to go. Reboot your system and boot from your pendrive.

You are automatically logged in as root.

Step 2: Here the actual Installation begins. Make sure that you are connected to the internet. First you have to set the date and time in your live system.

timedatectl set-ntp true

Step 3: Partitioning your pendrive for the installation. I'm going to use DOS partitioning table.

Here I'm gonna use only two partitions.

  1. Boot partition (Mount point - /boot).
  2. Root Partition (Mount point - /) which is going to be encrypted.

You may use any tool that you prefer for partitioning. I'm using fdisk.

To find your drive name do the following

# this will list the drives connected to your system My pendrive is at /dev/sdc

sda               8:0    0 465.8G  0 disk  
├─sda1            8:1    0   200M  0 part  
├─sda2            8:2    0     1G  0 part  
└─sda3            8:3    0 464.6G  0 part  
  ├─fedora-root 254:1    0    50G  0 lvm   
  ├─fedora-home 254:2    0 410.7G  0 lvm   
  └─fedora-swap 254:3    0   3.9G  0 lvm   
sdc               8:16   1  28.9G  0 disk  
├─sdc1            8:17   1  28.9G  0 part

#To Partition
fdisk /dev/sdc

Welcome to fdisk (util-linux 2.31).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

# enter o to create DOS Partitioning table
Command (m for help): o

# Enter n to create new partion (/boot)
Command (m for help): n
# Now press p and then enter
# Now press 1 and then enter
# Now just press enter
# Now type +512M and the enter
# You are done in creating a partition for /boot

# Enter n to create new partion (/)
Command (m for help): n
# Now press e and then enter
# Now press 2 and then enter
# Now just press enter 
# Again enter
# You are done in creating a partition for /

#Set the boot flag for the /boot partition 
Command (m for help): a
# Now press 1 and then enter

So we are done with the partitioning.

Step 3: Lets encrypt the root partition

cryptsetup luksFormat /dev/sdc2

This will prompt for the password to enrypt. Don't forget the thing that said in the begining, a strong password.

The encryption is done here. In order to use the use this partition you have to decrypt.

cryptsetup luksOpen /dev/sdc2 ROOT

This will open the partion to use and create the device mapping at /dev/mapper/ROOT.

Step 3: Creating the file systems for both / and /boot

#for the /boot partition
mkfs.ext4 /dev/sdc1

#for the / partition
mkfs.ext4 /dev/mapper/ROOT

Step 4: Mounting the partitions. For working with the partitions we have to mount it in an appropriate folder.

mount /dev/mapper/ROOT /mnt
#create a folder boot to mount the boot partition
mkdir /mnt/boot
mount /dev/sdc1 /mnt/boot

Step 5: Installing the base system

pacstrap /mnt base base-devel vim grub

This will install the basic system and also some extra package vim and grub.

Step 6: Now we have to update the Filesystem Table where you have partitions and its mount point.

genfstab -U /mnt >> /mnt/etc/fstab
# here U stands for UUID

Step 7: Login(chroot) to the new system that we have created.

arch-chroot /mnt

Step 8: Setting up the timezone, the language, the keyboard layout and the hostname.


#to list the timezones
ls /usr/share/zoneinfo/
#here my timezone is Asia/Kolkata for that
ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime


echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf

Keyboard Layout

#replace us with your keyboard layout
echo "KEYMAP=us" > /etc/vconsole.conf

Hostname Replace armour with your favourite name

echo "armour" > /etc/hostname

Add the below line to the file /etc/hosts. I'm using vim for editing files.   armour.armour   armour

Thats all you are done with your local settings.

Step 9: We have to start some modules before booting to the Operating System in order to decrypt the encrypted ROOT partition. For that you have to edit the file /etc/mkinitcpio.conf.

In HOOKS add keyboard before block and add encrypt after block. The HOOKS may looks like below

HOOKS=(base udev autodetect modconf keyboard block encrypt filesystems fsck)

Add xhci-hcd to MODULES.


Save and close the file. Now you have to generate the images for booting. For that do the following.

mkinitcpio -p linux

Step 10: Installing GRUB and setting up to decrypt the drive at the startup.

grub-install --target=i386-pc /dev/sdc

Edit the file /etc/default/grub. Replace xxxxxxxxxx with the UUID of the encrypted partition.

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxxxx:ROOT earlymodules=xhci-hcd modules=xhci-hcd"

To get the UUID of the encrypted partition

blkid /dev/sdc2

Now have to make the configuration of the grub.

grub-mkconfig -o /boot/grub/grub.cfg

Almost done with the installation but we need more to make this Graphical Friendly.

Step 11: Udating the root password


Creating the New User.

# replace xxx with your desired username
useradd -G wheel -md /home/xxx xxx
# set the password for the user
passwd xxx

Edit the visudo file for that do the following.

#giving permission for the user group to execute all the commands

Here uncoment %wheel ALL=ALL(ALL) and save.

Step 12: Installing the softwares that are needed to make this backbone more functional.

Touchpad drivers:

pacman -S xf86-input-synaptics

Video Drivers:

pacman -S xf86-video-vesa xf86-video-ati xf86-video-intel xf86-video-nouveau 

Desktop Environments: Choose your desktop environments from here. I have chosen lxde. For installing the other desktop environments go through the ArchWiki.

To install LXDE

pacman -S lxde

To start lxde at the startup

systemctl enable lxdm

We have to add dhcp at the startup too.

systemctl enable dhcpcd

Step 13:

Installing other basic needed softwares (for me). This list may vary up to you.

pacman -Sy chromium w3m terminator scite zim sylpheed openvpn dia keepassx2 profanity git python2-setuptools sudo python-setuptools python2-virtualenv firefox tigervnc openssh libreoffice wpa_supplicant wifi-menu dialog python-virtualenv gimp inkscape

Hurrah! We are done with the Installation. Just give a reboot.