Installing Arch Linux with Btrfs and Encryption (2023)

For those looking to install Arch Linux, it is my hope that this guide will prove useful. Most of the information here is from The advantage of this guide is all the information being available on one opinionated page. This guide assumes that we know how to download an Arch Linux image and boot into it, along with the system booting into UEFI mode. We will be messing with our systems so I strongly recommend to read this guide carefully. With that out of the way let's begin.

Change console keymap

Those using a different keyboard layout may want to change the console keymap. To change to dvorak, run:

loadkeys dvorak


Next we will want to connect to the internet. If your device is plugged in via Ethernet cable then you should be good to go. Otherwise, we can connect to a Wi-Fi network using iwctl:


Find out the name of your wireless device:

device list

Scan for networks:

station <device name> scan

List network SSID:

station <device name> get-networks

Connect to network:

station <device-name> connect <SSID>

Leave iwctl by sending a SIGINT signal with Ctrl+c.
Test connection:


If we get a response then we can stop pinging using Ctrl+c.

Update system clock

With connectivity taken care of let's enable and start network time synchronisation:

timedatectl set-ntp true


Now we start the process for partitioning the disks. First we will identify disks in /proc/partitions:

fdisk -l

Installing Arch Linux with Btrfs and Encryption (1)

We are looking for a drive we want to install Arch on. The section labeled Disk model should help us identify what drive we want. In the image above, if we wanted to install on the SanDisk, the location of the block device would be /dev/sda.

Since we are going to encrypt our root directory, let's securely erase the drive. First, create a container called to_be_wiped:

cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped

Next we will zero out the container:

dd bs=1M if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

Then we close the container:

cryptsetup close to_be_wiped

With the drive erased, we will now use fdisk to partition the disk. fdisk is interactive and we will walk through the process together. First lets manipulate the drive we want to partition:

We can enter m to see the available commands. The first thing we want to do is create a new partition table. We can do that by entering g.
We need two partitions: An EFI system partition to boot and a root directory / partition to hold our data. Let's create them now with n.
We will be prompted to assign a partition number, leave it at the default by hitting enter. Similarly, leave the first sector at the default and hit enter. Our first partition will be 512M so for the last sector enter +512M.
Change the partition type with t then 1 for EFI.
Next we create another partition with n and leave everything at their default values.
If we enter p fdisk will print out our partition table and we should see something like this:

Installing Arch Linux with Btrfs and Encryption (2)

Finally, we write the partition table to disk with w.

Format partitions

We can now format the partitions. First we will format the boot partition, we are looking for the device with the type EFI System. Partition it to FAT32 and label it ESP with:

mkfs.fat -F32 -n ESP /dev/<boot-partition>

In order to encrypt our data, we will need to create a Linux Unified Key Setup (LUKS) partition. Look for the device with the type Linux filesystem. Format and label it ARCH_LUKS with:

cryptsetup luksFormat --label ARCH_LUKS /dev/<linux-partition>

After setting a password, let's open the LUKS partition and map it to the device name of cryptroot. If using a SSD, we can disable internal read and write workqueue for increased performance with encryption using cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --persistent open /dev/<luks-partition> cryptroot. Otherwise:

cryptsetup open /dev/<luks-partition> cryptroot

Our LUKS partition is now mapped to /dev/mapper/cryptroot. Next we'll finally format cryptroot to Btrfs and label it ARCH:

mkfs.btrfs -L ARCH /dev/mapper/cryptroot

List block devices and view filesystem info with lsblk:

lsblk -f


We will first mount our Btrfs filesystem cryptroot. To improve performance we will disable access time metadata updates. We will also use ZSTD compression with a level of 1 to prioritise performance:

mount -o noatime,compress=zstd:1 /dev/mapper/cryptroot /mnt

Now that we have mounted cryptroot we will create subvolumes. Create root and home with:

btrfs subvolume create /mnt/rootbtrfs subvolume create /mnt/home

Unmount cryptroot:

umount /mnt

We will now mount the subvolumes root and home at the appropriate locations instead of the toplevel subvolume. This is done to simplify the creation of snapshots:

mount -o noatime,compress=zstd:1,subvol=root /dev/mapper/cryptroot /mntmount --mkdir -o noatime,compress=zstd:1,subvol=home /dev/mapper/cryptroot /mnt/home

Finally mount the boot partition we previously created:

mount --mkdir /dev/<boot-partition> /mnt/boot

Install essential packages

Use pacstrap to install some packages so we can start using our system:

pacstrap /mnt base linux linux-firmware btrfs-progs networkmanager vim man-db man-pages


Use genfstab to create a fstab file:

genfstab -L /mnt >> /mnt/etc/fstab


chroot into our new system:

arch-chroot /mnt

Congratulations! We are now in our now system.

Time zone

Set the time zone, we can use tab completion to view possible options:

ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime

Set the Hardware Clock:

hwclock --systohc


We will use vim as our text editor to uncomment locales in /etc/locale.gen, we should at least uncomment en_US.UTF-8 UTF-8. Afterwards generate locales with:


create locale.conf and set the LANG variable:
vim /etc/locale.conf


If we previously changed the console keymap then make it persist with:
vim /etc/vconsole.conf


Network configuration

Create the hostname file and set the hostname as you wish, for example arch:
vim /etc/hostname


Enable networkmanager so we will have connectivity once we leave the live environment:

systemctl enable NetworkManager


Since we are using encryption, we will need to edit mkinitcpio, the script used to create the initial ramdisk. Edit the file /etc/mkinitcpio.conf. Go to the HOOKS line that isn't commented out and replace udev with systemd, and add sd-vconsole (if we changed the keymap) and sd-encrypt hooks after keyboard. Then recreate initramfs:

mkinitcpio -P

Root password

Set the root password:


Boot loader

Next install GRUB bootloader and microcode updates. If using Intel processor, replace amd-ucode with intel-ucode:

pacman -S grub efibootmgr amd-ucode

We will now install the GRUB EFI application and its modules and name the bootloader GRUB using:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Let's edit our kernel parameters file. We previously labeled everything but unfortunately need the UUID of our ARCH_LUKS partition. Find the UUID with lsblk -f then edit /etc/default/grub:
All the following parameters need to be appended to GRUB_CMDLINE_LINUX_DEFAULT.
Unlock our device in initramfs by appending<UUID>=cryptroot.
Enable TRIM support, append rd.luks.options=discard.
Disable and blacklist watchdog module, append nowatchdog module_blacklist=iTCO_wdt.

Installing Arch Linux with Btrfs and Encryption (3)

Regenerate grub.cfg

grub-mkconfig -o /boot/grub/grub.cfg

Our work in chroot is done, exit out with exit or Ctrl+d and reboot.


After rebooting and decrypting our drive, we should be greeted with a login screen. The only user we have right now is root so enter that as our login username and supply the appropriate password.


If we need to connect to Wi-Fi, use nmcli:

nmcli device wifi listnmcli device wifi connect <SSID> password <PASSWORD>

Package management

Arch usespacman as its package manager. Enable color output and parallel downloads by editing /etc/pacman.conf and uncommenting Color along with ParallelDownloads and changing the value from 5 to 10. We can also an arguably nicer progress bar by adding ILoveCandy right after ParallelDownloads.

Remaining packages

The choice of desktop environment if any at all is entirely up to the user. For the purposes of this guide we will be using GNOME.
The packages required for display drivers varies based on hardware. I will link the appropriate wiki pages where we can find the correct packages to install:
An example for AMD would be:

pacman -S sudo pacman-contrib archlinux-contrib reflector mesa vulkan-radeon libva-mesa-driver gnome gnome-tweaks pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber firewalld $(pacman -Ssq noto-fonts)

The display driver packages are mesa vulkan-radeon libva-mesa-driver. mesa provides 3D acceleration, vulkan-radeon provides vulkan support, and accelerated video decoding is provided by libva-mesa-driver.

Users and groups

Let's create an unprivileged user and add it to the wheel group:

useradd -m -G wheel <user>passwd <user>

Privilege elevation

We will use sudo to allow the user to run privileged commands. Since we have already added our user to the wheel group, we just need to uncomment %wheel ALL=(ALL) ALL:

EDITOR=vim visudo

We will use reflector to keep our mirrors up to date. To choose mirrors based in our country, and sort them by download rate. Edit /etc/xdg/reflector/reflector.conf, uncomment and update country and sort age to sort rate.

Let's enable some timers and services:

systemctl enable fstrim.timer paccache.timer reflector.timer gdm firewalld bluetooth

Finally reboot and login using our newly created user.

Finishing touches

After decrypting our drive and logging in we should now be inside the GNOME desktop environment. If we changed our keymap, then the GNOME login will unfortunately be in qwerty, we will fix that now.

Go to Settings->Keyboard and add in the desired keyboard layout. Next open terminal and enter (replacing us and dvorak with the appropriate text:

localectl set-x11-keymap us dvoraklocalectl set-keymap dvorak

If you are the only user and don't wish to enter a password to login after decrypting our drive, we can go to Settings->Users click unlock and check Automatic Login. Since we are no longer root we need to use sudo to install packages. For tracking unowned files, zsh, firefox, and gvim we will install the following packages:

sudo pacman -S pacutils zsh grml-zsh-config firefox gvim

gvim will conflict with vim-minimal that we installed earlier. Enter y to remove vim-minimal.

Start and configure zsh:


Change zsh to our default shell:

chsh -s $(which zsh)

Make vim our default editor and enable wayland for Firefox by setting some environmental variables:

mkdir .config/environment.d

Create .config/environment.d/envvars.conf and have the following as the contents:


Source the environmental variables by restarting gdm:

systemctl restart gdm

With that we are finally done! I hope this guide was helpful and we learned some things along the way.


Does Btrfs support encryption? ›

Btrfs has no built-in encryption support, but this may come in the future. Users can encrypt the partition before running mkfs. btrfs . See dm-crypt/Encrypting an entire system#Btrfs subvolumes with swap.

How to install ArchLinux with btrfs? ›

  1. Mount the file systems.
  2. We need to mount our created partitions into our linux hierarchy. ...
  3. mount /dev/sda3 /mnt btrfs su cr /mnt/@ btrfs su cr /mnt/@home btrfs su cr /mnt/@root btrfs su cr /mnt/@srv btrfs su cr /mnt/@log btrfs su cr /mnt/@cache btrfs su cr /mnt/@tmp btrfs su li /mnt.

How to encrypt Arch Linux install? ›

Step 2.1 - Configuring The Disk
  1. "Drives" option. Choose the disk for partitioning. ...
  2. "Disk layout" option. Select the second option which erases and partitions the disk according to the default layout preferred by Arch Linux. ...
  3. Choose the "Encryption password" option and provide a password to encrypt the disk.
Mar 8, 2023

How to encrypt boot partition Linux? ›

Creating Encrypted Boot Partition
  1. Step 1: Create a LUKS2 formatted device with the PBKDF2 algorithm. ...
  2. Step 2: Format and mount the new LUKS2 device. ...
  3. Note: If you wish to change the passphrase for the boot partition in the future then you'll need to pass the same arguments to cryptsetup as when you created it.

Is Btrfs stable 2023? ›

As a single-disk filesystem, Btrfs is stable and performs well, but if users go deeper into its newer features, the ground gets shakier.

Should I use btrfs or Ext4? ›

Ext4 is a reliable and stable filesystem that keeps our data safe in most unwanted events like power loss. It has been used for a long time hence testing and bug fixes have improved it a lot. Ext4 transfers file faster than Btrfs hence it is a good choice for users.

Is btrfs any good? ›

Good features BUT Complex, wastes time, not KISS, does not play well. I have used BTRFS for the first time since March 2023 on my internal archives directory. Using multiple drives of varying sizes created a luks1 encrypted 'single' data and dup meta volume.

How to easily install Arch Linux? ›

How to Install Arch Linux [Step by Step Guide]
  1. Step 1: Download the Arch Linux ISO.
  2. Step 2: Create a live USB of Arch Linux.
  3. Step 3: Boot from the live USB. Not using US keyboard? ...
  4. Step 4: Partition the disks. ...
  5. Step 4: Create filesystem. ...
  6. Step 5: Connect to WiFi.
  7. Step 6: Select an appropriate mirror.
  8. Step 7: Install Arch Linux.

Can I install Arch Linux with secure boot? ›

Boot the live environment

Note: Arch Linux installation images do not support Secure Boot. You will need to disable Secure Boot to boot the installation medium. If desired, Secure Boot can be set up after completing the installation. Point the current boot device to the one which has the Arch Linux installation medium.

Is Luks considered full disk encryption? ›

In this article we have explored LUKS, a valid frontend for full disk encryption. It is important to ensure that your LUKS configuration is secure (strong ciphers); if you do not need the explicit features of the first version of LUKS, use LUKS2.

Should I encrypt my Linux partition? ›

You don't want to risk personal data and potentially access to emails and cloud accounts, if your device is stolen. Encrypting your hard disk will block access to these items. Whether files, partitions, or the full disk is encrypted, the contents will be meaningless to anyone without the encryption key.

Should you encrypt the boot partition? ›

It is not suggested to encrypt the boot partition in Red Hat Enterprise Linux.

What is the difference between Ext4 and Btrfs encryption? ›

Ext4 supports some features that btrfs does not have, such as online defragmentation, quota management, or journaling. However, ext4 does not support many of the features that btrfs has, such as snapshots, compression, encryption, deduplication, RAID, subvolumes, or checksums.

Which file system supports data encryption? ›

EFS is a functionality of New Technology File System (NTFS) and is built into a device via the OS. It facilitates file or directory encryption and decryption with the help of complex cryptographic algorithms.

Is Btrfs more reliable than Ext4? ›

Btrfs uses a checksum to ensure that the data doesn't corrupt, on the other hand, Ext4 doesn't ensure data integrity. Btrfs come with compression algorithms present in the filesystem, allowing data to be compressed at the filesystem level right when written to the system.No such built-in compression support is in Ext4.

Why should I use Btrfs over Ext4? ›

Features: Btrfs has more advanced features, such as snapshots, data integrity checks, and built-in RAID support. Ext4 focuses on providing a reliable and stable file system with good performance.

Top Articles
Latest Posts
Article information

Author: Ray Christiansen

Last Updated: 06/11/2023

Views: 5523

Rating: 4.9 / 5 (69 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Ray Christiansen

Birthday: 1998-05-04

Address: Apt. 814 34339 Sauer Islands, Hirtheville, GA 02446-8771

Phone: +337636892828

Job: Lead Hospitality Designer

Hobby: Urban exploration, Tai chi, Lockpicking, Fashion, Gunsmithing, Pottery, Geocaching

Introduction: My name is Ray Christiansen, I am a fair, good, cute, gentle, vast, glamorous, excited person who loves writing and wants to share my knowledge and understanding with you.