Installing Arch Linux with Btrfs and Encryption (2023)

For those looking to install Arch Linux, it is my hope that this guide will prove useful. Most of the information here is from The advantage of this guide is all the information being available on one opinionated page. This guide assumes that we know how to download an Arch Linux image and boot into it, along with the system booting into UEFI mode. We will be messing with our systems so I strongly recommend to read this guide carefully. With that out of the way let's begin.

Change console keymap

Those using a different keyboard layout may want to change the console keymap. To change to dvorak, run:

loadkeys dvorak


Next we will want to connect to the internet. If your device is plugged in via Ethernet cable then you should be good to go. Otherwise, we can connect to a Wi-Fi network using iwctl:


Find out the name of your wireless device:

device list

Scan for networks:

station <device name> scan

List network SSID:

station <device name> get-networks

Connect to network:

station <device-name> connect <SSID>

Leave iwctl by sending a SIGINT signal with Ctrl+c.
Test connection:


If we get a response then we can stop pinging using Ctrl+c.

Update system clock

With connectivity taken care of let's enable and start network time synchronisation:

timedatectl set-ntp true


Now we start the process for partitioning the disks. First we will identify disks in /proc/partitions:

fdisk -l

Installing Arch Linux with Btrfs and Encryption (1)

We are looking for a drive we want to install Arch on. The section labeled Disk model should help us identify what drive we want. In the image above, if we wanted to install on the SanDisk, the location of the block device would be /dev/sda.

Since we are going to encrypt our root directory, let's securely erase the drive. First, create a container called to_be_wiped:

cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped

Next we will zero out the container:

dd bs=1M if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

Then we close the container:

cryptsetup close to_be_wiped

With the drive erased, we will now use fdisk to partition the disk. fdisk is interactive and we will walk through the process together. First lets manipulate the drive we want to partition:

We can enter m to see the available commands. The first thing we want to do is create a new partition table. We can do that by entering g.
We need two partitions: An EFI system partition to boot and a root directory / partition to hold our data. Let's create them now with n.
We will be prompted to assign a partition number, leave it at the default by hitting enter. Similarly, leave the first sector at the default and hit enter. Our first partition will be 512M so for the last sector enter +512M.
Change the partition type with t then 1 for EFI.
Next we create another partition with n and leave everything at their default values.
If we enter p fdisk will print out our partition table and we should see something like this:

Installing Arch Linux with Btrfs and Encryption (2)

Finally, we write the partition table to disk with w.

Format partitions

We can now format the partitions. First we will format the boot partition, we are looking for the device with the type EFI System. Partition it to FAT32 and label it ESP with:

mkfs.fat -F32 -n ESP /dev/<boot-partition>

In order to encrypt our data, we will need to create a Linux Unified Key Setup (LUKS) partition. Look for the device with the type Linux filesystem. Format and label it ARCH_LUKS with:

cryptsetup luksFormat --label ARCH_LUKS /dev/<linux-partition>

After setting a password, let's open the LUKS partition and map it to the device name of cryptroot. If using a SSD, we can disable internal read and write workqueue for increased performance with encryption using cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --persistent open /dev/<luks-partition> cryptroot. Otherwise:

cryptsetup open /dev/<luks-partition> cryptroot

Our LUKS partition is now mapped to /dev/mapper/cryptroot. Next we'll finally format cryptroot to Btrfs and label it ARCH:

mkfs.btrfs -L ARCH /dev/mapper/cryptroot

List block devices and view filesystem info with lsblk:

lsblk -f


We will first mount our Btrfs filesystem cryptroot. To improve performance we will disable access time metadata updates. We will also use ZSTD compression with a level of 1 to prioritise performance:

mount -o noatime,compress=zstd:1 /dev/mapper/cryptroot /mnt

Now that we have mounted cryptroot we will create subvolumes. Create root and home with:

btrfs subvolume create /mnt/rootbtrfs subvolume create /mnt/home

Unmount cryptroot:

umount /mnt

We will now mount the subvolumes root and home at the appropriate locations instead of the toplevel subvolume. This is done to simplify the creation of snapshots:

mount -o noatime,compress=zstd:1,subvol=root /dev/mapper/cryptroot /mntmount --mkdir -o noatime,compress=zstd:1,subvol=home /dev/mapper/cryptroot /mnt/home

Finally mount the boot partition we previously created:

mount --mkdir /dev/<boot-partition> /mnt/boot

Install essential packages

Use pacstrap to install some packages so we can start using our system:

pacstrap /mnt base linux linux-firmware btrfs-progs networkmanager vim man-db man-pages


Use genfstab to create a fstab file:

genfstab -L /mnt >> /mnt/etc/fstab


chroot into our new system:

arch-chroot /mnt

Congratulations! We are now in our now system.

Time zone

Set the time zone, we can use tab completion to view possible options:

ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime

Set the Hardware Clock:

hwclock --systohc


We will use vim as our text editor to uncomment locales in /etc/locale.gen, we should at least uncomment en_US.UTF-8 UTF-8. Afterwards generate locales with:


create locale.conf and set the LANG variable:
vim /etc/locale.conf


If we previously changed the console keymap then make it persist with:
vim /etc/vconsole.conf


Network configuration

Create the hostname file and set the hostname as you wish, for example arch:
vim /etc/hostname


Enable networkmanager so we will have connectivity once we leave the live environment:

systemctl enable NetworkManager


Since we are using encryption, we will need to edit mkinitcpio, the script used to create the initial ramdisk. Edit the file /etc/mkinitcpio.conf. Go to the HOOKS line that isn't commented out and replace udev with systemd, and add sd-vconsole (if we changed the keymap) and sd-encrypt hooks after keyboard. Then recreate initramfs:

mkinitcpio -P

Root password

Set the root password:


Boot loader

Next install GRUB bootloader and microcode updates. If using Intel processor, replace amd-ucode with intel-ucode:

pacman -S grub efibootmgr amd-ucode

We will now install the GRUB EFI application and its modules and name the bootloader GRUB using:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Let's edit our kernel parameters file. We previously labeled everything but unfortunately need the UUID of our ARCH_LUKS partition. Find the UUID with lsblk -f then edit /etc/default/grub:
All the following parameters need to be appended to GRUB_CMDLINE_LINUX_DEFAULT.
Unlock our device in initramfs by appending<UUID>=cryptroot.
Enable TRIM support, append rd.luks.options=discard.
Disable and blacklist watchdog module, append nowatchdog module_blacklist=iTCO_wdt.

Installing Arch Linux with Btrfs and Encryption (3)

Regenerate grub.cfg

grub-mkconfig -o /boot/grub/grub.cfg

Our work in chroot is done, exit out with exit or Ctrl+d and reboot.


After rebooting and decrypting our drive, we should be greeted with a login screen. The only user we have right now is root so enter that as our login username and supply the appropriate password.


If we need to connect to Wi-Fi, use nmcli:

nmcli device wifi listnmcli device wifi connect <SSID> password <PASSWORD>

Package management

Arch usespacman as its package manager. Enable color output and parallel downloads by editing /etc/pacman.conf and uncommenting Color along with ParallelDownloads and changing the value from 5 to 10. We can also an arguably nicer progress bar by adding ILoveCandy right after ParallelDownloads.

Remaining packages

The choice of desktop environment if any at all is entirely up to the user. For the purposes of this guide we will be using GNOME.
The packages required for display drivers varies based on hardware. I will link the appropriate wiki pages where we can find the correct packages to install:
An example for AMD would be:

pacman -S sudo pacman-contrib archlinux-contrib reflector mesa vulkan-radeon libva-mesa-driver gnome gnome-tweaks pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber firewalld $(pacman -Ssq noto-fonts)

The display driver packages are mesa vulkan-radeon libva-mesa-driver. mesa provides 3D acceleration, vulkan-radeon provides vulkan support, and accelerated video decoding is provided by libva-mesa-driver.

Users and groups

Let's create an unprivileged user and add it to the wheel group:

useradd -m -G wheel <user>passwd <user>

Privilege elevation

We will use sudo to allow the user to run privileged commands. Since we have already added our user to the wheel group, we just need to uncomment %wheel ALL=(ALL) ALL:

EDITOR=vim visudo

We will use reflector to keep our mirrors up to date. To choose mirrors based in our country, and sort them by download rate. Edit /etc/xdg/reflector/reflector.conf, uncomment and update country and sort age to sort rate.

Let's enable some timers and services:

systemctl enable fstrim.timer paccache.timer reflector.timer gdm firewalld bluetooth

Finally reboot and login using our newly created user.

Finishing touches

After decrypting our drive and logging in we should now be inside the GNOME desktop environment. If we changed our keymap, then the GNOME login will unfortunately be in qwerty, we will fix that now.

Go to Settings->Keyboard and add in the desired keyboard layout. Next open terminal and enter (replacing us and dvorak with the appropriate text:

localectl set-x11-keymap us dvoraklocalectl set-keymap dvorak

If you are the only user and don't wish to enter a password to login after decrypting our drive, we can go to Settings->Users click unlock and check Automatic Login. Since we are no longer root we need to use sudo to install packages. For tracking unowned files, zsh, firefox, and gvim we will install the following packages:

sudo pacman -S pacutils zsh grml-zsh-config firefox gvim

gvim will conflict with vim-minimal that we installed earlier. Enter y to remove vim-minimal.

Start and configure zsh:


Change zsh to our default shell:

chsh -s $(which zsh)

Make vim our default editor and enable wayland for Firefox by setting some environmental variables:

mkdir .config/environment.d

Create .config/environment.d/envvars.conf and have the following as the contents:


Source the environmental variables by restarting gdm:

systemctl restart gdm

With that we are finally done! I hope this guide was helpful and we learned some things along the way.


Installing Arch Linux with Btrfs and Encryption? ›

Btrfs has no built-in encryption support, but this may come in the future. Users can encrypt the partition before running mkfs. btrfs . See dm-crypt/Encrypting an entire system.

Does Btrfs support encryption? ›

Btrfs has no built-in encryption support, but this may come in the future. Users can encrypt the partition before running mkfs. btrfs . See dm-crypt/Encrypting an entire system.

How to encrypt Arch Linux install? ›

Step 2.1 - Configuring The Disk
  1. "Drives" option. Choose the disk for partitioning. ...
  2. "Disk layout" option. Select the second option which erases and partitions the disk according to the default layout preferred by Arch Linux. ...
  3. Choose the "Encryption password" option and provide a password to encrypt the disk.
Mar 8, 2023

How to install Arch Linux with Btrfs? ›

  1. Mount the file systems.
  2. We need to mount our created partitions into our linux hierarchy. ...
  3. mount /dev/sda3 /mnt btrfs su cr /mnt/@ btrfs su cr /mnt/@home btrfs su cr /mnt/@root btrfs su cr /mnt/@srv btrfs su cr /mnt/@log btrfs su cr /mnt/@cache btrfs su cr /mnt/@tmp btrfs su li /mnt.

Should I use Btrfs or Ext4 Arch? ›

Btrfs uses a checksum to ensure that the data doesn't corrupt, on the other hand, Ext4 doesn't ensure data integrity. Btrfs come with compression algorithms present in the filesystem, allowing data to be compressed at the filesystem level right when written to the system.No such built-in compression support is in Ext4.

What is the downside of Btrfs? ›

Despite its many features and advantages, btrfs also has some drawbacks that you should be aware of. One of the drawbacks is its complexity and instability, as btrfs is still under development and may contain bugs or errors that can cause data loss or corruption.

What is the disadvantage of Btrfs? ›

Among the main disadvantages of the Btrfs file system is a high level of fragmentation, little documentation, constant changes that can affect applications that use the functionality of the file system.

Should you encrypt your boot partition? ›

It is not suggested to encrypt the boot partition in Red Hat Enterprise Linux.

Can I install Arch Linux with secure boot? ›

All pre-installed Windows 8/8.1, 10 and 11 systems by default boot in UEFI/GPT mode and have UEFI Secure Boot enabled by default. This is mandated by Microsoft for all OEM pre-installed systems. Arch Linux install media does not support Secure Boot yet.

Is Luks considered full disk encryption? ›

In this article we have explored LUKS, a valid frontend for full disk encryption. It is important to ensure that your LUKS configuration is secure (strong ciphers); if you do not need the explicit features of the first version of LUKS, use LUKS2.

Is btrfs better than ext4? ›

Btrfs Features

It has features that can scale better than ext4 and is even preferred over ZFS by some users. Worthy mentions on the functionality front include: Copy-on-write: Btrfs uses copy-on-write to create system snapshots without duplicating data and wasting space.

Is btrfs stable? ›

As a single-disk filesystem, Btrfs is stable and performs well, but if users go deeper into its newer features, the ground gets shakier.

Can you install Linux on btrfs? ›

All it takes is to install Kali Linux version 2022.1 or newer with btrfs as file system and to enable snapshotting after installation.

What is the downside of Arch Linux? ›

Possible Instability: Due to the rolling release principle, problems can occur again and again, since not every package is always tested down to the last detail. Overall, Arch Linux is a very stable system, but problems can still occur with the latest version, at least for a short time.

What is the difference between Ext4 and Btrfs encryption? ›

File System Encryption: Ext4 has experimental support for file system-level encryption, while Btrfs does not have any support for file system-level encryption. Space Usage: Btrfs allows you to take snapshots, but these snapshots take space. Initially, the snapshot takes little space.

What is the difference between Ext4 and btrfs encryption? ›

File System Encryption: Ext4 has experimental support for file system-level encryption, while Btrfs does not have any support for file system-level encryption. Space Usage: Btrfs allows you to take snapshots, but these snapshots take space. Initially, the snapshot takes little space.

Which file system supports data encryption? ›

EFS is a functionality of New Technology File System (NTFS) and is built into a device via the OS. It facilitates file or directory encryption and decryption with the help of complex cryptographic algorithms.

Why should I use btrfs over Ext4? ›

Features: Btrfs has more advanced features, such as snapshots, data integrity checks, and built-in RAID support. Ext4 focuses on providing a reliable and stable file system with good performance.

Is btrfs still unstable? ›

As a single-disk filesystem, Btrfs is stable and performs well, but if users go deeper into its newer features, the ground gets shakier.

Top Articles
Latest Posts
Article information

Author: Horacio Brakus JD

Last Updated: 27/09/2023

Views: 5527

Rating: 4 / 5 (71 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Horacio Brakus JD

Birthday: 1999-08-21

Address: Apt. 524 43384 Minnie Prairie, South Edda, MA 62804

Phone: +5931039998219

Job: Sales Strategist

Hobby: Sculling, Kitesurfing, Orienteering, Painting, Computer programming, Creative writing, Scuba diving

Introduction: My name is Horacio Brakus JD, I am a lively, splendid, jolly, vivacious, vast, cheerful, agreeable person who loves writing and wants to share my knowledge and understanding with you.