Arch Linux installation with full disk encryption using LVM, LUKS and GRUB2

This is gonna be a „quick“ walk-through on how to install Arch Linux with a nearly fully encrypted HDD (/boot won’t be encrypted).
I have tested this guide with archlinux-2012.09.07-dual.iso, which uses SysV init, and with archlinux-2012.10.06-dual.iso, which was the first one using systemd, so this tutorial covers both init daemons.

Update: This article got translated to Swedish. Thx Sam!

The tutorials I found were all outdated or caused problems because of one of the following:

  • The formerly included Arch Linux Installation Framework (AIF), started with /arch/setup, is no longer part of the Arch Linux ISOs; the command only responds with „no such file or directory“.
  • GRUB2 replaces GRUB legacy and needs to be configured differently.
  • The keyboard layout didn’t match mine, so I had some problems entering my passphrase ;)

Let’s start…


Step 1: Prepare the hard disk

Boot gparted from a USB stick and configure your disk as follows:

1. Set your partition table to MBR

2. Create the first partition (later used as /boot): 200 MB, set the bootable flag, filesystem: ext3

3. Create the second partition (later used with LVM, containing /, /swap and /home): use the remaining space, leave it unformatted, set the LVM flag

PS: For more information on partitioning, have a look at the Arch Linux wiki. If you don’t want to use gparted, you can just boot the Arch Linux ISO and use „parted“ or „fdisk“. It’s also possible to use GPT instead of MBR; you will then need a third partition of about 2 MB, but I won’t describe this here – just come back when you figured it out. For a UEFI setup you will also have to look for another source of information ;)

Step 2: Boot the Arch Linux ISO from a USB stick

Search for your keyboard layout and activate it:


Establish WiFi-connection if you don’t have wired access to the Internet:



Step 3: Encrypt partition, configure LVM

Load the kernel module for encryption:

modprobe dm-crypt

Encrypt the big partition (sda2) with AES and a 256-bit key length (XTS splits the 512-bit key given with -s 512 into two 256-bit halves). Have fun with the man page and the FAQ.

cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat /dev/sda2

And open it, so it will be in /dev/mapper/lvm:

cryptsetup luksOpen /dev/sda2 lvm


Create a physical volume, volume group, logical volumes (details):

pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm
lvcreate -L 20GB -n root main
lvcreate -L 8GB -n swap main
lvcreate -l 100%FREE -n home main

Now we need a filesystem on them:

mkswap /dev/mapper/main-swap
mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home


Step 4: Mount volumes, install Arch Linux

Mount the volumes into the running livesystem:

mount /dev/mapper/main-root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
mkdir /mnt/home
mount /dev/mapper/main-home /mnt/home

Install the base and base-devel packages to /mnt (Internet connection required):

pacstrap /mnt base base-devel

Install GRUB2 to /mnt (part 1):

pacstrap /mnt grub-bios

Generate fstab:

genfstab -p -U /mnt > /mnt/etc/fstab


Step 5: chroot and configure the system


arch-chroot /mnt

Remove the # in front of your language of choice (e.g. de_DE.UTF-8 UTF-8) in locale.gen and generate the locale:

vi /etc/locale.gen
echo LANG=de_DE.UTF-8 > /etc/locale.conf
export LANG=de_DE.UTF-8

Generate /etc/vconsole.conf with the following 3 lines to bind your keys correctly:


Create a symbolic link /etc/localtime to your zone file /usr/share/zoneinfo/<Zone>/<SubZone>:

ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Define your hostname:

echo archserv > /etc/hostname


!Outdated: Edit /etc/rc.conf: remove the # and set USELVM="yes"

!Update: If you’re using archlinux-2012.10.06-dual.iso or newer, the default init daemon is systemd and rc.conf is no longer used. Use the following command to enable the LVM service for systemd:

systemctl enable lvm.service

Edit /etc/mkinitcpio.conf: Put „keymap“, „encrypt“ and „lvm2“ (in that order!) before „filesystems“ in the HOOKS array.

Regenerate the ramdisk:

mkinitcpio -p linux


Now install GRUB (part 2) on the device itself, not on a partition or a volume:

grub-install /dev/sda

In /etc/default/grub, change the line GRUB_CMDLINE_LINUX="" to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:main" (with plain ASCII double quotes), then run:

grub-mkconfig -o /boot/grub/grub.cfg
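
The HOOKS order and the cryptdevice= parameter decide whether the initramfs can unlock the root volume at boot, so they are worth checking before you leave the chroot. The script below is an added example, not part of the original guide; the function names are made up here, and the default paths are the ones used in this guide.

```shell
#!/bin/sh
# Added example, not from the original guide; function names are made up.

# Succeeds if the active HOOKS line lists keymap, encrypt, lvm2 in that
# order, all before filesystems. Accepts HOOKS="..." and HOOKS=(...).
hook_order_ok() {
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=[("]\([^)"]*\).*/\1/p' "$1" | tail -n 1)
    pos=0 keymap=0 encrypt=0 lvm2=0 filesystems=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            keymap) keymap=$pos ;;
            encrypt) encrypt=$pos ;;
            lvm2) lvm2=$pos ;;
            filesystems) filesystems=$pos ;;
        esac
    done
    [ "$keymap" -gt 0 ] && [ "$keymap" -lt "$encrypt" ] &&
        [ "$encrypt" -lt "$lvm2" ] && [ "$lvm2" -lt "$filesystems" ]
}

# Prints the mapper name from cryptdevice=<device>:<name> in the
# GRUB_CMDLINE_LINUX line. Prints nothing if the parameter is missing or the
# value is not in plain ASCII double quotes (typographic quotes copied from
# a web page are rejected this way).
cryptdevice_name() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX="\([^"]*\)".*/\1/p' "$1" |
        tail -n 1 | tr ' ' '\n' |
        sed -n 's/^cryptdevice=[^:]\{1,\}:\([^:]\{1,\}\).*/\1/p' | head -n 1
}

# Runs all checks; arguments default to the paths used in this guide.
check_boot_config() {
    rc=0
    hook_order_ok "${1:-/etc/mkinitcpio.conf}" ||
        { echo "HOOKS: keymap encrypt lvm2 must precede filesystems" >&2; rc=1; }
    [ -n "$(cryptdevice_name "${2:-/etc/default/grub}")" ] ||
        { echo "GRUB_CMDLINE_LINUX: no usable cryptdevice=" >&2; rc=1; }
    grep -q 'cryptdevice=' "${3:-/boot/grub/grub.cfg}" 2>/dev/null ||
        { echo "grub.cfg: cryptdevice= missing, rerun grub-mkconfig" >&2; rc=1; }
    return "$rc"
}

# Constructed sample: encrypt placed after filesystems.
sample=$(mktemp)
echo 'HOOKS="base udev autodetect block filesystems keymap encrypt lvm2"' > "$sample"
hook_order_ok "$sample" || echo "sample HOOKS line rejected"
rm -f "$sample"
```

Inside the chroot, call check_boot_config with no arguments after grub-mkconfig; a non-zero exit status means at least one of the three checks failed.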


Set your root password:



Exit the chroot:




umount /mnt/boot
umount /mnt/home


Reboot into your new system.

Back up your LUKS header!

Have fun.

PS: If you want to open your LVM from within another (live) system, these commands can come in handy:

sudo cryptsetup luksOpen /dev/sd?? lvm
sudo pvscan
sudo vgscan
sudo lvscan
sudo vgchange -a y

17 Comments

  1. zes says:

    Hi, thanks for that fantastic & easy how-to.

    In my USB install I prefer to modify /etc/default/grub with /dev/disk/by-uuid/ instead of /dev/sd#. Using blkid to discover UUID partitions.

    anyway, thanks again

  2. kxx says:

    Doesn’t work with archlinux_2013.07.01

  3. honkzongo says:

    !!! IT DOES WORK !!!

    I just set up a system with this guide,
    adding the changes provided here:

    Too bad Arch does not have an installer… could have saved a lot of time.

  4. bitnukl says:

    Thx for the guide, successfully installed Arch 201310 from USB.

    When installed from USB you have to add „--target i386-pc“ to the „grub-install“ command, otherwise it will try to install efibootmgr.

  5. PukingMonkey says:

    Works flawlessly

  6. Philipp says:

    Hi everybody,

    thx for your comments!
    I’m happy to hear that my stuff is useful for some of you.

  7. sergkog says:

    nano /etc/default/grub
    # Fix broken grub.cfg gen

  8. ste says:

    Perfect, just tried it in Virtualbox before installing on real disk.

    Two things do not work:

    1) systemctl enable lvm-monitoring.service (lvm.service does not exist)

    2) cryptsetup luksOpen /dev/sd?? needs argument;
    cryptsetup luksOpen /dev/sd?? main

    I think you agree if I translate it into Italian, with backlink of course; I do not see any license so I prefer to ask.

  9. zaz says:

    Excellent guide, works like a charm with no hassle. Thanks a lot !

  10. Sagar Behere says:

    Worked perfectly. Thanks. I messed about with my first arch installation by following the official install guide, but kept getting encryption related errors. Your guide ’simply worked‘ :)

  11. Thomas Könning says:

    Great Howto.
    Just one comment:
    cryptsetup luksFormat says that you have to enter an uppercase yes to start.
    It is easy not to recognise the simple word uppercase.
    If you get an error saying: code 22: invalid argument, keep in mind, you have to enter „YES“ and not „yes“ to continue.

    It took me some time.

  12. Cesar says:

    Hi Philipp, nice guide and still works great!! I followed your guide a few times from 2012. Lately I didn’t need to enable anything about lvm (no lvm.service, no lvm-monitoring. Both give me „not found“). Some error about lvm but still boot.

    I want to ask you if I can translate your guide to Spanish (with mention and link to yours) because I want to add this guide to a special-portable-install-guide

    Thx again.

  13. Cesar says:

    Hi Philipp

    I hope you do not mind. I translated to Spanish and used this guide to complete a post. I introduced a few changes to adapt it. Of course, link and mention to your blog were mandatory. Thanks for your great guide.

  14. Yon Cuadrado says:


    I have found this tutorial and I have been able to install archlinux with encrypted partitions. The only problem I have is that my keyboard is Spanish and when I type the passphrase in grub, the keyboard I have is the English US. How did you manage to have another keyboard in grub?

