
Archlinux installation with encrypted Btrfs


# Boot archlinux iso



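# Target disk. Every command below destroys what is on it, so confirm the
# device name first; lsblk prints the disk's current layout.
# DISK is exported so that it is still available inside the chroot later on.
export DISK=/dev/vda
lsblk "$DISK"

# clear partition table (wipes the existing GPT and MBR structures)
sgdisk --zap-all "$DISK"

# partition 1 - EFI system partition, 1 GiB starting at sector 2048
sgdisk -n 1:2048:+1024M -t 1:EF00 "$DISK"
# partition 2 - Linux LUKS, takes the rest of the disk
sgdisk -n 2:0:0 -t 2:8309 "$DISK"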


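# NOTE: "${DISK}1" / "${DISK}2" match names such as /dev/vda1 or /dev/sda1.
# Disks whose name ends in a digit (NVMe, for example) put a "p" before the
# partition number; adjust the partition paths in that case.

# FAT32 filesystem for the EFI system partition
mkfs.fat -F 32 -n EFI "${DISK}1"

# Create the LUKS container. -y asks for the passphrase twice, -v is verbose.
# The passphrase is what protects the data at rest, so choose a strong one.
cryptsetup -y -v luksFormat --label Archlinux "${DISK}2"
# A damaged LUKS header makes the whole volume unreadable; consider keeping a
# copy made with `cryptsetup luksHeaderBackup` somewhere off this disk.

# Open LUKS container as /dev/mapper/cryptroot
cryptsetup open "${DISK}2" cryptroot

# Create BTRFS filesystem inside the opened container
mkfs.btrfs /dev/mapper/cryptroot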


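# mount root BTRFS filesystem (top level, only needed to create subvolumes)
mount /dev/mapper/cryptroot /mnt

# create subvolumes
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
btrfs subvolume create /mnt/@swap

# unmount root BTRFS filesystem
# We will mount subvolumes instead in the next step
umount /mnt

# mount root subvolume
mount -o noatime,compress=zstd:1,subvol=@ /dev/mapper/cryptroot /mnt

# create directories for other subvolumes
mkdir -p /mnt/{boot,home,.snapshots}

# mount other subvolumes
mount -o noatime,compress=zstd:1,subvol=@home /dev/mapper/cryptroot /mnt/home
mount -o noatime,compress=zstd:1,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots

# mount EFI partition at /boot, where systemd-boot looks for the kernel and
# initramfs. No /mnt/boot/efi directory is needed: it would only be hidden by
# this mount. FAT stores no permissions, so umask=0077 keeps the ESP contents
# (including the boot loader's random seed) accessible to root only.
mount -o umask=0077 "${DISK}1" /mnt/boot

# create and use swapfile, sized to the installed RAM in MiB.
# The swap subvolume sits inside the LUKS container, so swapped-out memory is
# encrypted at rest like the rest of the system.
mkdir -p /mnt/swap
mount -o subvol=@swap /dev/mapper/cryptroot /mnt/swap
RAM=$(free -m | awk '/^Mem:/ {print $2}')
btrfs filesystem mkswapfile --size "${RAM}M" /mnt/swap/swapfile
swapon /mnt/swap/swapfile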


# bootstrap archlinux system; -K initialises a fresh pacman keyring in the
# target instead of copying the one from the live environment
pacstrap -K /mnt base linux linux-firmware btrfs-progs

# generate fstab, identifying filesystems by UUID
genfstab -U /mnt >> /mnt/etc/fstab

# chroot into new system; everything up to "exit" is typed inside the chroot
arch-chroot /mnt

# timezone
ln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime


# select locale: uncomment en_US.UTF-8, generate it, make it the default
sed -i '/#en_US.UTF-8/s/^#//' /etc/locale.gen
locale-gen
printf '%s\n' 'LANG=en_US.UTF-8' > /etc/locale.conf

# set hostname
printf '%s\n' 'archlinux' > /etc/hostname


Use only one of the following network configurations. I usually use NetworkManager on a laptop and systemd-networkd on a desktop or server.

## Using NetworkManager

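# install NetworkManager and start it on every boot
pacman -S networkmanager
systemctl enable NetworkManager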
## systemd-networkd

# enable the network manager and the stub resolver at boot
systemctl enable systemd-networkd systemd-resolved

# point resolv.conf at the systemd-resolved stub
# NOTE(review): arch-chroot may bind-mount /etc/resolv.conf from the live
# system, in which case this ln fails inside the chroot; if so, create the
# link from outside the chroot after "exit" - confirm on your ISO.
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf


# DHCP on the wired interface. enp1s0 is this machine's interface name;
# check yours with `ip link` and adjust Name= accordingly.
cat > /etc/systemd/network/20-wired.network << 'EOF'
[Match]
Name=enp1s0

[Network]
DHCP=yes
EOF

Continue with the rest of the setup:

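# configure mkinitcpio: add the btrfs binary and kernel module to the initramfs.
# The patterns are anchored with ^ so only the active settings are edited,
# not the commented-out examples in the file.
sed -i '/^BINARIES=(/s/)/ btrfs)/' /etc/mkinitcpio.conf
sed -i '/^MODULES=(/s/)/ btrfs)/' /etc/mkinitcpio.conf
# insert the encrypt and btrfs hooks right after "block", so the LUKS
# container is unlocked once the disk is visible and before root is mounted
sed -i '/^HOOKS=/s/\(block\)/\1 encrypt btrfs/' /etc/mkinitcpio.conf

# Show the result before building: a missing "encrypt" here means an
# initramfs that cannot unlock the root device.
# NOTE(review): "encrypt" (with the cryptdevice= kernel parameter) belongs to
# the busybox/udev style initramfs. If this HOOKS line lists "systemd"
# instead of "udev", the matching hook is sd-encrypt - verify on your system.
grep '^HOOKS=' /etc/mkinitcpio.conf

# rebuild every initramfs preset
mkinitcpio -P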


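# systemd-boot (works only with uefi); installs the loader onto the ESP
bootctl install


# UUID of the BTRFS filesystem mounted at / (inside the opened container)
ROOT_UUID=$(findmnt -n -o UUID -T /)
# UUID of the LUKS partition itself; relies on DISK still being set in this
# shell (it was exported before entering the chroot)
CRYPT_UUID=$(blkid -s UUID -o value "${DISK}2")

# Refuse to write a boot entry with an empty UUID: it would produce a system
# that cannot find or unlock its root device.
: "${ROOT_UUID:?could not determine the root filesystem UUID}"
: "${CRYPT_UUID:?could not determine the LUKS partition UUID - is DISK set?}"

# Boot entry: unlock the LUKS partition as "cryptroot", then mount the @
# subvolume as root. The heredoc delimiter is left unquoted on purpose so the
# two UUIDs are expanded.
# Security note: /boot is the unencrypted ESP, so the kernel, the initramfs
# and this entry are not protected by LUKS; their integrity depends on
# physical security of the machine or on Secure Boot.
cat << EOF > /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=UUID=${ROOT_UUID} rw rootflags=subvol=/@ cryptdevice=UUID=${CRYPT_UUID}:cryptroot
EOF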


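# set the root password of the new system
passwd

# leave the chroot
exit

# back in the live environment: release the swapfile and unmount everything,
# so any "target is busy" problem shows up now rather than at reboot
swapoff /mnt/swap/swapfile
umount -R /mnt

reboot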