Encrypted Arch Linux Installation w/ Encrypted Swap
The ultimate installation resource is always going to be the:
-
Verify the PGP signature. The ISO directory is simply the directory where your Arch Linux ISO file is stored.
✔️ Verifying Arch Linux ISO on Other Distributions
❗ NOTE: If you only want to verify the ISO once, you can temporarily import the public key, verify the signature, and then you don’t need to keep the key permanently in your keyring or sign it locally. This example is from the last release, but the process is the same.
For example, if you have a folder named `archISO` where you keep the ISO file `archlinux-2025.09.01-x86_64.iso`, you should also download the PGP signature file `archlinux-2025.09.01-x86_64.iso.sig` to the same folder.
With `sequoia` (a separate app), you can get the Arch release signing key with:

```sh
sq network wkd search pierre@archlinux.org --output release-key.pgp
```
Export the chosen key to a `.pgp` file:

```sh
sq cert export --keyring=release-key.pgp --cert=3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C > pierre-archlinux.pgp
```
Import it into your keyring:

```sh
gpg --import pierre-archlinux.pgp
```

```
gpg: key 0x76A5EF9054449A5C: 9 signatures not checked due to missing keys
gpg: key 0x76A5EF9054449A5C: public key "Pierre Schmitz <pierre@archlinux.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2026-08-23
```
- Now you should see `pierre@archlinux.org` and his keys when you run `gpg --list-keys`.
Finally, verify the signature:

```sh
sq verify --signer-file release-key.pgp --signature-file archlinux-2025.08.01-x86_64.iso.sig archlinux-2025.08.01-x86_64.iso
```

```
Authenticated signature made by 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C (Pierre Schmitz <pierre@archlinux.org>)
1 authenticated signature.
```
❗ To ensure the key is authentic and not spoofed, verify that the key fingerprint matches the official Arch Linux signing key fingerprint, which is linked below and on the Arch website.
This shows that the signature was made by the key with fingerprint `3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C` (Pierre Schmitz). You can check the key's fingerprint with:

```sh
gpg --fingerprint 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
```

Verify it against the Arch Linux master keys.
The `sq verify` command confirmed that the signature is valid and that it was made by the key we supplied with `--signer-file`. The line `1 authenticated signature.` confirms the file's integrity and authenticity. We have successfully verified that the file was signed by Pierre's official Arch Linux key and has not been tampered with.
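The fingerprint comparison above is easy to get wrong by eye, so here is a small POSIX shell helper (added here; not code from the original post) that normalizes the grouping spaces and letter case in `gpg --fingerprint` output and compares the result with the published fingerprint. The sample output it reads is constructed from the key shown in the post; `fingerprint_matches` and `extract_fingerprints` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the fingerprint
# gpg reports for a key is byte-for-byte the one Arch Linux publishes.
# gpg prints fingerprints as ten space-separated 4-digit blocks; we strip
# the spaces and letter case so the two forms compare reliably.

EXPECTED_FPR="3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C"   # value quoted in the post

# Read gpg --fingerprint output on stdin; print each fingerprint found,
# normalized to 40 uppercase hex digits with no spaces, one per line.
extract_fingerprints() {
  sed -n 's/^.*\([0-9A-Fa-f]\{4\}\( [0-9A-Fa-f]\{4\}\)\{9\}\).*$/\1/p' |
    tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when the fingerprint in $1 (any spacing or case) appears in the
# gpg output on stdin; return 1 otherwise.
fingerprint_matches() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  extract_fingerprints | grep -qx "$expected"
}

# Constructed sample of what `gpg --fingerprint <fpr>` prints for the key
# shown in the post (gpg 2.x layout); a real run pipes gpg's output here.
SAMPLE_OUTPUT='pub   ed25519 2022-10-31 [SC] [expires: 2037-10-27]
      3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C
uid           [  full  ] Pierre Schmitz <pierre@archlinux.org>
sub   ed25519 2022-10-31 [A] [expires: 2037-10-27]'

# Real usage: gpg --fingerprint "$EXPECTED_FPR" | fingerprint_matches "$EXPECTED_FPR"
if printf '%s\n' "$SAMPLE_OUTPUT" | fingerprint_matches "$EXPECTED_FPR"; then
  echo "OK: fingerprint matches the published Arch Linux signing key"
else
  echo "MISMATCH: the key in your keyring is not the published one" >&2
fi
```

A fingerprint that differs in even one digit is rejected, which is the property you want when a keyserver or WKD lookup could have returned a look-alike key.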
The following applies only if you already have keys in your gpg keyring.
☑️ Click to expand Key Signing and Publishing Example
List your keys to get the Arch key ID:

```sh
gpg --list-keys
```

```
# ... snip ...
pub   ed25519/0x76A5EF9054449A5C 2022-10-31 [SC] [expires: 2037-10-27]
      Key fingerprint = 3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C
uid                   [  full  ] Pierre Schmitz <pierre@archlinux.org>
uid                   [  full  ] Pierre Schmitz <pierre@archlinux.de>
sub   ed25519/0xD6D13C45BFCFBAFD 2022-10-31 [A] [expires: 2037-10-27]
sub   cv25519/0x7F56ADE50CA3D899 2022-10-31 [E] [expires: 2037-10-27]
```
Sign the key:

```sh
gpg --sign-key 0x76A5EF9054449A5C
```
Now you can export the newly signed public key and publish it to a keyserver:

```sh
gpg --export --armor 0x76A5EF9054449A5C > archlinux-signed.asc
gpg --send-keys 0x76A5EF9054449A5C
```
The more people who verify, sign, re-export and publish keys, the stronger the web of trust that gpg relies on becomes, making the network more secure for everyone.
- Connect to Wi-Fi:

```sh
iwctl
[iwd]# device list
[iwd]# station wlan0 scan
[iwd]# station wlan0 connect NETGEAR80
# Enter your password
# Check the connection
[iwd]# station wlan0 show
[iwd]# exit
ping -c 3 archlinux.org
```
- Update package databases:

```sh
pacman -Sy
```

- Set the system clock:

```sh
timedatectl set-ntp true
```
- Partition your disk:
- Identify your target disk (e.g. `/dev/mmcblk0`):

```sh
lsblk
```
❗ If you already have an EFI partition, you do not have to create another one, and doing so can cause issues. Check first with `fdisk -l` before creating a new one.

Check your partitions:

```sh
fdisk -l | less
```

```
Device          Size   Type
/dev/mmcblk0p1  1G     EFI System
/dev/mmcblk0p2  57.2G  Linux root (x86-64)
```
Since I already have an EFI partition, I can just mount it:

```sh
mkdir -p /mnt/boot
mount /dev/mmcblk0p1 /mnt/boot
```
If you don't already have an EFI partition, create one here:

- Use `fdisk`, `parted`, or `cfdisk` to create partitions.

```sh
cfdisk /dev/mmcblk0
```

- 1G boot partition; press `b` to set the boot flag.
- The rest of the disk as the primary partition `/dev/mmcblk0p2` for btrfs; press `p` to set the primary flag.
- Format the EFI partition as FAT32:

```sh
mkfs.fat -F32 /dev/mmcblk0p1
```

- Leave the root partition unformatted for the encryption step next.
- Encrypt the root partition and open it:

```sh
cryptsetup luksFormat /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 cryptroot
```

Create a filesystem with compression:

```sh
mkfs.btrfs /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
```

- Later, we will enable compression by mounting with options like `compress=zstd` in `fstab`.
- Encrypted swap

```sh
cfdisk /dev/mmcblk0
```

- Select `New` -> enter the size (2x your RAM size) -> set the type to `Linux swap`
- Select `Write` -> type `yes` -> select `Quit`

Verify the new partition (e.g., `/dev/mmcblk0p3`):

```sh
lsblk
```
Encrypt the swap partition with LUKS:

```sh
cryptsetup luksFormat /dev/mmcblk0p3
cryptsetup open /dev/mmcblk0p3 cryptswap
```

Format the decrypted swap partition:

```sh
mkswap /dev/mapper/cryptswap
```

Enable the swap:

```sh
swapon /dev/mapper/cryptswap
```

Add the swap to `/mnt/etc/fstab` (this will be updated later in the `genfstab` step, but you can add it manually to be sure):

```sh
echo '/dev/mapper/cryptswap none swap defaults 0 0' >> /mnt/etc/fstab
```

Add the swap partition to the LUKS configuration for automatic unlocking on boot:

```sh
echo 'cryptswap /dev/mmcblk0p3 none luks' >> /mnt/etc/crypttab
```
❗ Later, after `arch-chroot`, ensure the `mkinitcpio.conf` HOOKS include `resume` (after `encrypt`) if you plan on using hibernation. This will be covered in the `initramfs` step.
Continue with Arch Installation

Install the base system and essential packages on `/mnt` with `pacstrap`:

```sh
pacstrap -K /mnt base linux-zen linux-zen-headers linux-firmware networkmanager helix grub lightdm lightdm-gtk-greeter btrfs-progs cryptsetup sudo base-devel
```
- Ensure `/mnt/boot` (EFI) is mounted as above, with `mount | grep /mnt/boot`.
- To list all mounts under `/mnt`: `findmnt /mnt`
- I had to remount `/mnt/boot` in order for the fstab to pick it up, with `mount /dev/mmcblk0p1 /mnt/boot`.
- Generate the filesystem table:

```sh
genfstab -U /mnt >> /mnt/etc/fstab
# Review the result
cat /mnt/etc/fstab
# Add compression
vim /mnt/etc/fstab
```
- Important: It should list `/dev/mapper/cryptroot` mounted on `/` with Btrfs options, and `/dev/mmcblk0p1` on `/boot`. If the `fstab` doesn't show both, you need to regenerate it after mounting the missing partition. Clear your old `fstab` first if it is necessary to run `genfstab` again.
- Add compression, only for the encrypted partition:

```
# fstab
/dev/mapper/cryptroot / btrfs rw,relatime,compress=zstd,ssd, #...snip
#...snip...
```

Remount root with compression without rebooting:

```sh
mount -o remount,compress=zstd /mnt
```
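Before rebooting it is worth checking the generated table mechanically rather than by eye. The POSIX shell script below (added here; not from the original post) parses an fstab and reports whether the three entries this install depends on are present: a btrfs root with `compress=zstd`, the EFI partition on `/boot`, and the `cryptswap` swap line. The sample tables are constructed, with made-up UUIDs in the shape `genfstab -U` writes, and `check_fstab` is a name chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an fstab for
# the entries this encrypted install needs before the first reboot.
# Assumes the mapper names used in the post (cryptroot, cryptswap).

# Print "ok:" or "MISSING:" for each requirement; exit 0 only if all are met.
check_fstab() {
  awk '
    function need(flag, msg) {
      if (flag) { print "ok: " msg } else { print "MISSING: " msg; rc = 1 }
    }
    BEGIN { rc = 0 }
    # Skip comments and blank lines; fields: device mountpoint fstype options
    /^[ \t]*#/ || NF < 4 { next }
    $2 == "/" && $3 == "btrfs" {
      root = 1
      if ($4 ~ /(^|,)compress=zstd(:[0-9]+)?(,|$)/) zstd = 1
    }
    $2 == "/boot" && $3 == "vfat" { boot = 1 }
    $1 == "/dev/mapper/cryptswap" && $3 == "swap" { swap = 1 }
    END {
      need(root, "/ on btrfs (cryptroot)")
      need(zstd, "compress=zstd in the / options")
      need(boot, "/boot on vfat (EFI partition)")
      need(swap, "/dev/mapper/cryptswap swap entry")
      exit rc
    }' "$1"
}

# Constructed sample in the shape genfstab -U writes (UUIDs are made up),
# plus the swap line the post appends by hand.
GOOD_FSTAB=$(mktemp)
cat > "$GOOD_FSTAB" <<'EOF'
# /dev/mapper/cryptroot
UUID=11111111-2222-3333-4444-555555555555  /      btrfs  rw,relatime,compress=zstd,ssd,space_cache=v2,subvolid=5,subvol=/  0 0
# /dev/mmcblk0p1
UUID=ABCD-1234                             /boot  vfat   rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro  0 2
/dev/mapper/cryptswap none swap defaults 0 0
EOF

# The same table before compress=zstd was added and without the swap line.
BAD_FSTAB=$(mktemp)
grep -v cryptswap "$GOOD_FSTAB" | sed 's/compress=zstd,//' > "$BAD_FSTAB"

check_fstab "$GOOD_FSTAB"                       # four "ok:" lines
check_fstab "$BAD_FSTAB" || echo "fix /mnt/etc/fstab before you reboot" >&2
```

Run it as `check_fstab /mnt/etc/fstab` from the live environment once the table has been generated and edited.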
- Change root into the new installation:

```sh
arch-chroot /mnt
```

Create a user:

```sh
useradd -m -G wheel -s /bin/bash yourusername
passwd yourusername
```

Enable sudo for the wheel group:

```sh
EDITOR=vim visudo
```

If that doesn't work, use `vim /etc/sudoers` and edit the file accordingly. Uncomment the line:

```
%wheel ALL=(ALL:ALL) ALL
```
- Edit `/etc/mkinitcpio.conf` in your new system to add the `encrypt` hook before `filesystems`:
- Locate the `HOOKS` line
- Insert `encrypt` before `filesystems`

```sh
vim /etc/mkinitcpio.conf
```

❗ NOTE how I also added `resume` after `encrypt`; that's for if you want to set up hibernation.

```
# mkinitcpio.conf
# ... snip ...
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt resume filesystems fsck)
# ... snip ...
```
- Regenerate the initramfs with:

```sh
mkinitcpio -p linux-zen
# Should output
Initcpio image generation successful
```
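Hook order is the part of this step that silently breaks boot: if `encrypt` lands after `filesystems` the initramfs never unlocks the root device. The POSIX shell script below (added here; not from the original post) reads the uncommented `HOOKS=` line of a mkinitcpio.conf and checks that order, optionally also requiring `resume` to sit between `encrypt` and `filesystems`. The sample config is constructed around the HOOKS line from this post; `hook_index` and `check_hooks` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: check the uncommented HOOKS=
# line in a mkinitcpio.conf for the order an encrypted root needs
# (encrypt before filesystems) and, for hibernation, resume between them.

# Print the 1-based position of hook $2 in the HOOKS array of file $1,
# or 0 when it is absent. Commented-out HOOKS lines are ignored.
hook_index() {
  idx=$(sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*$/\1/p' "$1" |
        awk -v hook="$2" '{ for (i = 1; i <= NF; i++) if ($i == hook) { print i; exit } }')
  echo "${idx:-0}"
}

# Return 0 when the order is correct; $2 = yes also requires resume to sit
# after encrypt and before filesystems. Prints the first problem found.
check_hooks() {
  enc=$(hook_index "$1" encrypt)
  fs=$(hook_index "$1" filesystems)
  res=$(hook_index "$1" resume)
  [ "$enc" -gt 0 ] || { echo "encrypt hook missing"; return 1; }
  [ "$fs" -gt 0 ] || { echo "filesystems hook missing"; return 1; }
  [ "$enc" -lt "$fs" ] || { echo "encrypt must come before filesystems"; return 1; }
  if [ "$2" = yes ]; then
    [ "$res" -gt "$enc" ] && [ "$res" -lt "$fs" ] ||
      { echo "resume must sit between encrypt and filesystems"; return 1; }
  fi
  echo "HOOKS order ok"
}

# Constructed sample config; the live HOOKS line is the one from the post.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
# mkinitcpio.conf
#HOOKS=(base udev autodetect modconf block filesystems fsck)
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt resume filesystems fsck)
EOF
# A common mistake: the new hooks appended after filesystems.
sed 's/encrypt resume filesystems/filesystems encrypt resume/' "$GOOD" > "$BAD"

check_hooks "$GOOD" yes
check_hooks "$BAD" yes || echo "fix HOOKS, then rerun: mkinitcpio -p linux-zen" >&2
```

Inside the chroot, `check_hooks /etc/mkinitcpio.conf yes` before running `mkinitcpio -p linux-zen` catches the ordering mistake while it is still cheap to fix.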
- Install GRUB and the EFI boot manager (while still in the chroot environment):

```sh
pacman -S grub efibootmgr
```

Install GRUB for UEFI systems:

```sh
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
# Should output
Installation finished. No error reported.
```
Configure GRUB to unlock the LUKS root partition

- Edit `/etc/default/grub` and modify the line starting with `GRUB_CMDLINE_LINUX` to add:

```
# ...snip...
GRUB_CMDLINE_LINUX="cryptdevice=/dev/mmcblk0p2:cryptroot root=/dev/mapper/cryptroot"
# ...snip...
```

Generate the GRUB configuration:

```sh
grub-mkconfig -o /boot/grub/grub.cfg
# Should output
Adding boot menu entry for UEFI Firmware Settings ...
done
```
- Enable LightDM and NetworkManager:

```sh
systemctl enable lightdm
systemctl enable NetworkManager
```

Configure the LightDM greeter:

- Edit `/etc/lightdm/lightdm.conf` to add:

```
# lightdm.conf
[Seat:*]
greeter-session=lightdm-gtk-greeter
```
Exit `arch-chroot` with `exit`.

Unmount your partitions and reboot:

```sh
umount /mnt/boot
umount /mnt
cryptsetup close cryptroot
```

- Reboot
arch-chroot
✔️ Click to Expand `arch-chroot` Example
Say you forgot something, like adding a user and password. You reboot, go to a TTY on your system, and are hit with: AHHH I can't log in WTF!
It's as easy as repeating some of the steps above. Reboot into the live environment (like we just did for the install), remount your partitions and `arch-chroot` back in:

Open the encrypted root partition:

```sh
cryptsetup open /dev/mmcblk0p2 cryptroot
```

Mount the decrypted root:

```sh
mount /dev/mapper/cryptroot /mnt
```

Mount the EFI partition:

```sh
mount /dev/mmcblk0p1 /mnt/boot
```

Chroot into your installed system:

```sh
arch-chroot /mnt
useradd -m -G wheel -s /bin/bash yourusername
passwd yourusername
```
- The `-s /bin/bash` sets your default shell; you can use zsh if you have it installed.

Uncomment the line `%wheel ALL=(ALL:ALL) ALL` in `/etc/sudoers`.
Exit the chroot:

```sh
exit
```

Unmount and close LUKS:

```sh
umount /mnt/boot
umount /mnt
cryptsetup close cryptroot
reboot
```