{"id":24589338,"url":"https://github.com/szwendacz99/arch-install-encrypted-btrfs","last_synced_at":"2026-02-26T08:13:48.198Z","repository":{"id":113902787,"uuid":"301748704","full_name":"Szwendacz99/Arch-install-encrypted-btrfs","owner":"Szwendacz99","description":"Instruction how to install Arch Linux on encrypted(optionally) btrfs partition with encrypted /boot","archived":false,"fork":false,"pushed_at":"2022-02-18T19:33:36.000Z","size":133,"stargazers_count":19,"open_issues_count":0,"forks_count":8,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-10-11T14:14:49.566Z","etag":null,"topics":["arch-linux","archlinux","how-to","howto-tutorial","linux"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Szwendacz99.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-10-06T14:09:32.000Z","updated_at":"2025-07-17T15:30:30.000Z","dependencies_parsed_at":null,"dependency_job_id":"80099092-3f44-4ff9-90ea-94a429b0397d","html_url":"https://github.com/Szwendacz99/Arch-install-encrypted-btrfs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Szwendacz99/Arch-install-encrypted-btrfs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FArch-install-encrypted-btrfs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FArch-install-encrypted-btrfs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FArch-install-encrypted-btrfs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FArch-install-encrypted-btrfs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Szwendacz99","download_url":"https://codeload.github.com/Szwendacz99/Arch-install-encrypted-btrfs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FArch-install-encrypted-btrfs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279159535,"owners_count":26116492,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-16T02:00:06.019Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arch-linux","archlinux","how-to","howto-tutorial","linux"],"created_at":"2025-01-24T08:15:12.396Z","updated_at":"2025-10-16T05:26:26.009Z","avatar_url":"https://github.com/Szwendacz99.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# ArchLinux install encrypted btrfs\n\n# Install Arch Linux on EFI system with full filesystem (including /boot) encrypted and on btrfs partition \n\nOfficial guide for basic install: [https://wiki.archlinux.org/index.php/Installation\\_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)  \nit is always good to consult with official guide, cause arch config might change in time  \nFor setting up different locale, or better explanations check out Arch Wiki\n\n## 1. Boot ISO\n\n#### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)\n\n#### Put on pendrive\n\n```bash\ndd if=archlinux.img of=/dev/sdX bs=16M \u0026\u0026 sync\n```\n\n#### Boot from the USB.\n\n#### Optional (**experimental** approach to have desktop environment during install):\n\n##### Extend writable space so you can install basic desktop in live environment and for example use gparted for partitioning or open this tutorial in web browser or whatever you want. \n\n\u003cp class=\"callout warning\"\u003eRemember this area is saved in your RAM, so make sure you have enough of it\u003c/p\u003e\n\n```\nmount -o remount,size=5G /run/archiso/cowspace\n\npacman -Syy plasma-desktop glibc konsole xorg\npacman -Scc\n\nstartplasma-wayland\n```\n\n#### Set key map\n\n```bash\nloadkeys pl  \n```\n\n#### Update clock\n\n```bash\ntimedatectl set-ntp true  \n```\n\n#### Optionally (recommended) update mirrorlist\n\n```bash\nreflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist  \n```\n\n## 2. Prepare Disk\n\n#### Update btrfs-progs\n\n```bash\npacman -Syy btrfs-progs\n```\n\n#### Display disks and partitions\n\n```bash\nlsblk\n```\n\n#### Create partitions (if you have not already)\n\n```bash\nfdisk /dev/sdX  \n```\n\n1. 100MB EFI partition\n2. 100% size partiton # ( encrypted optionally) for BTRFS partition, this partition will require formatting AFTER encryption if you do encryption\n\n##### Swap will bin in file with CoW disabled, which will be prepared later\n\n#### Format EFI partition\n\n```Bash\nmkfs.vfat -F32 /dev/sdX1\n```\n\n##### ----------------- encryption (optional) ------------------\n\n\n#### Setup the encryption of the system,\n\n\u003cp class=\"callout info\"\u003eDon't use regional letters (not in en-us keyboard) like ąęć etc. for password. This requires additional steps, which are not covered by this tutorial.\u003c/p\u003e\n\n#### Grub have some kind of support for luks2, but not entirely, so for more fail-safe setup use luks1\n\n```bash\ncryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2  \n\ncryptsetup luksOpen /dev/sdX2 MainPart \n```\n\n### Formatting as btrfs now when it is already encrypted\n\n```bash\nmkfs.btrfs -L \"Arch Linux\" /dev/mapper/MainPart  \n```\n\n##### ---------------- end of encryption ------------------------\n\n#### Format the partition if not yet formatted:\n\n```bash\npacman -Syy btrfs-progs  \n\nmkfs.btrfs -L \"Arch Linux\" /dev/sdX2  \n```\n\n#### Mount partition to be able to create btrfs subvolumes\n\n##### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:\n\n```bash\nmount /dev/sdX2 /mnt  \n```\n\n#### Create subvolumes\n\n##### This scheme can be adjusted to your needs, I'd suggest at least one subvolume for root (@) and one for snapshots (@snapshots). varlog and tmp are created to easily disable Copy on Write on` /var/log` and `/tmp`.\n\n```bash\nbtrfs su cr /mnt/@  \n\nbtrfs su cr /mnt/@home  \n\nbtrfs su cr /mnt/@varlog\n\nbtrfs su cr /mnt/@tmp  \n\nbtrfs su cr /mnt/@snapshots  \n\n```\n\n##### Disable copy on write on `/var/log` and `/tmp`\n\n```bash\nchattr +C /mnt/@varlog\nchattr +C /mnt/@tmp  \numount /mnt  \n\n```\n\n#### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:\n\n```bash\nmount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt  \n\nmkdir /mnt/home  \n\nmkdir -p /mnt/var/log  \n\nmkdir /mnt/tmp  \n\nmkdir /mnt/snapshots  \n\nmkdir /mnt/efi # for EFI partition /dev/sdX1  \n```\n\n#### Discard and ssd options and are for ssd disks only\n\n#### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**\n\n```bash\nmount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home\n\nmount -o defaults,noatime,discard,ssd,subvol=@varlog /dev/sdX2 /mnt/var/log\n\nmount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp\n\nmount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots\n\nmount /dev/sdX1 /mnt/efi\n```\n\n# 3. Install Arch Linux\n\n#### Select the mirror to be used if not updated with reflector on start\n\n```bash\nvim /etc/pacman.d/mirrorlist  \n```\n\n#### Install base system:\n\n##### This command can be customized with additional packages (**btrfs-progs is necessary to let the system boot up from btrfs partition !**)\n\n```bash\npacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo\n```\n\n#### Generate fstab:\n\n##### Use genfstab with -U parameter if no encryption\n\n```bash\ngenfstab /mnt \u003e\u003e /mnt/etc/fstab\n```\n\n####  \n\n# 4. Configure the system\n\n#### Switch to installed system root user\n\n```bash\narch-chroot /mnt /bin/bash\n```\n\n#### Setup system clock\n\n```bash\nln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime  \n\nhwclock --systohc --utc  \n```\n\n#### Set the hostname in `/etc/hostname`\n\n```test\nmyhostname\n```\n\n#### Edit vconsole in `/etc/vconsole.conf`\n\n```text\nKEYMAP=pl  \nFONT=Lat2-Terminus16.psfu.gz  \nFONT_MAP=8859-2  \n\n```\n\n#### Setup locale\n\n##### Uncomment pl\\_PL.UTF-8 in /etc/locale.gen and then run:\n\n```bash\nlocale-gen\n```\n\n#### Update locale in `etc/locale.conf`\n\n```text\nLANG=en_US.UTF-8\nLC_COLLATE=pl_PL.UTF-8\nLC_MEASUREMENT=pl_PL.UTF-8\nLC_MONETARY=pl_PL.UTF-8\nLC_NUMERIC=pl_PL.UTF-8\nLC_TIME=pl_PL.UTF-8\n\n```\n\n#### Hosts in `/etc/hosts`\n\n```text\n127.0.0.1 localhost  \n::1 localhost  \n127.0.1.1 myhostname.localdomain myhostname  \n\n```\n\n#### Now create empty (with 0 size) swap file:\n\n#### Create separate subvolume for swapfile. This subvolume is needed to let you make snapshot of `/`, which would not be possible with any file in it with CoW disabled!\n\n```\nbtrfs su create /swap\n\nchattr +C /swap\n```\n\n#### Copy on Write should always be disabled on swap file, so it will be done in the next step\n\n```bash\ntouch /swap/swapfile  \n```\n\n#### Check if C attribute is enabled (should be already if created in folder with disabled CoW attribute)\n\n```bash\nlsattr /swap/swapfile'\n```\n\n#### If not then disable CoW for swapfile manually:\n\n```bash\nchattr +C /swap/swapfile  \n```\n\n#### Expanding empty file to 4GiB swap file\n\n```bash\ndd if=/dev/zero of=/swap/swapfile bs=1024K count=4096  \n\nchmod 600 /swap/swapfile  \n\n```\n\n#### Format the swap file.\n\n```bash\nmkswap /swap/swapfile  \n```\n\n#### Turn swap file on.\n\n```bash\nswapon /swap/swapfile  \n```\n\n#### You also need to update `/etc/fstab` to mount swapfile on boot:\n\n```text\n/swap/swapfile none swap sw 0 0  \n```\n\n#### Set password for root\n\n```bash\npasswd  \n```\n\n#### Add real user an set password for him\n\n```bash\nuseradd -m MYUSERNAME \n\npasswd MYUSERNAME  \n```\n\n### Configure mkinitcpio with modules needed for the initrd image\n\n```bash\nvim /etc/mkinitcpio.conf  \n```\n\n#### Add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems:\n\n```\nHOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems keyboard fsck)\n```\n\n#### Add btrfsck to binaries:\n\n```\nBINARIES=(btrfsck)\n```\n\n#### **With encryption:** also add encrypt before btrfs:\n\n```text\nHOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...)  \n```\n\n######  \n\n#### Regenerate initrd images\n\n```bash\nmkinitcpio -P  \n```\n\n# 5. Install bootloader\n\n#### Setup grub (UEFI)\n\n```bash\npacman -S grub efibootmgr os-prober dosfstools mtools  \n```\n\n#### -------------encryption only---------------------\n\n#### edit `/etc/default/grub`\n\n```text\nGRUB_ENABLE_CRYPTODISK=y \n```\n\n#### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config\n\n```bash\nblkid \n```\n\n#### Now set this line including proper UUID in place of \"\u0026lt;device-UUID\u0026gt;\":\n\n#### (temporarly you can use /dev/sdX2 in place of \"UUID=\u0026lt;device-UUID\u0026gt;\" and change it later easy in gui mode)\n\n##### edit `/etc/default/grub`\n\n```text\nGRUB_CMDLINE_LINUX=\"cryptdevice=UUID=\u003cdevice-UUID\u003e:MainPart:allow-discards\"  \n```\n\n##### allow-discards is only for ssd to let trim work with encryption enabled\n\n#### Generate key so grub don't ask twice for password on boot\n\n```bash\ndd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock  \nchmod 600 /crypto_keyfile.bin  \nchmod 600 /boot/initramfs-linux*  \ncryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin  \n```\n\n#### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path\n\n#### Crypto\\_keyfile.bin is the default name that kernel will guess anyway\n\n#### Now add this file to `/etc/mkinitcpio.conf`\n\n```text\nFILES=(/crypto_keyfile.bin) \n```\n\nthen run:\n\n```bash\nmkinitcpio -P  \n```\n\n#### -------------encryption end---------------------\n\n#### Install grub for \n\n```bash\ngrub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB  \ngrub-mkconfig -o /boot/grub/grub.cfg  \n```\n\n#### Exit new system\n\n```bash\nexit  \n```\n\n#### Unmount all partitions\n\n```bash\nswapoff -a  \numount -R /mnt\n```\n\n#### Reboot into the new system, don't forget to remove the pendrive\n\n```bash\nreboot  \n```\n\n#### or\n\n```bash\nshutdown now  \n```\n\n### 6. Addtitional tips:\n\n#### Install AUR helper (git and base-devel packages needed to do so):\n\n```\ngit clone https://aur.archlinux.org/yay.git\n\ncd yay\n\nmakepkg -si\n```\n\n#### To get proper locale and keymap, check:\n\n```bash\nlocalectl status\n```\n\n#### On KDE plasma , also set settings \u0026gt; ... \u0026gt; keyboard layout \u0026amp;\u0026amp; regional settings\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fszwendacz99%2Farch-install-encrypted-btrfs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fszwendacz99%2Farch-install-encrypted-btrfs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fszwendacz99%2Farch-install-encrypted-btrfs/lists"}