This guide provides a secure installation method for Arch Linux with LUKS2 encryption (argon2id) for the root filesystem only, while keeping /boot unencrypted for GRUB compatibility.
For EFI boot with LUKS2 encryption:
Device           Mount point   Filesystem    Size              Notes
/dev/nvme0n1p1   /boot/efi     FAT32         512MB-1GB         EFI System Partition (unencrypted)
/dev/nvme0n1p2   /boot         ext4          1GB               Boot partition (unencrypted)
/dev/nvme0n1p3   /             LUKS2+ext4    Remaining space   Root partition (encrypted with LUKS2)
Partition the disk:
fdisk /dev/nvme0n1
# Create a GPT label (g) first; the type numbers below are fdisk's GPT type list.
# Create three partitions:
#   p1: EFI System (type 1)
#   p2: /boot (type 20 - Linux filesystem)
#   p3: Root (type 20 - Linux filesystem)
Format partitions:
mkfs.fat -F32 /dev/nvme0n1p1   # EFI
mkfs.ext4 /dev/nvme0n1p2       # /boot (unencrypted)
Encrypt root partition:
cryptsetup luksFormat --type luks2 --pbkdf argon2id /dev/nvme0n1p3   # LUKS2 header, argon2id key derivation
cryptsetup open /dev/nvme0n1p3 cryptroot                             # unlock as /dev/mapper/cryptroot
mkfs.ext4 /dev/mapper/cryptroot                                      # filesystem goes inside the container
Mount the filesystems:
mount /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot /mnt/boot/efi
mount /dev/nvme0n1p2 /mnt/boot       # Unencrypted /boot
mount /dev/nvme0n1p1 /mnt/boot/efi   # EFI partition
Install base system:
pacstrap /mnt base linux linux-firmware grub efibootmgr
Generate fstab:
genfstab -U /mnt >> /mnt/etc/fstab
Chroot into the new system:
arch-chroot /mnt
Configure mkinitcpio for LUKS:
# Edit /etc/mkinitcpio.conf
# "keyboard" is placed before "encrypt" so the keyboard is available at the
# passphrase prompt; "encrypt" must come after "block" and before "filesystems".
HOOKS=(base udev autodetect modconf block keyboard encrypt filesystems fsck)
# Generate the initramfs for all installed kernel presets
mkinitcpio -P
Configure GRUB:
# Edit /etc/default/grub. grub-mkconfig sources this file as shell, so the
# $(blkid ...) substitution is evaluated when the config is generated; pasting
# the literal UUID from `blkid -s UUID -o value /dev/nvme0n1p3` works as well.
GRUB_CMDLINE_LINUX="cryptdevice=UUID=$(blkid -s UUID -o value /dev/nvme0n1p3):cryptroot root=/dev/mapper/cryptroot"
# Install GRUB and generate its configuration
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
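A post-install sanity check for the layout built above, added here as an example and not part of the guide: it confirms that the root header is LUKS2 with argon2id on every keyslot and that the kernel command line unlocks that exact header as cryptroot. The device path and mapper name are the guide's own; the SAMPLE_* values are constructed, abbreviated luksDump output and a matching command line so the functions can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the guide). The check functions take the text of
# 'cryptsetup luksDump' and of the kernel command line as arguments, so they
# also run on captured output. SAMPLE_DUMP / SAMPLE_CMDLINE are constructed.

# luks_header_ok DUMP: require a LUKS2 header whose keyslots all use argon2id,
# and print the header UUID. The "Digests" section legitimately lists pbkdf2,
# so only keyslot "PBKDF:" lines are inspected.
luks_header_ok() {
    dump="$1"
    printf '%s\n' "$dump" | grep -Eq '^Version:[[:space:]]+2$' || return 1
    slots=$(printf '%s\n' "$dump" | grep -E '^[[:space:]]*PBKDF:' \
            | sed 's/.*PBKDF:[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$slots" ] || return 1
    # One keyslot on a weaker PBKDF is enough to undo the argon2id choice.
    printf '%s\n' "$slots" | grep -vq '^argon2id$' && return 1
    printf '%s\n' "$dump" | sed -n 's/^UUID:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# cmdline_ok CMDLINE UUID: the kernel must unlock exactly this header as
# "cryptroot" and use the mapped device as root, as the GRUB step configures.
cmdline_ok() {
    case " $1 " in *" cryptdevice=UUID=$2:cryptroot "*) ;; *) return 1 ;; esac
    case " $1 " in *" root=/dev/mapper/cryptroot "*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample data (abbreviated luksDump output; placeholder UUID).
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           1c3b7b5e-0000-4000-8000-0000deadbeef
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
Digests:
  0: pbkdf2
        Hash:       sha256'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-linux cryptdevice=UUID=1c3b7b5e-0000-4000-8000-0000deadbeef:cryptroot root=/dev/mapper/cryptroot rw'

# check_installed: run as root on the installed system (sh check.sh --live).
check_installed() {
    uuid=$(luks_header_ok "$(cryptsetup luksDump /dev/nvme0n1p3)") \
        || { echo "FAIL: /dev/nvme0n1p3 is not LUKS2 with argon2id on every keyslot"; return 1; }
    cmdline_ok "$(cat /proc/cmdline)" "$uuid" \
        || { echo "FAIL: kernel cmdline does not unlock $uuid as cryptroot"; return 1; }
    echo "OK: root header $uuid is LUKS2/argon2id and is unlocked as cryptroot"
}
case "${1:-}" in --live) check_installed ;; esac
```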
Why this configuration is secure:
An unencrypted /boot partition is necessary for GRUB compatibility. Security is maintained because:
Critical warning: Never encrypt /boot when using GRUB, as it cannot read encrypted kernel/initramfs files without additional complex configuration.
During boot: