This isn’t just another Arch Linux guide. It’s a meticulously crafted blueprint for building your own sovereign operating system from the ground up: faster, lighter, and cleaner than bloated distros that pretend to give you freedom. If you’re in the Web3 space, privacy, modularity, and full control aren’t luxuries, they’re requirements. Arch gives you the keys. This guide strips away the noise and gives you a streamlined path to mastering Arch for daily use whether you’re spinning up nodes, writing smart contracts, or just reclaiming your machine. Full LUKS encryption, LVM volumes, and to the point. No fluff. No forum-speak. Just clarity and power.

Table Of Content

• 1️⃣ Boot into the Arch ISO
• 2️⃣ Prepare Disk for LUKS & LVM
• 3️⃣ Partition the Disk
• 4️⃣ Encrypt the Root Partition (LUKS)
• 5️⃣ Set Up LVM (volgroup0)
• 6️⃣ Format Partitions
• 7️⃣ Mount Partitions
• 8️⃣ Install Arch Linux
• Configure Networking
• 9️⃣ Generate fstab
• 🔟 Enter the Installed System
• 1️⃣1️⃣ Configure System
• 1️⃣2️⃣ Configure LUKS Unlock on Boot
• 1️⃣3️⃣ Install Bootloader (GRUB)
• 1️⃣4️⃣ Set Up GRUB to Unlock LUKS
• 1️⃣5️⃣ Exit and Reboot
• Rename GRUB to the default fallback EFI path
• 1️⃣6️⃣ Create a User
• 1️⃣7️⃣ Give your new username admin rights
• PART 2 COMING SOON ON DESKTOP ENVIRONMENTS & HARDENING

1️⃣ Boot into the Arch ISO

• Insert your USB installation media and boot into the Arch Linux installer.
• Select Arch Linux Installation from the boot menu.

Ensure internet is working:

ping -c 3 archlinux.org

If no internet, connect manually (Ethernet recommended). For Wi-Fi:

iwctl
station wlan0 connect "<WiFi-Network>"      # Keep the quotes
exit

2️⃣ Prepare Disk for LUKS & LVM

List available disks:

lsblk

Identify your main disk (e.g., /dev/nvme0n1 or /dev/sda).

Wipe the disk (⚠️ DELETES EVERYTHING!)

wipefs --all /dev/nvme0n1                  # Where nvme0n1 is your main disk.

Or use gdisk to manually delete partitions:

gdisk /dev/nvme0n1

• Press o to create a new GPT table.
• Press w to write changes and exit.

3️⃣ Partition the Disk

Use gdisk (or fdisk if using GPT). Both are fine but just note that the partition numbers will be different on fdisk vs gdisk.

gdisk /dev/nvme0n1

Create partitions:

1. EFI Partition (if using UEFI)
   • Press n (new partition)
   • Partition number: 1
   • First sector: Enter
   • Last sector: +512M
   • Hex code: ef00 (EFI System)
2. LUKS Encrypted Partition
   • Press n
   • Partition number: 2
   • First sector: Enter
   • Last sector: Enter (use remaining space)
   • Hex code: 8e00 (Linux LVM)
3. Write changes and confirm:

w

You’ll now have something like this (where nvme0n1 is your disk name from lsblk):

/dev/nvme0n1p1  --> EFI     (512M, ef00)
/dev/nvme0n1p2  --> LUKS/LVM (rest, 8e00)

4️⃣ Encrypt the Root Partition (LUKS)

Initialize LUKS encryption on the second partition:

cryptsetup luksFormat --type luks1 /dev/nvme0n1p2

Type YES and enter a strong passphrase.

Open the LUKS container:

cryptsetup open /dev/nvme0n1p2 cryptroot

5️⃣ Set Up LVM (volgroup0)

Create a volume group and logical volumes inside LUKS.

Create volume group:

pvcreate /dev/mapper/cryptroot
vgcreate volgroup0 /dev/mapper/cryptroot

Create logical volumes:

lvcreate -L 16G volgroup0 -n swap  # Recommended to make same size total RAM.
lvcreate -L 100G volgroup0 -n root
lvcreate -l 100%FREE volgroup0 -n home

Adjust size if needed. The root volume is 100G, swap is 16G, and home takes the rest. Swap size is usually the same size as your RAM if you plan on using hibernation.

6️⃣ Format Partitions

Format EFI:

mkfs.fat -F32 /dev/nvme0n1p1

Format LVM volumes:

mkfs.ext4 /dev/volgroup0/root
mkfs.ext4 /dev/volgroup0/home
mkswap /dev/volgroup0/swap

7️⃣ Mount Partitions

mount /dev/volgroup0/root /mnt
mkdir /mnt/home
mount /dev/volgroup0/home /mnt/home
mkdir -p /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
swapon /dev/volgroup0/swap

8️⃣ Install Arch Linux

pacstrap /mnt base linux linux-firmware vim lvm2 nano

If you’re using an AMD CPU, also install:

pacstrap /mnt amd-ucode

For an Intel CPU, use:

pacstrap /mnt intel-ucode

Configure Networking

For a wired connection, install dhcpcd:

pacstrap /mnt dhcpcd

For Wi-Fi, install NetworkManager:

pacstrap /mnt networkmanager

9️⃣ Generate fstab

genfstab -U /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab  # Verify it looks correct

🔟 Enter the Installed System

arch-chroot /mnt

1️⃣1️⃣ Configure System

Set timezone:

ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
hwclock --systohc

Set locale:

echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf

Set hostname:

echo "DESIRED_HOSTNAME" > /etc/hostname

Set root password:

passwd

Enable NetworkManager (or DHCPCD if ethernet):

systemctl enable NetworkManager      

# or dhcpcd instead of NetworkManager

1️⃣2️⃣ Configure LUKS Unlock on Boot

Edit mkinitcpio:

nano /etc/mkinitcpio.conf

Modify HOOKS to include:

HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)

Save and rebuild initramfs:

mkinitcpio -P

1️⃣3️⃣ Install Bootloader (GRUB)

For EFI systems:

pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

For legacy systems (skip if using UEFI):

grub-install --target=i386-pc /dev/nvme0n1

If you are installing Arch Linux on a thumb drive/external drive:

pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot --removable

1️⃣4️⃣ Set Up GRUB to Unlock LUKS

Edit GRUB config:

nano /etc/default/grub

Find the GRUB_CMDLINE_LINUX line and change it to:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=$(blkid -s UUID -o value /dev/nvme0n1p2):cryptroot root=/dev/volgroup0/root"

Create /boot/grub directory and generate grub.cfg:

grub-mkconfig -o /boot/grub/grub.cfg

1️⃣5️⃣ Exit and Reboot

exit
umount -R /mnt
swapoff -a
reboot

• The system should now boot and ask for your LUKS passphrase to decrypt.
• After entering it, you’ll be in your LVM-based Arch Linux system.

If Arch Linux Will Not Boot / BIOS Not Detecting:

Rename GRUB to the default fallback EFI path:

Some firmware only boots from the hardcoded default path \EFI\BOOT\BOOTX64.EFI.

# Mount your EFI partition
mount /dev/nvme0n1p1 /mnt

# Make the fallback directory if it doesn't exist
mkdir -p /mnt/EFI/BOOT

# Copy your existing GRUB EFI binary to the fallback name
cp /mnt/EFI/grub/grubx64.efi /mnt/EFI/BOOT/BOOTX64.EFI

1️⃣6️⃣ Create a User

Log in as root, then:

useradd -m -G wheel -s /bin/bash YOUR_USERNAME
passwd YOUR_USERNAME

This will let you create a user and password for that user.

Now let’s get the internet back up officially.

1️⃣7️⃣ Give your new username admin rights

Enable sudo for this user: (admin rights)

pacman -S sudo
EDITOR=nano visudo

Uncomment:

%wheel ALL=(ALL) ALL

Save and exit.

Now logout of your root and login to your new username you just created:

logout
YOUR_USERNAME
YOUR_USERNAME's password

Boom, you’re in.

PART 2 COMING SOON ON DESKTOP ENVIRONMENTS & HARDENING