Here I describe the steps I used to install Arch Linux with disk encryption and the GRUB boot loader.
At the time of writing, the installation guide describes installing the system without disk encryption and does not recommend any boot loader, so following it requires referring to another guide on setting up LVM on LUKS and then deciding which boot loader to use.
There is a guided installer, archinstall, available on the installation medium, but I have never tried using it.
I downloaded the latest release 2026.02.01 from the Arch Linux Downloads page and wrote it to the USB stick with dd.
To boot from the USB stick I had to disable Secure Boot. Otherwise, after pressing F12 during boot, I was not able to boot from the USB stick; it failed silently without any error message.
I use the Dvorak keyboard layout, so right after booting I switched the layout by typing loadkeys dvorak.
I used iwctl to connect to Wi-Fi. To scan for networks, run iwctl station wlan0 scan, then list visible networks with iwctl station wlan0 get-networks. Connect to the visible network with iwctl station wlan0 connect <SSID>.
I checked that the clock was correct by typing timedatectl; it was correct.
Note that it shows the UTC time zone and not local time.
lsblk showed that the disk was detected as nvme0n1 and that sda was the USB stick with the live image.
I started cgdisk /dev/nvme0n1, deleted all partitions and then created 3 partitions:
/boot, type 8300
cgdisk asks for partition names; I left them empty.
cryptsetup luksFormat /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 crypt
Based on my previous usage, where I almost always had a full 50 G root and a full 100 G home, I set up a 100 G root and a 200 G home.
pvcreate /dev/mapper/crypt
vgcreate vg /dev/mapper/crypt
lvcreate vg -L 100G -n root
lvcreate vg -L 200G -n home
I have 32 GiB of RAM, so I did not create any swap. I also don't want to use suspend-to-disk because writing 32 GiB is too much; I would rather suspend to RAM or shut down.
With LVM I can extend the partitions or add swap later as needed.
I formatted the EFI system partition as FAT32 and the rest of the partitions as ext4.
mkfs.fat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home
Once all the partitions are formatted, mount them under /mnt, which is going to be the root of the installed system.
mount /dev/mapper/vg-root /mnt
mount --mkdir /dev/nvme0n1p1 /mnt/efi
mount --mkdir /dev/nvme0n1p2 /mnt/boot
mount --mkdir /dev/mapper/vg-home /mnt/home
Once all partitions of the new system are mounted into /mnt, the system can be installed there with
pacstrap -K /mnt base linux linux-firmware amd-ucode cryptsetup lvm2 networkmanager vim grub efibootmgr
The only absolutely necessary package is base; everything else can be installed after chroot as needed.
linux is the bootable kernel and linux-firmware contains the firmware files it loads for the hardware.
As I was installing on an AMD laptop, I installed amd-ucode here.
To access the encrypted partition and manage LVM I installed cryptsetup and lvm2.
I already installed networkmanager as I am going to use it to connect to Wi-Fi after reboot.
I am going to use vim to edit the configs.
To configure the boot loader, grub and efibootmgr are needed.
efibootmgr is used later to remove the old boot loader entry, and by grub-install to install itself in EFI.
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
Normally at this point you will set the time zone, but I prefer to have my system in UTC and only configure the clock in the UI to display local time.
I only ran hwclock --systohc here to set the hardware clock.
Open /etc/locale.gen and uncomment the "en_US.UTF-8 UTF-8" line by removing the `#` at the beginning.
locale-gen
echo "LANG=en_US.UTF-8" >/etc/locale.conf
echo KEYMAP=dvorak >/etc/vconsole.conf
Hostname is going to be displayed in the shell prompt, and may be exposed via mDNS or DHCP, but otherwise does not really matter:
echo box >/etc/hostname
Open /etc/mkinitcpio.conf and add sd-encrypt and lvm2 to HOOKS, after block and before filesystems:
HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block sd-encrypt lvm2 filesystems fsck)
Then run mkinitcpio -P.
Run passwd to set the root password so you can log in after reboot.
I ran efibootmgr to look at the current boot entries.
I deleted the old Windows entry Boot0000 ("Windows Boot Manager") that was there with efibootmgr -b 0000 -B
Then I opened /etc/default/grub and added
GRUB_CMDLINE_LINUX="rd.luks.name=<UUID>=crypt root=/dev/vg/root"
<UUID> is the UUID of the LUKS partition /dev/nvme0n1p3 and comes from the lsblk command.
Without a GUI it is not easy to paste the UUID from the output into a file.
I selected an empty line in vim and typed :.!lsblk to insert the lsblk output, then copied the UUID from there.
Then I installed GRUB:
grub-install --target=x86_64-efi --efi-directory=/efi/ --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
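If the initramfs hooks and the kernel command line disagree, the system cannot unlock the root volume at boot, so both are worth checking before leaving the chroot. The script below is an added example, not part of the original post: the function names are made up for it, the sample files and UUID are constructed, and cryptsetup luksUUID is used as one way to read the partition's UUID.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and the UUID are arguments,
# so the checks can be tried on copies; the sample files below are constructed.

# Print the UUID given to rd.luks.name=<UUID>=<name> in GRUB_CMDLINE_LINUX.
grub_luks_uuid() {  # usage: grub_luks_uuid <grub-defaults-file> <mapper-name>
    sed -n 's/^GRUB_CMDLINE_LINUX=.*rd\.luks\.name=\([0-9A-Fa-f-]*\)='"$2"'[ "].*/\1/p' "$1"
}

# Succeed only if the HOOKS=(...) line lists the given hooks in the given order.
hooks_in_order() {  # usage: hooks_in_order <mkinitcpio.conf> hook1 hook2 ...
    conf=$1; shift
    line=$(sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    pos=0
    for want in "$@"; do
        i=0; found=0
        for h in $line; do
            i=$((i + 1))
            if [ "$h" = "$want" ] && [ "$i" -gt "$pos" ]; then found=$i; break; fi
        done
        [ "$found" -gt 0 ] || { echo "HOOKS: $want missing or out of order" >&2; return 1; }
        pos=$found
    done
}

# usage: check_boot_config <mkinitcpio.conf> <grub-defaults-file> <luks-uuid>
check_boot_config() {
    hooks_in_order "$1" systemd block sd-encrypt lvm2 filesystems || return 1
    got=$(grub_luks_uuid "$2" crypt)
    [ -n "$got" ] || { echo "GRUB: no rd.luks.name=<UUID>=crypt" >&2; return 1; }
    [ "$got" = "$3" ] || { echo "GRUB: UUID $got is not LUKS UUID $3" >&2; return 1; }
    grep -q '^GRUB_CMDLINE_LINUX=.*root=/dev/vg/root' "$2" ||
        { echo "GRUB: root= is not /dev/vg/root" >&2; return 1; }
}

# Demo on constructed files. In the chroot the call would be:
#   check_boot_config /etc/mkinitcpio.conf /etc/default/grub \
#       "$(cryptsetup luksUUID /dev/nvme0n1p3)"
demo=$(mktemp -d)
uuid=3f2a9c1e-0000-4000-8000-000000000001   # constructed sample value
echo 'HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block sd-encrypt lvm2 filesystems fsck)' >"$demo/mkinitcpio.conf"
echo "GRUB_CMDLINE_LINUX=\"rd.luks.name=$uuid=crypt root=/dev/vg/root\"" >"$demo/grub"
check_boot_config "$demo/mkinitcpio.conf" "$demo/grub" "$uuid" && echo "boot config consistent"
```

A placeholder left as the literal text <UUID> in /etc/default/grub is reported as a missing rd.luks.name entry, because only hexadecimal digits and dashes are accepted as a UUID.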
Once everything is installed, exit the chroot with C-d, then type reboot.
Type the LUKS password, then log in as root.
Run systemctl enable NetworkManager --now, then use nmtui to connect to Wi-Fi.
Create a new non-root user and set its password with
useradd -m user
passwd user
This user can already use su with the root password if needed, so there is no need for sudo.