Installing Arch Linux on a USB Drive · Ext4 + LUKS2

sha256sum archlinux-2025.05.01-x86_64.iso

cfdisk /dev/sdY

Formats the first partition (/dev/sdY1) with the EXT2 filesystem.

mkfs.ext2 /dev/sdY1

Formats the second partition (/dev/sdY2) as FAT32. This is typically used for EFI System Partitions.

mkfs.vfat -F32 /dev/sdY2

Initializes LUKS2 encryption on the third partition (/dev/sdY3).
Type YES in uppercase to confirm, then type a strong passphrase.

cryptsetup luksFormat --type luks2 /dev/sdY3

Opens the LUKS-encrypted partition and maps it to /dev/mapper/cryptroot.
To interact with the partition as if it were unencrypted.

cryptsetup luksOpen /dev/sdY3 cryptroot

USB drives have a limited number of write cycles. In this case, a better solution is to create a file system without journaling, since a journaling file system consumes additional writes as the journal is updated. Eventually, we are also going to configure systemd-journald to store logs in RAM.

Formats the decrypted partition with the Ext4 filesystem while disabling the journaling feature using -O "^has_journal".

mkfs.ext4 -O "^has_journal" /dev/mapper/cryptroot

Mounts the decrypted Ext4 partition to /mnt

mount /dev/mapper/cryptroot /mnt

Create the /boot directory inside /mnt to mount the corresponding partition.
Mount the EFI system partition at /mnt/boot.

mkdir -vp /mnt/boot

mount /dev/sdY2 /mnt/boot

Lists the partitions, filesystems, and mount points to verify everything is set up correctly.

lsblk -pf /dev/sdY

pacstrap -K /mnt linux-lts linux-firmware linux-lts-headers base base-devel nano \
		 networkmanager grub efibootmgr dosfstools os-prober mtools \
		 bash-completion iwd usbutils intel-ucode amd-ucode

• linux-lts – Long-Term Support kernel, stable and maintained for longer periods.
• linux-firmware – Firmware files for various hardware devices.
• linux-lts-headers – Kernel headers for building modules against the LTS kernel.
• base – Essential packages for a minimal Arch Linux system.
• base-devel – Development tools for compiling software (make, gcc, etc.).
• nano – Simple terminal text editor.
• networkmanager – Network management daemon and CLI tools.
• grub – Bootloader to start the OS.
• efibootmgr – EFI boot manager to configure UEFI boot entries.
• dosfstools – Tools for creating and checking FAT filesystems.
• os-prober – Detects other OS installations for bootloader configuration.
• mtools – Utilities to access FAT filesystems without mounting them.
• bash-completion – Bash completions for core commands.
• iwd – Wireless daemon for managing Wi-Fi connections.
• usbutils – Utilities to list and query USB devices.
• intel-ucode – Microcode updates for Intel CPUs.
• amd-ucode – Microcode updates for AMD CPUs.

genfstab -U /mnt > /mnt/etc/fstab

Enters the new system environment at /mnt, so all following commands affect the installed system, not the live USB.

arch-chroot /mnt

Sets the system name to zombie, Change it to your own hostname, which identifies your computer on networks.

echo "zombie" > /etc/hostname

Use the command with your city name to find your timezone.
You can then use its output in the next command to links your local timezone file to /etc/localtime for correct system time. Set it to your own localtime

timedatectl list-timezones | grep Tokyo

ln -sf /usr/share/zoneinfo/Japan/Tokyo /etc/localtime

Writes the system time to the hardware clock so it stays accurate after reboots.

hwclock --systohc

Enables the locale for system-wide use. Make sure to set your preferred language.

echo "en_US.UTF-8 UTF-8" | tee -a /etc/locale.gen

Generates the locale files specified in /etc/locale.gen.

locale-gen

Sets the default system language environment variable.

echo "LANG=en_US.UTF-8" > /etc/locale.conf

Add your own keymap.

echo "KEYMAP=us" > /etc/vconsole.conf

Prompts to set a strong password for the root account.

passwd

Defines the username you will create.

auser=yourusername

Creates the user with a home directory and adds them to the wheel group for administrative privileges.

useradd -mG wheel "$auser"

Sets the password for your new user account.

passwd "$auser"

Edits the sudoers file safely. This allows users in the wheel group to use sudo for administrative tasks.
Uncomment the line at the bottom of the file by removing the # from: %wheel ALL=(ALL) ALL

EDITOR=nano visudo

Open the GRUB configuration file for editing. This file controls bootloader settings and kernel parameters.

nano /etc/default/grub

This enables GRUB to recognize LUKS-encrypted partitions at boot, allowing you to enter the passphrase early.

GRUB_ENABLE_CRYPTODISK=y     # Uncomment the line by removing the hashtag (#), then save and exit the file

Outputs the unique identifier of your LUKS encrypted partition. It tells GRUB which partition to unlock.

cryptsetup luksUUID /dev/sdY3

This two-line command retrieves the LUKS UUID automatically and updates the GRUB configuration safely, avoiding manual copy/paste.

Warning: A single wrong character can make the system unbootable. Double‑check the UUID and syntax before updating GRUB.

UUID=$(cryptsetup luksUUID /dev/sdY3)
sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$UUID:cryptroot\"|" /etc/default/grub

2 - Install GRUB

Warning: Make sure to install for both UEFI and Legacy modes to ensure the USB boots on both.

UEFI

Installs GRUB for UEFI systems.
- --efi-directory=/boot specifies the EFI system partition.
- --bootloader-id=GRUB names the boot entry.
- --removable makes it bootable on removable media.
- --recheck ensures device detection is refreshed.

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --removable --recheck

Legacy BIOS

Warning: Make sure to replace sdY with your actual device. Installing GRUB to the wrong device can prevent your system from booting.

Installs GRUB for BIOS systems.
- --boot-directory=/boot specifies where GRUB files go.
- Replace /dev/sdY with your actual target disk.

grub-install --target=i386-pc --boot-directory=/boot /dev/sdY

Automatically generates the GRUB configuration file, detecting all kernels and operating systems.

grub-mkconfig -o /boot/grub/grub.cfg

Open the configuration file where you define which modules and hooks are included in the initramfs.

nano /etc/mkinitcpio.conf

Here, USB storage, USB keyboard, and USB controllers are included for proper hardware initialization.

MODULES=(usb_storage usbhid xhci_pci ehci_pci)

HOOKS – Define the sequence of operations during boot. Important points:
- keyboard before autodetect ensures the keyboard works for password entry.
- encrypt before filesystems ensures encrypted volumes are unlocked before mounting.

HOOKS=(base udev keyboard autodetect microcode modconf kms keymap consolefont block encrypt filesystems fsck)

Rebuilds all preset initramfs images using the updated configuration, so the system boots with proper modules and hooks.

mkinitcpio -P

A higher-level tool to manage wired, wireless, and VPN connections with CLI or GUI tools.

systemctl enable NetworkManager

Maps hostnames to IP addresses locally.
This ensures your system can resolve its own hostname and loopback addresses without querying DNS.

host=$(cat /etc/hostname)
sh -c "printf '127.0.0.1   localhost\n::1   localhost\n127.0.1.1   $host.localdomain   $host\n' > /etc/hosts"

pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter network-manager-applet \
	  bluez bluez-utils wget curl git xdg-utils gvfs openssh alsa-utils \
	  pipewire pipewire-pulse pavucontrol wireplumber unzip ntfs-3g rsync \
	  noto-fonts-emoji noto-fonts-cjk noto-fonts-extra chromium arch-install-scripts \
	  gparted reflector cups

These packages install XFCE, essential utilities, audio/video support, network management, Bluetooth, and common CLI tools for daily usage.

• xfce4 – XFCE desktop environment.
• xfce4-goodies – Additional XFCE plugins and tools.
• lightdm – Display manager for graphical login.
• lightdm-gtk-greeter – GTK-based login screen for LightDM.
• network-manager-applet – GUI for managing network connections.
• bluez – Bluetooth protocol stack.
• bluez-utils – Bluetooth utilities for managing devices.
• wget – Command-line file downloader.
• curl – Command-line tool for transferring data with URLs.
• git – Version control system.
• neofetch – Displays system information in terminal.
• xdg-utils – Desktop integration utilities.
• gvfs – Virtual filesystem support for desktop apps.
• openssh – SSH client and server.
• alsa-utils – ALSA audio utilities.
• pipewire – Multimedia server for audio/video.
• pipewire-pulse – PulseAudio compatibility layer for PipeWire.
• pavucontrol – GUI volume control for PulseAudio/PipeWire.
• wireplumber – PipeWire session manager.
• unzip – Extract ZIP archives.
• ntfs-3g – NTFS filesystem support.
• rsync – File synchronization tool.
• noto-fonts – Much-needed fonts to include extra characters for different languages.
• arch-install-scripts – Scripts to aid in installing Arch Linux on other systems.
• gparted – A Partition Magic clone
• reflector – Updates/optimizes Arch Linux mirrors for faster package downloads.
• cups – A Printing system

Starts the display manager automatically at boot, providing a login screen.

systemctl enable lightdm

Starts the Bluetooth service automatically at boot for device pairing and management.

systemctl enable bluetooth

Starts the printing service automatically at boot

systemctl enable cups

Leaving the chroot environment, returning to the live installer system.

exit

Recursively unmounts all partitions mounted under /mnt, ensuring no filesystems are left mounted before shutdown.

umount -R /mnt

Shuts down the installer system safely. After this, you can remove the installation media and boot your new system.

poweroff

After booting into the installed system, we need to perform some post-installation configuration.

After logging in and opening a terminal (if you are using a DE/WM), switch to the root user for the next steps:

sudo su

Enter your password and go to the home directory with.

cd

Next, configure the systemd-journald settings to store logs in RAM, reducing unnecessary writes to the USB stick.

mkdir /etc/systemd/journald.conf.d

Create the configuration file:

nano /etc/systemd/journald.conf.d/usbstick.conf

Add the following lines to the file:

[Journal]
Storage=volatile
RuntimeMaxUse=30M

Save the file and exit.

The next step is to install drivers. The Arch Wiki recommends using open-source drivers instead of proprietary ones:

Ensure you are connected to the internet. If using Wi-Fi, run nmtui to connect; if using Ethernet, you should be connected automatically.

pacman -S xf86-video-vesa xf86-video-ati xf86-video-intel xf86-video-amdgpu xf86-video-nouveau

Let's set up YAY, the AUR helper.

cd /tmp/ && git clone https://aur.archlinux.org/yay
cd yay/ && makepkg -si --noconfirm

And now you can just use yay instead of pacman.

yay -Syu
yay -S fastfetch
fastfetch

After that, reboot, and that’s it—you can now use your USB stick on any computer.