
How to Set Up FDE in Arch Linux

Full disk encryption (FDE) is one of the best security measures you can take to protect data in your device’s storage. As the name implies, FDE encrypts the contents (files, software) of a storage drive in its entirety, including the operating system itself. FDE can be activated in Linux, Windows, and macOS, as well as Android systems.

With FDE enabled on your device, you will need to provide an encryption key on each login attempt. Once you enter the correct encryption key, the disk is decrypted, and your device will boot as usual.

FDE should not be confused with File Level Encryption (FLE), as the latter only protects individual files that have been encrypted manually by the user.

It should also be noted that Full Disk Encryption only works as long as the user has logged out of the system. Once an authorized user logs into the system,

Though not adequate on its own, FDE serves as a great first step toward securing your data from unauthorized access.

In this tutorial, you will learn how to set up Arch Linux with Full Disk Encryption in UEFI firmware mode on a GPT-partitioned disk.

Step 1: Set Boot Mode to UEFI

To follow this guide, you will first need to set the boot mode to UEFI.

To check whether your system has already booted in UEFI mode, issue the following command to list the efivars directory:

$ ls /sys/firmware/efi/efivars

If the command lists the directory contents without an error, you can be sure that the system has booted in UEFI mode.

If the system has not booted in UEFI, restart and press the menu key on your keyboard (which key that is depends upon the specific model you are using; look it up). Open the firmware tab and set the system to boot in UEFI mode.

Step 2: Ensure System Clock Is Accurate

Make sure your system clock is up to date by enabling network time synchronization:

$ timedatectl set-ntp true

The following syntax will set the time:

$ timedatectl set-time "yyyy-MM-dd hh:mm:ss"

Step 3: Separate Partitions in Storage

To use gdisk to create root and boot partitions, issue the following:

$ gdisk /dev/sda

Next, delete pre-existing partitions by pressing o, and press twice when asked for input. Then, press to list the pre-existing partitions, press to overwrite these partitions, and press to confirm.

Step 4: Ready Root Partition

The next step is to set up a root partition. Do so by entering the following:

$ cryptsetup luksFormat /dev/sda2

$ cryptsetup open /dev/sda2 cryptroot

$ mkfs.ext4 /dev/mapper/cryptroot

Then, mount the encrypted root partition:

$ mount /dev/mapper/cryptroot /mnt

Step 5: Configure the Boot Partition

Run the following commands to format the boot partition and create its mount point:

$ mkfs.fat -F32 /dev/sda1

$ mkdir /mnt/boot

Then, mount the partition by entering the following:

$ mount /dev/sda1 /mnt/boot

Step 6: Install Supporting Dependencies

Issue the following command to produce an fstab file:

$ genfstab -U /mnt >> /mnt/etc/fstab

Then, install the base system along with the vim and dhcpcd packages by entering the following:

$ pacstrap /mnt base linux linux-firmware vim dhcpcd

Step 7: Change Root Directory

Use the following command to change the root directory:

$ arch-chroot /mnt

Step 8: Set Time Zones

Be sure that the time zone is accurate to your location:

$ ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

$ hwclock --systohc

Step 9: Modify Relevant Locales

Run the following commands to generate the relevant locales and set the system language:

$ locale-gen

$ localectl set-locale LANG=en_US.UTF-8

In particular, you will edit the /etc/locale.gen file.

Step 10: Change to mkinitcpio

First, append the following entries to /etc/hosts:

127.0.0.1  localhost

::1        localhost

Then, look up and modify /etc/mkinitcpio.conf.

Be sure to include the encrypt hook in the HOOKS array, and move the keyboard hook so that encrypt comes after it.

Issue the following command to produce the boot images:

$ mkinitcpio -P
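One way to check the edited file before rebuilding the images, as an added example that is not part of the original tutorial: check_hooks is a hypothetical helper that reads mkinitcpio.conf text on standard input and confirms that encrypt is present and follows keyboard. It also flags the systemd hook, whose counterpart to encrypt is sd-encrypt; the sample HOOKS lines are constructed.

```shell
#!/bin/sh
# Added example: check HOOKS ordering in mkinitcpio.conf text read on stdin.
# check_hooks is a hypothetical helper, not part of mkinitcpio.
# Returns 0 if ok, 1 if the hooks are wrong, 2 if no HOOKS line is found.
check_hooks() {
    # Use the last uncommented HOOKS=(...) assignment; later ones override.
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=(\([^)]*\)).*$/\1/p' | tail -n 1)
    if [ -z "$hooks" ]; then
        echo "no uncommented, non-empty HOOKS=(...) line found"
        return 2
    fi
    pos=0; kb=0; enc=0; sysd=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            keyboard) kb=$pos ;;
            encrypt)  enc=$pos ;;
            systemd)  sysd=$pos ;;
        esac
    done
    if [ "$enc" -eq 0 ]; then
        echo "encrypt hook missing: the initramfs will not unlock the root"
        return 1
    fi
    if [ "$sysd" -ne 0 ]; then
        # The systemd-based initramfs uses sd-encrypt instead of encrypt.
        echo "systemd hook present: encrypt does not run, use sd-encrypt"
        return 1
    fi
    if [ "$kb" -eq 0 ] || [ "$kb" -gt "$enc" ]; then
        echo "keyboard hook missing or placed after encrypt"
        return 1
    fi
    echo "ok: $hooks"
}

# Constructed sample lines, not taken from a real system.
BAD='HOOKS=(base udev autodetect modconf block encrypt keyboard filesystems fsck)'
GOOD='HOOKS=(base udev autodetect modconf keyboard block encrypt filesystems fsck)'
printf '%s\n' "$BAD"  | check_hooks || echo "-> fix HOOKS, then rerun mkinitcpio -P"
printf '%s\n' "$GOOD" | check_hooks
```

Inside the chroot, run it against the real file with check_hooks < /etc/mkinitcpio.conf.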

Step 11: Enter Encryption Key

$ passwd

Step 12: Install ucode Package

If you are using an Intel CPU, type in the following command:

$ pacman -S intel-ucode

For AMD users, the command should be:

$ pacman -S amd-ucode

Step 13: Install and Set Up EFI Boot Manager

To install an EFI boot manager, run the following command:

$ bootctl install
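bootctl install only installs the boot manager; the encrypt hook from Step 10 also needs a cryptdevice= kernel parameter that names the LUKS partition and the mapper name used in Step 4. The following added example (not part of the original tutorial) writes a matching loader entry; write_loader_entry is a hypothetical helper, the entry name arch.conf and the 3-second timeout are assumptions, and the UUID in the demo is constructed.

```shell
#!/bin/sh
# Added example: write a systemd-boot entry that unlocks the LUKS root.
# write_loader_entry ESP_DIR LUKS_UUID UCODE   (hypothetical helper)
#   ESP_DIR    mounted boot partition (/boot inside the chroot)
#   LUKS_UUID  UUID of the LUKS partition itself (/dev/sda2), not of
#              /dev/mapper/cryptroot: blkid -s UUID -o value /dev/sda2
#   UCODE      intel-ucode or amd-ucode, as installed in Step 12
write_loader_entry() {
    esp=$1; uuid=$2; ucode=$3
    # Accept only a canonical UUID so that a device path or an empty
    # value never ends up on the kernel command line.
    if ! printf '%s\n' "$uuid" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "not a UUID: $uuid" >&2
        return 1
    fi
    case $ucode in
        intel-ucode|amd-ucode) ;;
        *) echo "unknown microcode package: $ucode" >&2; return 1 ;;
    esac
    mkdir -p "$esp/loader/entries" || return 1
    printf 'default arch.conf\ntimeout 3\n' > "$esp/loader/loader.conf"
    # cryptdevice=UUID=<luks>:<name> makes the encrypt hook open the
    # partition as /dev/mapper/<name>, which root= then points at.
    cat > "$esp/loader/entries/arch.conf" <<EOF
title   Arch Linux
linux   /vmlinuz-linux
initrd  /$ucode.img
initrd  /initramfs-linux.img
options cryptdevice=UUID=$uuid:cryptroot root=/dev/mapper/cryptroot rw
EOF
}

# Demo in a scratch directory with a constructed UUID.
demo_dir=$(mktemp -d)
write_loader_entry "$demo_dir" "0a1b2c3d-1111-2222-3333-444455556666" intel-ucode \
    && cat "$demo_dir/loader/entries/arch.conf"
```

Inside the chroot the real call would be write_loader_entry /boot "$(blkid -s UUID -o value /dev/sda2)" intel-ucode.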

Step 14: Run Reboot

Type exit, and then reboot.

$ reboot

Upon reboot, you will be prompted to enter a password.

That is it! That is how you install Arch Linux with Full Disk Encryption.


One of the best ways to protect your phone, computer, and laptop devices from unauthorized logins is Full Disk Encryption.

In this tutorial, you learned how to install Arch Linux with Full Disk Encryption. With FDE at your disposal, you no longer have to worry about other people intruding on your system.

Hopefully, you found this tutorial helpful and easy to follow.

About the author

Younis Said

I am a freelancing software project developer, a software engineering graduate and a content writer. I love working with Linux and open-source software.