Installing Arch Linux on a USB Drive · Ext4 + LUKS2

A concise, step‑by‑step guide to create a portable, encrypted Arch Linux on a USB drive.

Target: USB drive · FS: Ext4 · Encryption: LUKS2 · Boot: UEFI + BIOS

1 - Download & verify ISO

Download the latest ISO from archlinux.org. Verify it with the official checksum.

sha256sum archlinux-2025.05.01-x86_64.iso

Tip: Ensure the hash matches the one published on the website.

2 - Create installer USB

On Linux, find your device with lsblk and write the ISO with dd. On Windows, use Rufus.

Linux

lsblk
sudo dd if=archlinux-2025.05.01-x86_64.iso of=/dev/sdX status=progress bs=4M conv=fsync

Replace /dev/sdX with your installer USB device.

Warning: Make sure that your USB drives do not contain any important data.

Windows

Use Rufus to write the ISO to your USB drive.

3 - Connect to the Internet

Now plug in both USBs — the media installer and the USB drive where we’ll install Arch Linux.

This next step is only necessary if you are using a Wi-Fi connection. If you are using Ethernet, you can skip it.

Let’s connect to the internet using iwctl:

  1. Detect any Wi-Fi adapters:

    iwctl device list

    You should see a wireless interface (e.g., wlan0 or similar).

  2. Scan for nearby networks:

    iwctl station wlan0 scan

  3. List available networks:

    iwctl station wlan0 get-networks

  4. Connect to your Wi-Fi:

    iwctl station wlan0 connect SSID

    Replace SSID with your Wi-Fi network name, press ENTER, and type your passphrase.

  5. Test your connection:

    ping -c3 archlinux.org

4 - Partition target USB

Create three partitions on the target USB:

#  Purpose      Size     Type / FS       Mount
1  BIOS boot    128 MiB  ext2
2  UEFI system  512 MiB  vfat (FAT32)    /boot
3  Root         Rest     LUKS2 → Ext4    /

cfdisk /dev/sdY

Warning: Double‑check the target device (e.g. /dev/sdY) with lsblk to avoid wiping the wrong disk.

5 - Create Filesystems & Setup LUKS Encryption

Now that the partitions are ready, we need to format them with appropriate filesystems and optionally set up encryption for sensitive data.

mkfs.ext2 /dev/sdY1

Formats the first partition (/dev/sdY1) with the EXT2 filesystem.

mkfs.vfat -F32 /dev/sdY2

Formats the second partition (/dev/sdY2) as FAT32. This is typically used for EFI System Partitions.

cryptsetup luksFormat --type luks2 /dev/sdY3

Initializes LUKS2 encryption on the third partition (/dev/sdY3). Type YES in uppercase to confirm, then type a strong passphrase.

cryptsetup luksOpen /dev/sdY3 cryptroot

Opens the LUKS-encrypted partition and maps it to /dev/mapper/cryptroot, so you can interact with the partition as if it were unencrypted.

USB drives have a limited number of write cycles. In this case, a better solution is to create a file system without journaling, since a journaling file system consumes additional writes as the journal is updated. Eventually, we are also going to configure systemd-journald to store logs in RAM.

mkfs.ext4 -O "^has_journal" /dev/mapper/cryptroot

Formats the decrypted partition with the Ext4 filesystem while disabling the journaling feature using -O "^has_journal".

6 - Mount the filesystem

Next, we mount the root filesystem and the EFI partition.

mount /dev/mapper/cryptroot /mnt

Mounts the decrypted Ext4 partition to /mnt.

mkdir -vp /mnt/boot

Creates the /boot directory inside /mnt to mount the corresponding partition.

mount /dev/sdY2 /mnt/boot

Mounts the EFI system partition at /mnt/boot.

lsblk -pf /dev/sdY

Lists the partitions, filesystems, and mount points to verify everything is set up correctly.

7 - Install Base System

pacstrap -K /mnt linux-lts linux-firmware linux-lts-headers base base-devel nano \
		 networkmanager grub efibootmgr dosfstools os-prober mtools \
		 bash-completion iwd usbutils intel-ucode amd-ucode

  • linux-lts – Long-Term Support kernel, stable and maintained for longer periods.
  • linux-firmware – Firmware files for various hardware devices.
  • linux-lts-headers – Kernel headers for building modules against the LTS kernel.
  • base – Essential packages for a minimal Arch Linux system.
  • base-devel – Development tools for compiling software (make, gcc, etc.).
  • nano – Simple terminal text editor.
  • networkmanager – Network management daemon and CLI tools.
  • grub – Bootloader to start the OS.
  • efibootmgr – EFI boot manager to configure UEFI boot entries.
  • dosfstools – Tools for creating and checking FAT filesystems.
  • os-prober – Detects other OS installations for bootloader configuration.
  • mtools – Utilities to access FAT filesystems without mounting them.
  • bash-completion – Bash completions for core commands.
  • iwd – Wireless daemon for managing Wi-Fi connections.
  • usbutils – Utilities to list and query USB devices.
  • intel-ucode – Microcode updates for Intel CPUs.
  • amd-ucode – Microcode updates for AMD CPUs.

8 - Generate fstab

genfstab -U /mnt > /mnt/etc/fstab

Generates the fstab file using UUIDs (-U) for all mounted partitions under /mnt, and writes it to /mnt/etc/fstab. This file tells the system which partitions to mount at boot.

9 - System Configuration

arch-chroot /mnt

Enters the new system environment at /mnt, so all following commands affect the installed system, not the live USB.

echo "zombie" > /etc/hostname

Sets the system name to zombie. Change it to your own hostname, which identifies your computer on networks.

timedatectl list-timezones | grep Tokyo

Use the above command with your city name to find your timezone. You can then use its output in the next command.

ln -sf /usr/share/zoneinfo/Asia/Tokyo /etc/localtime

Links your local timezone file to /etc/localtime for correct system time. Replace Asia/Tokyo with your own timezone.

hwclock --systohc

Writes the system time to the hardware clock so it stays accurate after reboots.

echo "en_US.UTF-8 UTF-8" | tee -a /etc/locale.gen

Enables the locale for system-wide use. Make sure to set your preferred language.

locale-gen

Generates the locale files specified in /etc/locale.gen.

echo "LANG=en_US.UTF-8" > /etc/locale.conf

Sets the default system language environment variable.

echo "KEYMAP=us" > /etc/vconsole.conf

Sets the console keymap. Replace us with your own keymap.

passwd

Prompts to set a strong password for the root account.

auser=yourusername

Defines the username you will create.

useradd -mG wheel "$auser"

Creates the user with a home directory and adds them to the wheel group for administrative privileges.

passwd "$auser"

Sets the password for your new user account.

EDITOR=nano visudo

Edits the sudoers file safely. This allows users in the wheel group to use sudo for administrative tasks. Uncomment the line at the bottom of the file by removing the # from: %wheel ALL=(ALL) ALL

10 - GRUB + Encryption

nano /etc/default/grub

Open the GRUB configuration file for editing. This file controls bootloader settings and kernel parameters.

GRUB_ENABLE_CRYPTODISK=y     # Uncomment the line by removing the hashtag (#), then save and exit the file

This enables GRUB to recognize LUKS-encrypted partitions at boot, allowing you to enter the passphrase early.

cryptsetup luksUUID /dev/sdY3

Outputs the unique identifier of your LUKS encrypted partition. It tells GRUB which partition to unlock.

UUID=$(cryptsetup luksUUID /dev/sdY3)
sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$UUID:root\"|" /etc/default/grub

This two-line command retrieves the LUKS UUID automatically and updates the GRUB configuration safely, avoiding manual copy/paste.

Warning: A single wrong character can make the system unbootable. Double‑check the UUID and syntax before updating GRUB.

11 - mkinitcpio

nano /etc/mkinitcpio.conf

Open the configuration file where you define which modules and hooks are included in the initramfs.

MODULES=(usb_storage usbhid xhci_pci ehci_pci)

Here, USB storage, USB keyboard, and USB controllers are included for proper hardware initialization.

HOOKS=(base udev keyboard autodetect microcode modconf kms keymap consolefont block encrypt filesystems fsck)

HOOKS – Defines the sequence of operations during boot. Important points:

  • keyboard before autodetect ensures the keyboard works for password entry.
  • encrypt before filesystems ensures encrypted volumes are unlocked before mounting.

mkinitcpio -P

Rebuilds all preset initramfs images using the updated configuration, so the system boots with proper modules and hooks.
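A check for the two hand-edited settings above, the cryptdevice= parameter from step 10 and the HOOKS order from step 11. This is an added example, not part of the original guide; the function names check_cryptdevice, hook_index and check_hook_order are hypothetical helpers.

```shell
#!/bin/sh
# Added example: checks for the two hand-edited boot settings in this guide.

# check_cryptdevice GRUB_FILE LUKS_UUID
# Succeeds only if GRUB_CMDLINE_LINUX carries cryptdevice=UUID=<LUKS_UUID>:<name>.
check_cryptdevice() {
    grub_file=$1
    want=$2
    line=$(grep -E '^GRUB_CMDLINE_LINUX=' "$grub_file" | tail -n 1)
    [ -n "$line" ] || { echo "GRUB_CMDLINE_LINUX is not set" >&2; return 1; }
    # An empty capture means the UUID variable was empty when sed was run.
    got=$(printf '%s\n' "$line" |
        sed -n 's/.*cryptdevice=UUID=\([0-9A-Fa-f-]*\):.*/\1/p')
    [ -n "$got" ] || { echo "cryptdevice=UUID=<uuid>:<name> missing or empty" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "UUID mismatch: $got (want $want)" >&2; return 1; }
}

# hook_index CONF HOOK
# Prints the 1-based position of HOOK in the active HOOKS=(...) line.
hook_index() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | tail -n 1)
    i=0
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    return 1
}

# check_hook_order CONF
# Enforces the two ordering rules from step 11.
check_hook_order() {
    conf=$1
    kb=$(hook_index "$conf" keyboard) && ad=$(hook_index "$conf" autodetect) &&
        en=$(hook_index "$conf" encrypt) && fs=$(hook_index "$conf" filesystems) ||
        { echo "a required hook is missing from HOOKS" >&2; return 1; }
    [ "$kb" -lt "$ad" ] || { echo "keyboard must precede autodetect" >&2; return 1; }
    [ "$en" -lt "$fs" ] || { echo "encrypt must precede filesystems" >&2; return 1; }
}

# Usage inside the chroot (device name as used in this guide):
#   check_cryptdevice /etc/default/grub "$(cryptsetup luksUUID /dev/sdY3)"
#   check_hook_order /etc/mkinitcpio.conf
```

Both checks return non-zero and print the reason on stderr, so they can gate grub-mkconfig in a script.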

12 - Install GRUB

UEFI

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --removable --recheck

Installs GRUB for UEFI systems.

  • --efi-directory=/boot specifies the EFI system partition.
  • --bootloader-id=GRUB names the boot entry.
  • --removable makes it bootable on removable media.
  • --recheck ensures device detection is refreshed.

Legacy BIOS

grub-install --target=i386-pc --boot-directory=/boot /dev/sdY

Installs GRUB for BIOS systems.

  • --boot-directory=/boot specifies where GRUB files go.
  • Replace /dev/sdY with your actual target disk.

Warning: Make sure to install for both UEFI and Legacy modes to ensure the USB boots on both.

Generate GRUB configuration

grub-mkconfig -o /boot/grub/grub.cfg

Automatically generates the GRUB configuration file, detecting all kernels and operating systems.

Warning: Make sure to replace sdY with your actual device. Installing GRUB to the wrong device can prevent your system from booting.

13 - Networking, Hosts, and DNS

systemctl enable systemd-networkd

Enables the systemd network service at boot, which manages network interfaces automatically.

systemctl enable systemd-resolved

Provides DNS resolution and caching for the system, required for hostname lookups and internet connectivity.

systemctl enable NetworkManager

Enables NetworkManager, a higher-level tool to manage wired, wireless, and VPN connections with CLI or GUI tools.

host=$(cat /etc/hostname)
sh -c "printf '127.0.0.1   localhost\n::1   localhost\n127.0.1.1   $host.localdomain   $host\n' > /etc/hosts"

Maps hostnames to IP addresses locally. This ensures your system can resolve its own hostname and loopback addresses without querying DNS.

sh -c 'printf "nameserver 8.8.8.8\nnameserver 1.1.1.1\n" >> /etc/resolv.conf'

/etc/resolv.conf – Adds public DNS servers (Google and Cloudflare) for name resolution. This ensures the system can resolve domain names on the internet.

14 - Desktop Environment (optional)

pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter network-manager-applet \
	  bluez bluez-utils wget curl git xdg-utils gvfs openssh alsa-utils \
	  pipewire pipewire-pulse pavucontrol wireplumber unzip ntfs-3g rsync \
	  noto-fonts-emoji noto-fonts-cjk noto-fonts-extra chromium arch-install-scripts \
	  gparted reflector cups

  • xfce4 – XFCE desktop environment.
  • xfce4-goodies – Additional XFCE plugins and tools.
  • lightdm – Display manager for graphical login.
  • lightdm-gtk-greeter – GTK-based login screen for LightDM.
  • network-manager-applet – GUI for managing network connections.
  • bluez – Bluetooth protocol stack.
  • bluez-utils – Bluetooth utilities for managing devices.
  • wget – Command-line file downloader.
  • curl – Command-line tool for transferring data with URLs.
  • git – Version control system.
  • neofetch – Displays system information in terminal.
  • xdg-utils – Desktop integration utilities.
  • gvfs – Virtual filesystem support for desktop apps.
  • openssh – SSH client and server.
  • alsa-utils – ALSA audio utilities.
  • pipewire – Multimedia server for audio/video.
  • pipewire-pulse – PulseAudio compatibility layer for PipeWire.
  • pavucontrol – GUI volume control for PulseAudio/PipeWire.
  • wireplumber – PipeWire session manager.
  • unzip – Extract ZIP archives.
  • ntfs-3g – NTFS filesystem support.
  • rsync – File synchronization tool.
  • noto-fonts-emoji, noto-fonts-cjk, noto-fonts-extra – Much-needed fonts to include extra characters for different languages.
  • arch-install-scripts – Scripts to aid in installing Arch Linux on other systems.
  • gparted – A Partition Magic clone.
  • reflector – Updates/optimizes Arch Linux mirrors for faster package downloads.
  • cups – A printing system.

These packages install XFCE, essential utilities, audio/video support, network management, Bluetooth, and common CLI tools for daily usage.

systemctl enable lightdm

Starts the display manager automatically at boot, providing a login screen.

systemctl enable bluetooth

Starts the Bluetooth service automatically at boot for device pairing and management.

systemctl enable cups

Starts the printing service automatically at boot.

15 - Finish

exit

exit – Leaves the chroot environment, returning to the live installer system.

umount -R /mnt

Recursively unmounts all partitions mounted under /mnt, ensuring no filesystems are left mounted before shutdown.

poweroff

Shuts down the installer system safely. After this, you can remove the installation media and boot your new system.

Warning: Remove the installer USB. Keep the target USB plugged in and boot from it. You should see the GRUB menu, then be prompted for your LUKS passphrase.

16 - Post Installation

After booting into the installed system, we need to perform some post-installation configuration.

After logging in and opening a terminal (if you are using a DE/WM), switch to the root user for the next steps:

sudo su

Enter your password and go to the home directory with:

cd

Next, configure the systemd-journald settings to store logs in RAM, reducing unnecessary writes to the USB stick.

mkdir /etc/systemd/journald.conf.d

Create the configuration file:

nano /etc/systemd/journald.conf.d/usbstick.conf

Add the following lines to the file:

[Journal]
Storage=volatile
RuntimeMaxUse=30M

Save the file and exit.

The next step is to install drivers. The Arch Wiki recommends using open-source drivers instead of proprietary ones:

Ensure you are connected to the internet. If using Wi-Fi, run nmtui to connect; if using Ethernet, you should be connected automatically.

pacman -S xf86-video-vesa xf86-video-ati xf86-video-intel xf86-video-amdgpu xf86-video-nouveau

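Let's set up yay, the AUR helper. makepkg refuses to run as root, so leave the root shell first (exit) and run the following as your regular user.

cd /tmp/ && git clone https://aur.archlinux.org/yay
cd yay/ && makepkg -si --noconfirm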

And now you can just use yay instead of pacman.

yay -Syu
yay -S fastfetch
fastfetch

After that, reboot, and that’s it—you can now use your USB stick on any computer.

Et voilà! You now have a portable, encrypted Arch Linux on USB.