Ever since I started using Arch I’ve been struggling to set up and configure a system with all of these. And now that I’ve finally done it, I’d like to document and simplify the process for everyone, so here’s how I did it:

Step 1: The base install

This is the most common part (unless you only used archinstall), I mixed a couple of tutorials (credits in the comments) and a bit of the Arch Wiki, we’re at the tip of the iceberg, and where everything is really well documented.


(If you depend on wifi) First, configure your wifi with iwctl;
Syncing the system clock:
timedatectl set-ntp true;
Now let´s create your system partitions:
gdisk /dev/sda
(The drive name can be different if you use a NVME SSD, but you can find out using the command lsblk):

  • Create new partition table:
    Command (? for help): o
    Create an EFI partition (choose the defaults for the partition number and first sector, +550M for the last sector and hex code EF00):
    Command (? for help): n
    Create a root partition (adopt the default values):
    Command (? for help): n
    Write the new partitions to disk:
    Command (? for help): w

Create an encrypted container for the root file system (you need to define a passphrase):
cryptsetup luksFormat /dev/sda2
Open the container (“luks” is a placeholder, you can use some name you like, but remember to adopt the subsequent steps of the guide accordingly):
cryptsetup open /dev/sda2 luks

Format the EFI partition with FAT32:
mkfs.vfat -F32 /dev/sda1
Format the root partition with BTRFS:
mkfs.btrfs /dev/mapper/luks

Create subvolumes for root and home (since we’ll be using Timeshift for the snapshot capabilities):
mount /dev/mapper/luks /mnt

btrfs sub create /mnt/@

btrfs sub create /mnt/@home

umount /mnt

Mount the subvolumes
mount -o noatime,nodiratime,compress=zstd:1,space_cache,ssd,subvol=@ /dev/mapper/luks /mnt

mkdir -p /mnt/{boot,home}

mount -o noatime,nodiratime,compress=zstd:1,space_cache,ssd,subvol=@home /dev/mapper/luks /mnt/home

mount /dev/sda1 /mnt/boot

Install the basic system packages (adjust this list to your needs, in my case I went with linux-zen, so that’s what I’ll be using for this guide):
pacstrap /mnt linux-zen linux-firmware base base-devel btrfs-progs intel-ucode nano

(If you have an AMD CPU you need to install amd-ucode instead of intel-ucode);

Generate /etc/fstab:
genfstab -U /mnt >> /mnt/etc/fstab

Time to chroot into the system:
arch-chroot /mnt/

Time to create an user and a password, first the root password:

Now, create a user:
useradd -mG wheel <YOUR-USERNAME>

Now edit the sudoers file to give your user sudo permissions (you can use your preferred text editor, but I’ll go with nano, since it’s easier):
EDITOR=nano visudo

And uncomment this line:

##Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

And now a password for your user:

Set your host name:
echo <YOUR-HOSTNAME> > /etc/hostname

Uncomment the following rows of /etc/locale.gen:
en_US.UTF-8 UTF-8

Set locale:
echo LANG=<YOUR-LANAGUAGE>.UTF-8 > /etc/locale.conf

Generate locale:

Now let’s find out your timezone:
timedatectl list-timezones | less
timedatectl list-timezones | grep <YOUR-REGION>
(if you already have an idea of the region your system uses);

Set time zone:
ln -sf /usr/share/zoneinfo/<YOUR-REGION>/<YOUR-ZONE> /etc/localtime

Now it’s time to sync your system clock with your timezone: hwclock --systohc

Define hosts in /etc/hosts:
nano /etc/hosts localhost
::1 localhost <YOUR-HOSTNAME>.localdomain <YOUR-HOSTNAME>

Configure the creation of initramfs:
nano /etc/mkinitcpio.conf
Change the line HOOKS=… to:\

HOOKS=“base keyboard udev autodetect modconf block keymap encrypt btrfs filesystems”

Recreate initramfs:
mkinitcpio -P

And now let’s install some other useful packages for your system:
pacman -S linux-zen-headers networkmanager dialog wpa_supplicant mtools dosfstools git xdg-utils xdg-user-dirs alsa-utils pipewire pipewire-alsa pipewire-pulse apparmor sbctl

You can also install:

  • bash-completion if you don’t intend on changing your shell and want some nice QoL features on your terminal;
  • network-manager-applet if you depend on wifi, but you can uninstall it after installing your DE/WM;
  • bluez and bluez-utils if you have bluetooth support in your system;
  • cups and hplip if you have a printer, with the latter just needed if you have a HP printer;

After the installation enable the services for some of the packages you installed: systemctl enable NetworkManager apparmor (bluetooth cups - optional)

And now let’s configure systemd-boot!

Step 2: Installing the bootloader

This is also pretty simple and well documented, let’s configure the bootloader and add the kernel parameters needed for apparmor to work.


Install systemd-boot:
bootctl --path=/boot install

Grab the UUID of the root partition:
blkid -s UUID -o value /dev/sda2

Create file /boot/loader/entries/arch.conf and fill it with:

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID-OF-ROOT-PARTITION>:luks:allow-discards root=/dev/mapper/luks rootflags=subvol=@ rd.luks.options=discard rw quiet lsm=lockdown,yama,apparmor,bpf

Edit file /boot/loader/loader.conf and add:

default arch.conf
editor no

Exit chroot, unmount partitions and reboot:

umount -a

Step 3: Installing your desktop environment/window manager

This part can be optional if you want to look like a L33T hax0rz and use your system without a graphical interface, but for most this will be too varied because it completely depends on the DE/WM you want. In my case I went with GNOME, so I’ll leave an install guide for it here.

Step 4: Checking Apparmor and installing Timeshift

Before going to the tougher shit, let’s deal with AppArmor, which we installed before, and installing Timeshift.


First, let’s check if Apparmor is working properly with aa-enabled, to see if it’s running, and with sudo aa-status, to see if it’s properly loading the profiles. If it is you should get a prompt like this, where is filled with the profiles it loads:

apparmor module is loaded.
44 profiles are loaded.
44 profiles are in enforce mode.

0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

If it shows this, you’re good to go. You can also get more profiles from /usr/share/apparmor/extra-profiles, but those are generally not recommended for not being as matured, potentially causing some issues.

So now, let’s install Timeshift for backups. It isn’t yet available in Arch’s official repos, only in the Arch User Repository. So you can either download it:

  • Directly from the AUR by using:

git clone https://aur.archlinux.org/packages/timeshift/
cd timeshift
makepkg -si PKGBUILD

This is the way Arch devs recommend, but the disadvantage is having to manually track and download updates for the packages you download from the AUR. And that’s where AUR helpers come in.

  • By using an AUR helper (in my case paru, but you can also use yay, or pamac-aur, if you want a graphical interface):

First, download the AUR helper and install it the same way as shown above:
git clone https://aur.archlinux.org/packages/paru/
cd paru
makepkg -si PKGBUILD

Then, after installed, you can use it just like pacman (without even needing to use sudo before it, you will get the super user prompt):
paru -S timeshift

  • Or by adding a third-party repository in your pacman.conf, in this case the Chaotic-AUR repo, and then, after using sudo pacman -Syu you can just: sudo pacman -S timeshift

You just need to open and go through the step-by-step process of configuring it, and select BTRFS as the backup type. It couldn’t be easier. So now, let’s get to the tough shit. Secure Boot.

Step 5: Secure Boot

Now it’s the part where it isn’t as well documented and people start having trouble with. If you try to do it manually, following the Arch Wiki, you might have a lot of trouble depending on your system.


We already installed sbctl in step 1, so let’s use it.
First, in your system BIOS there should be an option to delete all keys in the system. After that enable Secure Boot and when you reboot you should see something like this with the sbctl status command:

==> WARNING: Setup Mode: Enabled
==> WARNING: Secure Boot: Disabled

Now you just need to follow its instructions in the GitHub page.
BUT you can face errors, specially during sbctl enroll-keys, as it was in my case. And in that case you might need to install efitools and manually enroll your keys with this command in this order:
efi-updatevar -f /usr/share/secureboot/keys/db/db.auth db
efi-updatevar -f /usr/share/secureboot/keys/KEK/KEK.auth KEK
efi-updatevar -f /usr/share/secureboot/keys/PK/PK.auth PK

After that don’t forget to sign your bootloader and your /vmlinuz-linux(-zen in this case, since we installed the zen kernel). After that it should just work. The project isn’t 100% perfect, but it can get you 90% of the way in 10% of the time it would take you to do it manually.

And with that you’re done! Enjoy your system!


Credits and references

Most of this guide formatting I took from this, but it wasn’t a properly guide for the newbie, so I tried improving it: https://nerdstuff.org/posts/2020/2020-004_arch_linux_luks_btrfs_systemd-boot/

What it lacks I took from this tutorial (give his channel some love if you can): https://odysee.com/@EF-TechMadeSimple:3/arch-linux-install-january-2021-iso-2:a

And the rest I pretty much found by myself and/or the Arch Wiki.

Had to post this part here since the guide reached the character limit for posts here, even had to rush a bit in the end, but any doubts or issues I can try to help.

The beloved lightweight distro

  • 0 users online
  • 2 users / day
  • 2 users / week
  • 11 users / month
  • 31 users / 6 months
  • 799 subscribers
  • 40 Posts
  • Modlog