Imagine having a fully functional Arch Linux system on a USB—customized, secure, and ready to boot on any computer. In this guide, I’ll show you how to install Arch Linux on a USB and set up a persistent USB drive with Btrfs and LUKS encryption. With this setup, you can create a versatile portable OS for secure computing, system recovery, or even daily use, all while keeping your data protected.
What You’ll Learn in This Guide:
- True Persistence: Unlike traditional live USBs, this setup retains installed software, settings, and files across reboots.
- Btrfs for Performance & Reliability: Benefit from compression, efficient storage management, and built-in snapshots for data integrity.
- LUKS Encryption for Security: Protect your sensitive data in case of loss or theft.
- LTS Kernel for Stability: Use the long-term support (LTS) kernel for a reliable, low-maintenance experience across multiple machines.
- No Swap to Extend USB Lifespan: Avoid excessive write cycles that degrade USB drives while keeping performance smooth.
- XFCE for a Lightweight Desktop: Get a fast, responsive interface that works well even on older hardware.
- Universal Compatibility with GRUB: Ensure your USB boots on both UEFI and BIOS systems.
Whether you need a secure workspace, a portable development environment, or a powerful rescue disk, this guide will walk you through every step of setting up Arch Linux on a USB drive with persistence, Btrfs, LUKS encryption, and more.
Let’s dive in!
Table of Contents
- Step 1: Prepare Arch Linux Installation Media
- Step 2: Boot into Arch Live & Set Up Networking
- Step 3: Create Partitions and Encrypt the Root Partition
- Step 4: Create and Mount Btrfs Subvolumes
- Step 5: Install the Base System
- Step 6: Setup Locale
- Step 7: Create User Account & Configure sudo
- Step 8: Configure GRUB for Dual UEFI and Legacy BIOS Boot
- Step 9: Enable Networking & Bluetooth
- Step 10: Install XFCE and Essential Applications
- Step 11: Finalize Installation and Reboot
- Step 12: Boot and Enjoy Your Portable Arch Linux
Step 1: Prepare Arch Linux Installation Media
First, download the latest Arch Linux ISO from the official website and verify its checksum to ensure file integrity. Obtain the checksum file sha256sums.txt
from the same page, open a terminal, navigate to the directory containing the ISO, and run:
$ sha256sum archlinux-*.iso
Compare the output with the official checksum. If they match, the file is intact and safe to use.
Required USB Drives
To install Arch Linux on a USB drive with persistent storage, you need two USB devices:
- One USB to create a bootable Arch Linux Live ISO.
- Another USB for installing Arch Linux with persistent storage.
Why Use a Separate USB for the Arch Linux Live Environment?
Using the Arch Linux Live Environment for installation offers several advantages over installing from an existing Linux system:
- Clean Installation – Avoids interference from the current system’s configurations.
- Preinstalled Tools – Includes all necessary utilities for installation.
- Better Compatibility – Prevents kernel and bootloader conflicts with the running OS.
Creating a Bootable USB
On Windows:
Use Rufus and configure the following:
- Partition scheme: GPT
- File system: FAT32
- Mode: DD Image mode
On Linux/macOS:
Run the following command:
$ sudo dd if=archlinux.iso of=/dev/sdX bs=4M conv=fdatasync status=progress
Replace sdX
with the correct USB device.
Warning: Double-check the target device using
lsblk
before runningdd
, as it will erase all data on the selected drive without confirmation.
What If You Only Have One USB Drive?
If you don’t have two USB drives, you can install Arch Linux in a virtual machine (VM) using KVM with Virt-Manager. KVM (Kernel-based Virtual Machine) allows you to create a virtualized Arch Linux Live Environment, which can install directly onto your USB.
- Create a new virtual machine in Virt-Manager.
- Select the Arch Linux ISO as the installation media.
- Allocate at least 2-4 GB of RAM (or more if available).
- Set any disk size (this won’t be used for installation).
- Check “Customize configuration before install” in the final step of the wizard.
- In the customization window, click “Add Hardware” (bottom left).
- Select “USB Host Device” from the left panel.
- Choose the USB drive where you want to install Arch Linux.
- Click “Begin Installation” to start the VM.
Now, you can use the virtual machine to boot into the Arch Linux Live Environment and install Arch Linux on your portable USB drive.
If KVM virtualization isn’t installed on your distro and you’d like to set it up, check out my blog: 'How to Properly Install KVM on Linux.'
Step 2: Boot into Arch Live & Set Up Networking
Insert the bootable Arch Linux USB drive into your computer and boot from it. You may need to enter the BIOS/UEFI boot menu by pressing F2
, F12
, or ESC
during startup, then select the USB drive as the boot device.
Important: Secure Boot must be disabled in your BIOS/UEFI settings for the Arch Linux ISO to boot successfully.
Check Internet Connection (Wired or Wireless)
First, check if you are already connected:
# ping -c 4 archlinux.org
- If you see replies, your internet is working.
- If you get "unknown host" or "network unreachable", check your network interfaces.
Check Available Network Interfaces
List all active network interfaces:
# ip link
Look for:
eth0
orenpXsY
→ Wired (Ethernet)wlan0
orwlpXsY
→ Wireless (Wi-Fi)
If using Ethernet, your connection should be active if DHCP is enabled. Otherwise, try:
# dhcpcd eth0
(Replace eth0
with your actual interface name.)
Check for Wi-Fi Availability
Run the following command to check for Wi-Fi adapters:
# iwctl device list
If wlan0
or another wireless device appears, proceed.
Scan for Wi-Fi Networks
# iwctl station wlan0 scan
# iwctl station wlan0 get-networks
This will display available networks.
Connect to Wi-Fi
Connect to your Wi-Fi network (replace "WiFi-Name"
with your SSID):
# iwctl station wlan0 connect "WiFi-Name"
Verify Connection & Get IP Address
Test your internet connection again:
# ping -c 4 archlinux.org
Check your IP address:
# ip addr show wlan0 # For Wi-Fi
# ip addr show eth0 # For Ethernet
If connected, an IP address will be displayed.
You are now connected and ready to install Arch Linux!
Step 3: Create Partitions and Encrypt the Root Partition
To create a secure and portable Arch Linux installation, I will set up the required partitions and encrypt the root partition using LUKS.
Partition Layout:
Partition | Size | Type | Filesystem | Mount Point |
---|---|---|---|---|
BIOS Boot Partition | 1 MiB | EF02 | None | None |
EFI System Partition | 512 MiB | EF00 | vfat (FAT32) | /boot |
Root Partition (/) | Rest of USB | 8300 | btrfs | / |
Explanation:
- The BIOS Boot Partition (
EF02
) is needed for legacy BIOS booting with GRUB. - The EFI System Partition (
EF00
) stores the bootloader for UEFI systems. - The Root Partition (
8300
) is where Arch Linux will be installed using Btrfs.
This ensures the USB is bootable on both UEFI and BIOS systems while keeping data organized.
First, determine the device name of the USB drive where you plan to install portable Arch Linux.
# lsblk -pd
In this guide, I will use /dev/sdc
as the USB drive for installing portable Arch Linux. Make sure to replace /dev/sdc
with your actual device name to avoid data loss.
I will be using an 8GB USB drive, but the more capacity, the better for storing additional files.
Wipe the entire USB drive:
⚠ WARNING: The following command will completely erase the USB drive, including all data, partition tables, bootloaders, and filesystem metadata. Double-check the device name (
/dev/sdc
) before proceeding!
# wipefs --all /dev/sdc
# sgdisk --zap-all /dev/sdc
Create the Required Partitions:
# sgdisk -n 1:2048:+1M -t 1:EF02 -c 1:"BIOS Boot" /dev/sdc # 1 MiB BIOS Boot Partition
# sgdisk -n 2:0:+512M -t 2:EF00 -c 2:"EFI System" /dev/sdc # 512 MiB EFI Partition
# sgdisk -n 3:0:0 -t 3:8300 -c 3:"Linux Root" /dev/sdc # Remaining space for Root
Check the partition table. The expected output should appear similar to this:
# sgdisk -p /dev/sdc
...
...
Number Start (sector) End (sector) Size Code Name
1 2048 4095 1024.0 KiB EF02 BIOS Boot
2 4096 1052671 512.0 MiB EF00 EFI System
3 1052672 15182750 6.7 GiB 8300 Linux Root
Format the EFI partition as FAT32:
# mkfs.vfat -F 32 -n ESP /dev/sdc2
Now, encrypt the root partition with LUKS2:
# cryptsetup luksFormat --type luks2 --label ARCH_LUKS /dev/sdc3
You will be asked to type YES in uppercase to confirm. Next, enter a strong password twice for encryption.
After encryption, open the LUKS container:
# cryptsetup open /dev/sdc3 cryptroot
Now, format the unlocked partition as Btrfs:
# mkfs.btrfs -L ARCH /dev/mapper/cryptroot
This completes the partitioning and encryption step. Now, you can proceed with mounting and installing Arch Linux.
Step 4: Create and Mount Btrfs Subvolumes
In this step, I will set up Btrfs subvolumes to separate system and user data. Using subvolumes helps keep different parts of the filesystem organized, making it easier to manage and reinstall the system without affecting personal files.
Create Btrfs Subvolumes:
# mount -v /dev/mapper/cryptroot /mnt
# btrfs subvolume create /mnt/@
# btrfs subvolume create /mnt/@home
# umount -v /mnt
/mnt/@
→ Root subvolume/mnt/@home
→ Home subvolume
Now, mount the created subvolumes properly:
# mount -vo rw,relatime,compress=zstd:3,ssd,discard=async \
-o subvol=@ /dev/mapper/cryptroot /mnt
# mkdir -vp /mnt/{home,boot}
# mount -vo rw,relatime,compress=zstd:3,ssd,discard=async \
-o subvol=@home /dev/mapper/cryptroot /mnt/home
# mount -v /dev/sdc2 /mnt/boot
- The root filesystem (@) is mounted at
/mnt
. - The home subvolume (@home) is mounted at
/mnt/home
. - The EFI partition (
/dev/sdc2
) is mounted at/mnt/boot
.
Why Not noatime
or dirnoatime
?
relatime
is the best middle ground—it avoids excessive writes while keeping some access-time updates useful for applications likersync
and some software logs.noatime
anddirnoatime
are more aggressive and can break certain software behaviors that rely on access times.
Your setup should look something like this:
# lsblk -p -o name,fstype,uuid,mountpoints /dev/sdc
NAME FSTYPE UUID MOUNTPOINTS
/dev/sdc
├─/dev/sdc1
├─/dev/sdc2 vfat EEF5-53D4 /mnt/boot
└─/dev/sdc3 crypto_LUKS 5f635c9b-164d-4218-ad44-d3ab59b9c490
└─/dev/mapper/cryptroot btrfs 0929448a-10e9-46d9-97ed-961ff8cff083 /mnt/home
/mnt
With this setup, the system files and home directory are stored separately, making upgrades or reinstallations more manageable while keeping user data intact.
Step 5: Install the Base System
In this step, I will install the core Arch Linux system along with the LTS kernel for stability. This includes essential system utilities needed for a functional installation before configuring the environment.
Install the base system, LTS kernel, and essential utilities:
# pacstrap -K /mnt base base-devel linux-lts linux-lts-headers \
linux-firmware btrfs-progs vim nano sudo
For a portable Arch Linux on USB, the LTS kernel is generally the better choice. Here's why:
- Stability – Less frequent updates, reducing the risk of breakage.
- Long-Term Support – Ideal for a system that needs reliability across multiple devices.
- Better Compatibility – Works well with older and newer hardware without frequent patches.
Generate the fstab file:
# genfstab -U /mnt >> /mnt/etc/fstab
Chroot into the new system:
# arch-chroot /mnt
Step 6: Setup Locale
Now, I will configure the hostname, timezone, and locale settings to ensure the system runs with the correct regional and network configurations. I will use New York, USA as an example, but you can set it for any locale based on your preference.
Set the hostname:
# echo "arch-usb" > /etc/hostname
Set up the timezone:
# ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
# hwclock --systohc
Configure locale. Uncomment en_US.UTF-8 UTF-8
in /etc/locale.gen
:
# sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
# locale-gen
Set locale:
# echo "LANG=en_US.UTF-8" > /etc/locale.conf
Step 7: Create User Account & Configure sudo
In this step, I will create a regular user account with administrative privileges in addition to the root account. This enhances security and provides a safer way to manage the system without directly using the root user for daily tasks.
Set the root password:
# passwd
Create a regular user (replace madhu
with your own username):
# useradd -m -G wheel -s /bin/bash madhu
# passwd madhu
Verify the user was created and check group memberships:
# id madhu
uid=1000(madhu) gid=1000(madhu) groups=1000(madhu),998(wheel)
Enable sudo for the user (replace madhu
with your own username):
# echo "madhu ALL=(ALL) ALL" > /etc/sudoers.d/00_madhu
# chmod 440 /etc/sudoers.d/00_madhu
- This grants sudo privileges only to
madhu
. - The file permissions are set to read-only to prevent unauthorized changes.
This method is safer than modifying /etc/sudoers
directly, as it ensures only the intended user gets sudo access.
Step 8: Configure GRUB for Dual UEFI and Legacy BIOS Boot
To ensure the USB drive can boot on both UEFI and Legacy BIOS systems, I will install GRUB as the bootloader. This ensures broad compatibility across different machines.
Run the following command to install GRUB and necessary utilities:
# pacman -S grub efibootmgr dosfstools os-prober mtools
Enable GRUB Cryptodisk Support:
Edit /etc/default/grub
to enable GRUB’s cryptodisk feature:
# nano /etc/default/grub
Uncomment the following line:
GRUB_ENABLE_CRYPTODISK=y
Configure GRUB to Unlock the Encrypted Root Partition. Add the cryptdevice parameter in the GRUB_CMDLINE_LINUX
line:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=5f635c9b-164d-4218-ad44-d3ab59b9c490:root rootfstype=btrfs"
(Replace <UUID>
with the output of cryptsetup luksUUID /dev/sdc3
of your device.)
Ensure Early USB Support for Reliable Booting:
Since the system is installed on a USB drive, we need to ensure the kernel initializes USB devices early in the boot process. Without this, some systems may fail to recognize the USB drive during boot.
Edit /etc/mkinitcpio.conf
:
# nano /etc/mkinitcpio.conf
Modify the MODULES
line to include essential USB and Btrfs support:
MODULES=(btrfs usb_storage usbhid xhci_pci ehci_pci)
This MODULES
line ensures essential drivers are preloaded in the initramfs for proper system functionality:
btrfs
→ Enables support for the Btrfs filesystem, required if the root filesystem is on Btrfs.usb_storage
→ Allows the system to recognize USB storage devices, crucial for booting from a USB drive.usbhid
→ Supports USB human interface devices (HID) like keyboards and mice.xhci_pci
→ Provides support for USB 3.0 (xHCI) controllers, ensuring compatibility with modern USB ports.ehci_pci
→ Supports USB 2.0 (EHCI) controllers, ensuring older USB devices work correctly.
Update the HOOKS
line as shown below to ensure support for keyboard input and disk encryption. Move keyboard before autodetect and insert encrypt after block:
HOOKS=(base udev keyboard autodetect microcode modconf kms keymap consolefont block encrypt filesystems fsck)
Here’s why each modification is necessary:
- Move
keyboard
beforeautodetect
- Ensures that keyboard drivers are included before hardware detection runs.
- This is crucial for encrypted setups, as users need to enter a LUKS passphrase early in the boot process.
- If
keyboard
is placed afterautodetect
, some keyboard modules might not be included in the initramfs, making it impossible to enter the decryption password.
- Add
encrypt
afterblock
- The
encrypt
hook is responsible for unlocking LUKS-encrypted partitions during boot. - Placing it after
block
ensures that block devices (disks and partitions) are detected before attempting decryption. - If
encrypt
is added too early or omitted, the system won't prompt for the LUKS passphrase, preventing booting into the OS.
- The
Regenerate the initramfs:
# mkinitcpio -P
This prevents boot failures on different systems by ensuring early USB support in the boot process.
Install GRUB for Both UEFI and BIOS Systems
To support both boot modes, install GRUB as follows:
# grub-install --target=x86_64-efi --efi-directory=/boot --removable --recheck
# grub-install --target=i386-pc --boot-directory=/boot /dev/sdc
--removable
:
This option installs GRUB in a way that makes the device bootable on multiple computers. It places the bootloader in the default fallback location (/boot/EFI/BOOT/BOOTX64.EFI
for x86_64 systems) instead of a vendor-specific directory like/boot/EFI/arch/grubx64.efi
. This ensures that the system can boot even if the firmware does not recognize a vendor-specific boot entry.--recheck
:
This forcesgrub-install
to scan for available disk devices again, even if they were previously detected. It helps avoid issues where GRUB does not properly recognize the disk or partition layout.
Generate GRUB config:
# grub-mkconfig -o /boot/grub/grub.cfg
This setup ensures that the USB drive can boot on both UEFI and Legacy BIOS systems, while also enabling early USB support and encryption handling.
Step 9: Enable Networking & Bluetooth
To ensure seamless connectivity on your Arch Linux USB installation, you need to enable networking and Bluetooth. This step configures systemd-networkd and systemd-resolved for network management and installs BlueZ for Bluetooth support. Enabling these services ensures they start automatically on boot.
Enable systemd-networkd:
# pacman -S network-manager-applet
# systemctl enable systemd-networkd
# systemctl enable systemd-resolved
# systemctl enable NetworkManager
Enable Bluetooth:
# pacman -S bluez bluez-utils
# systemctl enable bluetooth
Step 10: Install XFCE and Essential Applications
To set up a lightweight and functional desktop environment, you need the XFCE desktop environment along with essential software. This step includes installing XFCE, setting up the LightDM display manager, a web browser, general utilities, rescue tools, and minimal office applications. These packages ensure a smooth user experience while keeping the system lightweight and efficient. You can install all recommended packages or skip the ones you don’t need based on your requirements.
Install XFCE Desktop (Approx. 760 MiB)
Install XFCE along with the LightDM display manager:
# pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter
# systemctl enable lightdm
Install Web Browser (Approx. 450 MiB)
# pacman -S firefox
Install General-Purpose Utilities (Approx. 220 MiB)
These utilities provide essential tools for system management, networking, and compression.
# pacman -S --needed \
wget curl git neofetch \
xdg-utils gvfs \
man-db man-pages bash-completion \
iwd wireless_tools wpa_supplicant openssh \
pulseaudio pavucontrol alsa-utils \
xarchiver unzip zip tar p7zip \
python python-pip
Install Essential Rescue Tools (Approx. 65 MiB)
These tools help with disk management, system recovery, and hardware diagnostics.
# pacman -S --needed \
gparted ntfs-3g exfat-utils \
rsync clonezilla testdisk \
smartmontools lsof lshw \
inxi hwinfo usbutils
Install Minimal Office Applications (Approx. 150 MiB)
For basic document editing and PDF viewing.
# pacman -S abiword evince
Step 11: Finalize Installation and Reboot
In this final step, you will exit the chroot environment, unmount all partitions, and reboot your system. This completes the installation, allowing you to boot into your portable Arch Linux USB on any compatible computer.
Exit chroot, unmount partitions, and reboot
# exit
# umount -vR /mnt
# reboot
Step 12: Boot and Enjoy Your Portable Arch Linux

Congratulations! You now have a fully functional, secure, portable Arch Linux USB with persistence, Btrfs, LUKS encryption, and a lightweight XFCE desktop. This setup ensures that your operating system is stable, secure, and bootable on multiple machines, making it perfect for secure computing, system recovery, or everyday use.
Now that your installation is complete, here are some next steps:
- Explore Arch Linux: Learn package management with
pacman
and customize your system. - Create Snapshots: Use Btrfs snapshots with Snapper for quick system rollbacks.
- Enhance Security: Set up firewalld or ufw for additional protection.
If you run into any issues or have questions, feel free to comment on the blog post. Your feedback helps improve this guide, and I’ll be happy to assist!
Happy computing!