Imagine having a fully functional Arch Linux system on a USB—customized, secure, and ready to boot on any computer. In this guide, I’ll show you how to install Arch Linux on a USB and set up a persistent USB drive with Btrfs and LUKS encryption. With this setup, you can create a versatile portable OS for secure computing, system recovery, or even daily use, all while keeping your data protected.

What You’ll Learn in This Guide:

  • True Persistence: Unlike traditional live USBs, this setup retains installed software, settings, and files across reboots.
  • Btrfs for Performance & Reliability: Benefit from compression, efficient storage management, and built-in snapshots for data integrity.
  • LUKS Encryption for Security: Protect your sensitive data in case of loss or theft.
  • LTS Kernel for Stability: Use the long-term support (LTS) kernel for a reliable, low-maintenance experience across multiple machines.
  • No Swap to Extend USB Lifespan: Avoid excessive write cycles that degrade USB drives while keeping performance smooth.
  • XFCE for a Lightweight Desktop: Get a fast, responsive interface that works well even on older hardware.
  • Universal Compatibility with GRUB: Ensure your USB boots on both UEFI and BIOS systems.

Whether you need a secure workspace, a portable development environment, or a powerful rescue disk, this guide will walk you through every step of setting up Arch Linux on a USB drive with persistence, Btrfs, LUKS encryption, and more.

Let’s dive in!

Table of Contents

Step 1: Prepare Arch Linux Installation Media

First, download the latest Arch Linux ISO from the official website and verify its checksum to ensure file integrity. Obtain the checksum file sha256sums.txt from the same page, open a terminal, navigate to the directory containing the ISO, and run:

$ sha256sum archlinux-*.iso

Compare the output with the official checksum. If they match, the file is intact and safe to use.

Required USB Drives

To install Arch Linux on a USB drive with persistent storage, you need two USB devices:

  1. One USB to create a bootable Arch Linux Live ISO.
  2. Another USB for installing Arch Linux with persistent storage.

Why Use a Separate USB for the Arch Linux Live Environment?

Using the Arch Linux Live Environment for installation offers several advantages over installing from an existing Linux system:

  • Clean Installation – Avoids interference from the current system’s configurations.
  • Preinstalled Tools – Includes all necessary utilities for installation.
  • Better Compatibility – Prevents kernel and bootloader conflicts with the running OS.

Creating a Bootable USB

On Windows:

Use Rufus and configure the following:

  • Partition scheme: GPT
  • File system: FAT32
  • Mode: DD Image mode

On Linux/macOS:

Run the following command:

$ sudo dd if=archlinux.iso of=/dev/sdX bs=4M conv=fdatasync status=progress

Replace sdX with the correct USB device.

Warning: Double-check the target device using lsblk before running dd, as it will erase all data on the selected drive without confirmation.

What If You Only Have One USB Drive?

If you don’t have two USB drives, you can install Arch Linux in a virtual machine (VM) using KVM with Virt-Manager. KVM (Kernel-based Virtual Machine) allows you to create a virtualized Arch Linux Live Environment, which can install directly onto your USB.

  1. Create a new virtual machine in Virt-Manager.
  2. Select the Arch Linux ISO as the installation media.
  3. Allocate at least 2-4 GB of RAM (or more if available).
  4. Set any disk size (this won’t be used for installation).
  5. Check “Customize configuration before install” in the final step of the wizard.
  6. In the customization window, click “Add Hardware” (bottom left).
  7. Select “USB Host Device” from the left panel.
  8. Choose the USB drive where you want to install Arch Linux.
  9. Click “Begin Installation” to start the VM.

Now, you can use the virtual machine to boot into the Arch Linux Live Environment and install Arch Linux on your portable USB drive.

If KVM virtualization isn’t installed on your distro and you’d like to set it up, check out my blog: 'How to Properly Install KVM on Linux.'

Step 2: Boot into Arch Live & Set Up Networking

Insert the bootable Arch Linux USB drive into your computer and boot from it. You may need to enter the BIOS/UEFI boot menu by pressing F2F12, or ESC during startup, then select the USB drive as the boot device.

Important: Secure Boot must be disabled in your BIOS/UEFI settings for the Arch Linux ISO to boot successfully.

Check Internet Connection (Wired or Wireless)

First, check if you are already connected:

# ping -c 4 archlinux.org
  • If you see replies, your internet is working.
  • If you get "unknown host" or "network unreachable", check your network interfaces.

Check Available Network Interfaces

List all active network interfaces:

# ip link

Look for:

  • eth0 or enpXsY → Wired (Ethernet)
  • wlan0 or wlpXsY → Wireless (Wi-Fi)

If using Ethernet, your connection should be active if DHCP is enabled. Otherwise, try:

# dhcpcd eth0

(Replace eth0 with your actual interface name.)

Check for Wi-Fi Availability

Run the following command to check for Wi-Fi adapters:

# iwctl device list

If wlan0 or another wireless device appears, proceed.

Scan for Wi-Fi Networks

# iwctl station wlan0 scan  
# iwctl station wlan0 get-networks

This will display available networks.

Connect to Wi-Fi

Connect to your Wi-Fi network (replace "WiFi-Name" with your SSID):

# iwctl station wlan0 connect "WiFi-Name"

Verify Connection & Get IP Address

Test your internet connection again:

# ping -c 4 archlinux.org

Check your IP address:

# ip addr show wlan0  # For Wi-Fi  
# ip addr show eth0   # For Ethernet  

If connected, an IP address will be displayed.

You are now connected and ready to install Arch Linux!

Step 3: Create Partitions and Encrypt the Root Partition

To create a secure and portable Arch Linux installation, I will set up the required partitions and encrypt the root partition using LUKS.

Partition Layout:

PartitionSizeTypeFilesystemMount Point
BIOS Boot Partition1 MiBEF02NoneNone
EFI System Partition512 MiBEF00vfat (FAT32)/boot
Root Partition (/)Rest of USB8300btrfs/

Explanation:

  • The BIOS Boot Partition (EF02) is needed for legacy BIOS booting with GRUB.
  • The EFI System Partition (EF00) stores the bootloader for UEFI systems.
  • The Root Partition (8300) is where Arch Linux will be installed using Btrfs.

This ensures the USB is bootable on both UEFI and BIOS systems while keeping data organized.

First, determine the device name of the USB drive where you plan to install portable Arch Linux.

# lsblk -pd

In this guide, I will use /dev/sdc as the USB drive for installing portable Arch Linux. Make sure to replace /dev/sdc with your actual device name to avoid data loss.

I will be using an 8GB USB drive, but the more capacity, the better for storing additional files.

Wipe the entire USB drive:

⚠ WARNING: The following command will completely erase the USB drive, including all data, partition tables, bootloaders, and filesystem metadata. Double-check the device name (/dev/sdc) before proceeding!

# wipefs --all /dev/sdc
# sgdisk --zap-all /dev/sdc

Create the Required Partitions:

# sgdisk -n 1:2048:+1M -t 1:EF02 -c 1:"BIOS Boot" /dev/sdc # 1 MiB BIOS Boot Partition
# sgdisk -n 2:0:+512M -t 2:EF00 -c 2:"EFI System" /dev/sdc # 512 MiB EFI Partition
# sgdisk -n 3:0:0 -t 3:8300 -c 3:"Linux Root" /dev/sdc     # Remaining space for Root

Check the partition table. The expected output should appear similar to this:

# sgdisk -p /dev/sdc
...
...
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048            4095   1024.0 KiB  EF02  BIOS Boot
   2            4096         1052671   512.0 MiB   EF00  EFI System
   3         1052672        15182750   6.7 GiB     8300  Linux Root

Format the EFI partition as FAT32:

# mkfs.vfat -F 32 -n ESP /dev/sdc2

Now, encrypt the root partition with LUKS2:

# cryptsetup luksFormat --type luks2 --label ARCH_LUKS /dev/sdc3

You will be asked to type YES in uppercase to confirm. Next, enter a strong password twice for encryption.

After encryption, open the LUKS container:

# cryptsetup open /dev/sdc3 cryptroot

Now, format the unlocked partition as Btrfs:

# mkfs.btrfs -L ARCH /dev/mapper/cryptroot

This completes the partitioning and encryption step. Now, you can proceed with mounting and installing Arch Linux.

Step 4: Create and Mount Btrfs Subvolumes

In this step, I will set up Btrfs subvolumes to separate system and user data. Using subvolumes helps keep different parts of the filesystem organized, making it easier to manage and reinstall the system without affecting personal files.

Create Btrfs Subvolumes:

# mount -v /dev/mapper/cryptroot /mnt
# btrfs subvolume create /mnt/@
# btrfs subvolume create /mnt/@home
# umount -v /mnt
  • /mnt/@ → Root subvolume
  • /mnt/@home → Home subvolume

Now, mount the created subvolumes properly:

# mount -vo rw,relatime,compress=zstd:3,ssd,discard=async \
    -o subvol=@ /dev/mapper/cryptroot /mnt

# mkdir -vp /mnt/{home,boot}
  
# mount -vo rw,relatime,compress=zstd:3,ssd,discard=async \
    -o subvol=@home /dev/mapper/cryptroot /mnt/home
  
# mount -v /dev/sdc2 /mnt/boot
  • The root filesystem (@) is mounted at /mnt.
  • The home subvolume (@home) is mounted at /mnt/home.
  • The EFI partition (/dev/sdc2) is mounted at /mnt/boot.

Why Not noatime or dirnoatime?

  • relatime is the best middle ground—it avoids excessive writes while keeping some access-time updates useful for applications like rsync and some software logs.
  • noatime and dirnoatime are more aggressive and can break certain software behaviors that rely on access times.

Your setup should look something like this:

# lsblk -p -o name,fstype,uuid,mountpoints /dev/sdc
NAME                      FSTYPE      UUID                                 MOUNTPOINTS
/dev/sdc                                                                   
├─/dev/sdc1                                                                
├─/dev/sdc2               vfat        EEF5-53D4                            /mnt/boot
└─/dev/sdc3               crypto_LUKS 5f635c9b-164d-4218-ad44-d3ab59b9c490 
  └─/dev/mapper/cryptroot btrfs       0929448a-10e9-46d9-97ed-961ff8cff083 /mnt/home
                                                                           /mnt

With this setup, the system files and home directory are stored separately, making upgrades or reinstallations more manageable while keeping user data intact.

Step 5: Install the Base System

In this step, I will install the core Arch Linux system along with the LTS kernel for stability. This includes essential system utilities needed for a functional installation before configuring the environment.

Install the base system, LTS kernel, and essential utilities:

# pacstrap -K /mnt base base-devel linux-lts linux-lts-headers \
    linux-firmware btrfs-progs vim nano sudo

For a portable Arch Linux on USB, the LTS kernel is generally the better choice. Here's why:

  • Stability – Less frequent updates, reducing the risk of breakage.
  • Long-Term Support – Ideal for a system that needs reliability across multiple devices.
  • Better Compatibility – Works well with older and newer hardware without frequent patches.

Generate the fstab file:

# genfstab -U /mnt >> /mnt/etc/fstab

Chroot into the new system:

# arch-chroot /mnt

Step 6: Setup Locale

Now, I will configure the hostname, timezone, and locale settings to ensure the system runs with the correct regional and network configurations. I will use New York, USA as an example, but you can set it for any locale based on your preference.

Set the hostname:

# echo "arch-usb" > /etc/hostname

Set up the timezone:

# ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
# hwclock --systohc

Configure locale. Uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen:

# sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
# locale-gen

Set locale:

# echo "LANG=en_US.UTF-8" > /etc/locale.conf

Step 7: Create User Account & Configure sudo

In this step, I will create a regular user account with administrative privileges in addition to the root account. This enhances security and provides a safer way to manage the system without directly using the root user for daily tasks.

Set the root password:

# passwd

Create a regular user (replace madhu with your own username):

# useradd -m -G wheel -s /bin/bash madhu
# passwd madhu

Verify the user was created and check group memberships:

# id madhu
uid=1000(madhu) gid=1000(madhu) groups=1000(madhu),998(wheel)

Enable sudo for the user (replace madhu with your own username):

# echo "madhu ALL=(ALL) ALL" > /etc/sudoers.d/00_madhu
# chmod 440 /etc/sudoers.d/00_madhu
  • This grants sudo privileges only to madhu.
  • The file permissions are set to read-only to prevent unauthorized changes.

This method is safer than modifying /etc/sudoers directly, as it ensures only the intended user gets sudo access.

Step 8: Configure GRUB for Dual UEFI and Legacy BIOS Boot

To ensure the USB drive can boot on both UEFI and Legacy BIOS systems, I will install GRUB as the bootloader. This ensures broad compatibility across different machines.

Run the following command to install GRUB and necessary utilities:

# pacman -S grub efibootmgr dosfstools os-prober mtools

Enable GRUB Cryptodisk Support:

Edit /etc/default/grub to enable GRUB’s cryptodisk feature:

# nano /etc/default/grub

Uncomment the following line:

GRUB_ENABLE_CRYPTODISK=y

Configure GRUB to Unlock the Encrypted Root Partition. Add the cryptdevice parameter in the GRUB_CMDLINE_LINUX line:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=5f635c9b-164d-4218-ad44-d3ab59b9c490:root rootfstype=btrfs"

(Replace <UUID> with the output of cryptsetup luksUUID /dev/sdc3 of your device.)

Ensure Early USB Support for Reliable Booting:

Since the system is installed on a USB drive, we need to ensure the kernel initializes USB devices early in the boot process. Without this, some systems may fail to recognize the USB drive during boot.

Edit /etc/mkinitcpio.conf:

# nano /etc/mkinitcpio.conf

Modify the MODULES line to include essential USB and Btrfs support:

MODULES=(btrfs usb_storage usbhid xhci_pci ehci_pci)

This MODULES line ensures essential drivers are preloaded in the initramfs for proper system functionality:

  • btrfs → Enables support for the Btrfs filesystem, required if the root filesystem is on Btrfs.
  • usb_storage → Allows the system to recognize USB storage devices, crucial for booting from a USB drive.
  • usbhid → Supports USB human interface devices (HID) like keyboards and mice.
  • xhci_pci → Provides support for USB 3.0 (xHCI) controllers, ensuring compatibility with modern USB ports.
  • ehci_pci → Supports USB 2.0 (EHCI) controllers, ensuring older USB devices work correctly.

Update the HOOKS line as shown below to ensure support for keyboard input and disk encryption. Move keyboard before autodetect and insert encrypt after block:

HOOKS=(base udev keyboard autodetect microcode modconf kms keymap consolefont block encrypt filesystems fsck)

Here’s why each modification is necessary:

  1. Move keyboard before autodetect
    • Ensures that keyboard drivers are included before hardware detection runs.
    • This is crucial for encrypted setups, as users need to enter a LUKS passphrase early in the boot process.
    • If keyboard is placed after autodetect, some keyboard modules might not be included in the initramfs, making it impossible to enter the decryption password.
  2. Add encrypt after block
    • The encrypt hook is responsible for unlocking LUKS-encrypted partitions during boot.
    • Placing it after block ensures that block devices (disks and partitions) are detected before attempting decryption.
    • If encrypt is added too early or omitted, the system won't prompt for the LUKS passphrase, preventing booting into the OS.

Regenerate the initramfs:

# mkinitcpio -P

This prevents boot failures on different systems by ensuring early USB support in the boot process.

Install GRUB for Both UEFI and BIOS Systems

To support both boot modes, install GRUB as follows:

# grub-install --target=x86_64-efi --efi-directory=/boot --removable --recheck
# grub-install --target=i386-pc --boot-directory=/boot /dev/sdc
  • --removable:
    This option installs GRUB in a way that makes the device bootable on multiple computers. It places the bootloader in the default fallback location (/boot/EFI/BOOT/BOOTX64.EFI for x86_64 systems) instead of a vendor-specific directory like /boot/EFI/arch/grubx64.efi. This ensures that the system can boot even if the firmware does not recognize a vendor-specific boot entry.
  • --recheck:
    This forces grub-install to scan for available disk devices again, even if they were previously detected. It helps avoid issues where GRUB does not properly recognize the disk or partition layout.

Generate GRUB config:

# grub-mkconfig -o /boot/grub/grub.cfg

This setup ensures that the USB drive can boot on both UEFI and Legacy BIOS systems, while also enabling early USB support and encryption handling.

Step 9: Enable Networking & Bluetooth

To ensure seamless connectivity on your Arch Linux USB installation, you need to enable networking and Bluetooth. This step configures systemd-networkd and systemd-resolved for network management and installs BlueZ for Bluetooth support. Enabling these services ensures they start automatically on boot.

Enable systemd-networkd:

# pacman -S network-manager-applet
# systemctl enable systemd-networkd
# systemctl enable systemd-resolved
# systemctl enable NetworkManager

Enable Bluetooth:

# pacman -S bluez bluez-utils
# systemctl enable bluetooth

Step 10: Install XFCE and Essential Applications

To set up a lightweight and functional desktop environment, you need the XFCE desktop environment along with essential software. This step includes installing XFCE, setting up the LightDM display manager, a web browser, general utilities, rescue tools, and minimal office applications. These packages ensure a smooth user experience while keeping the system lightweight and efficient. You can install all recommended packages or skip the ones you don’t need based on your requirements.

Install XFCE Desktop (Approx. 760 MiB)

Install XFCE along with the LightDM display manager:

# pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter
# systemctl enable lightdm

Install Web Browser (Approx. 450 MiB)

# pacman -S firefox

Install General-Purpose Utilities (Approx. 220 MiB)

These utilities provide essential tools for system management, networking, and compression.

# pacman -S --needed \
    wget curl git neofetch \
    xdg-utils gvfs \
    man-db man-pages bash-completion \
    iwd wireless_tools wpa_supplicant openssh \
    pulseaudio pavucontrol alsa-utils \
    xarchiver unzip zip tar p7zip \
    python python-pip

Install Essential Rescue Tools (Approx. 65 MiB)

These tools help with disk management, system recovery, and hardware diagnostics.

# pacman -S --needed \
    gparted ntfs-3g exfat-utils \
    rsync clonezilla testdisk \
    smartmontools lsof lshw \
    inxi hwinfo usbutils

Install Minimal Office Applications (Approx. 150 MiB)

For basic document editing and PDF viewing.

# pacman -S abiword evince

Step 11: Finalize Installation and Reboot

In this final step, you will exit the chroot environment, unmount all partitions, and reboot your system. This completes the installation, allowing you to boot into your portable Arch Linux USB on any compatible computer.

Exit chroot, unmount partitions, and reboot

# exit
# umount -vR /mnt
# reboot

Step 12: Boot and Enjoy Your Portable Arch Linux

Congratulations! You now have a fully functional, secure, portable Arch Linux USB with persistence, Btrfs, LUKS encryption, and a lightweight XFCE desktop. This setup ensures that your operating system is stable, secure, and bootable on multiple machines, making it perfect for secure computing, system recovery, or everyday use.

Now that your installation is complete, here are some next steps:

  • Explore Arch Linux: Learn package management with pacman and customize your system.
  • Create Snapshots: Use Btrfs snapshots with Snapper for quick system rollbacks.
  • Enhance Security: Set up firewalld or ufw for additional protection.

If you run into any issues or have questions, feel free to comment on the blog post. Your feedback helps improve this guide, and I’ll be happy to assist!

Happy computing!


Subscribe
Notify of
guest
2 Comments
Newest
Oldest
Inline Feedbacks
View all comments