Select Page

Security Focused Arch Linux Laptop with Full Disk Encryption

by | Dec 11, 2025 | Uncategorized

How I built a production Arch Linux portable workstation with LUKS encryption, Hyprland, and a modern, lightweight network stack – Part 1: installation and first boot.

Overview

Installing Arch Linux from scratch taught me more about Linux internals than years of using GUI heavy distributions. For DevOps engineers, understanding the fundamentals – from bootloaders to network stacks to display servers isn’t optional any longer. When it comes to troubleshooting production systems, a command of CLI tools and understanding the Linux filesystem is what sets pros apart from those who just run apt install.

This Lenovo T480 build uses LUKS2 encryption, LVM for storage flexibility, systemd-networkd for networking, and – in the next installment – Hyprland as a Wayland compositor. Every component was deliberately chosen and manually configured.

Bottom line: Full disk encryption with LUKS2, 512GB encrypted storage with LVM flexibility, pure Wayland environment, and systemd-networkd for networking.

Hardware

Lenovo T480 specifications:

  • CPU: Intel Core i7-8550U (4 cores, 8threads @ 1.8GHz)
  • Memory: 16GB DDR4
  • Storage: 512GB NVMe SSD
  • Graphics: Intel UHD Graphics 620
  • Firmware: Latest Lenovo BIOS (v1.36.0)

This laptop provides enough power for development work while maintaining good battery life and Intel integrated graphics.

Disk Encryption Architecture

LUKS + LVM Strategy

The storage setup uses LUKS2 for full disk encryption with LVM on top for flexible volume management:

sda (476.9GB)
├─ sda1 (1GB)      → /boot (unencrypted FAT32)
└─ sda2 (475.9GB)  → crypto_LUKS (encrypted container)
   └─ stark (LVM)
      ├─ stark-swap (8GB)
      ├─ stark-root (32GB)     → /
      └─ stark-home (435.9GB)  → /home

Key design decisions:

  1. Separate /boot partition: Required for systemd-boot, unencrypted but contains no sensitive data
  2. LUKS2 container: Uses the entire second partition, providing hardware-level AES encryption
  3. LVM inside LUKS: “LUKS on LVM” approach – encrypt once, flexible volumes inside
  4. Conservative root size: 32GB for the system partition for data
  5. Dedicated swap: 8GB encrypted swap space

Encryption Details

# LUKS container details
UUID: 03ef23c9-xxxx-xxxx-xxxxx-2c7c4b87...
Type: crypto_LUKS (version 2)
Mapped as: /dev/mapper/stark

# Check encryption status
$ lsblk -f NAME FSTYPE FSVER UUID
sda2 crypto 2 02ef99c9-xxxx-xxxx-xxxx-2c6c4f17...
└─stark LVM2_m LVM2 I3GXZ3-xxxx-xxxx-xxxx-ikJe...

Security benefits:

  • Data at rest is encrypted with AES
  • Password required at boot to unlock
  • Even with physical access, data remains protected
  • Individual volumes can be resized without re-encrypting

Boot Configuration

systemd-boot Setup

Using systemd-boot instead of GRUB for a simpler, faster boot process:

# /boot/loader/loader.conf
timeout 2
console-mode max
default arch.conf
editor no

The boot entry (/boot/loader/entries/arch.conf) handles LUKS unlocking:

title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options rd.luks.name=03ef23c9-xxxx-xxxx-xxxx-2c7c4b87...=stark root=/dev/stark/root rw

How it works:

  1. UEFI loads systemd-boot from ESP (/boot)
  2. systemd-boot loads kernel and fallback initramfs
  3. Early userspace (initramfs) prompts for LUKS password
  4. rd.luks.name tells systemd to unlock the specific UUID
  5. LVM activates volumes inside the decrypted container
  6. System boots from /dev/mapper/midir-root

Network Stack

Modern systemd Networking

Using systemd-networkd and systemd-resolved instead of NetworkManager for a lightweight, integrated approach:

systemd-networkd handles network interfaces:

# /etc/systemd/network/25-wireless.network
[Match]
Name=wlan0

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
IgnoreCarrierLoss=3s

The IgnoreCarrierLoss setting prevents the interface from going down during brief WiFi disconnections.

iwd (iNet wireless daemon) manages WiFi:

  • Modern replacement for wpa_supplicant
  • Lower memory footprint
  • Better performance
  • Integrates with systemd-networkd

systemd-resolved provides DNS resolution:

$ resolvectl status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS
DNSSEC: no/unsupported
Fallback DNS: 1.1.1.1 (Cloudflare)
9.9.9.9 (Quad9)
8.8.8.8 (Google)
Link 4 (wlan0)
DNS Servers: 192.x.x.x

First Boot

Stay tuned…

57 year-old Freshman

by | Jan 29, 2023 | Learning

Or, better yet: How I spent 38 years allowing my belief that I was dumb to hold me back.

The first full week of January brings another facet of my growth – I enrolled in College. Pasco Hernando State College to be exact. I’ll talk about the primary reasons here, as much as to walk through my thought process as to document the occasion.

I graduated June 6th, 1984 from Gobles Public High School in Gobles, Michigan (pop. 851) with what I thought was a class of 42 (but recently found out was actually 60.) I don’t much recall walking across the stage to receive my diploma, just heard my name and I ran to shake Tommy D’s hand before he changed his mind. I do remember thinking that I’m glad that it went alphabetically instead of by grade so I wouldn’t be #43 (a story I’ve carried with me for 38 years.)

As I got back to my seat I also remember thinking that I was looking forward to taking time off from school because well, kids that got a lot of C’s in their classes, had double-digit “absences” and a record 48 tardies over 4 years, and marginal scores on their ACTs didn’t have much opportunity to go on to anything but maybe Community College. If only I had been just a little better at sports!

So after a year of kinda wandering, going through two J.O.B.s, I did just that; I enrolled at Kalamazoo Community College. Because of my mediocre ACTs I was required to take remedial Grammar and Mathematics. During the entrance test, I was faced with not knowing what a dangling participle was (which literally haunts me to this day.) I promptly dropped out and joined the U.S. Air Force. And spent 38 years thinking I was dumb…

…fast forward to last fall. I was told that if I wanted more opportunities and more money I had to get my degree. It didn’t matter the college I chose, online or on campus, full- or part-time, but I had to get that second piece of paper if I wanted to advance. I went from being adamantly opposed to scared to death that my academic history would repeat itself.

Reluctantly, I started researching online colleges – there was no way I could work full-time, be a part-time hockey coach, and go to school in person. I also had to find a school that Pasco County BoCC would offer tuition reimbursement. Private colleges like SNHU, WGU, and Full Sail were 100% self-paced and online but weren’t “approved.” I didn’t want to go into debt to get a raise!

So with my list of qualifying nearby colleges – St. Leo University, University of Central Florida, and Pasco Hernando State College – I started my application process. First stop: I had to request my High School transcripts. I was sure they were in a storage room somewhere, tucked into an old dusty metal 4-drawer filing cabinet, near the back of the drawer where C-grade students were kept. Yet, the part-time receptionist found my transcripts within minutes of my request and sent me a copy, much to my chagrin, stating my grades were not as sucky as I previously thought!

To be clear, I wasn’t going to get into Harvard, but, I wasn’t last in my class, either. (Cue the hypnotic, spiraling tunnel visual)

What I had heard all those years ago – that I was behind 42 other students in my class – was not what the transcripts said at all. Let’s do the NEW math: There were actually 60 kids in my class and I was ranked 18th! Meaning my grades were “better” than 42 other students. Granted, my attitude back then sucked and I was an athletic snob, but I wasn’t the C student that I thought I was all those years. In fact, my GPA was 2.849 – a B-! What a difference that would have made to an 18-year-old from a family that had, up to that point, no college graduates.

So tomorrow I’m excited to become a #57YearOldFreshman at PHSC on my way to a degree in Political Science, 38 years in the making. Come, join me on this adventure!