How I built a production Arch Linux portable workstation with LUKS encryption, Hyprland, and a modern, lightweight network stack – Part 1: installation and first boot.
Overview
Installing Arch Linux from scratch taught me more about Linux internals than years of using GUI heavy distributions. For DevOps engineers, understanding the fundamentals – from bootloaders to network stacks to display servers isn’t optional any longer. When it comes to troubleshooting production systems, a command of CLI tools and understanding the Linux filesystem is what sets pros apart from those who just run apt install.
This Lenovo T480 build uses LUKS2 encryption, LVM for storage flexibility, systemd-networkd for networking, and – in the next installment – Hyprland as a Wayland compositor. Every component was deliberately chosen and manually configured.
Bottom line: Full disk encryption with LUKS2, 512GB encrypted storage with LVM flexibility, pure Wayland environment, and systemd-networkd for networking.
Hardware
Lenovo T480 specifications:
- CPU: Intel Core i7-8550U (4 cores, 8threads @ 1.8GHz)
- Memory: 16GB DDR4
- Storage: 512GB NVMe SSD
- Graphics: Intel UHD Graphics 620
- Firmware: Latest Lenovo BIOS (v1.36.0)
This laptop provides enough power for development work while maintaining good battery life and Intel integrated graphics.
Disk Encryption Architecture
LUKS + LVM Strategy
The storage setup uses LUKS2 for full disk encryption with LVM on top for flexible volume management:
sda (476.9GB)
├─ sda1 (1GB) → /boot (unencrypted FAT32)
└─ sda2 (475.9GB) → crypto_LUKS (encrypted container)
└─ stark (LVM)
├─ stark-swap (8GB)
├─ stark-root (32GB) → /
└─ stark-home (435.9GB) → /homeKey design decisions:
- Separate /boot partition: Required for systemd-boot, unencrypted but contains no sensitive data
- LUKS2 container: Uses the entire second partition, providing hardware-level AES encryption
- LVM inside LUKS: “LUKS on LVM” approach – encrypt once, flexible volumes inside
- Conservative root size: 32GB for the system partition for data
- Dedicated swap: 8GB encrypted swap space
Encryption Details
# LUKS container details UUID: 03ef23c9-xxxx-xxxx-xxxxx-2c7c4b87... Type: crypto_LUKS (version 2) Mapped as: /dev/mapper/stark# Check encryption status $ lsblk -f NAME FSTYPE FSVER UUID sda2 crypto 2 02ef99c9-xxxx-xxxx-xxxx-2c6c4f17...└─stark LVM2_m LVM2 |
Security benefits:
- Data at rest is encrypted with AES
- Password required at boot to unlock
- Even with physical access, data remains protected
- Individual volumes can be resized without re-encrypting
Boot Configuration
systemd-boot Setup
Using systemd-boot instead of GRUB for a simpler, faster boot process:
# /boot/loader/loader.conf timeout 2 console-mode max default arch.conf editor no |
The boot entry (/boot/loader/entries/arch.conf) handles LUKS unlocking:
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options rd.luks.name=03ef23c9-xxxx-xxxx-xxxx-2c7c4b87...=stark root=/dev/stark/root rwHow it works:
- UEFI loads systemd-boot from ESP (/boot)
- systemd-boot loads kernel and fallback initramfs
- Early userspace (initramfs) prompts for LUKS password
rd.luks.nametells systemd to unlock the specific UUID- LVM activates volumes inside the decrypted container
- System boots from /dev/mapper/midir-root
Network Stack
Modern systemd Networking
Using systemd-networkd and systemd-resolved instead of NetworkManager for a lightweight, integrated approach:
systemd-networkd handles network interfaces:
# /etc/systemd/network/25-wireless.network [Match] Name=wlan0 [Link] RequiredForOnline=routable [Network] DHCP=yes IgnoreCarrierLoss=3s |
The IgnoreCarrierLoss setting prevents the interface from going down during brief WiFi disconnections.
iwd (iNet wireless daemon) manages WiFi:
- Modern replacement for wpa_supplicant
- Lower memory footprint
- Better performance
- Integrates with systemd-networkd
systemd-resolved provides DNS resolution:
$ resolvectl status Global Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC: no/unsupported Fallback DNS: 1.1.1.1 (Cloudflare)9.9.9.9 (Quad9) Link 4 (wlan0) DNS Servers: 192.x.x.x |