Portable Arch Linux on USB: LUKS2 Encryption That Boots Anywhere (2025)
estimated read time: 7 minutes
Why Encrypt a Portable Drive?
A portable OS is only as secure as the storage it lives on. An unencrypted USB drive is a liability: drop it on a train, leave it in a cafe, or have it pulled from a bag — and everything on it is readable by whoever picks it up.
LUKS2 (Linux Unified Key Setup) solves the data-at-rest problem. Combined with TPM2, it goes a step further: the drive only decrypts automatically on a machine where you have enrolled it, bound to the Secure Boot state. On any other machine, it demands a passphrase. This gives you the best of both worlds — strong protection against theft with zero friction on your own hardware.
This article covers all three phases:
- Backing up your existing system and re-encrypting the drive
- Fixing the boot configuration so USB drivers are always present
- Enrolling TPM2 for passwordless boot on your trusted machine
Prerequisites
- An existing Arch Linux installation on an external USB drive (e.g. a Samsung T7)
- An Arch Linux Live ISO on a second USB drive for recovery
- Your drive must have exactly two partitions: an EFI partition and a root partition. If you have more, flatten them first.
- Basic familiarity with
systemd-boot, LUKS, andarch-chroot
Phase 1: Back Up Your System
You cannot encrypt a partition in-place — the existing data would be destroyed. So the first step is a full system backup using rsync, which preserves permissions, ACLs, extended attributes, and hard links precisely.
Boot into the Arch Linux Live ISO and mount a backup destination:
mount /dev/sdX /mnt/backup
Then run the backup, excluding virtual filesystems and transient directories:
sudo rsync -aAXHvx --info=progress2 \
--exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} \
/ /mnt/backup/arch_backup/
Flag reference:
| Flag | Purpose |
|---|---|
-a | Archive mode — preserves permissions, ownership, timestamps, recurses directories |
-A | Preserves Access Control Lists |
-X | Preserves extended attributes |
-H | Preserves hard links |
-x | Stays within the current filesystem — prevents recursive copying of mounted drives |
--info=progress2 | Shows overall transfer progress and estimated time |
The exclusions matter:
/dev/*,/proc/*,/sys/*— kernel-managed virtual filesystems; not real files/tmp/*,/run/*— runtime state that shouldn’t be preserved/mnt/*,/media/*— avoids copying your backup destination into itself/lost+found— filesystem recovery artefacts
Wait for this to complete before moving on. It is your safety net for the rest of this guide.
Phase 2: Encrypt with LUKS2
With the backup done, identify your partitions. Your drive will have two:
/dev/sdb1— EFI partition (do not encrypt this)/dev/sdb2— root partition (this is what you are encrypting)
Format the root partition with LUKS2:
cryptsetup luksFormat /dev/sdb2
You will be prompted to confirm (YES in capitals) and set a passphrase. Choose something strong — this is your last line of defence if the TPM2 path is unavailable.
Open the encrypted container:
cryptsetup open /dev/sdb2 cryptroot
Create a new filesystem and mount:
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot
Restore the backup:
sudo rsync -aAXHv --info=progress2 /mnt/backup/arch_backup/ /mnt/
Note the trailing slash on the source path — this copies the contents of arch_backup/, not the directory itself.
Phase 3: Fix the Boot Configuration for USB
This is the part that catches most people. When you build a standard Arch Linux install, mkinitcpio uses the autodetect hook to strip down the initramfs to only the drivers needed for your specific hardware at that moment. On a fixed internal drive this is fine. On a USB drive it is a problem: if you boot on a different machine, the USB drivers may not be present in the initramfs and the system cannot find the encrypted root partition.
There are two fixes required.
Enter the chroot:
arch-chroot /mnt
Fix 1 — Remove autodetect, add sd-encrypt
Edit /etc/mkinitcpio.conf and update the HOOKS line:
HOOKS=(base systemd modconf keyboard block sd-encrypt filesystems fsck)
The two important changes:
autodetectis removed — the initramfs will now include all drivers for all hardwaresd-encryptis added — this is the systemd-native hook that handles LUKS decryption at boot
Regenerate the initramfs. Do not skip this step — if you reboot without regenerating, the system will not find the encrypted partition:
mkinitcpio -P
Fix 2 — Add rootwait and the LUKS UUID
Get your encrypted partition UUID:
blkid /dev/sdb2
Edit /boot/loader/entries/arch.conf and update the options line. Replace YOUR-UUID-HERE with the UUID from blkid:
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=YOUR-UUID-HERE=cryptroot root=/dev/mapper/cryptroot rw rootwait
The rootwait parameter tells the kernel to wait for the USB device to be enumerated before attempting to find the root partition. Without it, fast-booting systems may try to mount root before the USB controller has finished initialising and fail with a kernel panic.
Exit the chroot and reboot:
exit
reboot
At this point the system should boot and prompt for your LUKS passphrase. Confirm this works before proceeding to TPM2.
Phase 4: TPM2 Auto-Unlock
Once the passphrase boot is working, you can enrol the drive with your machine’s TPM2 chip. This binds the decryption key to PCR 7 — the Secure Boot state register. The key will only be released automatically when the machine boots with the same Secure Boot configuration. On any other machine, or if Secure Boot is tampered with, the passphrase will be required.
Install the TPM2 tools:
sudo pacman -S tpm2-tools
Enrol the TPM2 chip into the LUKS header:
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdb2
You will be prompted for your existing LUKS passphrase to authorise the enrolment.
Verify the token was added:
sudo cryptsetup luksDump /dev/sdb2
Look for a systemd-tpm2 entry in the Tokens section. If it is there, the enrolment was successful.
Update the bootloader entry to use the TPM2 path. Edit /boot/loader/entries/arch.conf again:
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=YOUR-UUID-HERE=cryptroot rd.luks.options=tpm2-device=auto root=/dev/mapper/cryptroot rw rootwait
The addition is rd.luks.options=tpm2-device=auto — this instructs sd-encrypt to attempt TPM2 decryption before falling back to the passphrase prompt.
Reboot. If Secure Boot is active and you are on the enrolled machine, the drive should decrypt automatically without a passphrase prompt.
What You Have Now
| Scenario | Result |
|---|---|
| Boot on enrolled machine with Secure Boot enabled | Automatic unlock via TPM2 |
| Boot on enrolled machine with Secure Boot disabled | Passphrase required |
| Boot on any other machine | Passphrase required |
| Drive physically stolen | Data unreadable without passphrase |
The drive is now fully portable (USB drivers always present), encrypted at rest, and convenient on your own machine (no passphrase prompt).
Portable Arch Linux Series
- Series Overview — Goals and Structure
- Article 1 — Setting Up Arch Linux on an External Drive (Coming Soon)
- Article 2 — Full Disk Encryption with LUKS2 and TPM2 ← you are here
- Article 3 — Installing and Configuring Hyprland Window Manager (Coming Soon)
- Article 4 — Essential Tools and Productivity Setup (Coming Soon)