Portable Arch Linux on USB: LUKS2 Encryption That Boots Anywhere (2025)


estimated read time: 7 minutes

Why Encrypt a Portable Drive?

A portable OS is only as secure as the storage it lives on. An unencrypted USB drive is a liability: drop it on a train, leave it in a cafe, or have it pulled from a bag — and everything on it is readable by whoever picks it up.

LUKS2 (Linux Unified Key Setup) solves the data-at-rest problem. Combined with TPM2, it goes a step further: the drive only decrypts automatically on a machine where you have enrolled it, bound to the Secure Boot state. On any other machine, it demands a passphrase. This gives you the best of both worlds — strong protection against theft with zero friction on your own hardware.

This article covers all three phases:

  1. Backing up your existing system and re-encrypting the drive
  2. Fixing the boot configuration so USB drivers are always present
  3. Enrolling TPM2 for passwordless boot on your trusted machine

Prerequisites

Phase 1: Back Up Your System

You cannot encrypt a partition in-place — the existing data would be destroyed. So the first step is a full system backup using rsync, which preserves permissions, ACLs, extended attributes, and hard links precisely.

Boot into the Arch Linux Live ISO and mount a backup destination:

mount /dev/sdX /mnt/backup

Then run the backup, excluding virtual filesystems and transient directories:

sudo rsync -aAXHvx --info=progress2 \
  --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} \
  / /mnt/backup/arch_backup/

Flag reference:

FlagPurpose
-aArchive mode — preserves permissions, ownership, timestamps, recurses directories
-APreserves Access Control Lists
-XPreserves extended attributes
-HPreserves hard links
-xStays within the current filesystem — prevents recursive copying of mounted drives
--info=progress2Shows overall transfer progress and estimated time

The exclusions matter:

Wait for this to complete before moving on. It is your safety net for the rest of this guide.

Phase 2: Encrypt with LUKS2

With the backup done, identify your partitions. Your drive will have two:

Format the root partition with LUKS2:

cryptsetup luksFormat /dev/sdb2

You will be prompted to confirm (YES in capitals) and set a passphrase. Choose something strong — this is your last line of defence if the TPM2 path is unavailable.

Open the encrypted container:

cryptsetup open /dev/sdb2 cryptroot

Create a new filesystem and mount:

mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot

Restore the backup:

sudo rsync -aAXHv --info=progress2 /mnt/backup/arch_backup/ /mnt/

Note the trailing slash on the source path — this copies the contents of arch_backup/, not the directory itself.

Phase 3: Fix the Boot Configuration for USB

This is the part that catches most people. When you build a standard Arch Linux install, mkinitcpio uses the autodetect hook to strip down the initramfs to only the drivers needed for your specific hardware at that moment. On a fixed internal drive this is fine. On a USB drive it is a problem: if you boot on a different machine, the USB drivers may not be present in the initramfs and the system cannot find the encrypted root partition.

There are two fixes required.

Enter the chroot:

arch-chroot /mnt

Fix 1 — Remove autodetect, add sd-encrypt

Edit /etc/mkinitcpio.conf and update the HOOKS line:

HOOKS=(base systemd modconf keyboard block sd-encrypt filesystems fsck)

The two important changes:

Regenerate the initramfs. Do not skip this step — if you reboot without regenerating, the system will not find the encrypted partition:

mkinitcpio -P

Fix 2 — Add rootwait and the LUKS UUID

Get your encrypted partition UUID:

blkid /dev/sdb2

Edit /boot/loader/entries/arch.conf and update the options line. Replace YOUR-UUID-HERE with the UUID from blkid:

title   Arch Linux
linux   /vmlinuz-linux
initrd  /amd-ucode.img
initrd  /initramfs-linux.img
options rd.luks.name=YOUR-UUID-HERE=cryptroot root=/dev/mapper/cryptroot rw rootwait

The rootwait parameter tells the kernel to wait for the USB device to be enumerated before attempting to find the root partition. Without it, fast-booting systems may try to mount root before the USB controller has finished initialising and fail with a kernel panic.

Exit the chroot and reboot:

exit
reboot

At this point the system should boot and prompt for your LUKS passphrase. Confirm this works before proceeding to TPM2.

Phase 4: TPM2 Auto-Unlock

Once the passphrase boot is working, you can enrol the drive with your machine’s TPM2 chip. This binds the decryption key to PCR 7 — the Secure Boot state register. The key will only be released automatically when the machine boots with the same Secure Boot configuration. On any other machine, or if Secure Boot is tampered with, the passphrase will be required.

Install the TPM2 tools:

sudo pacman -S tpm2-tools

Enrol the TPM2 chip into the LUKS header:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdb2

You will be prompted for your existing LUKS passphrase to authorise the enrolment.

Verify the token was added:

sudo cryptsetup luksDump /dev/sdb2

Look for a systemd-tpm2 entry in the Tokens section. If it is there, the enrolment was successful.

Update the bootloader entry to use the TPM2 path. Edit /boot/loader/entries/arch.conf again:

title   Arch Linux
linux   /vmlinuz-linux
initrd  /amd-ucode.img
initrd  /initramfs-linux.img
options rd.luks.name=YOUR-UUID-HERE=cryptroot rd.luks.options=tpm2-device=auto root=/dev/mapper/cryptroot rw rootwait

The addition is rd.luks.options=tpm2-device=auto — this instructs sd-encrypt to attempt TPM2 decryption before falling back to the passphrase prompt.

Reboot. If Secure Boot is active and you are on the enrolled machine, the drive should decrypt automatically without a passphrase prompt.

What You Have Now

ScenarioResult
Boot on enrolled machine with Secure Boot enabledAutomatic unlock via TPM2
Boot on enrolled machine with Secure Boot disabledPassphrase required
Boot on any other machinePassphrase required
Drive physically stolenData unreadable without passphrase

The drive is now fully portable (USB drivers always present), encrypted at rest, and convenient on your own machine (no passphrase prompt).


Portable Arch Linux Series