Overview

Building this Arch Linux workstation from scratch taught me more about Linux internals than years of using pre-configured distributions. For DevOps engineers, understanding the fundamentals - from bootloaders to network stacks to display servers - isn’t optional. It’s what separates those who can truly troubleshoot production systems from those who just run apt install.

This Dell Precision 5540 build uses LUKS2 encryption, LVM for storage flexibility, systemd-networkd for networking, and Hyprland as a Wayland compositor. Every component was chosen deliberately and configured manually.

Bottom line: Full disk encryption with LUKS2, 930GB encrypted storage with LVM flexibility, pure Wayland environment with hybrid Intel/NVIDIA graphics, systemd-networkd for networking, and Tailscale integration for secure remote access.

Hardware

Dell Precision 5540 specifications:

  • CPU: Intel Core i7-9850H (6 cores, 12 threads @ 2.60GHz)
  • Memory: 32GB DDR4
  • Storage: 931.5GB NVMe SSD
  • Graphics: Intel UHD Graphics 630 + NVIDIA GPU (hybrid)
  • Firmware: Dell BIOS 1.36.0 (current at the time of writing)

This laptop provides enough power for development work while maintaining good battery life with Intel integrated graphics, with the NVIDIA GPU available when needed for compute tasks.

Disk Encryption Architecture

LUKS + LVM Strategy

The storage setup uses LUKS2 for full disk encryption with LVM on top for flexible volume management:

nvme0n1 (931.5GB)
├─ nvme0n1p1 (1GB)      → /boot (unencrypted FAT32)
└─ nvme0n1p2 (930.5GB)  → LUKS2 encrypted container
   └─ midir (LVM)
      ├─ swap (8GB)
      ├─ root (100GB)   → /
      └─ home (822.5GB) → /home

Key design decisions:

  1. Separate /boot partition: systemd-boot reads the kernel and initramfs straight from the EFI System Partition, so /boot has to stay unencrypted. It holds no secrets, but it is the one part of the disk that anyone with physical access can alter without a passphrase, which is why Secure Boot with signed images (or at least an integrity check of its contents) belongs on the to-do list
  2. LUKS2 container: uses the entire second partition; the encryption is done in the kernel by dm-crypt (AES-NI accelerated on this CPU), so nothing depends on the drive's own self-encryption feature
  3. LVM on LUKS: encrypt once, carve flexible volumes inside the single container
  4. Conservative root size: 100GB for the system, the rest for /home
  5. Dedicated swap: 8GB logical volume, encrypted because it lives inside the container

Encryption Details

# LUKS container details
UUID: 02ef99c9-ac51-4022-847f-2c6c4f17f724
Type: crypto_LUKS (version 2)
Mapped as: /dev/mapper/midir

# Check encryption status
$ lsblk -f
NAME         FSTYPE  FSVER  UUID
nvme0n1p2    crypto  2      02ef99c9-ac51-4022-847f-2c6c4f17f724
└─midir      LVM2_m  LVM2   I3GXZ3-PorG-1Efy-VD0j-ikJe...

Security benefits:

  • Data at rest is encrypted; the LUKS2 default is aes-xts-plain64 with a 512-bit key (AES-256), and cryptsetup luksDump shows what this container actually uses
  • A passphrase is required at boot to unlock; LUKS2 derives the key with argon2id by default, which makes offline guessing expensive
  • With the machine powered off, physical access yields only ciphertext. While it is running or suspended the volume key sits in RAM, so a locked screen is not the same protection, and the unencrypted /boot can still be tampered with
  • Individual volumes can be resized without re-encrypting
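The claims above are only as good as the header actually on the disk, so the check I would run after an install is to read cryptsetup luksDump and flag anything that weakens the passphrase-to-key path. The script below is an added example (not part of the original post): it parses the luksDump text format and reports weak keyslots. SAMPLE_DUMP is constructed, with an invented UUID and a deliberately weak second keyslot of the kind an old luksAddKey or a rescue image leaves behind.

```python
"""Audit a `cryptsetup luksDump` report for settings a reviewer would flag.

Added example, not code from the original post. It parses the text that
`cryptsetup luksDump /dev/nvme0n1p2` prints (run as root on the host) and
returns a list of findings. SAMPLE_DUMP is constructed: the UUID is invented
and keyslot 1 is a deliberately weak pbkdf2 slot.
"""
import re

SAMPLE_DUMP = """\
LUKS header information
Version:       \t2
Epoch:         \t5
UUID:          \t00000000-1111-2222-3333-444444444444
Label:         \t(no label)
Flags:       \t(no flags)

Data segments:
  0: crypt
\toffset: 16777216 [bytes]
\tlength: (whole device)
\tcipher: aes-xts-plain64
\tsector: 512 [bytes]

Keyslots:
  0: luks2
\tKey:        512 bits
\tPriority:   normal
\tCipher:     aes-xts-plain64
\tCipher key: 512 bits
\tPBKDF:      argon2id
\tTime cost:  4
\tMemory:     1048576
\tThreads:    4
  1: luks2
\tKey:        512 bits
\tPriority:   normal
\tCipher:     aes-xts-plain64
\tCipher key: 512 bits
\tPBKDF:      pbkdf2
\tHash:       sha256
\tIterations: 1000
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
\tIterations: 123456
"""


def _section(text, start, end):
    """Lines between a top-level 'start:' header and the next 'end:' header."""
    m = re.search(rf"^{start}:\n(.*?)^{end}:", text, re.M | re.S)
    return m.group(1) if m else ""


def _field(block, name):
    """Value of a tab-indented 'name: value' line inside one entry, or None."""
    m = re.search(rf"^\t{name}:\s*(.+?)\s*$", block, re.M)
    return m.group(1) if m else None


def parse_luks_dump(text):
    """Extract header version, data-segment cipher and per-keyslot parameters."""
    version = re.search(r"^Version:\s*(\d+)", text, re.M)
    header = {
        "version": int(version.group(1)) if version else None,
        "cipher": _field(_section(text, "Data segments", "Keyslots"), "cipher"),
        "keyslots": [],
    }
    slots_text = _section(text, "Keyslots", "Tokens")
    for m in re.finditer(r"^\s*(\d+): (\S+)\n((?:\t.*\n)*)", slots_text, re.M):
        body = m.group(3)
        key_bits, iterations, memory = (_field(body, n) for n in ("Key", "Iterations", "Memory"))
        header["keyslots"].append({
            "id": int(m.group(1)),
            "type": m.group(2),
            "key_bits": int(key_bits.split()[0]) if key_bits else None,
            "pbkdf": _field(body, "PBKDF"),
            "iterations": int(iterations) if iterations else None,
            "memory_kib": int(memory) if memory else None,
        })
    return header


def audit_luks(text):
    """Return human-readable findings; an empty list means nothing to flag."""
    hdr = parse_luks_dump(text)
    findings = []
    if hdr["version"] != 2:
        findings.append(f"header version {hdr['version']}: not LUKS2, so keyslots cannot use argon2id")
    if hdr["cipher"] != "aes-xts-plain64":
        findings.append(f"data cipher {hdr['cipher']} differs from the aes-xts-plain64 default; confirm it was intentional")
    for slot in hdr["keyslots"]:
        sid = slot["id"]
        if slot["pbkdf"] != "argon2id":
            findings.append(f"keyslot {sid}: PBKDF {slot['pbkdf']} is not memory-hard; re-add the key with --pbkdf argon2id")
        if slot["pbkdf"] == "pbkdf2" and (slot["iterations"] or 0) < 100_000:
            findings.append(f"keyslot {sid}: only {slot['iterations']} pbkdf2 iterations, cheap to brute-force offline")
        if slot["key_bits"] is not None and slot["key_bits"] < 512 and "xts" in (hdr["cipher"] or ""):
            findings.append(f"keyslot {sid}: {slot['key_bits']}-bit XTS key is AES-128 once XTS splits it")
    if len(hdr["keyslots"]) > 1:
        findings.append(f"{len(hdr['keyslots'])} keyslots populated; account for each one and luksKillSlot any you cannot explain")
    return findings


if __name__ == "__main__":
    import subprocess, sys
    dump = SAMPLE_DUMP if len(sys.argv) < 2 else subprocess.run(
        ["cryptsetup", "luksDump", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    for line in audit_luks(dump) or ["no findings"]:
        print(line)
```

Run it with no argument to see the three findings on the constructed sample, or as root with the device path (python3 luks_audit.py /dev/nvme0n1p2) to audit the real header. The keyslot count check is the one people skip: a forgotten slot with a weak passphrase is a second front door regardless of how strong the main one is.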

Boot Configuration

systemd-boot Setup

Using systemd-boot instead of GRUB for a simpler, faster boot process:

# /boot/loader/loader.conf
timeout 2
console-mode max
default arch.conf
editor no

editor no is the security-relevant line: with the editor enabled, anyone at the keyboard could change the kernel command line from the boot menu (drop rd.luks.name=, point root= elsewhere, add init=). It does nothing against someone who edits the files on the unencrypted ESP directly; only Secure Boot with signed images covers that.

The boot entry (/boot/loader/entries/arch.conf) handles LUKS unlocking:

title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux-fallback.img
options rd.luks.name=02ef99c9-xxxx-xxxx-xxxx-2c6c4f17f724=midir root=/dev/mapper/midir-root rw

How it works:

  1. UEFI loads systemd-boot from the ESP (/boot)
  2. systemd-boot loads the kernel and the fallback initramfs
  3. Early userspace prompts for the LUKS passphrase. rd.luks.name= is understood by the systemd-based initramfs (mkinitcpio hooks systemd, sd-encrypt and lvm2); the older busybox encrypt hook expects cryptdevice= instead and would ignore this option
  4. rd.luks.name= maps the partition with that UUID to /dev/mapper/midir
  5. LVM activates the volumes inside the decrypted container
  6. systemd switches root to /dev/mapper/midir-root

The hostname “midir” comes from Irish mythology - Midir the Proud, one of the Tuatha Dé Danann, known for his association with the Otherworld. Seemed fitting for a machine that lives in encrypted space.

Why fallback initramfs: the fallback image is built without the autodetect hook, so it carries every module mkinitcpio knows about rather than only the ones matching the hardware present at build time. It is larger and a little slower to load, but it still boots after a hardware change or a module rename, which is the trade-off chosen here.
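Everything systemd-boot loads from the ESP is outside the LUKS container, so the practical gap in this design is that a swapped kernel, initramfs or loader would go unnoticed. Secure Boot with a signed image is the real fix; until that is set up, a hash manifest taken right after install and stored inside the encrypted root at least makes a swap visible from the running system. The script below is an added example, not code from the original post; it uses only the standard library, and the demo() helper, the manifest path and the sample files are mine.

```python
"""Detect modification of the unencrypted /boot (ESP) between boots.

Added example, not from the original post. systemd-boot, the kernel and the
initramfs sit outside the LUKS container, so anyone who opens the laptop can
replace them; a sha256 manifest taken after install and kept inside the
encrypted root (e.g. /root/boot-manifest.json, my choice of path) shows a
later swap. This is detection after the fact, not prevention; prevention is
Secure Boot with a signed kernel image.
"""
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (relative path) to its sha256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare(expected, actual):
    """Files whose hash changed, files that appeared, files that vanished."""
    return {
        "changed": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
    }


def verify(root, manifest_path):
    """Return (clean, diff) for the tree at root against the saved baseline."""
    diff = compare(load_manifest(manifest_path), hash_tree(root))
    return not any(diff.values()), diff


def demo():
    """Constructed scenario: take a baseline, then replace the kernel and add an entry."""
    boot = tempfile.mkdtemp(prefix="esp-")
    os.makedirs(os.path.join(boot, "loader", "entries"))
    with open(os.path.join(boot, "vmlinuz-linux"), "wb") as fh:
        fh.write(b"kernel image (constructed)")
    with open(os.path.join(boot, "loader", "loader.conf"), "w") as fh:
        fh.write("timeout 2\neditor no\n")
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="root-"), "boot-manifest.json")
    save_manifest(hash_tree(boot), manifest_path)
    before = verify(boot, manifest_path)
    # The "evil maid" step: overwrite the kernel and drop in an extra boot entry.
    with open(os.path.join(boot, "vmlinuz-linux"), "wb") as fh:
        fh.write(b"kernel image (modified)")
    with open(os.path.join(boot, "loader", "entries", "rescue.conf"), "w") as fh:
        fh.write("title rescue\n")
    after = verify(boot, manifest_path)
    return before, after


if __name__ == "__main__":
    import sys
    # usage: boot_manifest.py init|verify /boot /root/boot-manifest.json
    if len(sys.argv) == 4 and sys.argv[1] == "init":
        save_manifest(hash_tree(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        clean, diff = verify(sys.argv[2], sys.argv[3])
        print("clean" if clean else json.dumps(diff, indent=1))
        sys.exit(0 if clean else 1)
    else:
        print(demo())
```

Re-run init after every kernel or systemd-boot update (pacman hooks are the natural place), otherwise every update looks like tampering. The manifest must live on the encrypted root, not on the ESP, or the attacker simply rewrites it along with the kernel.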

Network Stack

Modern systemd Networking

Using systemd-networkd and systemd-resolved instead of NetworkManager for a lightweight, integrated approach:

systemd-networkd handles network interfaces:

# /etc/systemd/network/25-wireless.network
[Match]
Name=wlan0

[Network]
DHCP=yes
IgnoreCarrierLoss=3s

IgnoreCarrierLoss=3s keeps the interface's addresses and routes for three seconds after the carrier drops instead of flushing them immediately, so a brief WiFi hiccup does not tear down established connections.

iwd (iNet wireless daemon) manages WiFi:

  • Modern replacement for wpa_supplicant, with WPA2 and WPA3 handled natively
  • Smaller memory footprint and fewer dependencies; it uses the kernel crypto API rather than an external TLS library
  • Can leave addressing entirely to systemd-networkd

systemd-resolved provides DNS resolution:

$ resolvectl status
Global
  Protocols: +LLMNR +mDNS -DNSOverTLS
  DNSSEC: no/unsupported
  Fallback DNS: 1.1.1.1 (Cloudflare)
                9.9.9.9 (Quad9)
                8.8.8.8 (Google)

Link 4 (wlan0)
  Current DNS Server: 192.x.x.x
  DNS Servers: 192.x.x.x

Worth reading closely for a laptop that joins other people's WiFi. +LLMNR and +mDNS mean any host on the same link can answer a lookup for a name the real DNS does not know, which is the classic Responder-style setup for capturing credentials; -DNSOverTLS means every query to the router or to the fallback servers travels in plaintext; and DNSSEC validation is off. The corresponding [Resolve] keys in /etc/systemd/resolved.conf are LLMNR=, MulticastDNS=, DNSOverTLS= and DNSSEC=.
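Because resolvectl status is the view a practitioner actually has of a running box, the check I would automate is a parser over that output that flags the conditions just described. The script below is an added example, not from the original post; SAMPLE_STATUS is constructed to match the shape of the output above, with invented addresses and tailnet name, and the FIXES table maps each finding to the resolved.conf key that closes it.

```python
"""Flag resolver settings that matter on untrusted networks.

Added example, not from the original post. It parses the text that
`resolvectl status` prints and reports: LLMNR and mDNS answering, DNS over
TLS off, DNSSEC off, and links with no resolver of their own. SAMPLE_STATUS
is constructed to match that output's shape; addresses and the tailnet name
are invented.
"""
import re

SAMPLE_STATUS = """\
Global
  Protocols: +LLMNR +mDNS -DNSOverTLS
  DNSSEC: no/unsupported
  Fallback DNS: 1.1.1.1 (Cloudflare)
                9.9.9.9 (Quad9)
                8.8.8.8 (Google)

Link 3 (tailscale0)
  DNS Servers: 100.100.100.100
  DNS Domain: example.ts.net

Link 4 (wlan0)
  Current DNS Server: 192.0.2.1
  DNS Servers: 192.0.2.1
"""

# resolved.conf [Resolve] keys that close each finding (not this host's config).
FIXES = {
    "llmnr": "LLMNR=no",
    "mdns": "MulticastDNS=no",
    "dot": "DNSOverTLS=opportunistic (or yes, with resolvers that support it)",
    "dnssec": "DNSSEC=allow-downgrade",
}


def parse_resolvectl(text):
    """Return {block header: {key: [values...]}} for Global and each Link block."""
    status = {}
    for block in re.split(r"\n(?=\S)", text.strip()):   # blocks start at column 0
        header, *lines = block.splitlines()
        fields, last = {}, None
        for line in lines:
            m = re.match(r"\s+([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
            if m:
                last = m.group(1)
                fields[last] = [m.group(2)] if m.group(2) else []
            elif last and line.strip():                   # continuation of a multi-value key
                fields[last].append(line.strip())
        status[header.strip()] = fields
    return status


def audit_resolved(text):
    """Return findings as strings; an empty list means the resolver looks sane."""
    status = parse_resolvectl(text)
    glob = status.get("Global", {})
    tokens = " ".join(glob.get("Protocols", [])).split()
    dnssec = (glob.get("DNSSEC") or [""])[0]
    if not dnssec:                                        # newer systemd folds it into Protocols
        m = next((t for t in tokens if t.startswith("DNSSEC=")), "")
        dnssec = m.partition("=")[2]
    findings = []
    if "+LLMNR" in tokens:
        findings.append("LLMNR on: any host on the local link can answer a name lookup; " + FIXES["llmnr"])
    if "+mDNS" in tokens:
        findings.append("mDNS on: same link-local spoofing exposure; " + FIXES["mdns"])
    if "-DNSOverTLS" in tokens:
        findings.append("DNS over TLS off: queries to the router and fallbacks are plaintext; " + FIXES["dot"])
    if dnssec.startswith("no"):
        findings.append("DNSSEC validation off: forged answers are accepted; " + FIXES["dnssec"])
    for name, fields in status.items():
        if name.startswith("Link") and not fields.get("DNS Servers"):
            findings.append(f"{name}: no per-link servers, lookups fall through to the public fallbacks")
    return findings


if __name__ == "__main__":
    import subprocess, sys
    text = SAMPLE_STATUS if "--live" not in sys.argv else subprocess.run(
        ["resolvectl", "status"], capture_output=True, text=True, check=True).stdout
    for line in audit_resolved(text) or ["no findings"]:
        print(line)
```

On the constructed sample this reports four findings; python3 resolved_audit.py --live runs it against the real daemon. LLMNR=no and MulticastDNS=no cost nothing on a laptop that already has working DNS; DNSOverTLS=opportunistic keeps working on networks whose resolver does not speak TLS, at the price of silently falling back to plaintext there.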

Tailscale Integration

Tailscale provides secure mesh networking for remote access:

# Tailscale interface automatically configured
Link 3 (tailscale0)
  DNS Servers: 100.x.x.x
  DNS Domain: tailece4xx.ts.net

All three services (systemd-networkd, systemd-resolved, tailscaled) run as system services. tailscaled registers its interface and its MagicDNS resolver with resolved per link, scoped to the tailnet domain, so tailnet names resolve through tailscale0 without changing the global DNS configuration.

Display Environment

Hyprland Wayland Compositor

Running pure Wayland with Hyprland - no X11 compatibility layer needed:

$ env | grep -E "WAYLAND|XDG|DISPLAY"
XDG_SESSION_TYPE=wayland
XDG_CURRENT_DESKTOP=Hyprland
WAYLAND_DISPLAY=wayland-1

Core configuration (~/.config/hypr/hyprland.conf):

# My programs
$terminal = alacritty
$fileManager = thunar
$menu = wofi --show drun

# NVIDIA Wayland support
env = LIBVA_DRIVER_NAME,nvidia
env = XDG_SESSION_TYPE,wayland
env = GBM_BACKEND,nvidia-drm
env = __GLX_VENDOR_LIBRARY_NAME,nvidia

cursor {
   no_hardware_cursors = true
}

# Autostart
exec-once = waybar

Hybrid Graphics Setup

Running Intel integrated graphics as primary with NVIDIA available:

$ lspci -k | grep -A 3 VGA
00:02.0 VGA compatible controller: Intel UHD Graphics 630
  Kernel driver in use: i915

# NVIDIA packages installed
$ pacman -Q | grep nvidia
nvidia-dkms 580.82.07-1
nvidia-utils 580.82.07-1

NVIDIA power management:

  • Hibernate/suspend/resume hooks enabled
  • Hardware cursor disabled for Wayland compatibility
  • Only activated when needed for compute workloads

Desktop Components

Waybar: Status bar showing system info, workspaces, network
Wofi: Application launcher (dmenu replacement for Wayland)
Thunar: Lightweight XFCE file manager
Alacritty: GPU-accelerated terminal
Kitty: Backup terminal option
Qutebrowser: Vim-like browser for keyboard-driven browsing

Development Environment

Container Runtime

Docker configured for development work:

$ systemctl status docker
● docker.service - Docker Application Container Engine
   Active: active (running)

Docker creates and addresses the docker0 bridge itself; systemd-networkd only sees it appear. One thing to keep in mind on a single-user workstation: membership in the docker group is equivalent to root, because the daemon runs as root and will bind-mount any host path into a container on request.

Language Toolchains

Active development environments:

# Go
$ go version
go version go1.24.6 linux/amd64

# Rust (via cargo)
$ ls ~/.cargo
bin/  env  registry/

# VS Code (Code-OSS)
$ pacman -Q | grep code
code 1.XX.X-X

VS Code extensions:

  • DevPod Containers
  • Remote SSH
  • Git/GitHub integration

Shell Environment

Bash with vi mode enabled:

# ~/.bashrc
set -o vi

export QT_QPA_PLATFORM=wayland

alias code="code --enable-features=UseOzonePlatform --ozone-platform=wayland"

The QT_QPA_PLATFORM ensures Qt applications run natively on Wayland, and the code alias forces VS Code to use Wayland instead of XWayland.

System Services

Running Services

$ systemctl list-units --type=service --state=running
bluetooth.service          Bluetooth service
containerd.service         containerd container runtime  
docker.service             Docker Application Container Engine
iwd.service                Wireless service
systemd-networkd.service   Network Configuration
systemd-resolved.service   Network Name Resolution
tailscaled.service         Tailscale node agent

Security Services

UFW (Uncomplicated Firewall) enabled for host-based firewall:

$ systemctl list-unit-files | grep ufw
ufw.service enabled

"enabled" only says the unit starts at boot; ufw status verbose is what confirms the ruleset is loaded and shows the default policies. One caveat with Docker on the same host: a published container port (-p 8080:80) is DNAT'd and forwarded, so the traffic is accepted in Docker's own chains in the FORWARD table and never reaches the INPUT rules UFW manages. The port is reachable from the network whether or not UFW allows it. Bind published ports to 127.0.0.1 or the Tailscale address, or put the restrictions in the DOCKER-USER chain, which Docker leaves for exactly this purpose.

Polkit for privilege management
rtkit-daemon for realtime scheduling (audio)

Package Management

Using yay as AUR helper alongside pacman. The AUR is user-submitted build scripts with no distribution review, so each PKGBUILD (and anything it fetches) deserves a read before yay builds it, and pacman -Qm, which lists foreign packages not from a signed repository, is the list to re-audit after updates:

# Explicitly installed packages
$ pacman -Qe | wc -l
75

# AUR packages
$ pacman -Qm | wc -l
6

# Total packages
$ pacman -Q | wc -l
355

Minimal package footprint while maintaining full development capability.

Configuration Management

Dotfiles

Configuration files tracked but not yet in a public dotfiles repo:

~/.config/
├── hypr/          # Hyprland config
├── waybar/        # Status bar
├── wofi/          # App launcher
├── qutebrowser/   # Browser
├── btop/          # System monitor
└── Code - OSS/    # VS Code

Backup Strategy

# Package lists exported for recovery
$ pacman -Qe > ~/explicitly-installed-packages.txt
$ pacman -Qm > ~/aur-packages.txt

Combined with encrypted home directory, this allows quick system recovery while preserving data.

Performance & Usability

Boot Time

Encrypted boot with password prompt takes approximately 15 seconds from power-on to desktop (after password entry).

Memory Usage

$ free -h
              total    used    free    available
Mem:          30Gi    2.5Gi   27Gi    28Gi
Swap:         8Gi     0B      8Gi

Minimal memory footprint with Hyprland. No heavy desktop environment overhead.

Network Performance

Local network with Tailscale running:

  • WiFi: Standard residential speeds
  • Tailscale: Sub-20ms latency to mesh nodes
  • DNS: Local router primary, Cloudflare/Quad9 fallback

Lessons Learned

What Worked Well

  1. LUKS + LVM: Flexibility to resize volumes without re-encrypting
  2. systemd-boot: Simple, fast, no GRUB complexity
  3. systemd-networkd: Lightweight, no NetworkManager bloat
  4. Hyprland: Smooth Wayland experience, great tiling
  5. Hybrid graphics: Intel for efficiency, NVIDIA when needed

What I’d Do Differently

  1. Alacritty config: Should have set up custom config from the start
  2. Dotfiles repo: Need to properly track and version control configs
  3. Backup automation: Manual package list exports should be automated
  4. Monitoring: Could add Prometheus node exporter for metrics

Future Improvements

  • Set up automated dotfiles sync
  • Configure Alacritty (fonts, colors, keybindings)
  • Set up automated backups to NAS

Conclusion

This Arch Linux workstation provides a secure, minimal, and powerful development environment. Full disk encryption protects data at rest, Wayland provides a modern display stack, and systemd networking offers simplicity without sacrificing functionality.

The setup strikes a balance between security (LUKS encryption, minimal attack surface), performance (lightweight compositor, no DE overhead), and usability (familiar tools, good hardware support).

Would I recommend it? Absolutely - but with a caveat. Installing Arch from scratch is not about getting a working system faster or easier. It’s about understanding Linux at a fundamental level. For DevOps engineers, this matters. When production systems fail at 3 AM, you need to understand bootloaders, initramfs, systemd units, and network stacks - not just know which buttons to click in a GUI. The difference between someone who installed Arch manually and someone who uses Ubuntu Desktop is the difference between an engineer who can debug any Linux system and someone who can only deploy to them.


System specs at time of writing: Arch Linux with kernel 6.16.5-arch1-1, Hyprland, 32GB RAM, LUKS2 + LVM