Note

This guide is incomplete and only properly works for the root partition; unlocking swap at boot is not handled yet


Since there are a few extra steps when setting up drives with LUKS during the installation, I'm going to highlight those steps here.

As always, start with the installation guide

This assumes you are booting with GPT and UEFI and have already partitioned the disks.

The disk layout I’m using for this guide is as follows:

  • /dev/vda1, 550MB, this will be the boot partition

  • /dev/vda2, 2GB, this will be the swap partition

  • /dev/vda3, 20GB, this will be the root partition

Create the boot partition as normal. In this layout it stays unencrypted, since the bootloader has to read the kernel and initramfs from it before the root partition can be unlocked.


LUKS on a partition

[LUKS on a partition Arch Wiki]


Formatting with LUKS

[Preparing non-boot partitions]

First we need to format the partitions.

This can be done as follows:

$ cryptsetup -y -v luksFormat /dev/sdax

Where:

  • /dev/sdax is the partition you wish to format (everything on it is overwritten; cryptsetup asks you to confirm by typing YES in capitals)

  • -y asks for the passphrase twice, so a typo does not lock you out of the partition

  • -v makes cryptsetup print what it is doing

Since I’m doing swap and root, I’m running this on /dev/vda2 and /dev/vda3.

Once the partitions have been LUKS formatted (current cryptsetup writes a LUKS2 header by default), we need to open them and put a file system on the opened device, not on the raw partition.


Opening partitions

Next we need to unlock the partitions.

This can be done as follows:

$ cryptsetup open /dev/sdax <name>

Where:

  • /dev/sdax is the luks formatted partition you want to open

  • <name> is the name you wish to call the unlocked partition

Once opened you will find them in /dev/mapper/<name>.


Closing partitions

You should close and re-open newly made partitions to make sure everything is working properly.

You can close a LUKS partition like so (unmount it, or run swapoff on it, first):

$ cryptsetup close <name>

Where:

  • <name> is the name you called the unlocked partition

Once closed, /dev/mapper/<name> no longer exists; open the partition again before formatting or mounting it.


Formatting partitions

[Formatting partitions]

For the root partition, you get your pick of file systems.

I’m going to be using btrfs, but ext4 is probably the most common.

For most filesystems you can create one like so:

$ mkfs.<fs> /dev/mapper/<name>

Where:

  • <fs> is the filesystem to create (in this case btrfs or ext4)

  • /dev/mapper/<name> is the path to the opened luks partition


Formatting swap partition

Once you’ve LUKS formatted and opened the swap partition you need to make the opened device actually a swap partition.

This can be done as follows:

$ mkswap /dev/mapper/<name>

Where:

  • /dev/mapper/<name> is the path to the opened luks partition

This will set up the swap area on the opened device (swap is not really a filesystem, but the effect is the same: the raw partition only ever holds the LUKS header and ciphertext).
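The formatting, opening, closing and filesystem steps above, wrapped into one function as an added example (not part of the original guide or of cryptsetup). It defaults to a dry run that only prints the commands it would run; DRY_RUN=0 executes them, which assumes you are root on the installation medium and that the partition you name holds nothing you want to keep. The FORCE variable and the luks_prepare function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: the LUKS + filesystem steps as
# one function with a dry-run mode, so the plan can be reviewed before anything
# irreversible happens to a real partition.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # default: print commands only; DRY_RUN=0 executes them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"                # set -e aborts the whole procedure on the first failure
    fi
}

# luks_prepare DEV NAME FSTYPE
#   DEV     partition to encrypt, e.g. /dev/vda3 (its contents are destroyed)
#   NAME    mapper name; the unlocked device appears as /dev/mapper/NAME
#   FSTYPE  btrfs, ext4, ... or "swap" to run mkswap instead of mkfs
luks_prepare() {
    dev=$1; name=$2; fstype=$3

    # Refuse to re-format a partition that already carries a LUKS header unless
    # the caller opts in (FORCE=1, an assumption of this example): luksFormat
    # would otherwise silently replace the old header and its keyslots.
    if [ "$DRY_RUN" != 1 ] && cryptsetup isLuks "$dev" && [ "${FORCE:-0}" != 1 ]; then
        echo "$dev is already LUKS formatted; set FORCE=1 to overwrite it" >&2
        return 1
    fi

    run cryptsetup -y -v luksFormat "$dev"   # -y: passphrase typed twice, -v: verbose
    run cryptsetup open "$dev" "$name"       # unlock -> /dev/mapper/NAME
    run cryptsetup close "$name"             # close and ...
    run cryptsetup open "$dev" "$name"       # ... reopen to prove the passphrase works

    # The filesystem (or swap area) goes on the mapper device, never on $dev.
    if [ "$fstype" = swap ]; then
        run mkswap "/dev/mapper/$name"
    else
        run "mkfs.$fstype" "/dev/mapper/$name"
    fi
}

# Usage: sh luks-prepare.sh /dev/vda3 root btrfs    (review the plan)
#        DRY_RUN=0 sh luks-prepare.sh /dev/vda3 root btrfs    (do it)
if [ "${1:-}" ]; then
    luks_prepare "$@"
fi
```

Running it once without DRY_RUN=0 prints the five commands in order; that is the cheap check that the device, name and filesystem type are what you meant before the partition is overwritten.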


System configuration

mkinitcpio example hooks

You will need to enable some hooks in /etc/mkinitcpio.conf.

Look for the line that looks like HOOKS=(base ...).


encrypt hook

If you’re not using a systemd-based initramfs (your HOOKS line has udev rather than systemd), you need to add the encrypt hook.

Make sure it comes after the block and keyboard hooks and before filesystems: block makes the disk drivers available, keyboard is what lets you type the passphrase on a USB keyboard, and filesystems is where the root filesystem gets mounted.

It will look something like HOOKS=(base udev ... keyboard ... block encrypt ... filesystems ... )

Where ... is any number of hooks between the listed hooks.


sd-encrypt hook

If you’re using a systemd-based initramfs (your HOOKS line has systemd in place of udev), you need to add the sd-encrypt hook instead; the encrypt hook does not work there.

Make sure it comes after the block and keyboard hooks and before filesystems, for the same reasons as with encrypt.

It will look something like HOOKS=(base systemd ... keyboard ... block sd-encrypt ... filesystems ... )

Where ... is any number of hooks between the listed hooks.
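A small checker for the HOOKS line, added here as an example (not from the guide or from mkinitcpio). It applies the ordering rules above, plus the rule that encrypt belongs to the udev (busybox) initramfs and sd-encrypt to the systemd one, and that block must come before either; a missing or late keyboard hook is only a warning. The function names and the sample HOOKS lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check a mkinitcpio HOOKS line
# before rebuilding the initramfs and rebooting into an unbootable system.
set -eu

# hook_index "HOOK LIST" NAME -> 1-based position of NAME in the list, 0 if absent
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_hooks 'HOOKS=(base udev ... filesystems fsck)' -> 0 if consistent, 1 with a
# message on stderr otherwise
check_hooks() {
    hooks=${1#*\(}          # text after the opening parenthesis ...
    hooks=${hooks%%\)*}     # ... up to the closing one (drops any trailing comment)

    init=busybox
    [ "$(hook_index "$hooks" systemd)" -gt 0 ] && init=systemd
    if [ "$init" = systemd ]; then want=sd-encrypt; wrong=encrypt
    else want=encrypt; wrong=sd-encrypt; fi

    if [ "$(hook_index "$hooks" "$wrong")" -gt 0 ]; then
        echo "error: the $wrong hook does not work with a $init initramfs; use $want" >&2
        return 1
    fi
    pos=$(hook_index "$hooks" "$want")
    if [ "$pos" -eq 0 ]; then
        echo "error: $want hook is missing" >&2
        return 1
    fi
    fs=$(hook_index "$hooks" filesystems)
    if [ "$fs" -eq 0 ] || [ "$pos" -gt "$fs" ]; then
        echo "error: $want must come before filesystems" >&2
        return 1
    fi
    blk=$(hook_index "$hooks" block)
    if [ "$blk" -eq 0 ] || [ "$blk" -gt "$pos" ]; then
        echo "error: block must come before $want so the disk is visible when it runs" >&2
        return 1
    fi
    kb=$(hook_index "$hooks" keyboard)
    if [ "$kb" -eq 0 ] || [ "$kb" -gt "$pos" ]; then
        echo "warning: keyboard should come before $want or a USB keyboard may not work at the passphrase prompt" >&2
    fi
    return 0
}

# Usage on the installed system:
#   sh check-hooks.sh "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"
if [ $# -gt 0 ]; then
    check_hooks "$1"
fi
```

Run it against the HOOKS line from the file before mkinitcpio -P; an exit status of 1 means the initramfs would not be able to unlock the root partition as written.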


Rebuild the initramfs

Once you’ve updated /etc/mkinitcpio.conf, rebuild the initramfs so the new hook is included.


mkinitcpio

If you’re using mkinitcpio run:

$ mkinitcpio -P


dracut

If you’re using dracut run:

$ dracut-rebuild


Bootloader

Configuring the boot loader

Lastly, you will need to set some kernel parameters so the initramfs knows which partition to unlock at boot and where the root filesystem then lives.


GRUB

If you’re using GRUB.

Edit /etc/default/grub and find the line starting with GRUB_CMDLINE_LINUX="". After adding the parameters below, regenerate the GRUB configuration with grub-mkconfig -o /boot/grub/grub.cfg, otherwise the change never reaches the boot menu.


encrypt

If you are using the encrypt hook.

You will need to add cryptdevice=UUID=<device-UUID>:root root=/dev/mapper/root

Where:

  • <device-UUID> is the UUID of the LUKS partition (the UUID of /dev/sdax, not of /dev/mapper/<name>); blkid -s UUID -o value /dev/sdax prints it

  • root after the colon is the name the hook gives the unlocked device, so root= has to point at /dev/mapper/ followed by that same name


sd-encrypt

If you are using the sd-encrypt hook.

You will need to add rd.luks.name=<device-UUID>=root root=/dev/mapper/root

Where:

  • <device-UUID> is, as above, the UUID of the LUKS partition /dev/sdax (not of /dev/mapper/<name>)

  • root after the = is the mapper name sd-encrypt creates, and root= has to use that same name
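The two parameter forms above, built and written into a copy of /etc/default/grub, as an added example (not from the guide or from GRUB). The UUID check only catches the common mistake of passing a device path where a UUID belongs; it cannot tell the partition's LUKS UUID from the filesystem's, so take the value from blkid on /dev/sdax as described above. The function names are this example's own, and it assumes GNU sed as shipped on Arch.

```shell
#!/bin/sh
# Added example, not from the original guide: build the unlock parameters for the
# chosen hook and put them into GRUB_CMDLINE_LINUX without duplicating on re-runs.
set -eu

# luks_kernel_params HOOK UUID NAME -> parameters for GRUB_CMDLINE_LINUX
#   HOOK  encrypt or sd-encrypt (whichever is in your HOOKS line)
#   UUID  LUKS partition UUID, e.g. from: blkid -s UUID -o value /dev/vda3
#   NAME  mapper name the hook should create (root in the guide)
luks_kernel_params() {
    hook=$1; uuid=$2; name=$3
    case "$uuid" in
        ????????-????-????-????-????????????) ;;     # 8-4-4-4-12 shape of a UUID
        *)
            echo "error: '$uuid' is not a UUID; pass the LUKS partition UUID, not a device path" >&2
            return 1 ;;
    esac
    case "$hook" in
        encrypt)    echo "cryptdevice=UUID=$uuid:$name root=/dev/mapper/$name" ;;
        sd-encrypt) echo "rd.luks.name=$uuid=$name root=/dev/mapper/$name" ;;
        *)          echo "error: hook must be encrypt or sd-encrypt" >&2; return 1 ;;
    esac
}

# set_grub_cmdline FILE PARAMS: add PARAMS to the GRUB_CMDLINE_LINUX="..." line of
# FILE, keeping whatever is already there and doing nothing if PARAMS is present.
set_grub_cmdline() {
    file=$1; params=$2
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file")
    case " $current " in
        *" $params "*) return 0 ;;                   # already configured
    esac
    new="${current:+$current }$params"
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # GNU sed -i; the | delimiter keeps the slashes in /dev/mapper/... out of the way
        sed -i "s|^GRUB_CMDLINE_LINUX=\".*\"\$|GRUB_CMDLINE_LINUX=\"$new\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$file"
    fi
}

# Typical use from the chroot during the install (not run here):
#   params=$(luks_kernel_params encrypt "$(blkid -s UUID -o value /dev/vda3)" root)
#   set_grub_cmdline /etc/default/grub "$params"
#   grub-mkconfig -o /boot/grub/grub.cfg
```

Re-running set_grub_cmdline with the same parameters is a no-op, so it is safe to call again after editing the file by hand; GRUB_CMDLINE_LINUX_DEFAULT is left alone because those parameters only apply to the default menu entry.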