This article focuses on how to set up encryption on Arch Linux using dm-crypt, which is the standard device-mapper encryption functionality provided by the Linux kernel.
This section introduces common scenarios to employ dm-crypt to encrypt a system or individual filesystem mount points. The scenarios cross-link to the other subpages where needed. It is meant as starting point to familiarize with different practical encryption procedures.
See Dm-crypt/Encrypting an Entire System if you want to encrypt an entire system, in particular a root partition. Several scenarios are covered, including the use of dm-crypt with the LUKS extension, plain mode encryption and encryption and LVM.
USB key unlocking
- How to store the unlock key on a USB drive
- Storing the keyfile between MBR and 1st partition to make it invisible - added level of security through obscurity
- Necessary UDEV rule and initramfs modification to make it work.
Swap device encryption
A swap partition may be added to an encrypted system, if required. The swap partition must be encrypted as well to protect any data swapped out by the system. This part details methods without and with suspend-to-disk support.
This part deals with special operations like securing the unencrypted boot partition, using GPG or OpenSSL encrypted keyfiles, a method to boot and unlock via the network, or setting up discard/TRIM for a SSD.