This article focuses on how to set up full system encryption on Arch Linux, using dm-crypt with LUKS.
dm-crypt is the standard device-mapper encryption functionality provided by the Linux kernel. It can be used directly by those who like to have full control over all aspects of partition and key management.
For more details on how dm-crypt+LUKS compares to other disk encryption solution, see Disk Encryption#Comparison table.
The installation of a LUKS-encrypted system is largely the same as installing an unencrypted system. Routine creation of an encrypted system follows these general steps:
- Preparation of the drive(s) where the system will be installed
- Creation of the needed encryption layers
- Configuration of the system to handle the encryption
- Installation of the system following the Installation Guide or the Beginners' Guide
Note that the Arch installation media comes with all the tools required for system encryption.
This section introduces common scenarios to employ dm-crypt to encrypt a system or individual filesystem mount points. The scenarios cross-link to the other subpages where needed. It is meant as starting point to familiarize with different practical encryption procedures.
See Dm-crypt/Encrypting an Entire System if you want to encrypt an entire system, in particular a root partition. Several scenarios are covered, including the use of dm-crypt with the LUKS extension, plain mode encryption and encryption and LVM.
Swap device encryption
A swap partition may be added to an encrypted system, if required. The swap partition must be encrypted as well to protect any data swapped out by the system. This part details methods without and with suspend-to-disk support.
This part deals with special operations like securing the unencrypted boot partition, using GPG or OpenSSL encrypted keyfiles, a method to boot and unlock via the network, or setting up discard/TRIM for a SSD.