This article focuses on how to set up encryption on Arch Linux using dm-crypt, which is the standard device-mapper encryption functionality provided by the Linux kernel.
Also be aware that encrypting a system might not only make the life of laptop thieves more miserable, but also yours if you don't plan ahead on:
- how to make secure backups of the encrypted system/-setup/data and
- how to access the encrypted system manually for maintenance.
The installation of a LUKS-encrypted system is largely the same as installing an unencrypted system. Routine creation of an encrypted system follows these general steps:
- Preparation of the drive(s) where the system will be installed
- Creation of the needed encryption layers
- Configuration of the system to handle the encryption
- Installation of the system following the Installation Guide or the Beginners' Guide
Note that the Arch installation media comes with all the tools required for system encryption.
This section introduces common scenarios to employ dm-crypt to encrypt a system or individual filesystem mount points. The scenarios cross-link to the other subpages where needed. It is meant as starting point to familiarize with different practical encryption procedures.
See Dm-crypt/Encrypting an Entire System if you want to encrypt an entire system, in particular a root partition. Several scenarios are covered, including the use of dm-crypt with the LUKS extension, plain mode encryption and encryption and LVM.
Swap device encryption
A swap partition may be added to an encrypted system, if required. The swap partition must be encrypted as well to protect any data swapped out by the system. This part details methods without and with suspend-to-disk support.
This part deals with special operations like securing the unencrypted boot partition, using GPG or OpenSSL encrypted keyfiles, a method to boot and unlock via the network, or setting up discard/TRIM for a SSD.