dmcrypt cheat sheet

Cheat sheet of some dm-crypt commands and configs that I seem to use somewhat frequently.

Encrypted data partition

Create new encrypted partition

This assumes the partition /dev/sdaX already exists and is empty (no file system). If the partition will be decrypted by GRUB (should not be the case with data partitions): use luks1 as long as GRUB luks2 support is limited:

cryptsetup -y -v luksFormat --type luks1 /dev/sdaX
cryptsetup open /dev/sdaX cryptdata
mkfs.ext4 /dev/mapper/cryptdata

Add a decryption key to a partition

Generate a random key file:

dd bs=512 count=4 if=/dev/random of=/path/to/keyfile iflag=fullblock

Add a key file to an encrypted partition:

cryptsetup luksAddKey /dev/sdaX /path/to/keyfile

Or, add a password:

cryptsetup luksAddKey /dev/sdaX

Automatically decrypt and mount an encrypted partition

Add an entry to /etc/crypttab to automatically decrypt a non-root partition:

cryptdata /dev/sdaX /path/to/keyfile

Add an entry to /etc/fstab to automatically mount the decrypted partition (/etc/crypttab is processed before /etc/fstab, so the mapper device exists by the time fstab is mounted):

# /dev/mapper/cryptdata LABEL=data
UUID=<UUID> /media/data ext4 rw,relatime 0 2

Add an encrypted root partition when setting up Arch Linux

The steps below only contain the additional steps that are required to add an encrypted root partition during Arch Linux installation. For a full list of steps see https://wiki.archlinux.org/title/Installation_guide.

Create and mount root partition during Arch installation

During partition creation: instead of creating the unencrypted root partition that Arch will be installed on (/mnt), create an encrypted partition in its place, open it, create the file system on the decrypted mapper device, and mount that device at the expected path (/mnt). If the partition will later be decrypted by GRUB: use luks1 as long as GRUB luks2 support is limited:

cryptsetup -y -v luksFormat --type luks1 /dev/sdaX
cryptsetup open /dev/sdaX cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

Configure mkinitcpio

An encrypted root partition requires the automatically generated initramfs image to be recreated with additional hooks, so that the initramfs can prompt for the passphrase and open the LUKS container before mounting root. Add the keyboard, keymap, and encrypt hooks to /etc/mkinitcpio.conf:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

Then recreate the initramfs image:

mkinitcpio -P

Add kernel parameters to the bootloader

Kernel parameters to be added:

cryptdevice=UUID=<UUID>:cryptroot root=/dev/mapper/cryptroot

In case of GRUB: add those kernel parameters to the GRUB_CMDLINE_LINUX* lines in /etc/default/grub, e.g. as:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=<UUID>:cryptroot root=/dev/mapper/cryptroot"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<UUID>:cryptroot root=/dev/mapper/cryptroot"

And then generate /boot/grub/grub.cfg:

grub-mkconfig -o /boot/grub/grub.cfg
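As an added example (not part of the original cheat sheet), a small POSIX sh script that checks the two files edited above for the slips that leave the system stuck at boot: a HOOKS line missing encrypt or listing it after filesystems, and a root= that does not name the mapper device opened by cryptdevice=. The file paths and the UUID are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the encrypted-root
# configuration before rebooting. It runs against copies of
# /etc/mkinitcpio.conf and /etc/default/grub; the files and UUID below are
# constructed sample values.
# Return 0 if the HOOKS line in "$1" lists keyboard, keymap, block, encrypt
# and filesystems, with encrypt placed after block and before filesystems
# (the order the initramfs needs to open the mapper before mounting root).
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1")
    for h in keyboard keymap block encrypt filesystems; do
        case " $hooks " in *" $h "*) ;; *) return 1 ;; esac
    done
    # $hooks is deliberately unquoted: one hook name per line, in file order
    order=$(printf '%s\n' $hooks | grep -n -x -e block -e encrypt -e filesystems \
            | cut -d: -f2 | tr '\n' ' ')
    [ "$order" = "block encrypt filesystems " ]
}

# Return 0 if GRUB_CMDLINE_LINUX_DEFAULT in "$1" carries a cryptdevice=
# parameter and its mapper name is the device named by root=.
cmdline_ok() {
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1")
    name=$(printf '%s\n' "$line" | sed -n 's/.*cryptdevice=[^ :]*:\([^ ]*\).*/\1/p')
    root=$(printf '%s\n' "$line" | sed -n 's/.*root=\([^ ]*\).*/\1/p')
    [ -n "$name" ] && [ "$root" = "/dev/mapper/$name" ]
}

# Constructed samples: one correct pair, one with two common slips
# (encrypt listed after filesystems; root= pointing at the raw partition).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/mkinitcpio.good" <<'EOF'
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
EOF
cat >"$tmp/mkinitcpio.bad" <<'EOF'
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block filesystems encrypt fsck)
EOF
cat >"$tmp/grub.good" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=0000-constructed-uuid:cryptroot root=/dev/mapper/cryptroot"
EOF
cat >"$tmp/grub.bad" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=0000-constructed-uuid:cryptroot root=/dev/sda2"
EOF

for v in good bad; do
    hooks_ok "$tmp/mkinitcpio.$v" && echo "mkinitcpio.$v: hooks OK" || echo "mkinitcpio.$v: hook set/order wrong"
    cmdline_ok "$tmp/grub.$v" && echo "grub.$v: cmdline OK" || echo "grub.$v: cryptdevice/root mismatch"
done
```

To check a real system, point the two functions at /etc/mkinitcpio.conf and /etc/default/grub instead of the constructed files.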

Further reading
