|# OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI.|
|# Note this encrypted installation method, while perfectly correct and highly secure, CANNOT support encrypted /boot and|
|# also CANNOT be subsequently converted to support an encrypted /boot!!! A CLEAN INSTALL will be required!|
|# Therefore, if you want to have an encrypted /boot or will want an encrypted /boot system at some point in the future,|
|# please ONLY follow my encrypted /boot installation guide, which lives here:|
|# My encrypted /boot guide varies in several different, critically important, ways from the correct and secure encrypted|
|# root / and swap installation process I have outlined below.|
|# Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.|
|# External USB HDD/SSD Installers Notes: Encrypted Arch installs can be booted and run from an external USB HDD or SSD, but|
|# only when the installation is correctly set up. There are several necessary changes to my standard procedure you'll want|
|# to make during the install process. Read my External USB HDD/SSD Installation section below before proceeding.|
|# VirtualBox Installers Notes: This installation method can also be used to install Arch Linux as an UEFI-booting|
|# Guest system in VirtualBox. You must have UEFI-booting enabled in VBox's Guest System Settings prior to installation.|
|# I have written a separate guide dedicated to the specifics of achieving an encrypted Arch Linux VirtualBox installation.|
|# My Arch Linux VirtualBox Guest installation guide is available at:|
|# The official Arch installation guide contains details that you should refer to during this installation process.|
|# That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide|
|# Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.|
|# Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example:|
|$ gpg --verify archlinux-2017.01.01-dual.iso.sig|
|gpg: assuming signed data in 'archlinux-2017.01.01-dual.iso'|
|gpg: Signature made Sun 01 Jan 2017 04:06:24 PM UTC|
|gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC|
|gpg: Good signature from "Pierre Schmitz <firstname.lastname@example.org>" [unknown]|
|gpg: WARNING: This key is not certified with a trusted signature!|
|gpg: There is no indication that the signature belongs to the owner.|
|Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC|
|# Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:|
|dd bs=4M if=archlinux-*.iso of=/dev/sdX status=progress oflag=sync|
|# If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode.|
|# Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding.|
|# UEFI-Boot from your USB stick. If your USB stick fails to boot, ensure that Secure Boot is disabled in your UEFI configuration.|
|# Set your keymap only if not you are not using the default English language.|
|# It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs.|
|# Connect to WiFi using:|
|# It is possible to access this guide from within your Arch installation environment using the built-in elinks text browser.|
|# For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'|
|# which should return the URL of my Arch installation guides:|
|# You can then return to your installation terminal using ctrl-alt-f1.|
|# Create and size partitions appropriate to your goals using gdisk.|
|# Carefully Note: Multi-OS booters who have an existing EFI partition on their drive should NOT create a new EFI partition.|
|# Instead, we will append Arch as another OS to your existing EFI partition. See my Multi-OS-Booting Notes, below.|
|# Create the partitions you need:|
|Partition X = 100 MiB EFI partition # Hex code EF00|
|Partition Y = 250 MiB Boot partition # Hex code 8300|
|Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the|
|last sector of your drive. # Hex code 8300.|
|# Review your partitions with 'p'.|
|# Write your gdisk changes with 'w'.|
|# Reboot, if necessary, so the kernel reads your new partition structure.|
|# I strongly recommend you zero-out each of of your new partitions prior to creating filesystems on them. Obviously, multi-OS|
|# booters should NEVER zero-out an existing EFI partition. You can either use the Arch installer's ddrescue or, if you don't|
|# mind not having a progress indicator, it's more efficient to run:|
|cat /dev/zero > /dev/sdXY followed by|
|cat /dev/zero > /dev/sdXZ|
|# Create filesystems for /boot/efi and /boot|
|mkfs.vfat -F 32 /dev/sdXX|
|mkfs.ext2 /dev/sdXY # Note that ext4 or btrfs are also fine choices for your /boot partition.|
|# Encrypt and open your system partition|
|cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sdXZ|
|cryptsetup luksOpen /dev/sdXZ 2016-Global-OpSec-Champion-LyingHillary # (or use any word or phrase you're fond of)|
|# Create encrypted LVM partitions|
|# These steps create a required root partition and an optional partition for swap. Note that using a swap file with BTRFS is|
|# a very poor idea. Swap partitions are not controlled by BTRFS so they work fine. Read the BTRFS ArchWiki before proceeding.|
|# Also note that BTRFS fully supports, detects, and properly configures settings for all modern SSDs, which is the drive type|
|# almost everyone should be running when installing ArchLinux! HDDs are only useful for infrequently accessed data, and|
|# for storing your SSD's critical directories as encrypted backups.|
|# Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions.|
|# The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you. Use your labels consistently, below!|
|vgcreate Arch /dev/mapper/2016-Global-OpSec-Champion-LyingHillary|
|lvcreate -L +512M Arch -n swap|
|lvcreate -l +100%FREE Arch -n root|
|# Create filesystems on your encrypted partitions|
|# Note that Arch Linux fully supports btrfs, and btrfs is also an excellent filesystem choice for your encrypted root.|
|# If you want a btrfs filesystem on your root logical volume, instead of 'mkfs.ext4 /dev/mapper/Arch-root', do this:|
|# If you've created a btrfs root filesystem, do not forget to append 'btrfs-progs' to the pacstrap installation command|
|# we use immediately after correctly mounting our partitions below.|
|# Mount the new system|
|mount /dev/mapper/Arch-root /mnt|
|mount /dev/sdXY /mnt/boot|
|mount /dev/sdXX /mnt/boot/efi|
|# Optional - Edit the Mirrorlist To Optimize Package Download Speeds|
|# Copy one or two mirrors near your physical location to the top of the mirrorlist.|
|# Install your Arch system|
|# This installation command provides a decent set of basic system programs which will also support WiFi when initially|
|# booting into your Arch system. Recommended, yet optional: make and enjoy some fresh java while the following|
|# command completes. Once completed, you'll only be a few minutes away from putting your new system to serious work!|
|pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant|
|# Create and review FSTAB|
|genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.|
|cat /mnt/etc/fstab # Check your fstab carefully, and modify it, if required.|
|# Enter the new system|
|arch-chroot /mnt /bin/bash|
|# Set the system clock|
|ln -s /usr/share/zoneinfo/UTC /etc/localtime # This will harmlessly fail if your system's CMOS clock is already set to UTC.|
|hwclock --systohc --utc|
|# Assign your hostname|
|echo MyHostName > /etc/hostname|
|# Set or update your locale|
|# If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings:|
|a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8|
|b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8|
|# Now run:|
|# Set your root password|
|# Create a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group.|
|useradd -m -G wheel -s /bin/bash MyUserName|
|# Configure mkinitcpio with the correct HOOKS required for your initrd image|
|# Use this HOOKS statement:|
|HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"|
|# Note that recent ArchLinux installation images have shipped with a new version of /etc/mkinitcpio.conf. The|
|# only difference is that the new version uses '(' and ')' instead of dual double quotation marks: ' " " '. Therefore,|
|# the current HOOKS statement should be:|
|HOOKS=(base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck)|
|# You do not need or want 'resume' in your HOOKS statement if you are not using swap.|
|# Generate your initrd image|
|mkinitcpio -p linux|
|# Install and Configure Grub-EFI|
|# The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are|
|# installing dedicated Arch, or multi-OS booting, is:|
|grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux|
|# Edit /etc/default/grub so it includes a statement like this:|
|# Maintaining consistency with the examples provided above, you would use something like:|
|# If you are not using swap, eliminate the 'resume' statement above.|
|# I have also noticed that recent releases of grub2 now offer this new option within /etc/default/grub:|
|# Uncomment to enable booting from LUKS encrypted devices|
|# Note that you do NOT need to enable that cryptodisk statement to boot your LUKS encrypted / and swap ArchLinux system,|
|# assuming you are **NOT** trying to decrypt an encrypted /boot. If you want to encrypt /boot, read my encrypted boot|
|# installation guide, which requires an entirely different, and incompatiable, installation procedure.|
|# Generate Your Final Grub Configuration:|
|grub-mkconfig -o /boot/grub/grub.cfg|
|# Exit Your New Arch System|
|# Unmount all partitions|
|umount -R /mnt|
|# Reboot and Enjoy Your Encrypted Arch Linux System!|
|# After you are satisfied that your Arch system is running well, if you are like most people not running an Arch server,|
|# you'll want a Desktop Environment so you can begin using your new system productively. See my: 'Installing a|
|# Plasma-KDE Desktop Post Arch Install' section below for some ideas and an efficient DE installation process.|
|If you ever get dropped to the EFI Shell prompt when powering up Arch Linux, which I most often notice within|
|VirtualBox when running Arch Linux as UEFI-enabled Guest System, do the following:|
|At the Shell prompt, type the following entries, as indicated (also remember we used --bootloader-id=ArchLinux, above):|
|Hit Enter and now you should see your graphical grub Arch Linux menu. Note my atypical use of backslashes.|
|To prevent being dropped to the EFI Shell prompt in the future, enter your Arch Linux system, become root, and do:|
|# nano /boot/efi/startup.nsh|
|In your startup.nsh file, add these two lines:|
|Save and exit nano. To test that you will no longer be dropped to the EFI Shell prompt, poweroff, not reboot, and fire up|
|your Arch Linux system again.|
|If you simply cannot bear the agony of the EFI Shell's five second wait prior to its loading of startup.nsh, hit any key,|
|except for 'esc', and you should be immediately directed to your (hopefully, beautifully configured) grub graphical|
|Arch Linux boot screen.|
|This solution also works when you have installed Arch Linux as an UEFI-enabled Guest system within VirtualBox.|
|External USB HDD/SSD Encrypted Arch Installation:|
|Almost all of my standard Arch install procedure can be followed without modification when installing Arch to an external device.|
|However, if you already have an encrypted Arch installation on a system HDD/SSD, you must ensure the names assigned to your|
|PV, VG and LVs are different than whatever you used on your system drive's Arch installation. Failure to use different names|
|will cause major udev and therefore, /dev/mapper, assignment problems for you, especially when you try to mount your|
|multiple encrypted Arch drives!|
|Additionally, we don't want to instruct grub to use standard device names as these are very likely to change when using an|
|external USB drive. For example, our external SSD may be assigned /dev/sdc by udev during installation, but when we try to|
|initially boot from it, udev may assign that external SSD to /dev/sdb, resulting in an unbootable system.|
|The solution is to use PARTUUID, as opposed to a standard device name, in the cryptdevice statement in /etc/default/grub.|
|Therefore, instead of using this example from above:|
|Run 'blkid' as root, and find the correct PARTUUID for your external device's encryted partition.|
|N.B.: PARTUUIDs are completely unrelated to UUIDs.|
|Substitute the correct PARTUUID for the standard device name. You should end up with a statement that looks similar to this:|
|Now regardless of the device name assigned by udev to your external drive, the kernel will be able to find the|
|All other parts of my installation procedure should be followed without modification.|
|One Post-Install Recommendation To Optimize the Speed of All Your Future Installs - Rank Your Mirrors, First!|
|It's a very simple procedure, and will save you a lot of downloading time over your Arch Linux lifetime, particularly|
|if you are planning on doing any mass-installs, like gnome, gnome-extra, kde-meta or similar.|
|As root, run:|
|cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak|
|rankmirrors -n 6 /etc/pacman.d/mirrorlist.bak > /etc/pacman.d/mirrorlist|
|That will test all the mirrors and grab the six fastest from your location. It takes a while to complete,|
|so go grab a cup of java.|
|Upon your return, you'll be ready to put pacman to serious work, as it was intended: Crazy Fast!|
|Cheers, and now it is time to Go Rock Your Arch!|
|I UEFI boot and run more than five operating systems from my SSD.|
|All of my OSes UEFI boot from my single, 100 MiB, EFI partition.|
|All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support|
|with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest.|
|My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD.|
|If you multi-boot, ensure you mount Arch's /boot/efi at your existing ESP partition.|
|If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2.|
|In all cases, /boot, /boot/efi, and '/' partitions, at a minimum, are required to be mounted during Arch installation.|
|As an example, an EFI-addicted, multi-OS booter might be doing something like:|
|mount /dev/mapper/Arch-root /mnt|
|mount /dev/sda17 /mnt/boot|
|mount /dev/sda2 /mnt/boot/efi|
|In this example, the user is likely to be using /dev/sda18 as the physical drive partition where their encrypted|
|Arch root and swap filesystems will reside. Note the user's re-use of their existing EFI partition which resides|
|Adapt, as necessary, for your drive's partition structure.|
|Following successful Arch system installation, the path to your Arch-EFI boot file should be:|
|When you are multi-OS booting correctly, you should have one directory per operating system, each residing at:|
|BitLocker Users on Windows Notes:|
|If you are running hardware-based BitLocker encryption on Windows, I recommend you Turn Off BitLocker encryption prior to|
|installing Arch, or any other operating system.|
|As I don't use software-based BitLocker, I cannot say whether leaving it enabled during Arch installation will cause problems.|
|Obviously, if you experience issues, you could turn BitLocker off temporarily.|
|You can tell if you are using AES-256 bit hardware-based BitLocker encryption when you run from within PowerShell,|
|as an Administrator:|
|PS C:\WINDOWS\system32> manage-bde -status|
|You see this line:|
|Encryption Method: Hardware Encryption - 188.8.131.52.16184.108.40.206|
|Also note that hardware-based BitLocker can either encrypt, or decrypt, a multi-hundred GiB drive in less than 3 seconds.|
|You can re-enable BitLocker after your new encrypted Arch system is UEFI booting correctly and running smoothly.|
|Installing a Plasma-KDE Desktop Post Arch Install|
|After you have rebooted into your new Arch system, and are satisfied that every aspect of your system is running correctly,|
|if you're like most people not running an Arch server, you will likely want to install a desktop so you can utilize your new|
|Arch system productively.|
|Your choice of desktop environment is entirely up to you. Personally, I have tried them all. It is my opinion that if|
|you are running a modern, reasonably powered PC or laptop you are doing yourself a significant disservice by running any|
|of the 'lightweight desktops.' I also think the Gnome DE is best suited for children, or unskilled users. Keep in mind|
|that you can install multiple desktops, and then choose which one to fire up at each login, but that is beyond the scope|
|of this guide.|
|I prefer the Plasma5-KDE environment over all the others. If you would like to efficiently install a full Plasma5-KDE|
|environment, do the following, in this order:|
|# Log in as root, and not as a user|
|# Fully update your Arch system:|
|pacman -Syu # If a new kernel becomes available and is now installed, reboot, before proceeding.|
|# If you don't have network connectivity in your Arch system, run:|
|systemctl start dhcpcd <ethernet or wlan interface name>|
|# Now that you have an updated system, do:|
|pacman -S linux-headers|
|pacman -S dkms # This will automatically rebuild your kernel modules as new upstream kernels are released.|
|pacman -S xorg # This will install a mandatory X server.|
|pacman -S xorg-apps|
|# Log in as root, and not as a user, and do:|
|pacman -S plasma-meta # This large package set will also provide us with sddm, the recommended Plasma5 login manager.|
|systemctl enable sddm|
|systemctl enable NetworkManager # After your next reboot you will have full, correct, networking support from boot.|
|pacman -S kde-applications-meta|
|pacman -S xdg-user-dirs|
|# If you want full (US English) spelling support for all of your applications, do:|
|pacman -S hunspell-en_US hyphen-en libmythes mythes-en aspell-en|
|# Everyone has their own font preferences, but I agree with Arch's initial ttf-font recommendations because they look great!:|
|pacman -S ttf-dejavu ttf-liberation|
|# Log in to sddm's GUI as your user|
|# Your first stop is System Settings. Tweak 'all the things' into full compliance with 'your way.'|
|# Go ROCK your fully enabled Plasma DE, and your properly encrypted Arch Linux system!!!|
Yes - I have seen that same warning during installation. If you do a search on that warning, you will see that plenty of others have seen it also.
Despite that warning, you should see at least these lines during installation:
This output indicates that grub found your kernel, and since we need to mount encrypted Logical Volumes at boot, the kernel's mandatory initramfs.
Note that I have never seen that warning following installation. In other words, once you enter your installed Arch Linux system and run:
you should not see any lvmetad warning(s).
I am not certain of the precise cause of the lvmetad warning during the installation process. My best guess is that the lvmetad warning arises as a direct result of the inherent limitations of the chroot environment we used during installation, which explains why we only see the warning during installation. It is much less likely the warning is being driven by a bug in udev, grub, or lvm.
The manual for lvmetad is at: https://linux.die.net/man/8/lvmetad if you are interested.
However, since this a only a warning, and not an error, and the warning does not carry over to the properly installed system, I recommend not altering anything in your /etc/lvm/lvm.conf file.
Thank you for your feedback, Xel.
You're obviously very knowledgable about this, HardenedArray. Would you mind taking a quick glance at the following configuration? It is based partially on your work above, which was a great help.
It's obviously beyond the scope of this guide to troubleshoot individual use cases. That, of course, is the reason the forums exist.
However, I did take a very quick look at your setup, and I did not notice any glaring errors. I also noted that you have updated your reddit, and stated that your customization works.
That's obviously a good thing, and I am glad you found my guide useful as a framework to support your desired outcome.
If you believe your approach would be helpful to others in pursuit of a similar outcome, please consider creating your own Gist.
Thank you for your comments.
Thank you for your polite follow-up and confirmation. Demonstrating proper etiquette never goes unnoticed, and is always appreciated.
In case you are interested, I've written a similar guide dedicated to the specifics of installing encrypted Arch within VirtualBox. That procedure also demonstrates how to properly install a fully enabled Plasma5/KDE system on top of Arch in VBox.
My encrypted Arch Guest VBox installation guide resides at:
If you follow my Arch Guest VBox installation procedure, you will find the lvmetad warning also occurs within the VBox Arch installation environment after running grub-mkconfig. As we also observe on Arch bare metal installs, the lvmetad warning only appears during initial base system installation. This fact adds more evidence to my belief that this warning is solely driven by the arch-chroot environment we use during initial base system installation.
As a final thought which applies to a much wider audience than just you, Xel, if you keep your important data continuously backed up, and encrypted, to at least two physically separate locations, and practice installing Arch Linux (VBox is ideal for this), you'll be much better prepared than most to quickly and seamlessly recover your entire computing life when some type of data-threatening disaster inevitably strikes.
There are only two types of hard drives in this world: those that have failed, and those that have not, yet. Another way to think about the same quite common problem of people ranting about unexpectedly and instantly losing access to most, or all, of their digital lives:
Be prepared, or be prepared to get hurt very badly!
Cheers and best of luck Xel,
Thank you very much indeed for this superb document. I was able to get my Dell Precision M7510 dual booting successfully on the first attempt based on the instructions here. My only deviation from the above was to use LUKS on LVM so that I could use both NVME and SSD disks in one volume. A massive time saver!
Hi oldlance and manadart,
I am pleased to learn that each of you found my guide useful. I've personally used both old ThinkPad and Dell laptops for years and I hope each of your machines deliver the same wonderful user experiences I was able to enjoy.
This follow-up is for you and others interested in understanding the lvmetad warning discussed above.
I was able to track down the definitive cause behind the lvmetad warning we only see within our chrooted Arch installation environment.
This lvmetad warning is generated solely due to the fact that /run is not available in a chroot environment. Obviously /run again becomes available once we exit chroot and boot into Arch. This explains why we never see the lvmetad warning when running our operating system normally and subsequently updating our Grub2 configuration.
This issue is documented within the ArchWiki covering Grub, which can be directly accessed here:
Thanks again Xel for initiating the discussion of this topic.
Thank you for your compliment!
Personally, I have never experienced an issue with unacceptably slow pacstrap download speeds. Of course, package download speeds vary widely between individuals, and are dependent on a large number of factors.
That being said, it makes sense for every Arch installer and user to employ a pacman mirrorlist file optimized for their location.
Therefore, I have added a step entitled 'Optional - Edit the Mirrorlist To Optimize Package Download Speeds' prior to running the pacstrap download and installation command.
Thank you for your feedback tjcim.
After I enter the command
The following error message appears upon
I've tried to research the matter online, but so far, my google-fu has proven unsuccessful.
Would you perhaps have any suggestions so that I might continue following your guide where I left off?
If you're gonna do an ecrypted installation, don't you want to encrypt as much as possible? So, why a separate partition for /boot? You already created an ESP partition, so it might be a good decision to keep /boot (where kernel images, initramfs images (maybe with embedded encryption keys), grub settings reside) on encrypted LVM, and mount your ESP into /boot/efi.
As I mentioned earlier, it is beyond the scope of this guide to provide individual user support. However, the cryptsetup commands I've published above are correct, and do work properly when followed with precision.
Since it seems you got stuck at the beginning of the process, I would suggest re-creating a complete set of new partitions, rebooting if advised to do so. then zero-out each new partition and finally use cryptsetup to encrypt your intended system partition.
Best of luck,
Thank you for your input concerning also achieving an encrypted /boot during installation.
While I continue to believe there is not a whole lot of 'actionable intelligence' a sophisticated attacker could gain by perusing the contents of an unencrypted /boot, for those users who face intense, invasive, potential security threats, adding an additional layer of security does make sense.
I spent quite a few hours with a Senior Arch Developer discussing the entire gamut of issues involved with encrypted /boot.
Following these discussions, and after testing on both Arch VMs and production rigs, we know this encrypted /boot procedure works.
Therefore, I have included an optional sub-procedure in all my Arch installation guides to address the needs of those who desire to have the additional layer of security provided by correctly configuring and installing an encrypted /boot.
First of all, I'd like to extend my appreciation for this guide. Really!
I have Arch as the single OS and this time around went the extra mile and tried to encrypt /boot, as per your guide.
The system still boots successfully, though.
Using systemctl status for the systemd-cryptosetup service, I'm presented with the following:
ls - l /dev/disk/by-uuid/MY-BOOT-UUID returns my boot partition successfully.
It looks like I'm missing something, but still haven't figured out what.
Thanks a lot in advance
Update: It seems that the LUKS partitions are being setup without the passphrase. Any password/empty will allow me to boot. I've gone the steps quite a few times and so far haven't figured out what went wrong.
Thank you very much for your kind words and important feedback!
Yes, I saw the exact same error set you pasted above. It took me many hours of deep dives into many Archwikis to figure out why the /boot encryption was failing. The senior Arch dev I had been working with on support for encrypted /boot has largely disappeared of late, so finding the solution was all on me!
It turns out there are two major issues occurring, and they involve Grub and how we use LUKS to encrypt our root /, swap and /boot filesystems.
I have come to learn that Grub ONLY supports decrypting an encrypted /boot if the root / filesystem is initially encrypted using LUKS Type 1 encryption, whereas the default encryption used by LUKS is Type 2, which IS EXACTLY why both of our encrypted /boots failed to properly encrypt or decrypt /boot.
So others are not led astray, I have removed the Optional Encrypted /Boot section from all of my guides. As you can also see, I have changed the opening paragraphs of this guide, above.
I have created a new dedicated encrypted /boot installation guide, which I now have working properly on two laptops.
That new, and correct, encrypted /boot installation guide lives here:
I have also warned installers, above, that it is NOT POSSIBLE to convert an existing system with encrypted root / and swap into an encrypted /boot system!!
Sorry to tell you this, exah-io, but that statement also applies to you!! A clean install will be necessary if you want a properly working encrypted /boot system!
As always, NEVER INSTALL ARCH on a production rig without first VERIFYING you have clean, compressed. encrypted, and RESTORABLE backups, PRIOR TO PROCEEDING!!! I ONLY use duplicity from my terminal to ensure my backups are done correctly.
If you don't have time for a clean install at the moment, let me at least show you how to get back to a secure encrypted / and swap system:
Become root, then:
Comment out your FILES statement and save it, then:
mkinitcpio -P linux
Now, re-run grub:
grub-mkconfig -o /boot/grub/grub.cfg
And you will back to booting from a secure encrypted / and swap system.
Feel free to leave me additional feedback either here, or under the Comments for my new encrypted /boot guide!