Hi, guys.
Thanks to this guide and Arch Wiki I was able to move my existing Arch installation to an encrypted SSD.
```
parted /dev/sdX
```
To create a new EFI System Partition, use the following commands (a size of 512MiB is suggested):
```
(parted) mkpart ESP fat32 1MiB 513MiB
(parted) set 1 boot on
```
The remaining partition scheme is entirely up to you. For one other partition using 100% of remaining space:
```
(parted) mkpart primary ext4 513MiB 100%
```
Encrypt the whole partition with our encryption algorithm of choice:
```
cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y luksFormat /dev/sdX2
```
- `-c` specifies the algorithm (here AES with XTS)
- `-s` specifies the length of the encryption key (XTS uses two keys, therefore the key size here is 256)
- `-h` specifies the hashing algorithm
- `-i` specifies the number of milliseconds to spend with PBKDF2 passphrase processing (our hashing algorithm is stronger than sha1, thus this number should be higher than the default 1000)
- `-y` asks for the passphrase two times (as confirmation)
To check if everything went right, we can dump the header information of the new encrypted partition with
```
cryptsetup luksDump /dev/sdX2
```
Open the encrypted partition to start setting up the LVM with
```
cryptsetup luksOpen /dev/sdX2 crypt
```
which will make the new partition available as /dev/mapper/crypt.
Initialize the physical volume and create a volume group:
```
lvm pvcreate /dev/mapper/crypt
lvm vgcreate lvmpool /dev/mapper/crypt
```
Create root (/) logical volume
```
lvm lvcreate -L 20GB -n root lvmpool
```
Create /home logical volume
```
lvm lvcreate -l 100%FREE -n home lvmpool
```
In Step 1 we already made sdX1 the ESP (EFI) partition, so I just cloned my old boot partition to it
```
dd if=/dev/sda1 of=/dev/sdX1
```
Then format and mount the root and home volumes
```
mkfs.ext4 /dev/mapper/lvmpool-root
mkfs.ext4 /dev/mapper/lvmpool-home
mount /dev/mapper/lvmpool-root /mnt
mount /dev/mapper/lvmpool-home /mnt/home
```
Mount the cloned boot partition as well
```
mount /dev/sdX1 /mnt/boot
```
I was using rsync to copy files from old disk
```
# Trailing slashes copy the contents of /home into /mnt/home
# (without them rsync creates /mnt/home/home)
rsync -axX /home/ /mnt/home/
rsync -axX / /mnt
```
# Step 5: Setting up bootloader and editing fstab
Since I cloned my old boot partition I don't have to install it again
You have to edit /mnt/boot/loader/entries/arch.conf
```
$ cat arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=e99fc375-b62d-4f45-8fd0-baf2370309d3:luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 root=/dev/mapper/lvmpool-root rw
```
The format is `cryptdevice=UUID=<UUID>:<dmname>`
To find out the right UUID and dmname you can use the `lsblk -f` command
```
NAME                                          FSTYPE      LABEL UUID                                   MOUNTPOINT
sda
├─sda1                                        vfat              EFEA-0192                              /boot
└─sda2                                        crypto_LUKS       e99fc375-b62d-4f45-8fd0-baf2370309d3
  └─luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 LVM2_member       KNPfie-1mhh-eRZs-okZ0-CycS-kBsC-08Osxf
    ├─lvmpool-root                            ext4              0020cff6-d95a-4afd-921d-5c7faac83a4c   /
    └─lvmpool-home                            ext4              b202f5f3-eb1d-4f0a-ba75-bb56af91a2cd   /home
```
In my case UUID = e99fc375-b62d-4f45-8fd0-baf2370309d3 and dmname = luks-e99fc375-b62d-4f45-8fd0-baf2370309d3
You have to make a new fstab file with
```
genfstab -U -p /mnt >> /mnt/etc/fstab
```
It should look like this; make sure each UUID is the same as in `lsblk -f`
```
# /dev/sda1
UUID=EFEA-0192 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
# /dev/mapper/lvmpool-root
UUID=0020cff6-d95a-4afd-921d-5c7faac83a4c / ext4 rw,relatime,data=ordered 0 1
# /dev/mapper/lvmpool-home
UUID=b202f5f3-eb1d-4f0a-ba75-bb56af91a2cd /home ext4 rw,relatime,data=ordered 0 2
```
# Step 6: Configuration
```
arch-chroot /mnt
```
Before generating the ramdisk, we have to add the appropriate hooks to the /etc/mkinitcpio.conf
```
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck"
```
```
mkinitcpio -p linux
```
EDIT: Delete /etc/machine-id so that a new, unique one will be regenerated on boot
Unmount all and reboot
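
The UUID check that Step 5 asks for, as an added example that is not part of the original post: it compares the `cryptdevice=` UUID and every fstab `UUID=` line against saved `lsblk -P -o FSTYPE,UUID` output and reports stale entries, such as old lines left behind when `genfstab ... >>` appends to an fstab that rsync copied from the old disk. The function names and the stale UUID in the sample fstab are constructed for illustration; the other values are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Input files are a loader entry,
# an fstab, and the saved output of: lsblk -P -o FSTYPE,UUID

# UUID named in cryptdevice=UUID=<UUID>:<dmname> of a loader entry
entry_luks_uuid() {
    sed -n 's/^options.*cryptdevice=UUID=\([^: ]*\):.*/\1/p' "$1"
}

# UUIDs in lsblk file $1 whose FSTYPE equals $2 (empty $2 = any type)
uuids_of_type() {
    awk -F'"' -v t="$2" '(t == "" || $2 == t) && $4 != "" { print $4 }' "$1"
}

# Succeeds only if the entry's cryptdevice UUID belongs to a crypto_LUKS device
check_entry() {
    _u=$(entry_luks_uuid "$1")
    [ -n "$_u" ] && uuids_of_type "$2" crypto_LUKS | grep -qxF -- "$_u"
}

# Prints every UUID= from fstab $1 that no block device in $2 carries
stale_fstab_uuids() {
    sed -n 's/^UUID=\([^[:space:]]*\).*/\1/p' "$1" | while read -r _f; do
        uuids_of_type "$2" "" | grep -qxF -- "$_f" || echo "$_f"
    done
}

# Constructed sample data; the last fstab line is a deliberately stale UUID.
d=$(mktemp -d)
cat > "$d/lsblk" <<'EOF'
FSTYPE="" UUID=""
FSTYPE="vfat" UUID="EFEA-0192"
FSTYPE="crypto_LUKS" UUID="e99fc375-b62d-4f45-8fd0-baf2370309d3"
FSTYPE="LVM2_member" UUID="KNPfie-1mhh-eRZs-okZ0-CycS-kBsC-08Osxf"
FSTYPE="ext4" UUID="0020cff6-d95a-4afd-921d-5c7faac83a4c"
FSTYPE="ext4" UUID="b202f5f3-eb1d-4f0a-ba75-bb56af91a2cd"
EOF
cat > "$d/arch.conf" <<'EOF'
title Arch Linux
options cryptdevice=UUID=e99fc375-b62d-4f45-8fd0-baf2370309d3:luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 root=/dev/mapper/lvmpool-root rw
EOF
cat > "$d/fstab" <<'EOF'
UUID=EFEA-0192 /boot vfat rw 0 2
UUID=0020cff6-d95a-4afd-921d-5c7faac83a4c / ext4 rw 0 1
UUID=11111111-2222-3333-4444-555555555555 /home ext4 rw 0 2
EOF

check_entry "$d/arch.conf" "$d/lsblk" && echo "cryptdevice UUID: ok"
echo "stale fstab UUIDs: $(stale_fstab_uuids "$d/fstab" "$d/lsblk")"
```

On the real system, run it from the live environment before unmounting, with the files taken from /mnt/boot/loader/entries/arch.conf and /mnt/etc/fstab.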