Using lsblk -f /dev/nvme0n1
, identify the partition used for the root filesystem. This should present as a btrfs file system with the label fedora
. In the example below, /dev/nvme0n1p6
is the Fedora root filesystem that will be encrypted in place:
[root@fedora ~]# lsblk -f /dev/nvme0n1
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 apfs 4ccf344c-1842-4ed2-98f7-d34a509f5a88
├─nvme0n1p2 apfs dbb4789e-c51d-46bf-8332-90a43b4e4fa7
├─nvme0n1p3 apfs b98ec259-629b-4aee-9f26-02c5098abcee
├─nvme0n1p4 vfat FAT32 EFI-FEDORA B01E-2641 419.8M 16% /run/.system-efi
├─nvme0n1p5 ext4 1.0 BOOT 5b094e58-d15f-4be2-85ff-147859c7b118
├─nvme0n1p6 btrfs fedora dd08a2bf-ae63-44e1-881d-fbb8928af4fb
└─nvme0n1p7 apfs b465c845-eaef-4bcb-aac9-865c42260844
Shrink the btrfs filesystem to make room for the LUKS header. The recommended minimum is 32 MiB, twice the size of a default LUKS2 header. The filesystem must shrink by at least the value you later pass to --reduce-device-size, otherwise the tail of the filesystem is overwritten when the device is reduced:
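# Shrink the btrfs filesystem by the same amount that cryptsetup will later
# take with --reduce-device-size (32 MiB). The shrink has to succeed before
# reencrypting: if the filesystem is still full size when the device is
# reduced, the tail of the filesystem is lost. The partition is unmounted
# again either way, since cryptsetup needs it offline.
if mount /dev/nvme0n1p6 /mnt; then
  btrfs filesystem resize -32M /mnt \
    || printf 'btrfs resize failed -- do NOT run cryptsetup reencrypt\n' >&2
  umount /mnt
fi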
LUKS-encrypt the root filesystem partition in place. This rewrites every sector of the partition (note the "925 GiB written" below): the data survives only if the operation completes, so take a backup first and make sure the partition is not mounted. LUKS2 reencryption can be resumed after an interruption (see --resume-only in cryptsetup-reencrypt(8)), but a backup is still the only safe fallback. Also be aware that on flash storage the previously written plaintext may survive in retired or spare blocks that an in-place rewrite never touches; only a disk that was encrypted from the start gives a clean guarantee.
# Offline, in-place encryption of the root partition, which must be unmounted.
# --reduce-device-size has to match the amount the filesystem was shrunk by:
# the data is shifted forward by that much to make room for the LUKS2 header
# at the start of the device. You are asked to confirm with YES and to enter
# the new passphrase twice.
root_dev=/dev/nvme0n1p6
cryptsetup reencrypt --encrypt --reduce-device-size 32M "$root_dev"
You must confirm with YES
and then enter your disk passphrase twice. The output should look like this:
[root@fedora ~]# cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6
WARNING!
========
This will overwrite data on LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new:
Verify passphrase:
Finished, time 14m10s, 925 GiB written, speed 1.1 GiB/s
Open the LUKS encrypted partition and check the mapping:
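# Open the new container as /dev/mapper/fedora and show its state.
cryptsetup open /dev/nvme0n1p6 fedora \
  && cryptsetup status fedora

# Back up the LUKS2 header while the container is known-good. The header holds
# the key slots: if it is damaged (bad sectors, a stray write during a later
# repartition) the data is unrecoverable without this copy. Keep the file off
# this machine and readable only by root; together with a passphrase it
# unlocks the data, and a stale copy still accepts any passphrase it contains
# even after that passphrase has been changed on the device.
header_backup=/root/luks-header-nvme0n1p6.img
cryptsetup luksHeaderBackup /dev/nvme0n1p6 --header-backup-file "$header_backup" \
  && chmod 0600 "$header_backup"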
Mount root and home filesystems from the btrfs filesystem on the LUKS mapping device:
# The btrfs volume inside the LUKS mapping carries separate root and home
# subvolumes; mount them into /mnt in the layout the installed system expects.
luks_dev=/dev/mapper/fedora
mount -o subvol=root "$luks_dev" /mnt
mount -o subvol=home "$luks_dev" /mnt/home
Mount the boot and EFI filesystems. In the lsblk output above these are the ext4 partition labelled BOOT and the vfat partition labelled EFI-FEDORA, the two partitions immediately preceding the one just encrypted; check the labels rather than relying on the partition numbers:
# The (unencrypted) ext4 partition labelled BOOT and the vfat EFI system
# partition labelled EFI-FEDORA from the lsblk listing; /boot must be mounted
# before /boot/efi.
mount /dev/nvme0n1p5 /mnt/boot
mount /dev/nvme0n1p4 /mnt/boot/efi
Store the LUKS UUID in a variable for later use.
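# Record the container UUID for crypttab and the kernel command line. The
# assignment is kept apart from `export` so a failing cryptsetup is not masked
# by the export's exit status, and an empty value is flagged now rather than
# ending up as a broken "UUID=" entry that leaves the system unbootable.
LUKS_UUID=$(cryptsetup luksUUID /dev/nvme0n1p6)
if [[ -z "$LUKS_UUID" ]]; then
  printf 'could not read the LUKS UUID of /dev/nvme0n1p6\n' >&2
fi
export LUKS_UUID
printf 'LUKS_UUID=%s\n' "$LUKS_UUID"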
Enter the chroot to update crypttab, the GRUB configuration and the initramfs:
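# arch-chroot (provided by the arch-install-scripts package) sets up the API
# filesystems (/proc, /sys, /dev) inside the target before chrooting, which the
# grub2-mkconfig and dracut steps below need. The rest of this guide relies on
# it passing the caller's environment through, so the exported LUKS_UUID is
# visible inside the chroot -- verify with `echo "$LUKS_UUID"` once inside.
command -v arch-chroot >/dev/null \
  || printf 'arch-chroot not found: install arch-install-scripts\n' >&2
arch-chroot /mnt /bin/bash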
Update crypttab
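# Append a crypttab line for NAME / UUID unless an identical line already
# exists, so rerunning this step never produces duplicate entries. FILE
# defaults to /etc/crypttab and is made root-only. An empty UUID is refused
# because a "UUID=" entry would break early boot.
add_crypttab_entry() {
  local name=$1 uuid=$2 file=${3:-/etc/crypttab}
  local entry="${name} UUID=${uuid} none"
  if [[ -z "$uuid" ]]; then
    printf 'add_crypttab_entry: empty UUID for %s\n' "$name" >&2
    return 1
  fi
  touch -- "$file"
  chmod 0600 "$file"
  grep -qxF -- "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
}

add_crypttab_entry fedora "${LUKS_UUID:-}" && cat /etc/crypttab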
Update /etc/default/grub, appending rd.luks.uuid=<the LUKS UUID recorded above> to the value of GRUB_CMDLINE_LINUX_DEFAULT. Check afterwards that the line really changed: the substitution is silent when that variable is not present in the file, and without the argument the initramfs will not unlock the root device:
perl -i -pe 's/(GRUB_CMDLINE_LINUX_DEFAULT)="(.*)"/$1="$2 rd.luks.uuid='"${LUKS_UUID}"'"/' /etc/default/grub
cat /etc/default/grub
Regenerate the GRUB configuration and rebuild the initramfs for the newest installed kernel:
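grub2-mkconfig -o /boot/grub2/grub.cfg

# Print the newest installed kernel version whose name contains "arch" (the
# same filter as the original `grep 'arch'`, presumably matching the aarch64
# kernels on this machine), selected by globbing DIR (default /lib/modules)
# instead of parsing `ls`. Returns 1 when nothing matches so dracut is never
# run with an empty --kver.
latest_kver() {
  local dir=${1:-/lib/modules}
  local candidates=("$dir"/*arch*)
  if [[ ! -e "${candidates[0]}" ]]; then
    printf 'latest_kver: no *arch* kernel under %s\n' "$dir" >&2
    return 1
  fi
  printf '%s\n' "${candidates[@]##*/}" | sort -V | tail -n 1
}

if kver=$(latest_kver); then
  dracut -f --kver "$kver"
fi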
Exit the chroot, unmount the target (umount -R /mnt) and close the mapping (cryptsetup close fedora), then reboot; you will be prompted for the LUKS passphrase during early boot. Note that /boot and the EFI system partition remain unencrypted, so this setup protects the data at rest but does not protect the kernel and initramfs against offline tampering.
To connect to a wireless network, use the following syntax: nmcli dev wifi connect network-ssid
An actual example: nmcli dev wifi connect your-ssid-here password supersecretpassword. Prefer nmcli --ask dev wifi connect your-ssid-here, which prompts for the password instead of taking it on the command line, where it is recorded in the shell history and visible to other local users via ps.