Since you already have EndeavourOS installed with Btrfs, adding LUKS encryption requires converting your existing setup into an encrypted one. Unfortunately, you can’t directly encrypt an existing partition without reformatting, but you can migrate your system using the following approach:
⚠️ Important:
- Backup your data! This process involves moving data, and any mistake could result in data loss.
- You need a Live USB of EndeavourOS or another Arch-based distro.
- Ensure you have enough free space to create an encrypted container.
Steps to Encrypt Your Existing Btrfs Setup with LUKS
1. Boot into a Live USB
- Boot from an EndeavourOS/Arch Live USB.
- Open a terminal and check your existing partitions:
2. Unlock Your Existing Btrfs Setup
If your root partition is /dev/sdX, mount it:
(Substituting /dev/sdXn with your actual partition)
3. Create a LUKS Encrypted Partition
You’ll need to format and encrypt the current root partition:
4. Create Btrfs Subvolumes
Recreate your Btrfs layout:
5. Restore Your Data
- Mount the encrypted volume:
- Restore your backup (
rsyncorbtrfs send/receiveif you backed up with snapshots).
6. Update Fstab & Initramfs
- Generate
/etc/fstab: - Edit
/etc/mkinitcpio.conf, addingencryptto the hooks: - Rebuild the initramfs:
7. Configure GRUB for LUKS
Edit /etc/default/grub:
Then update GRUB:
8. Reboot into Your Encrypted System
After unmounting and rebooting, you should now be prompted for a LUKS password.
Alternative Approach: Fresh Install
If this process seems too complex, the easiest option is to reinstall EndeavourOS and enable LUKS encryption during installation.
Mr. Arch Brooks, Software Engineer, Brooks Computing Systems, LLC authored this article.