This is a short guide on how to set up full disk encryption on an Arch Linux system so that the root partition can be unlocked remotely over SSH at boot.
It assumes a system installed with the archinstall script, using an encrypted root partition.
I use this setup on my personal server (it works on a Raspberry Pi as well).
If SSH does not work for some reason, you can still enter the passphrase for the root filesystem at the local keyboard.
Otherwise, boot from the archiso and make these changes in a chroot.
This is mostly intended as a reference for future me, but maybe someone else will find it useful.
Setup
Install packages:
sudo pacman -S mkinitcpio-dropbear mkinitcpio-netconf mkinitcpio-utils lvm2
Add the following to the kernel command line (the "options" line) in /boot/loader/entries/XXX_linux.conf:
# unlock this device, name it luksdev
cryptdevice=UUID={PARTITION_UUID}:luksdev:allow-discards
# use luksdev as root
root=/dev/mapper/luksdev
# simple device names
net.ifnames=0
# set static IP address and hostname, no DHCP
ip={IP_ADDRESS}::{IP_GATEWAY}:{IP_MASK(255.255...)}:{HOSTNAME}:eth0:none
Add the hooks to /etc/mkinitcpio.conf (encryptssh replaces the regular encrypt hook, and netconf and dropbear must come before it):
HOOKS=(base udev autodetect keyboard keymap modconf block lvm2 netconf dropbear encryptssh filesystems fsck)
# modules only needed on the Raspberry Pi, usually empty
MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)
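The two pieces of configuration above are easy to get subtly wrong (a hook out of order, the old encrypt hook left in, a field missing in the ip= parameter), and the failure only shows up at the next reboot. The following script is an added example, not part of the original guide: it builds the ip= parameter from its fields and checks a HOOKS line for the ordering the remote unlock needs. It assumes POSIX sh, the systemd-boot entry format, and the hook names provided by mkinitcpio-netconf, mkinitcpio-dropbear and mkinitcpio-utils (netconf, dropbear, encryptssh); the addresses in the demonstration are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check the kernel command
# line and mkinitcpio hooks before rebuilding the initramfs.

# Build the kernel "ip=" parameter for a static address (no DHCP in the initramfs).
# Format: ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
# The <server> field is left empty; autoconf "none" keeps the address static.
build_ip_param() {
    # $1 client IP, $2 gateway, $3 netmask, $4 hostname, $5 interface
    printf 'ip=%s::%s:%s:%s:%s:none' "$1" "$2" "$3" "$4" "$5"
}

# Pull the contents of the HOOKS=(...) array out of a mkinitcpio.conf file.
extract_hooks() {
    sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1"
}

# Succeed only if netconf, dropbear and encryptssh are present in that order and
# before filesystems, and the plain "encrypt" hook (which encryptssh replaces) is
# absent. Any other outcome means the remote unlock will not work at boot.
check_hooks() {
    pos=0 n_netconf=0 n_dropbear=0 n_encryptssh=0 n_filesystems=0 has_encrypt=0
    for h in $1; do
        pos=$((pos + 1))
        case $h in
            netconf)     n_netconf=$pos ;;
            dropbear)    n_dropbear=$pos ;;
            encryptssh)  n_encryptssh=$pos ;;
            filesystems) n_filesystems=$pos ;;
            encrypt)     has_encrypt=1 ;;
        esac
    done
    [ "$n_netconf" -gt 0 ] &&
    [ "$n_dropbear" -gt "$n_netconf" ] &&
    [ "$n_encryptssh" -gt "$n_dropbear" ] &&
    [ "$n_filesystems" -gt "$n_encryptssh" ] &&
    [ "$has_encrypt" -eq 0 ]
}

# Demonstration on constructed input: the guide's own HOOKS line and placeholder addresses.
demo_hooks="base udev autodetect keyboard keymap modconf block lvm2 netconf dropbear encryptssh filesystems fsck"
if check_hooks "$demo_hooks"; then
    echo "HOOKS order ok: $demo_hooks"
else
    echo "HOOKS order wrong: $demo_hooks"
fi
build_ip_param 192.0.2.10 192.0.2.1 255.255.255.0 nas eth0; echo

# On the real system, check the installed file (skipped when it is not present).
if [ -r /etc/mkinitcpio.conf ]; then
    if check_hooks "$(extract_hooks /etc/mkinitcpio.conf)"; then
        echo "/etc/mkinitcpio.conf: remote-unlock hooks look correct"
    else
        echo "/etc/mkinitcpio.conf: netconf/dropbear/encryptssh missing, misordered, or encrypt still present" >&2
    fi
fi
```

Run it once after editing /etc/mkinitcpio.conf and before mkinitcpio; paste the printed ip= line into the loader entry. The check is deliberately strict about the encrypt hook, because keeping both encrypt and encryptssh is the most common way to end up with a system that prompts at the keyboard but never starts dropbear.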
Generate host keys
cd /etc/dropbear
# remove old keys
rm *host_key*
# generate new key
dropbearkey -t rsa -f dropbear_rsa_host_key
# dropbearkey -y also prints a header and the fingerprint, so keep only the key line
dropbearkey -y -f dropbear_rsa_host_key | grep '^ssh-rsa' > dropbear_rsa_host_key.pub
# add the public SSH keys allowed to unlock (root_key is the authorized_keys file of the initramfs dropbear)
echo "ssh-rsa <XXX> you@laptop" >> root_key
echo "ssh-rsa <XXX> you@desktop" >> root_key
Update the initramfs
# -p linux rebuilds the default preset; use -P instead to rebuild every installed preset
sudo mkinitcpio -p linux
Unlock additional drives automatically
Add to /etc/crypttab (the keyfile lives on the encrypted root, so it is only readable once the root has been unlocked; keep it root-owned with mode 0600 and enroll it with cryptsetup luksAddKey):
# name (in /dev/mapper), identifier, keyfile, options
data UUID=1241f46b-b005-4993-a09e-ac858eb4d5fc /etc/key_nasdrive discard
Add to /etc/fstab:
/dev/mapper/data /data ext4 defaults,noatime,discard 0 2
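The crypttab line above only works if the keyfile exists, is unreadable to anyone but root, and has been enrolled in the LUKS header. The script below is an added example, not part of the original guide: it creates such a keyfile with a restrictive umask, and audits every keyfile referenced by a crypttab for existence and mode 0600. It assumes POSIX sh with dd(1) and find(1); the demonstration uses a temporary directory and a constructed crypttab with a placeholder UUID, so it runs unprivileged and touches no real device.

```sh
#!/bin/sh
# Added example (not from the original guide): create and audit the keyfile
# that /etc/crypttab references for an additional encrypted drive.

# Create a 4096-byte random keyfile that is never world-readable, not even
# briefly, by setting umask 077 in a subshell before dd writes it.
# Refuses to overwrite an existing file so an enrolled key is not lost.
make_keyfile() {
    path=$1
    [ -e "$path" ] && { echo "refusing to overwrite $path" >&2; return 1; }
    ( umask 077 && dd if=/dev/urandom of="$path" bs=512 count=8 2>/dev/null )
}

# Succeed only if the keyfile exists, is a regular file and has mode 0600.
# (It should also be root-owned; that check is skipped so the example runs unprivileged.)
check_keyfile() {
    [ -n "$(find "$1" -type f -perm 0600 2>/dev/null)" ]
}

# Walk a crypttab and verify every keyfile it references. Columns are
# name, device, keyfile, options. "none" or "-" means a passphrase prompt,
# so there is nothing to check for that entry.
# Returns non-zero if any referenced keyfile is missing or has loose permissions.
audit_crypttab() {
    bad=0
    while read -r name device keyfile options; do
        case $name in ''|\#*) continue ;; esac
        case $keyfile in ''|none|-) continue ;; esac
        if check_keyfile "$keyfile"; then
            echo "ok: $name -> $keyfile"
        else
            echo "BAD: $name -> $keyfile (missing or not mode 0600)" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Demonstration on constructed input in a temporary directory (placeholder UUID).
tmp=$(mktemp -d)
make_keyfile "$tmp/key_nasdrive"
printf '# name device keyfile options\ndata UUID=00000000-0000-0000-0000-000000000000 %s discard\n' \
    "$tmp/key_nasdrive" > "$tmp/crypttab"
audit_crypttab "$tmp/crypttab" && echo "crypttab audit passed"
rm -rf "$tmp"

# On the real system (as root): create the key, enroll it in the LUKS header of
# the data drive, then audit the live crypttab.
#   make_keyfile /etc/key_nasdrive
#   cryptsetup luksAddKey /dev/disk/by-uuid/<UUID> /etc/key_nasdrive
#   audit_crypttab /etc/crypttab
```

Running audit_crypttab against /etc/crypttab after any change to the keyfiles catches the two mistakes that silently break unattended unlocking at boot: a keyfile that was moved or never created, and one whose mode was loosened, which also leaves the data drive's key readable to every local user.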