Why not encrypt everything, you think. Well why not?
So you want something that plays nice with btrfs. And you don't feel like touching lvm so soon.
dm-crypt/luks on an entire partition, btrfs inside with subvolumes: almost everything is encrypted.
btrfs on partition, systemd-homed for user:
your user home can be encrypted, nothing else is,
eg: wifi passwords in /etc/wpa_supplicant/ or /var/lib/iwd/,
wireguard passwords somewhere in /etc/
cryptsetup luksFormat /dev/nvme0n1p2cryptsetup open /dev/nvme0n1p2 root last arg is the name to be used in /dev/mappermkfs.fat -F 32 /dev/nvme0n1p1mkfs.btrfs /dev/mapper/rootmount -o compress=zstd /dev/mapper/root /mntmkdir /mnt/archbtrfs subvolume create /mnt/arch/@umount /mntmount -o compress=zstd,subvol=arch/@ /dev/mapper/root /mntmkdir /mnt/bootmount /dev/nvme0n1p1 /mnt/boottimedatectl set-ntp trueiwd station wlan0 connect $networkreflector --save /etc/pacman.d/mirrorlist -f 5 -p httpspacstrap /mnt base base-devel linux linux-firmware intel-ucode btrfs-progs zsh zsh-completions iwd git neovim, minimal set of things to work comfortable after rebootgenfstab -U /mnt >> /mnt/etc/fstab, alternatively edit it to use /dev/mapper/rootarch-chroot /mntpasswd/etc/mkinitcpio.conf set HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck), sd-vconsole is optional/etc/crypttab.initramfs with root UUID=..., this will get included in the initramfs so no kernel cmdlines are neededmkinitcpio -p or the foolproof way pacman -S linuxbootctl installecho "default arch\ntimeout 0\nconsole-mode max" > /boot/loader/loader.confroot=/dev/mapper/root is reliable enough since it is mapped from a UUID in our /etc/crypttab.initramfs1title Arch Linux
2linux /vmlinuz-linux
3initrd /intel-ucode.img
4initrd /initramfs-linux.img
5options root=/dev/mapper/root rootflags=compress=zstd:3,ssd,space_cache,subvol=arch/@ quiet rw
The archwiki will at times refer to a boot partition and a efi/esp partition.
UEFI only cares about the bit that is FAT32 and contains efi things it can load: systemd-boot, kernel EFISTUB, grub, ...
Arch cares about the "boot partition" because by default hooks will dump the resulting files into /boot
The lazy way mounts the efi partition at /boot, UEFI things are contained in /boot/EFI,
the disadvantages being you need a bigger EFI partition to hold the kernel and stuff and they're not really protected.
The more involved way is the encrypted boot: grub (only grub supports this) is installed onto the unencrypted EFI partition, where it knows how to decrypt the encrypted boot partition and start the kernel from there. Note this doesn't protect against someone modifying your bootloader.
The correct solution is Secure Boot with your own keys: UEFI firmware verifies the bootloader, the bootloader verifies the kernel, the kernel verifies its drivers. It doesn't matter that the bootloader and the kernel sit out in the open unencrypted, they shouldn't have secrets in them and any attempt to tamper with them would invalidate the signature and break the verification chain.
you can either specify the devices to decrypt in the boot cmdline through the bootloader or as a file which gets built into the initramfs, cmdlines will override all file mounts.
/etc/crypttab is not necessary since the root device (our only one) needs to already be unlocked when it is read.
you can use a luks device to back a systemd-homed home, so you can have a luks in your luks...
alternatively you can back it with a btrfs subvolume in your already encrypted system.