This how-to helps you to install Arch Linux on a Raspberry Pi, using an encrypted root filesystem. You will need to enter the passphrase every time you boot the device. Write speed will be slower, we got around 6-8MB/sec sequential write throughput.

• Linux host computer, we're using Fedora 25 here.
• Raspberry Pi 3.
• SD Card

• The steps in this section were taken from: https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3
• Partition the SD card:

  p1 = 200M    # /boot, set bootable flag, FAT32 (LBA)
  p2 = 4G      # /, Linux
  
  Example fdisk output:
  /dev/mmcblk0p1        2048  411647  409600  200M  c W95 FAT32 (LBA)
  /dev/mmcblk0p2      411648 8800255 8388608    4G 83 Linux

• Create the /boot filesystem.

  mkfs.vfat /dev/mmcblk0p1

• Create an encrypted block device for the / (root) filesystem:

  cryptsetup luksFormat /dev/mmcblk0p2
  
  WARNING!
  ========
  This will overwrite data on /dev/mmcblk0p2 irrevocably.
  
  Are you sure? (Type uppercase yes): YES
  Enter passphrase: 
  Verify passphrase: 

• Open the encrypted block device:

  cryptsetup open /dev/mmcblk0p2 sdroot

• Create an EXT4 filesystem on the encrypted block device:

  mkfs.ext4 /dev/mapper/sdroot

• Mount the /boot and / (root) filesystems:

  cd /mnt
  mkdir boot root
  mount /dev/mmcblk0p1 /mnt/boot
  mount /dev/mapper/sdroot /mnt/root

• Download Arch Linux, and copy it to the SD card.

  wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
  bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C root
  sync
  
  mv root/boot/* boot
  
  umount /mnt/boot
  mount /dev/mmcblk0p1 /mnt/root/boot

The next steps will modify the Arch Linux install on the SD card. So it can use the encrypted root filesystem.

• Install QEMU.

  dnf install qemu

• Enter the chroot:

  cd /mnt/root
  systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
  
  # exit when finished with 'poweroff'

• Log in with root:root or alarm:alarm.
• You might need to configure /etc/resolv.conf manually.

  rm /etc/resolv.conf #symlink
  vi /etc/resolv.conf

• Update Arch Linux:

  pacman -Suy
  poweroff

• Enter the chroot again:

  systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root

• Install LVM and cryptsetup:

  pacman -S lvm2 cryptsetup

• Add lvm2 and encrypt to HOOKS in /etc/mkinitcpio.conf:

  HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"

• Generate a new initramfs, you can find the current kernel version in /usr/lib/modules/:

  mkinitcpio -k 4.9.28-2-ARCH -g /boot/initramfs-linux.img

• Modify the /boot/cmdline.txt file:

  Add:
  root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4
  
  Example:
  root=/dev/mapper/sdroot cryptdevice=/dev/mmcblk0p2:sdroot rootfstype=ext4 rw rootwait console
  =ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_en
  able=0 kgdboc=ttyAMA0,115200 elevator=noop

• Poweroff the chroot and unmount the SD card:

  poweroff
  umount /mnt/root/boot
  umount /mnt/root

Insert the SD card in the Raspberry Pi, power on and configure it!

• Change the default hostname:

  hostnamectl set-hostname archpi

• Configure the time zome:

  timedatectl set-timezone Europe/Amsterdam

• Configure the locale:

  vi /etc/locale.gen
  locale-gen
  localectl set-locale LANG=en_US.UTF-8

• Add, delete users and change passwords.
• Configure WiFi:

  wpa_passphrase SSID PASSPHRASE  > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf

• Prepend the new file with:

  ctrl_interface=/run/wpa_supplicant
  ctrl_interface_group=wheel
  update_config=1
  country=NL

• Modify rights and enable WiFi:

  chmod 600 wpa_supplicant-wlan0.conf
  systemctl enable wpa_supplicant@wlan0
  systemctl enable dhcpcd@wlan0

• Configure time synchronisation:

  pacman -S chrony
  vi /etc/chrony.conf
  systemctl start chrony
  systemctl enable chrony
  chronyc sources

• Configure a firewall:

  pacman -S ufw
  ufw default deny
  ufw allow SSH
  
  ufw enable
  systemctl enable ufw
  ufw status

• Now is a good time to test if everything works after reboot. You need to enter the passphrase during reboot.

• If you want to test from the initramfs shell add break=premount to /boot/cmdline.txt. You can resume booting by exiting the shell.