If your LUKS-encrypted device is an LVM partition that contains all mount points listed in /etc/fstab, you may be asked to enter your passphrase twice during boot: once by GRUB and again by systemd.
To have the system prompt only once, first get the correct device path and UUID with the following commands:
$ eval $(lsblk -nplo NAME,FSTYPE,UUID | awk '$2 == "crypto_LUKS" {print "DEVPATH=" $1 " DEVUUID=" $3}')
$ sudo cryptsetup luksDump $DEVPATH
NOTE: If no output is returned, it's best to stop here and double-check your setup before continuing.
Now create a keyfile:
$ sudo dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
$ sudo chmod 000 /crypto_keyfile.bin
Add the newly created keyfile using the device path from the lsblk command above:
$ sudo cryptsetup luksAddKey $DEVPATH /crypto_keyfile.bin
Create an entry in /etc/crypttab that reflects your mapped device name (replace VolGroup00 with your actual LVM volume group, which you can look up with the vgs command):
$ cat - <<-EOT | sudo tee -a /etc/crypttab
VolGroup00 UUID=$DEVUUID /crypto_keyfile.bin
EOT
Include the keyfile by adding it to the FILES=() array in /etc/mkinitcpio.conf:
FILES=(... /crypto_keyfile.bin ...)
NOTE: Be sure to add encrypt and lvm2 to the HOOKS=() array after block but before filesystems!
Generate a new initial ramdisk environment using the linux preset from the default Arch kernel:
$ sudo mkinitcpio -p linux
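The rules from the steps above (keyfile listed in FILES=(), encrypt and lvm2 placed after block and before filesystems, a crypttab entry pointing at the keyfile) can be checked before the initramfs is rebuilt. The script below is an added example, not part of the original page; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: verify the keyfile setup in
# /etc/mkinitcpio.conf and /etc/crypttab (or copies of them).

# Print the 1-based position of hook $1 in the list $2 (0 if absent).
hook_pos() {
    i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$1" ]; then echo "$i"; return; fi
    done
    echo 0
}

# check_mkinitcpio_conf CONF KEYFILE: print each problem, return 1 if any.
# Assumes FILES=() and HOOKS=() each sit on one line with unquoted entries.
check_mkinitcpio_conf() {
    rc=0
    files=$(sed -n 's/^[[:space:]]*FILES=(\([^)]*\)).*/\1/p' "$1" | tail -n 1)
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=(\([^)]*\)).*/\1/p' "$1" | tail -n 1)
    case " $files " in
        *" $2 "*) ;;
        *) echo "FILES does not list $2"; rc=1 ;;
    esac
    block=$(hook_pos block "$hooks")
    fs=$(hook_pos filesystems "$hooks")
    for hook in encrypt lvm2; do
        p=$(hook_pos "$hook" "$hooks")
        if [ "$p" -eq 0 ]; then
            echo "HOOKS is missing $hook"; rc=1
        elif [ "$block" -eq 0 ] || [ "$fs" -eq 0 ] || [ "$p" -lt "$block" ] || [ "$p" -gt "$fs" ]; then
            echo "HOOKS: $hook must come after block and before filesystems"; rc=1
        fi
    done
    return "$rc"
}

# check_crypttab CRYPTTAB UUID KEYFILE: succeed if an entry unlocks UUID with KEYFILE.
check_crypttab() {
    awk -v dev="UUID=$2" -v key="$3" \
        '$1 !~ /^#/ && $2 == dev && $3 == key { found = 1 } END { exit !found }' "$1"
}

# Constructed sample: encrypt is listed before block, lvm2 is absent.
sample=$(mktemp)
printf '%s\n' 'FILES=(/crypto_keyfile.bin)' 'HOOKS=(base udev encrypt block filesystems)' > "$sample"
check_mkinitcpio_conf "$sample" /crypto_keyfile.bin || echo "fix the config before running mkinitcpio"
rm -f "$sample"
```

Because FILES=() copies the keyfile into the initramfs, this setup relies on /boot being inside the encrypted container, and the generated image should be readable by root only.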