LUKS encryption

Set up new encrypted volume

Format

cryptsetup luksFormat --type luks2 /dev/<dev>
cryptsetup luksDump /dev/<dev>

Note the UUID shown in the luksDump output. This is the LUKS header UUID; it is different from the filesystem UUID created in the next step, and both are needed later.

Open

cryptsetup luksOpen --allow-discards /dev/<dev> <name>

Creates a new device /dev/mapper/<name>. --allow-discards passes TRIM through to the underlying SSD, which lets an attacker with access to the raw device see which blocks are unused; omit it if that leak matters more than SSD wear levelling.

Format

mkfs.btrfs /dev/mapper/<name>

Note the filesystem UUID that mkfs.btrfs prints. This is the UUID for root=UUID= on the kernel command line, not the LUKS UUID.

Boot from unencrypted boot partition into encrypted root

Update GRUB configuration

In /etc/default/grub (rd.luks.uuid= and rd.luks.allow-discards are dracut options; <LUKS UUID> is the header UUID from luksDump, not the filesystem UUID):

GRUB_CMDLINE_LINUX_DEFAULT="bgrt_disable loglevel=4 rd.luks.uuid=<LUKS UUID> rd.luks.allow-discards"

Update boot configuration

Make sure /boot and /boot/efi are mounted:

mount -a

Regenerate the initramfs (Void Linux; use the name of the installed kernel package):

xbps-reconfigure -f linux6.6

Update grub:

update-grub

(Re)install GRUB. If working from a chroot, make sure /sys/firmware/efi/efivars is bind-mounted first, otherwise grub-install cannot write the EFI boot entry:

grub-install /dev/<dev>

Where <dev> is the main device (not partition).

Check that the generated GRUB configuration is correct:

grep -E 'crypt|luks' /boot/grub/grub.cfg

Verify that root=UUID= points to the filesystem UUID and rd.luks.uuid= to the LUKS UUID. If the two are swapped, dracut never unlocks the volume and the boot hangs waiting for the root device.
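The check above can be scripted so it is not done by eye. The following is an added example, not part of the original notes: it pulls root=UUID= and rd.luks.uuid= off every "linux" line in a grub.cfg and compares them with the expected filesystem and LUKS UUIDs. The grub.cfg excerpt and both UUIDs in the demo are constructed sample data; on a real system the expected values come from blkid -s UUID -o value /dev/mapper/<name> and cryptsetup luksUUID /dev/<dev>.

```shell
#!/bin/sh
# Added example, not part of the original notes: check that the "linux" lines
# GRUB generated point root=UUID= at the filesystem UUID and rd.luks.uuid= at
# the LUKS header UUID. The grub.cfg excerpt and both UUIDs in the demo are
# constructed sample data; on a real system take the expected values from
#   blkid -s UUID -o value /dev/mapper/<name>   (filesystem UUID)
#   cryptsetup luksUUID /dev/<dev>              (LUKS UUID)

# kparam CMDLINE KEY: print the value of KEY=value on CMDLINE (empty if absent).
kparam() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots in rd.luks.uuid literal
    printf '%s\n' "$1" | tr -s '[:blank:]' '\n' | sed -n "s/^$key=//p" | head -n 1
}

# check_grub_line LINE FS_UUID LUKS_UUID: 0 if both parameters match, else 1.
check_grub_line() {
    line=$1; want_fs=$2; want_luks=$3
    root=$(kparam "$line" root)
    luks=$(kparam "$line" rd.luks.uuid)
    root=${root#UUID=}      # expect root=UUID=<fs uuid>; a bare device path does not pass
    luks=${luks#luks-}      # dracut also accepts rd.luks.uuid=luks-<uuid>
    line_bad=0
    [ "$root" = "$want_fs" ] ||
        { echo "root= is '$root', expected filesystem UUID $want_fs" >&2; line_bad=1; }
    [ "$luks" = "$want_luks" ] ||
        { echo "rd.luks.uuid= is '$luks', expected LUKS UUID $want_luks" >&2; line_bad=1; }
    return $line_bad
}

# check_grub_cfg FILE FS_UUID LUKS_UUID: 0 only if FILE has at least one
# "linux" line and every one of them passes check_grub_line.
check_grub_cfg() {
    file=$1; want_fs=$2; want_luks=$3
    lines=$(grep -E '^[[:space:]]*linux(efi)?[[:space:]]' "$file") ||
        { echo "no linux line found in $file" >&2; return 1; }
    cfg_bad=0
    while IFS= read -r l; do
        check_grub_line "$l" "$want_fs" "$want_luks" || cfg_bad=1
    done <<EOF
$lines
EOF
    return $cfg_bad
}

# Stand-alone demo on a constructed grub.cfg excerpt. Real use:
#   check_grub_cfg /boot/grub/grub.cfg "$FS_UUID" "$LUKS_UUID"
SAMPLE_FS_UUID=11111111-2222-3333-4444-555555555555
SAMPLE_LUKS_UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
sample_cfg=$(mktemp)
cat >"$sample_cfg" <<EOF
menuentry 'Void Linux' {
	linux /vmlinuz-6.6.0 root=UUID=$SAMPLE_FS_UUID ro bgrt_disable loglevel=4 rd.luks.uuid=$SAMPLE_LUKS_UUID rd.luks.allow-discards
	initrd /initramfs-6.6.0.img
}
EOF
if check_grub_cfg "$sample_cfg" "$SAMPLE_FS_UUID" "$SAMPLE_LUKS_UUID"; then
    echo "grub.cfg OK: root= matches the filesystem UUID, rd.luks.uuid= matches the LUKS UUID"
fi
rm -f "$sample_cfg"
```

The check is deliberately strict: a root=/dev/mapper/<name> entry would also boot, but the notes expect root=UUID=, and requiring the UUID form catches the common mistake of pasting the LUKS UUID into both places. Run it after every update-grub, since a stale GRUB_CMDLINE_LINUX_DEFAULT silently propagates into grub.cfg.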