You have different choices to setup encryption. This chapter describes LVM on LUKS with encrypted boot partition. Because we want to unlock all volumes at once.
List your disks with lsblk and run gdisk /dev/[your disk] e.g. gdisk /dev/nvme0n1. You can take a look at the
gdisk Arch Wiki en / de
It's crucial to use
gdiskbecause GPT is needed for UEFI boot.
Please create 4 partition like described in the Arch Wiki above with gdisk. Use the codes for the partition type.
Don't format the partitions at this time, you will do it later with the YubiKey. It should look similar like this.
Number Start (sector) End (sector) Size Code Name
1 2048 4095 1024.0 KiB EF02 BIOS boot partition
2 4096 1232895 600.0 MiB EF00 EFI System
3 1232896 2461695 600.0 MiB 8300 Linux filesystem
4 2461696 2000409230 952.7 GiB 8E00 Linux LVM
The second partition contains the EFI System and must be of type FAT32.
Format the second partition (replace [device 2nd partition] with the 2nd partition of your device e.g. /dev/nvme0n1p2) with:
mkfs.fat -F32 /dev/[device 2nd partition]
Great, one step closer for your fully encrypted system. The next chapter describes how to prepare the YubiKey.