This avoids the tedious process of providing the passphrase on every boot.
First, generate the key in /etc:
You may choose urandom or random, however you like.
dd if=/dev/urandom of=/etc/encrypted.key bs=64 count=1
Add the key to LUKS:
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/encrypted.key
Edit GRUB to include the key:
# /etc/default/grub
...
GRUB_CMDLINE_LINUX_DEFAULT="... rd.luks.name=<UUID>=encrypted rd.luks.key=<UUID>=/etc/encrypted.key root=/dev/mapper/encrypted"
...
Configure initramfs to include the key:
# /etc/mkinitcpio.conf
FILES=(... /etc/encrypted.key ...)
Finally regenerate GRUB & initramfs:
grub-mkconfig -o /boot/grub/grub.cfg
mkinitcpio -P
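
An audit of the finished setup, as an added example that is not part of the original page: it checks that the key file and the regenerated initramfs images (which embed a copy of the key) are not readable by group or others, and that the key path appears in both config files edited above. The function names, the GNU `stat` dependency and the image path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: audit the key-file setup. Paths are arguments; values in
# the usage line are the ones used on this page plus an assumed image path.

# True if the file exists and has no group/other permission bits (GNU stat).
is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# True if the FILES=(...) array in mkinitcpio.conf ($2) lists the key ($1).
key_in_files_array() {
    grep -E '^[[:space:]]*FILES=\(' "$2" | grep -qF -- "$1"
}

# True if a rd.luks.key= parameter in /etc/default/grub ($2) names the key ($1).
key_on_cmdline() {
    grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$2" |
        tr ' "' '\n\n' | grep -F 'rd.luks.key=' | grep -qF -- "=$1"
}

# audit KEY MKINITCPIO_CONF GRUB_DEFAULTS [INITRAMFS_IMAGE...]
# Prints one line per failed check and returns the number of failures.
audit() {
    key=$1 conf=$2 grub=$3 fails=0
    shift 3
    is_private "$key" ||
        { echo "FAIL: $key missing or readable by group/others"; fails=$((fails + 1)); }
    key_in_files_array "$key" "$conf" ||
        { echo "FAIL: $key not in FILES=() of $conf"; fails=$((fails + 1)); }
    key_on_cmdline "$key" "$grub" ||
        { echo "FAIL: no rd.luks.key= for $key in $grub"; fails=$((fails + 1)); }
    # Each generated image carries a copy of the key.
    for img in "$@"; do
        is_private "$img" ||
            { echo "FAIL: $img missing or readable by group/others"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Usage (as root):
#   audit /etc/encrypted.key /etc/mkinitcpio.conf /etc/default/grub /boot/initramfs-linux.img
if [ "$#" -ge 3 ]; then audit "$@"; fi
```

A failed permission check is fixed with `chmod 600` on the reported file.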