| author | Craig Jennings <c@cjennings.net> | 2026-01-18 18:53:47 -0600 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-01-18 18:53:47 -0600 |
| commit | 031c6102f42184d8b6614695760fd11249b1c5f2 (patch) | |
| tree | 28580a48617253afc954663f1cef71f8cbd19142 | |
| parent | 3884ae1ef9bfcb5fbd02535d2d69e2d7cacfa4e0 (diff) | |
Make ZFS encryption optional with interactive prompt
Add get_encryption_choice() to ask user whether to enable encryption
during interactive install. Remove --no-encrypt CLI flag in favor of
config file NO_ENCRYPT option for unattended installs. Update tests
to rely on config file setting instead of flag.
Also: fix ISO label to ARCHZFS for stable GRUB entries, add TODO items.
| -rw-r--r-- | TODO.org | 10 | ||||
| -rwxr-xr-x | build.sh | 2 | ||||
| -rwxr-xr-x | custom/install-archzfs | 45 | ||||
| -rw-r--r-- | custom/install-archzfs.conf.example | 9 | ||||
| -rwxr-xr-x | scripts/test-install.sh | 4 |
5 files changed, 57 insertions, 13 deletions
@@ -27,6 +27,16 @@ - Mount dataset for build artifacts and cache - Snapshot before/after builds for easy cleanup +** TODO [#B] Consider Avahi for USB boot disk discoverability +Make the live ISO discoverable on the network by name (e.g., archzfs.local) when booted. +This would make SSH access easier without needing to find the IP address. + +Already have avahi package installed - just need to configure/enable it. + +** TODO [#C] Add date/timestamp to install-archzfs.log +Add a date/timestamp header to /tmp/install-archzfs.log when the installer starts. +This helps identify when an installation was run when reviewing logs later. + ** TODO [#B] Consider adding bootable archzfs ISO to GRUB boot menu Store the archzfs ISO on disk and add a GRUB menu entry to boot it directly - no USB drive needed for recovery/reinstall. @@ -210,6 +210,8 @@ info "Updating ISO metadata..." ISO_DATE=$(date +%Y-%m-%d) sed -i "s/^iso_name=.*/iso_name=\"archzfs-vmlinuz-${KERNEL_VER}-lts\"/" "$PROFILE_DIR/profiledef.sh" sed -i "s/^iso_version=.*/iso_version=\"${ISO_DATE}\"/" "$PROFILE_DIR/profiledef.sh" +# Fixed label for stable GRUB boot entry (default is date-based ARCH_YYYYMM) +sed -i "s/^iso_label=.*/iso_label=\"ARCHZFS\"/" "$PROFILE_DIR/profiledef.sh" # Create airootfs directories mkdir -p "$PROFILE_DIR/airootfs/usr/local/bin" diff --git a/custom/install-archzfs b/custom/install-archzfs index e19498f..0f1e45f 100755 --- a/custom/install-archzfs +++ b/custom/install-archzfs 
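Review bot: With `iso_label` pinned to `ARCHZFS` in the build.sh hunk, every ISO this script builds carries the same volume label, so a boot entry that finds its medium by label cannot tell an older build, a USB stick and an on-disk copy apart. How the GRUB entry locates the image is not shown in this hunk, so this needs confirming; if lookup is by label, consider searching by filesystem UUID instead, or add a comment that only one ARCHZFS medium should be attached at boot. Separately, `sed -i` exits 0 when no `iso_label=` line matches, so a follow-up check such as `grep -q '^iso_label="ARCHZFS"' "$PROFILE_DIR/profiledef.sh"` would catch a profile change that silently leaves the date-based label in place.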
@@ -2,13 +2,13 @@ # install-archzfs - Arch Linux ZFS Root Installation Script # Craig Jennings <c@cjennings.net> # -# Installs Arch Linux on ZFS root with native encryption. +# Installs Arch Linux on ZFS root with optional native encryption. # Designed to be run from the custom archzfs ISO. # # Features: # - All questions asked upfront, then unattended installation # - Optional WiFi configuration with connection test -# - ZFS native encryption (passphrase required at boot) +# - Optional ZFS native encryption (passphrase required at boot) # - Pre-pacman ZFS snapshots for safe upgrades # # UNATTENDED MODE: @@ -73,16 +73,11 @@ parse_args() { error "--config-file requires a path argument" fi ;; - --no-encrypt) - NO_ENCRYPT="yes" - shift - ;; --help|-h) echo "Usage: install-archzfs [OPTIONS]" echo "" echo "Options:" echo " --config-file PATH Use config file for unattended installation" - echo " --no-encrypt Skip ZFS encryption (for testing only)" echo " --help, -h Show this help message" echo "" echo "Without --config-file, runs in interactive mode." @@ -196,6 +191,7 @@ gather_input() { get_disks get_raid_level get_wifi + get_encryption_choice [[ "$NO_ENCRYPT" != "yes" ]] && get_zfs_passphrase get_root_password get_ssh_config 
@@ -572,6 +568,29 @@ get_wifi() { fi } +get_encryption_choice() { + step "ZFS Encryption" + echo "" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "ZFS native encryption protects your data at rest." + echo "" + echo " - Passphrase required at every boot" + echo " - If forgotten, data is UNRECOVERABLE" + echo " - Recommended for laptops and sensitive data" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + prompt "Enable ZFS encryption? [Y/n]:" + read -p "> " encrypt_choice + + if [[ "$encrypt_choice" =~ ^[Nn]$ ]]; then + NO_ENCRYPT="yes" + warn "Encryption DISABLED - data will not be encrypted at rest" + else + NO_ENCRYPT="no" + info "Encryption enabled - you'll set a passphrase next" + fi +} + get_zfs_passphrase() { step "ZFS Encryption Passphrase" echo "" @@ -662,7 +681,11 @@ show_summary() { echo " RAID Level: ${RAID_LEVEL:-single (no RAID)}" echo " WiFi: ${WIFI_SSID:-Not configured}" echo " SSH: ${ENABLE_SSH:-yes} (root login)" - echo " ZFS Pool: $POOL_NAME (encrypted)" + if [[ "$NO_ENCRYPT" == "yes" ]]; then + echo " ZFS Pool: $POOL_NAME (NOT encrypted)" + else + echo " ZFS Pool: $POOL_NAME (encrypted)" + fi echo " Boot: EFI on all disks (redundant)" echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" echo "" @@ -1321,7 +1344,11 @@ print_summary() { echo "System Configuration:" echo " Hostname: $HOSTNAME" echo " Timezone: $TIMEZONE" - echo " ZFS Pool: $POOL_NAME (encrypted)" + if [[ "$NO_ENCRYPT" == "yes" ]]; then + echo " ZFS Pool: $POOL_NAME (not encrypted)" + else + echo " ZFS Pool: $POOL_NAME (encrypted)" + fi echo "" echo "ZFS Features:" echo " - Genesis snapshot: pristine post-install state" diff --git a/custom/install-archzfs.conf.example b/custom/install-archzfs.conf.example index 813b359..0060cc0 100644 --- a/custom/install-archzfs.conf.example +++ b/custom/install-archzfs.conf.example 
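Review bot: In `get_encryption_choice`, only a single `n` or `N` disables encryption, so `no`, `NO` or any typo falls into the `else` branch and is treated as yes. Failing toward encryption is the right default, but the user who typed `no` gets a passphrase prompt they did not ask for, and an unrecognised answer is never reported. Accept both spellings, keep empty input as the documented default, and re-prompt on anything else. `read` should also take `-r`, and `encrypt_choice` should be `local` so it does not leak into the installer's globals.

```shell
get_encryption_choice() {
    # … unchanged: step header and explanatory banner …
    local encrypt_choice
    while true; do
        prompt "Enable ZFS encryption? [Y/n]:"
        read -r -p "> " encrypt_choice
        case "$encrypt_choice" in
            ""|[Yy]|[Yy][Ee][Ss]) NO_ENCRYPT="no"; break ;;
            [Nn]|[Nn][Oo]) NO_ENCRYPT="yes"; break ;;
            *) warn "Please answer y or n" ;;
        esac
    done

    if [[ "$NO_ENCRYPT" == "yes" ]]; then
        warn "Encryption DISABLED - data will not be encrypted at rest"
    else
        info "Encryption enabled - you'll set a passphrase next"
    fi
}
```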
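Review bot: The encryption label in `show_summary` and `print_summary` is derived from `$NO_ENCRYPT` in both places, so the post-install `print_summary` reports what was requested rather than what the pool actually has. If the pool is still imported at that point, reading the property back with `zfs get -H -o value encryption "$POOL_NAME"` and printing that value would make the final report a real check that the intended path was taken. The four-line branch is also duplicated between the two functions with different wording (`NOT encrypted` vs `not encrypted`); computing the label once in a small helper would keep them in step. Both function bodies continue outside their hunks.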
@@ -47,8 +47,13 @@ RAID_LEVEL= # This will be required at every boot to unlock the pool ZFS_PASSPHRASE=changeme -# Disable ZFS encryption (optional, for testing only) -# Set to "yes" to skip encryption - NOT recommended for real installs +# Skip ZFS encryption (optional, default: no) +# Set to "yes" to create an unencrypted pool +# Use cases: +# - VMs or test environments +# - Systems with hardware encryption (SED drives) +# - Data that doesn't require encryption +# WARNING: Without encryption, anyone with physical access can read your data #NO_ENCRYPT=no # Root password (required) diff --git a/scripts/test-install.sh b/scripts/test-install.sh index 2f9c62d..fa5c431 100755 --- a/scripts/test-install.sh +++ b/scripts/test-install.sh @@ -232,8 +232,8 @@ run_install() { sshpass -p "$SSH_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \ -P "$SSH_PORT" "$config" root@localhost:/root/test.conf 2>/dev/null - # Run the installer - ssh_cmd "install-archzfs --config-file /root/test.conf --no-encrypt" || return 1 + # Run the installer (NO_ENCRYPT is set in the config file, not via flag) + ssh_cmd "install-archzfs --config-file /root/test.conf" || return 1 return 0 } |
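Review bot: The new comment block for `NO_ENCRYPT` in install-archzfs.conf.example says `default: no` but not which values turn the option on. The installer hunks in this commit compare against the literal string (`[[ "$NO_ENCRYPT" == "yes" ]]`), so `YES`, `true` or `1` would presumably leave encryption enabled. A line such as `# Only the exact value "yes" disables encryption; any other value keeps it enabled` would remove the guesswork. It would also help to state whether `ZFS_PASSPHRASE` is ignored or still required when `NO_ENCRYPT=yes`; the config validation is not visible here.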
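Review bot: With the flag removed, `run_install` in scripts/test-install.sh no longer decides whether the pool is encrypted; that now depends entirely on whether `$config` contains `NO_ENCRYPT=yes`, which this hunk does not check. A config that omits the setting silently switches the test to the encrypted path, so record the mode before launching, e.g. `grep -q '^NO_ENCRYPT=yes' "$config" || echo "note: encrypted install" >&2`. If every test config sets it, the encrypted default is never exercised by this suite, which is worth confirming against the configs outside this hunk. `run_install` starts above the hunk.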
