authorCraig Jennings <c@cjennings.net>2026-01-24 05:33:13 -0600
committerCraig Jennings <c@cjennings.net>2026-01-24 05:33:13 -0600
commitc55ce46084635c188abb4516ba6ee6eee38dd11d (patch)
tree638c4f4ceb62d33766908cf8600b3aca2ecef435 /custom/lib
parente1af2bdaad875dab8661fce03dc6b5adb503d0ff (diff)
Phase 2.8: Add LUKS encryption for btrfs
- Add LUKS functions to btrfs.sh (create/open/close container) - Add crypttab configuration for boot - Add encrypt hook to mkinitcpio HOOKS - Add cryptdevice parameter to GRUB cmdline - Add get_btrfs_encryption_choice and get_luks_passphrase prompts - Add LUKS_PASSPHRASE to config variables - Update show_summary and print_btrfs_summary for encryption status - Add btrfs-luks.conf test config VM test pending.
Diffstat (limited to 'custom/lib')
-rw-r--r--custom/lib/btrfs.sh90
-rw-r--r--custom/lib/config.sh1
2 files changed, 90 insertions, 1 deletions
diff --git a/custom/lib/btrfs.sh b/custom/lib/btrfs.sh
index 7da0851..47c6f42 100644
--- a/custom/lib/btrfs.sh
+++ b/custom/lib/btrfs.sh
@@ -3,9 +3,12 @@
# Source this file after common.sh, config.sh, disk.sh
#############################
-# Btrfs Constants
+# Btrfs/LUKS Constants
#############################
+# LUKS settings
+LUKS_MAPPER_NAME="cryptroot"
+
# Mount options for btrfs subvolumes
BTRFS_OPTS="noatime,compress=zstd,space_cache=v2,discard=async"
@@ -25,6 +28,91 @@ BTRFS_SUBVOLS=(
)
#############################
+# LUKS Functions
+#############################
+
+create_luks_container() {
+ local partition="$1"
+ local passphrase="$2"
+
+ step "Creating LUKS Encrypted Container"
+
+ info "Setting up LUKS encryption on $partition..."
+
+ # Create LUKS container
+ echo -n "$passphrase" | cryptsetup luksFormat --type luks2 \
+ --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
+ --iter-time 2000 --pbkdf argon2id \
+ "$partition" - \
+ || error "Failed to create LUKS container"
+
+ info "LUKS container created."
+}
+
+open_luks_container() {
+ local partition="$1"
+ local passphrase="$2"
+ local name="${3:-$LUKS_MAPPER_NAME}"
+
+ info "Opening LUKS container..."
+
+ echo -n "$passphrase" | cryptsetup open "$partition" "$name" - \
+ || error "Failed to open LUKS container"
+
+ info "LUKS container opened as /dev/mapper/$name"
+}
+
+close_luks_container() {
+ local name="${1:-$LUKS_MAPPER_NAME}"
+
+ cryptsetup close "$name" 2>/dev/null || true
+}
+
+configure_crypttab() {
+ local partition="$1"
+
+ step "Configuring crypttab"
+
+ local uuid
+ uuid=$(blkid -s UUID -o value "$partition")
+
+ # Create crypttab entry
+ echo "# LUKS encrypted root" > /mnt/etc/crypttab
+ echo "$LUKS_MAPPER_NAME UUID=$uuid none luks,discard" >> /mnt/etc/crypttab
+
+ info "crypttab configured for $LUKS_MAPPER_NAME"
+}
+
+configure_luks_initramfs() {
+ step "Configuring Initramfs for LUKS"
+
+ # Backup original
+ cp /mnt/etc/mkinitcpio.conf /mnt/etc/mkinitcpio.conf.bak
+
+ # Add encrypt hook before filesystems
+ # Hooks: base udev ... keyboard keymap ... encrypt filesystems ...
+ sed -i 's/^HOOKS=.*/HOOKS=(base udev microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)/' \
+ /mnt/etc/mkinitcpio.conf
+
+ info "Added encrypt hook to initramfs."
+}
+
+configure_luks_grub() {
+ local partition="$1"
+
+ step "Configuring GRUB for LUKS"
+
+ local uuid
+ uuid=$(blkid -s UUID -o value "$partition")
+
+ # Add cryptdevice to GRUB cmdline
+ sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$uuid:$LUKS_MAPPER_NAME:allow-discards |" \
+ /mnt/etc/default/grub
+
+ info "GRUB configured with cryptdevice parameter."
+}
+
+#############################
# Btrfs Pre-flight
#############################
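Review bot: `configure_crypttab` and `configure_luks_grub` use the output of `blkid -s UUID -o value "$partition"` unchecked, so a failed lookup (wrong device, not yet formatted) silently writes `UUID=` into /mnt/etc/crypttab and `cryptdevice=UUID=:cryptroot` into the GRUB cmdline, producing an unbootable system with no error at install time; add `[[ -n "$uuid" ]] || error "Could not determine UUID of $partition"` after each assignment. The sed in `configure_luks_initramfs` replaces the entire HOOKS line with a fixed list, discarding any hooks earlier install steps may have set, and the step reports success even when no HOOKS line matched; inserting only the needed token, `sed -i 's/ block filesystems/ block encrypt filesystems/' /mnt/etc/mkinitcpio.conf`, and verifying with `grep -q '^HOOKS=.*encrypt' /mnt/etc/mkinitcpio.conf || error "encrypt hook not added"` makes the edit both less destructive and checkable. The two passphrase pipes in `create_luks_container` and `open_luks_container` should use `printf '%s' "$passphrase"` instead of `echo -n`, since bash's echo treats a passphrase such as `-e` or `-n` as an option and drops it, yielding a container with an unexpected key. Note also that `cryptsetup open` documents no positional key-file argument, so the trailing `-` on that call is presumably ignored and the passphrase is read from the pipe only because stdin is not a terminal; passing `--key-file=-` explicitly on both the luksFormat and open calls states the intent and keeps the two in step.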
diff --git a/custom/lib/config.sh b/custom/lib/config.sh
index 38811fa..358a5f4 100644
--- a/custom/lib/config.sh
+++ b/custom/lib/config.sh
@@ -21,6 +21,7 @@ WIFI_SSID=""
WIFI_PASSWORD=""
ENCRYPTION_ENABLED=false
ZFS_PASSPHRASE=""
+LUKS_PASSPHRASE=""
ROOT_PASSWORD=""
SSH_ENABLED=false
SSH_KEY=""