My older laptop system has encrypted root and swap partitions, set up during Calamares installation, with an unencrypted data disk.
I replaced this data disk with a slightly larger one and wanted to encrypt it at the same time, configuring it to decrypt and mount during boot along with root and swap partitions.
Thought this might be useful to document what I did for anyone wanting to do something similar.
As this was a re-purposed 2.5" HDD, the first task was to shred the old contents. For a new disk this step can be skipped.
sudo shred --verbose --random-source=/dev/urandom --iterations=5 /dev/sdb
This took about 12 hours, running overnight, but if you are really paranoid set iterations to >10 and let it run for 24+ hours. Obviously with an SSD you want to limit iterations, 3 should suffice.
Create partition table and partition using either parted or gparted.
Now encrypt the disk partition (sdb1 for me) and add the existing Calamares-generated dm-crypt keyfile.
sudo cryptsetup -y -v luksFormat /dev/sdb1
sudo cryptsetup luksAddKey /dev/sdb1 /crypto_keyfile.bin
Decrypt and create a file system of your preferred type.
sudo cryptsetup open /dev/sdb1 data
sudo mkfs.ext4 /dev/mapper/data
Mount the new file system.
sudo mount /dev/mapper/data /mnt
Check that the FILES= line in /etc/mkinitcpio.conf contains an entry for the dm-crypt keyfile added above.
If you already have full system encryption via Calamares, it is already there, nothing to do.
Get luks and device mapper UUIDs.
In /etc/crypttab, add an entry for the encrypted data partition.
luks-data UUID=[luks-partition-uuid] /crypto_keyfile.bin luks
In /etc/fstab, add an entry to automount the decrypted luks device mapper.
UUID=[device-mapper-uuid] /media/data ext4 defaults,noatime 0 0
Regenerate initramfs and grub.
sudo mkinitcpio -P
sudo update-grub
Reboot, enter luks passphrase once, and new encrypted data partition is mounted and ready to go.
$ lsblk
...
sdb             8:16   0 931.5G  0 disk
└─sdb1          8:17   0 931.5G  0 part
  └─luks-data 254:2    0 931.5G  0 crypt /media/data
...
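A check worth running after editing /etc/crypttab and before rebooting, as an added example that is not part of the original write-up: it confirms that each keyfile named in crypttab exists, has no group/other permission bits, and is listed in FILES= of mkinitcpio.conf. The function names and the optional root-prefix argument are hypothetical, and "mode 600 or stricter" is an assumed policy.

```shell
#!/bin/sh
# Added example (not from the original post): audit keyfiles named in a crypttab.
# Assumed policy: keyfile exists, has no group/other permission bits, and is
# listed in FILES= of mkinitcpio.conf, as the steps above expect.

# Print the unique keyfile paths (3rd field) of crypttab $1.
crypttab_keyfiles() {
    awk 'NF >= 3 && $1 !~ /^#/ && $3 != "none" && $3 != "-" { print $3 }' "$1" | sort -u
}

# Succeed if path $2 is an element of the last FILES= line in config $1.
in_mkinitcpio_files() {
    files=$(grep -E '^[[:space:]]*FILES=' "$1" | tail -n 1 |
            sed -e 's/^[^=]*=//' -e "s/[()\"']/ /g")
    for f in $files; do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# Audit crypttab $1 against mkinitcpio.conf $2. Optional $3 is a root prefix
# (hypothetical helper argument) so the check can be tried on copies.
# Prints one line per finding and returns the number of findings.
audit_keyfiles() {
    root=${3:-}
    problems=0
    for kf in $(crypttab_keyfiles "$1"); do
        if [ ! -f "$root$kf" ]; then
            echo "MISSING    $kf"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c %a "$root$kf")   # GNU stat, octal mode such as 600
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PERMS      $kf is mode $mode, group/other bits set"
            problems=$((problems + 1))
        fi
        if ! in_mkinitcpio_files "$2" "$kf"; then
            echo "NOT-LISTED $kf missing from FILES= in $2"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Live use, as root, after sourcing this file (file name is up to you):
#   audit_keyfiles /etc/crypttab /etc/mkinitcpio.conf
```

A return status of 0 means no findings; a non-zero status is the number of problems printed.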