Why not encrypt your whole server?
To install with LUKS encryption using physical volumes ->
# load the device-mapper crypto target and device-mapper core
modprobe dm-crypt
modprobe dm-mod
# -s 512: 512-bit key (AES-256 with cryptsetup's default XTS cipher)
# -h sha512: hash used for passphrase key derivation
# luksFormat overwrites the existing LUKS header on /dev/sda3 — confirm the device first
cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda3
# unlock it as /dev/mapper/luks_root; the filesystem goes *inside* the mapping, never on /dev/sda3 itself
cryptsetup open /dev/sda3 luks_root
mkfs.ext4 -L root /dev/mapper/luks_root
mount /dev/mapper/luks_root /mnt
...
### then also create a swap file with dd inside the root of luks_root, then pacstrap. ...
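# tell the initramfs which device to unlock and what to call the mapping
# (straight ASCII quotes — the curly quotes copied from a web page break the file;
#  the cryptdevice=UUID=... form used in the LVM section survives device renumbering)
vim /etc/default/grub > GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:luks_root"
# hook order matters: keyboard before encrypt (or the passphrase prompt cannot read
# keystrokes), block before encrypt (device nodes exist), resume after encrypt and
# before filesystems
# NOTE(review): resuming from a swap *file* also needs resume_offset= on the kernel
# command line — confirm before relying on hibernation
vim /etc/mkinitcpio.conf > HOOKS=(base udev autodetect keyboard modconf block encrypt resume filesystems fsck)
# regenerate the initramfs so the new hooks are actually included
mkinitcpio -p linux
# NOTE(review): if /boot (not just /boot/efi) lives inside luks_root, GRUB also needs
# GRUB_ENABLE_CRYPTODISK=y (as in the LVM section) and a container format it can open —
# confirm the partition layout hidden behind the '...' above
grub-install --boot-directory=/boot --efi-directory=/boot/efi /dev/sda2
grub-mkconfig -o /boot/grub/grub.cfg
grub-mkconfig -o /boot/efi/EFI/arch/grub.cfg
### Now exit out of chroot.
reboot
### You should be prompted for your LUKS encryption password.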
To install with LUKS encryption using logical volumes ->
# --type luks1: GRUB has to unlock this container itself (GRUB_ENABLE_CRYPTODISK below)
#   and older GRUB releases only understand LUKS1 — NOTE(review): this is a bootloader
#   compatibility choice, not a security one; confirm your GRUB version still needs it
# --use-random: draw the volume key from /dev/random
# -S 1: store the passphrase in key slot 1; -s 512: 512-bit key (AES-256 with the
#   default XTS cipher); -h sha512: KDF hash; -i 5000: ~5 s of PBKDF time per unlock
#   attempt, which makes offline passphrase guessing correspondingly slower
cryptsetup luksFormat --type luks1 --use-random -S 1 -s 512 -h sha512 -i 5000 /dev/sda3
# one LUKS container with LVM inside: root, home and swap are all under the same key
cryptsetup open /dev/sda3 cryptlvm
pvcreate /dev/mapper/cryptlvm
vgcreate vg /dev/mapper/cryptlvm
lvcreate -L 8G vg -n swap
lvcreate -L 32G vg -n root
# home takes whatever space remains in the volume group
lvcreate -l 100%FREE vg -n home
mkfs.ext4 /dev/vg/root
mkfs.ext4 /dev/vg/home
mkswap /dev/vg/swap
mount /dev/vg/root /mnt
mkdir /mnt/home
mount /dev/vg/home /mnt/home
# encrypted swap is what makes hibernation safe: the RAM image never hits bare disk
swapon /dev/vg/swap
### format the EFI partition with mkfs.fat and mount it as usual, then use pacstrap to install
# the EFI system partition stays unencrypted (firmware must read it); since no separate
# /boot is mounted here, the kernel and initramfs end up on the encrypted vg-root
mkfs.fat -F32 /dev/sda2
mkdir /mnt/efi
mount /dev/sda2 /mnt/efi
# lvm2 is required so the initramfs lvm2 hook can activate the volume group
# NOTE(review): grub (and efibootmgr for EFI) are not in this list but are needed for
# the grub steps below — confirm they are covered by the '...' that follows
pacstrap /mnt base linux linux-firmware mkinitcpio lvm2 vi dhcpcd wpa_supplicant
...
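# UUIDs come from `blkid` (run below); /dev/mapper/vg-* paths also work but UUIDs
# survive renames. Before chroot this file is /mnt/etc/fstab
# (genfstab -U /mnt >> /mnt/etc/fstab generates it from the current mounts).
vim /etc/fstab >
# /dev/mapper/vg-root
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 rw,noatime 0 1
# /dev/mapper/vg-home — mounted at /home (not /), fsck pass 2 so root is checked first
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /home ext4 rw,noatime 0 2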
### then chroot and continue as usual:
# hook order matters: keyboard before encrypt (passphrase entry), block before encrypt
# (device nodes exist), lvm2 after encrypt (the physical volume is inside the container)
vim /etc/mkinitcpio.conf > HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 filesystems fsck)
### add the resume hook for hibernation — NOTE(review): with swap on an LV it has to
### come after lvm2 rather than directly after encrypt, so the swap device exists
# the UUIDs for cryptdevice= and fstab come from here
sudo blkid
vim /etc/default/grub >
# lets GRUB unlock the LUKS container itself so it can read the kernel on vg-root
GRUB_ENABLE_CRYPTODISK=y
# cryptdevice: the outer LUKS *partition* (its UUID, not vg-root's) and the mapping
# name; root: the logical volume inside it
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:cryptlvm root=/dev/vg/root ..."
### Embed a keyfile in initramfs
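# The keyfile lets the initramfs open the container again without a second prompt
# (GRUB already asked once to read /boot). It is copied into the initramfs image in
# clear, so /boot must stay on the encrypted volume and be unreadable to other users
# (chmod 700 /boot at the end).
mkdir /root/secrets && chmod 700 /root/secrets
head -c 64 /dev/urandom > /root/secrets/crypto_keyfile.bin && chmod 600 /root/secrets/crypto_keyfile.bin
# -i 1: minimal PBKDF time is acceptable because this slot holds a 512-bit random key,
# not a human passphrase. Device is /dev/sda3 as in the rest of this section (the
# original line had /dev/nvme0n1p3, which does not match the layout above).
cryptsetup -v luksAddKey -i 1 /dev/sda3 /root/secrets/crypto_keyfile.bin
vim /etc/mkinitcpio.conf >
FILES=(/root/secrets/crypto_keyfile.bin)
vim /etc/default/grub >
GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/root/secrets/crypto_keyfile.bin"
# neither edit takes effect until the initramfs and grub.cfg are regenerated
mkinitcpio -p linux
grub-mkconfig -o /boot/grub/grub.cfg
# the initramfs image under /boot now contains the key: keep it root-only
chmod 700 /boot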
[link](https://gist.github.com/huntrar/e42aee630bee3295b2c671d098c81268)
To Encrypt a Filesystem with LUKS Passphrase ->
# luksFormat wipes the header on /dev/sdb and prompts for a passphrase; defaults are
# used here, unlike the tuned key size / hash / iteration flags in the sections above
sudo cryptsetup -v luksFormat /dev/sdb
# map the container as /dev/mapper/data, then put the filesystem inside the mapping
sudo cryptsetup -v open /dev/sdb data
sudo mkfs.ext4 -L data /dev/mapper/data
sudo mkdir -v /data
sudo mount /dev/mapper/data /data
# tear down: unmount first, then close (close refuses a busy mapping)
sudo umount /dev/mapper/data
sudo cryptsetup -v close data
# replace an existing passphrase (prompts for the old one, then the new one)
# NOTE(review): a header backup taken earlier still accepts the old passphrase —
# refresh or destroy old backups after changing keys
sudo cryptsetup -v luksChangeKey /dev/sdb
### check the result (key slots in use, cipher, hash) with:
cryptsetup luksDump device
To backup LUKS header file ->
# inspect the header (cipher, key slots) before saving it
sudo cryptsetup luksDump /dev/sda3
# The backup file holds the key slots: together with any passphrase that was valid at
# backup time it recovers the volume key, so store it offline and protect it like the
# passphrase itself. Refresh it after luksChangeKey / luksRemoveKey, otherwise an old
# copy keeps revoked passphrases working against this disk.
sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file luksHeaderFile
# sanity-check the result: type and size of the saved header
sudo file luksHeaderFile
sudo stat luksHeaderFile