00-setup-vault.sh

First-time creation of a LUKS2-encrypted BTRFS loopback container for securing source code and secrets. The vault lives at ~/.vault.img and mounts at ~/Code. Run this script once on a fresh install.

Usage

bash

bash scripts/00-setup-vault.sh [--dry-run] [--help]

The script is interactive — it prompts for vault size and LUKS passphrase.

Flag	Description
`--dry-run`	Preview all actions without modifying the system
`--help`	Show usage information and exit

What It Does

Preflight checks — verifies cryptsetup and btrfs-progs are installed, confirms no existing vault image or mount
Size selection — displays available disk space and prompts for vault size (default: 60 GB)
Image creation — allocates a fixed-size file via fallocate (falls back to dd)
LUKS2 encryption — formats the image with aes-xts-plain64, 512-bit key, SHA-512 hash, Argon2id KDF
BTRFS formatting — creates a BTRFS filesystem labelled CODE_REPOS inside the encrypted container
Mount and own — mounts at ~/Code and sets ownership to the current user
Verification — confirms the mount succeeded and displays LUKS container details

LUKS2 Parameters

Parameter	Value
Type	LUKS2
Cipher	`aes-xts-plain64`
Key size	512 bits
Hash	SHA-512
KDF	Argon2id

Files Modified

Path	Purpose
`~/.vault.img`	Encrypted container image (created)
`~/Code`	Mount point directory (created)

Prerequisites

cryptsetup — sudo pacman -S cryptsetup
btrfs-progs — sudo pacman -S btrfs-progs
Sufficient disk space for the chosen vault size

Input Validation

Size must match [1-9][0-9]*[GgMm] — values like 0G are rejected
Mount detection uses findmnt instead of parsing mount output

Source

View the full source on GitHub.

00-setup-vault.sh ​

Usage ​

What It Does ​

LUKS2 Parameters ​

Files Modified ​

Prerequisites ​

Input Validation ​