Encrypt BlackArch or Linux after install

Yes, there is a way to encrypt after install. The cryptsetup utility (LUKS) provides a reencrypt command that you can also use to encrypt an existing unencrypted root partition in place, i.e. without destroying the existing filesystem.

That said, before performing such a conversion you should still back up your data. Of course, one should always perform backups on a regular schedule anyway, because of possible hardware failure etc., so this is somewhat redundant advice.

Switching an existing root filesystem from unencrypted to encrypted requires quite a few steps:

  1. backup
  2. make sure that the cryptsetup package is installed
  3. make sure that your root filesystem has some free space (at least 100 MiB to be on the safe side)
  4. identify the partition your root filesystem is located on (e.g. with df /), look up the UUID of the filesystem with blkid and store it somewhere
  5. boot into a rescue system where you can unmount your root filesystem (e.g. boot from a USB stick which contains, say, Grml)
  6. locate your root partition (e.g. with blkid, looking for the UUID)
  7. if it's ext4, execute a filesystem check: e2fsck -f /dev/sdXY
  8. shrink the filesystem to make room for the LUKS header, e.g. for an ext4 filesystem: resize2fs /dev/sdXY $smallersizeinGiB_G (you need to shrink it by at least 32 MiB)
  9. encrypt it: cryptsetup reencrypt --encrypt /dev/sdXY --reduce-device-size 32M
  10. open it: cryptsetup open /dev/sdXY root
  11. enlarge the filesystem to the maximum: resize2fs /dev/mapper/root
  12. mount it to, say, /mnt/root
  13. mount the boot filesystem under /mnt/root and bind-mount the pseudo filesystems /dev, /sys and /proc under /mnt/root
  14. chroot into your system: chroot /mnt/root /bin/bash
  15. update the kernel parameters in /etc/default/grub or some equivalent location; e.g. when your distro uses dracut (which is likely) you need to add rd.luks.uuid=$UUID_OF_LUKS_DEVICE (cf. blkid; note that this UUID is different from the root filesystem one). If you have SELinux installed, you should add enforcing=0 (and remove it later) because of all the edits
  16. if your distribution has SELinux enabled, configure a relabeling: touch /mnt/root/.autorelabel
  17. regenerate grub config: grub2-mkconfig -o /boot/.../grub...cfg
  18. regenerate initramfs (to make sure that cryptsetup support is included): dracut -f /boot/initramfs....img kernelversion
  19. exit the chroot
  20. unmount everything
  21. cryptsetup close root
  22. reboot
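The following POSIX sh helper is an added example and not part of the original post. It turns steps 7 through 13 above into a reviewable command plan for an ext4 root on a dracut-based distribution, with the header budget of 32 MiB from the post. Everything beyond that (the device name, the partition size in MiB, the 8 MiB safety margin, the /mnt/root mount point, and the GRUB path) is an assumption you adapt to your system. DRY_RUN=1, the default, only prints the commands; DRY_RUN=0 executes them and is meant to be run from the rescue system after the root filesystem is unmounted.

```shell
#!/bin/sh
# Added example (not from the original post): plan the in-place conversion of an
# unencrypted ext4 root partition to LUKS, following the step list above.
# Assumptions: ext4 root, dracut-based distro, 32 MiB header budget (from the post),
# 8 MiB extra margin (assumed), mount point /mnt/root.
set -eu

HEADER_MIB=32               # value passed to --reduce-device-size in the post
SAFETY_MIB=8                # extra margin so the shrunk fs never overlaps the header (assumption)
DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands only, 0 = execute them

# Print or execute a simple command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Target filesystem size in MiB: partition size minus header budget and margin.
# Fails if the partition cannot hold the filesystem plus the LUKS header.
shrink_target_mib() {
    part_mib=$1
    target=$((part_mib - HEADER_MIB - SAFETY_MIB))
    [ "$target" -gt 0 ] || { echo "partition too small for a LUKS header" >&2; return 1; }
    echo "$target"
}

# Build the dracut kernel argument for the LUKS container (step 15). Only a
# well-formed UUID is accepted so a typo cannot yield an unbootable cmdline.
luks_kernel_arg() {
    if printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "rd.luks.uuid=$1"
    else
        echo "not a UUID: $1" >&2
        return 1
    fi
}

# Steps 7-13 for the root partition $1 whose size is $2 MiB.
plan() {
    dev=$1
    target=$(shrink_target_mib "$2")
    run e2fsck -f "$dev"                                  # step 7
    run resize2fs "$dev" "${target}M"                     # step 8
    run cryptsetup reencrypt --encrypt "$dev" --reduce-device-size "${HEADER_MIB}M"   # step 9
    run cryptsetup open "$dev" root                       # step 10
    run e2fsck -f /dev/mapper/root                        # resize2fs wants a fresh check
    run resize2fs /dev/mapper/root                        # step 11: grow to the maximum
    run mkdir -p /mnt/root
    run mount /dev/mapper/root /mnt/root                  # step 12
    for d in dev sys proc; do                             # step 13 (boot fs mount is system-specific)
        run mount --bind "/$d" "/mnt/root/$d"
    done
    # The UUID for rd.luks.uuid= is the container's, not the filesystem's (step 15).
    if [ "$DRY_RUN" = "1" ]; then
        echo "# next: chroot /mnt/root /bin/bash and add $(luks_kernel_arg 00000000-0000-0000-0000-000000000000)"
        echo "#       to GRUB_CMDLINE_LINUX (replace the placeholder with: cryptsetup luksUUID $dev)"
    else
        echo "# next: chroot /mnt/root /bin/bash and add $(luks_kernel_arg "$(cryptsetup luksUUID "$dev")") to GRUB_CMDLINE_LINUX"
    fi
    echo "# then: grub2-mkconfig, dracut -f, exit, umount, cryptsetup close root, reboot"
}

# Usage: sh encrypt-plan.sh /dev/sdXY <partition size in MiB>
if [ $# -ge 2 ]; then
    plan "$1" "$2"
fi
```

Run it once with DRY_RUN=1 and read the plan against the step list before switching to DRY_RUN=0; the size argument is the partition size in MiB (e.g. from lsblk -b divided by 1048576), not the filesystem's used space.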

As you can see, these are many steps, i.e. there is some potential to introduce errors. Thus, arguably, it might be simpler to just reinstall and restore your backup (e.g. config files and $HOME).

Also, in my experience as of 2020, cryptsetup reencrypt is relatively slow; thus it may be faster to just cryptsetup luksFormat the device and restore a backup.

If you have an XFS filesystem, you can't just shrink it, because XFS doesn't support shrinking as of 2020. Thus, you would need to fstransform it before being able to shrink it. With a transformed filesystem you have another UUID to take care of: either change the UUID of the new filesystem to the UUID of the old one, or update the UUID of the filesystem in /mnt/root/etc/fstab.

With a dracut-based distribution you don't need to create an /etc/crypttab; other distributions might require it (and before the initramfs update, because it might need to be included there).
