2 encrypted Linux distros as dualboot

Hello guys,

I’ve been watching the EndeavourOS project since the beginning, but still haven’t tried it. Now is the time: I plan to start it in the near future, but I ran into a problem.

I bought a Samsung 970 EVO Plus NVMe (1 TB) and would like to install on it:

  • encrypted EndeavourOS
  • encrypted Xubuntu

The problem is, I need Xubuntu for home office now and I have no idea how I could install Xubuntu encrypted on my NVMe so that I can install EndeavourOS 1 month later, too. I mean without formatting and setting everything up again.

I’m not so experienced in Linux under the hood. I mean all the distro stuff :frowning:

Can someone help me to manage it?
Is there any tutorial for such an encrypted dual boot? I didn’t find any that were simply explained.

Hello @SoraWhiteDragon
The next ISO release is currently being worked on but won’t be released until April sometime, and it should include full LUKS encryption, I think. The only guide that I know of for encryption is quite advanced and I don’t think it’s what you are after. Are you thinking that the whole disk would be encrypted with both distros installed, but only having to decrypt the single disk to access either one? I don’t have an answer on that as I haven’t tried it myself, but maybe the user that wrote the guide will be able to answer those questions.

I’m always on the lookout for this type of information and have yet to see a tutorial that meets your needs, sorry.

But it can be done!
The problem is that it probably will require a lot of manual interaction (partitioning, the boot part, …) and depending on how Xubuntu sets up the encryption (encrypted or unencrypted /boot) you’ll maybe even want/need to set up a third installation just to easily choose your system at boot time.

Given your experience level, you may be in for a world of hurt.

Is Xubuntu a company, school or university requirement?
If it is just your personal preference, why not just try an encrypted EndeavourOS? Can’t imagine anything running on Xubuntu you couldn’t set up on Arch.

If you prefer LVMonLUKS there’s a tutorial here, but I would recommend you try the easier to install (~15m) beginner friendly BTRFSonLUKS setup described here.

One alternative (before real instructions are available) is to use a virtual machine for one of those distros.

It is of course not the best in terms of performance and certain (graphics) features, but better than nothing, and quite easy to set up. And the bonus is you can run both distros simultaneously.

Sounds good, I will check it, when it’s being released.

No, I was thinking more in the way that both distros are separately encrypted with different encryption keys.

It’s not hard for me to follow a well-explained tutorial. I mean in most cases it’s just copy&paste, but I didn’t find any tutorial explained in detail that suits what I would like to have.

I’m not completely inexperienced in Linux. But I think I have just the basic knowledge in using it. I can change configs, write simple bash commands and just work with it. But I lack knowledge of the filesystem and all the bootloading stuff itself. I would like to improve it, because I’m seriously interested in learning what’s under the hood.

Why would I need a third installation?

Xubuntu is no requirement at all. I’m just used to Debian-based distros. Since the sysadmin of my company suggested using it, I got used to it. So I can set everything up I need for home office very easily and ask him for help if something doesn’t work at all. (He uses Xubuntu himself)
I could’ve set up Arch, too, but I would run into beginner problems and I’ve got no time for that when I have to do home office x) But yeah, I’m more interested in Arch.

The second one looks great. Especially the auto snapshots are quite interesting. I’m gonna check it out in more detail later.

That’s my current solution x)
I’ve set up a Xubuntu VM that day, because I had no time anymore.


Well… after all I would like to explain my imaginary holy grail setup I would like to use in the future:

  • I need 2 separated distros on the same NVMe which are encrypted with different keys.
  • When I come into the bootloader menu, I need the choice of which one of the 2 distros I want to boot. When I chose one, I have to decrypt it with it’s own password
  • I need a possiblity to SSH into my computer into the bootloader menu or something similar to it, so I can choose a distro and decrypt it via SSH. (Usefull for wake on lan uses-cases) I saw a solution for that some time ago. I just don’t remember the name atm.
  • I would like to have an automated snapshotting system. Would be nice, if I still can decide when exactly the snapshot should be done, too.
  • It should be easy to add another distro the way I added the second one, too. Maybe via a bash script or so

This is the direction I would like to go :smile:
For now my problem with the home office is solved via Xubuntu VM. It’s not perfect, but it’s fine for now to work with. I would like to move it to the explained setup.

edit:
After rethinking the plan I cannot find any benefits of decrypting 2 different distros separately with different passwords :thinking:
I guess decrypting the whole drive would have the same benefits? :thinking: quite unsure

Have a nice day guys! :wink:

@2000
I finally installed xfce again using BTRFS without encryption using your copy & paste method on an MBR system. Seems to be working correctly but I guess I’ll see.

So on my other computer, which is UEFI, I have installed 3 different desktops of EndeavourOS with BTRFSonLUKS using rEFInd. They are all on separate drives and work individually without any issues so far. Each has its own grub menu after using rEFInd to select the desktop and decrypt the drive. rEFInd is using the grubx64.efi because of having grub intertwined in the setup. I created a folder in each with its own name for the desktop and copied the grubx64.efi file into it from the EndeavourOS folder. Then I copied image files into the rEFInd folder that is installed on the first OS and renamed them accordingly to match the folders.

I did use the same password for each for LUKS. Is there any way to change these passwords or not?
Everything works well. Wish I could understand it better. :laughing:

Yes, easily. Let’s assume your /dev/sda2 is encrypted.

  • Get encrypted device info; a luks device can contain up to 8 different keys (passphrases). E. g.
    sudo cryptsetup luksDump /dev/sda2
    -or-
    sudo cryptsetup luksDump /dev/sda2 | grep Slot

  • Change existing key; you’ll be prompted to enter in the existing passphrase first, then to enter in your new passphrase and confirm the new passphrase.
    sudo cryptsetup luksChangeKey /dev/sda2

  • Add new key to empty slot
    sudo cryptsetup luksAddKey /dev/sda2

  • Add new key to specific slot, e. g. slot 5
    sudo cryptsetup luksAddKey /dev/sda2 -S 5

  • Delete an existing key. You don’t have to specify the slot number but instead specify the key to be deleted.
    sudo cryptsetup luksRemoveKey /dev/sda2

  • Delete a specific key slot (for example slot 5);
    sudo cryptsetup luksKillSlot /dev/sda2 5

There are more commands regarding LUKS devices but the above should do the trick.
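As an added example (not from this thread or from cryptsetup itself), here is a small POSIX sh helper that parses the luksDump output shown above and refuses to run luksKillSlot when the chosen slot is the only one still enabled, which would lock the volume for good. The dump text is constructed; the device path and sudo usage are assumptions.

```shell
#!/bin/sh
# Added helper, not from the thread: read LUKS1-style `cryptsetup luksDump`
# output and guard luksKillSlot so the last enabled slot is never removed.

# Constructed sample dump, shaped like the output quoted in the thread.
SAMPLE_DUMP='LUKS header information for /dev/sda2
Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# enabled_slots DUMP: print the number of every enabled slot, one per line.
enabled_slots() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-7]: ENABLED/ { sub(/:/, "", $3); print $3 }'
}

# count_enabled DUMP: how many slots currently hold a key.
count_enabled() {
    enabled_slots "$1" | wc -l | tr -d ' '
}

# safe_to_kill DUMP SLOT: true only if SLOT is enabled and at least one
# other slot stays enabled after it is killed.
safe_to_kill() {
    enabled_slots "$1" | grep -qx "$2" || return 1
    [ "$(count_enabled "$1")" -ge 2 ]
}

# kill_slot_checked DEVICE SLOT: the guarded version of
# `sudo cryptsetup luksKillSlot DEVICE SLOT` (needs a real LUKS1 device).
kill_slot_checked() {
    dump=$(sudo cryptsetup luksDump "$1") || return 1
    if ! safe_to_kill "$dump" "$2"; then
        echo "refusing: slot $2 is not enabled or is the last key on $1" >&2
        return 1
    fi
    sudo cryptsetup luksKillSlot "$1" "$2"
}
```

The parser only understands the LUKS1 "Key Slot N:" lines; a LUKS2 header prints its keyslots in a different layout.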

Well, it didn’t work when I tried. I changed the existing password and it said it accepted it, but it wouldn’t work. I tried to delete the one I changed it to and it said it didn’t exist. Originally it was slot zero. Then when I changed it, it said slot two. So I tried to remove it and now it says slot one and it is my original password. I’m confused.

[ricklinux@eos-xfce ~]$ sudo cryptsetup luksDump /dev/sda2 | grep Slot
[sudo] password for ricklinux: 
Key Slot 0: DISABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
[ricklinux@eos-xfce ~]$ 

:crazy_face: Me too.

Is the password to decrypt rejected during boot? Is your keyboard layout other than US?
If yes, the core of the issue could probably be the keyboard layout at the LUKS password prompt. It is by default in US keymap. So if special characters are included in the LUKS password, you’ll have to input them as US keymap.

Other than that I don’t know what could have gone wrong. Maybe try with adding and deleting a simple password, e. g. “test”, first.

The keyboard is a Cooler Master mechanical RGB gaming keyboard. It’s US and the password is just an all-lower-case word. So I don’t know.

Edit: My old password works.

@2000
Strange, it accepts the original passphrase and says it’s opening slot 0, but yet it won’t accept the passphrase to change it and it reports it has slot 1 enabled.

Edit: I ended up reinstalling the unencrypted version as I need the practice. :laughing:

Use GNOME Disk utility :beginner:

I have multiple encrypted OSes booting from the EOS grub.

I installed each OS on a single encrypted LUKS partition, manually configured with a swapfile post install.

Some non-Arch-based distros may require separate EFI, /boot and root partitions on encrypted installs (i.e. Fedora). Change as necessary.

I manually partition first using gparted, EFI + root partition, then install into the root partition. All other personal data is kept on separate encrypted disks.

NAME     SIZE  FSTYPE
sdb
├─sdb1   300M  FAT32
├─sdb2   50G   LUKS
├─sdb3   300M  FAT32
├─sdb4   50G   LUKS
├─sdb5   300M  FAT32
├─sdb6   50G   LUKS
├─sdb7   300M  FAT32
├─sdb8   50G   LUKS

sdb2 has EOS, sdb4 has vanilla Arch, sdb6 has Artix, sdb8 has Debian 10.5 (but this changes frequently, Fedora 33 next ).

I installed EOS, Artix and Debian using the Calamares option to replace existing installation, chose the correct root partition, and selected encrypt install with no swap partition. Add swapfile post install.

The Arch install was done manually.

After completing all the installs ensure EOS is first in the boot order using efibootmgr -o, or configure boot order in BIOS settings. Or just install EOS last.

When a new distro is installed, or when grub is re-installed in any distro (manually or automatically):

sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=[Distro-Label] --recheck

Re-check the boot order to ensure EOS boots first.

To boot other encrypted distros from the EOS grub you cannot rely on os-prober to find them and add them automatically. She don’t. You’ll have to add them manually.

For the sake of simplicity I chainload grubs instead of manually creating bootable grub entries, which is a PITA with crypto related setup (see your /boot/grub/grub.cfg for details).

These entries are added into /etc/grub.d/40_custom.

/etc/grub.d/40_custom

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

menuentry "Arch" {
set root="hd1,gpt3"
chainloader /EFI/Arch/grubx64.efi
}

menuentry "Artix" {
set root="hd1,gpt5"
chainloader /EFI/Artix/grubx64.efi
}
submenu "Other" {
    menuentry "Debian" {
    set root="hd1,gpt7"
    chainloader /EFI/Debian/grubx64.efi
    }
    
    menuentry "EndeavourOS Rescue" {
    set root="hdX,gptY"
    chainloader /EFI/EndeavourOS2/grubx64.efi
    }
}

root is the EFI partition, chainloader is the path to the grub EFI stub. hdX is a zero-based disk number, gptY is a non-zero-based partition number.

Each entry in 40_custom will have an EOS grub menu item; selecting it will launch grub for the particular OS. Proceed as usual.

Off Topic

I do all my backup / restore / possible chroot fixes from a rescue system rather than live ISO. All the tools I need are installed and configured to my liking. The rescue system was not installed, but a clone of EOS root partition using rsync and tweaked to boot. Not really relevant for this topic though.
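An added example, not otherbarry’s own script and not part of the post above, that turns Linux device names into the hdX,gptY form the 40_custom entries need and prints the chainload entries for a list of distros. It assumes GPT disks and that grub numbers disks in the same order as the kernel’s sdX letters (sda is hd0), which firmware does not guarantee, so confirm the numbering with `ls` at the grub prompt before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread: build chainload entries for
# /etc/grub.d/40_custom from "Label:/dev/sdXN" pairs.
# Assumptions: GPT partition tables, and grub's hdN order matching the
# kernel's sdX letter order (sda = hd0). Verify with `ls` at the grub prompt.

# grub_device /dev/sdb3 -> hd1,gpt3 (disk index is zero-based, partition is not).
grub_device() {
    dev=${1#/dev/}
    case $dev in
        sd[a-z][0-9]*) ;;
        *) echo "unsupported device name: $1 (only sdXN handled)" >&2; return 1 ;;
    esac
    letter=$(printf '%s' "$dev" | cut -c3)
    part=$(printf '%s' "$dev" | cut -c4-)
    idx=$(printf 'abcdefghijklmnopqrstuvwxyz' | awk -v l="$letter" '{ print index($0, l) - 1 }')
    printf 'hd%s,gpt%s\n' "$idx" "$part"
}

# menu_entry LABEL EFI_PARTITION: one entry. LABEL must equal the
# --bootloader-id given to grub-install, because that names the /EFI folder.
menu_entry() {
    root=$(grub_device "$2") || return 1
    printf 'menuentry "%s" {\n    set root="%s"\n    chainloader /EFI/%s/grubx64.efi\n}\n' "$1" "$root" "$1"
}

# custom_file Label:/dev/sdXN ...: the complete 40_custom text (header + entries).
custom_file() {
    printf '#!/bin/sh\nexec tail -n +3 $0\n'
    for pair in "$@"; do
        menu_entry "${pair%%:*}" "${pair#*:}" || return 1
    done
}

# Usage: custom_file Arch:/dev/sdb3 Artix:/dev/sdb5 Debian:/dev/sdb7
# Redirect the output to /etc/grub.d/40_custom yourself, then regenerate grub.cfg.
```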

Was looking for a way to boot multiple OSes encrypted , thank you @otherbarry :smiling_face_with_three_hearts: :partying_face:

Get it working in Virtualbox first, make any mistakes there.

@ricklinux
Sorry, didn’t want to ghost on you but it was 2AM here and sadly Monday is a workday :unamused:

All very strange indeed.

Here’s some background info:
Due to the “full disk encryption” scheme your /boot folder was encrypted too. During the early boot stage grub asks for a passphrase to unlock the LUKS1 encrypted partition to access /boot. But the partition unlock is not passed on to the initramfs. Hence, you would have to enter the passphrase twice at boot: once for grub and once for the initramfs.
This is why a second key (/crypto_keyfile.bin) is added to the luks device and the initramfs. The system is now able to “chain-unlock” by entering just one password.

So you started out with two keys:

  1. Slot 0 - The passphrase you chose during the calamares setup
  2. Slot 1 - The keyfile that was generated and added automatically by calamares

If you now add a new key it would be automatically assigned to the next free key-slot, here slot 2.

If you change a key the following happens:
If a key-slot is specified, the passphrase for that key-slot must be given and the new passphrase will overwrite the specified key-slot. If no key-slot is specified and there is still a free key-slot, then the new passphrase will be put into a free key-slot before the key-slot containing the old passphrase is purged. If there is no free key-slot, then the key-slot with the old passphrase is overwritten directly.

So, by changing your original passphrase (slot0) the new key would be added to slot2 followed by a purging/deletion of slot0.
Reading your description I think this actually worked as it is supposed to.

You then manually removed the key in slot2, which left you with the key-file in slot1 you had all along.

I just don’t get why this was your “original password”, though? Slot1 should have held your original key-file which should be different from your first chosen password and you didn’t touch slot1.


Well, it’ll most likely stay a mystery seeing that you’ve moved on :slightly_frowning_face::grin:
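To make the slot sequence described above concrete, here is an added model (not cryptsetup itself, and not from the thread) of the key-slot bookkeeping that paragraph quotes: eight slots, luksAddKey fills the first free one, luksChangeKey puts the new passphrase in a free slot before purging the old one (or overwrites in place when all slots are full), and luksRemoveKey clears whichever slot holds the given passphrase. The passphrase and keyfile values are constructed stand-ins.

```shell
#!/bin/sh
# Added model of LUKS key-slot bookkeeping (not cryptsetup, not from the
# thread). State is a '|'-separated string of 8 fields; an empty field is
# a free slot. "mypass", "keyfile", "newpass" are constructed stand-ins.
EMPTY='|||||||'

# slot_of STATE KEY: zero-based slot holding KEY, or -1 if absent.
slot_of() {
    printf '%s\n' "$1" | awk -F'|' -v k="$2" \
        '{ for (i = 1; i <= 8; i++) if ($i == k) { print i - 1; exit }; print "-1" }'
}
# slot_set STATE N VALUE: new state with slot N holding VALUE ("" frees it).
slot_set() {
    printf '%s\n' "$1" | awk -F'|' -v n="$2" -v v="$3" 'BEGIN { OFS = "|" } { $(n + 1) = v; print }'
}
# luks_add STATE KEY: luksAddKey semantics, fill the first free slot.
luks_add() {
    n=$(slot_of "$1" ""); [ "$n" -ge 0 ] || { echo "no free slot" >&2; return 1; }
    slot_set "$1" "$n" "$2"
}
# luks_remove STATE KEY: luksRemoveKey semantics, free the slot holding KEY.
luks_remove() {
    n=$(slot_of "$1" "$2"); [ "$n" -ge 0 ] || { echo "no such key" >&2; return 1; }
    slot_set "$1" "$n" ""
}
# luks_change STATE OLD NEW: luksChangeKey without -S: NEW goes to a free
# slot, then OLD is purged; with no free slot, OLD is overwritten in place.
luks_change() {
    old=$(slot_of "$1" "$2"); [ "$old" -ge 0 ] || { echo "no such key" >&2; return 1; }
    if [ "$(slot_of "$1" "")" -ge 0 ]; then
        s=$(luks_add "$1" "$3") && slot_set "$s" "$old" ""
    else
        slot_set "$1" "$old" "$3"
    fi
}

# enabled STATE: occupied slot numbers, like `luksDump | grep Slot` shows.
enabled() {
    printf '%s\n' "$1" | awk -F'|' '{ o = ""; for (i = 1; i <= 8; i++) if ($i != "") o = o (o == "" ? "" : " ") (i - 1); print o }'
}

# replay: calamares left the passphrase in slot 0 and the keyfile in slot 1;
# change the passphrase, then remove the new one, as happened in the thread.
replay() {
    s=$(slot_set "$EMPTY" 0 mypass); s=$(slot_set "$s" 1 keyfile)
    s=$(luks_change "$s" mypass newpass)   # newpass lands in slot 2, slot 0 purged
    s=$(luks_remove "$s" newpass)          # only the keyfile in slot 1 is left
    enabled "$s"
}
```

Running replay prints just "1", the same picture as the "Key Slot 1: ENABLED" dump earlier in the thread.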

That’s okay because I do still have two that are encrypted and I wipe the computer off all the time because for me it’s just learning something new. Sometimes it’s hard to wrap your head around all of this but every time it gets a little easier. I might play around with the other two, changing the password and reading this over to see if I understand it. :slightly_smiling_face:

Again, thanks for your time; I know it’s invaluable. I still haven’t tried the verbose method because it still seems complicated, as I still don’t have a full understanding of the depths of it. The quick copy and paste is nice.

All this time I never knew why there were two slots enabled in LUKS. Thanks @2000 :partying_face:

Now a question emerges: does using Gnome Disk Utility change both key slots or just one?

Actually there are 8, I think, from the info.

I’ve never used anything other than cli to manipulate a luks device but after a quick search I assume it just changes one key and leaves the key-file intact.
This is because Gnome Disk Utility asks for a current and then a new passphrase; the same that luksChangeKey does. It adds a new key to a free slot and removes the old key from its former slot. [Edit] Unless all 8 slots are full; it then would simply overwrite the old passphrase.