Dual boot (EnOS + W11) + systemd-boot + encryption

General system Installation
1

Hi there,
I’d like to prepare myself to fully migrate from Manjaro into EnOS. I’m going to install all from scratch, so no need to worry about destroying something.

What I want to achieve is to have:

  • encrypted W11 installation - C:\\
  • encrypted /home partition
  • encrypted, shared storage ntfs partition - D:\\ = /mnt/MAG
  • booting orchestrated by systemd-boot

I don’t want to encrypt everything because if something goes wrong, I want to have one OS bootable but at the same time, I need to encrypt data as it’s a laptop.

My current setup is like below (last partition is normally encrypted but now I’m testing EnOS, so I decrypted it while doing space for EnOS).

W11 is bitlocker, Linux has dedicated / partition not encrypted and dedicated /home partition encrypted. GRUB orchestrates booting and decrypting /home.

I don’t have any former experience with systemd-boot, so I have a couple of questions:

  1. given what I want to achieve may I simply install both OSes and then encrypt all, step-by-step similar to GRUB (except for /home which I encrypt using calmares while installing EnOS)?
  2. will systemd-boot manage passwd prompt for /home encrypted that way?
  3. AFAIK kernels require to be signed with keys - I found that article https://wiki.archlinux.org/title/systemd-boot but it says that signing is required only if secure boot is enabled in UEFI. Is that right, assuming that i don’t have secure boot, does that mean I can omit that signing process?
  4. What is the best way to manage timeshift snaps with systemd-boot?
  5. Is there a better way to have that common storage partition without using the /etc/crypttab and file-based decryption?

Sorry for that epic post - any guidance appreciated. Cheers.

2

I would use manual partitioning in this situation and select that you would like encryption for /home

systemd-boot won’t care either way but the dracut image(initrd) will ask for a password to unlock your /home while booting.

Only if you are using secure boot. If you aren’t using secure boot, it doesn’t matter.

If you want to use timeshift snapshots with systemd-boot, after restoring the snapshot, you will need to chroot in and run reinstall-kernels if the kernel has been updated since the snapshot was taken.

I have never investigated the possibility of unlocking a bitlocker encrypted ntfs volume on Linux so I can’t answer this one.

1 Like
3

Great, thank you @dalto for addressing all the questions. Now I think I can start with moving towards EnOS completely :slight_smile:

2 Likes
4

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.