Dual boot (EnOS + W11) + systemd-boot + encryption

Hi there,
I’d like to prepare myself to fully migrate from Manjaro into EnOS. I’m going to install all from scratch, so no need to worry about destroying something.

What I want to achieve is to have:

  • encrypted W11 installation - C:\
  • encrypted /home partition
  • encrypted, shared storage ntfs partition - D:\ = /mnt/MAG
  • booting orchestrated by systemd-boot

I don’t want to encrypt everything because if something goes wrong, I want to have one OS bootable but at the same time, I need to encrypt data as it’s a laptop.

My current setup is like below (the last partition is normally encrypted, but now I’m testing EnOS, so I decrypted it while making space for EnOS).

W11 is bitlocker, Linux has dedicated / partition not encrypted and dedicated /home partition encrypted. GRUB orchestrates booting and decrypting /home.

I don’t have any former experience with systemd-boot, so I have a couple of questions:

  1. Given what I want to achieve, may I simply install both OSes and then encrypt all, step-by-step, similar to GRUB (except for /home, which I encrypt using Calamares while installing EnOS)?
  2. Will systemd-boot manage the passwd prompt for /home encrypted that way?
  3. AFAIK kernels are required to be signed with keys - I found that article https://wiki.archlinux.org/title/systemd-boot but it says that signing is required only if secure boot is enabled in UEFI. Is that right? Assuming that I don’t have secure boot, does that mean I can omit that signing process?
  4. What is the best way to manage timeshift snaps with systemd-boot?
  5. Is there a better way to have that common storage partition without using the /etc/crypttab and file-based decryption?

Sorry for that epic post - any guidance appreciated. Cheers.

I would use manual partitioning in this situation and select that you would like encryption for /home.

systemd-boot won’t care either way but the dracut image(initrd) will ask for a password to unlock your /home while booting.

Only if you are using secure boot. If you aren’t using secure boot, it doesn’t matter.

If you want to use timeshift snapshots with systemd-boot, after restoring the snapshot, you will need to chroot in and run reinstall-kernels if the kernel has been updated since the snapshot was taken.

I have never investigated the possibility of unlocking a bitlocker encrypted ntfs volume on Linux so I can’t answer this one.

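As an added example (not part of this thread), a small POSIX shell check for the Timeshift point above: after a snapshot restore, it lists kernel versions present in the restored root that have no systemd-boot entry, which is exactly the situation where a chroot and `reinstall-kernels` are needed. The directory layout (`usr/lib/modules/<version>` in the root, `loader/entries/*.conf` on the ESP with the version in the `linux` path), the machine-id placeholder and the sample kernel versions are assumptions built into the example, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): after restoring a Timeshift snapshot,
# list kernel versions the restored root ships that have no systemd-boot
# entry. Each version printed is one that reinstall-kernels (run from a
# chroot) would need to regenerate. Layout assumed here:
#   $root/usr/lib/modules/<version>/   modules of the restored root
#   $esp/loader/entries/*.conf         entries whose "linux" path contains <version>

missing_boot_entries() {
    root="$1"
    esp="$2"
    missing=""
    for moddir in "$root"/usr/lib/modules/*/; do
        [ -d "$moddir" ] || continue
        ver=$(basename "$moddir")
        # An entry exists if some .conf references this version in a path
        if ! grep -qsF -- "/$ver/" "$esp"/loader/entries/*.conf; then
            missing="${missing:+$missing }$ver"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample layout under "$1": two installed kernels, but a loader
# entry only for the older one (the state after restoring a snapshot that
# predates a kernel update).
make_sample_layout() {
    base="$1"
    mkdir -p "$base/root/usr/lib/modules/6.6.1-arch1-1" \
             "$base/root/usr/lib/modules/6.6.2-arch1-1" \
             "$base/esp/loader/entries"
    cat > "$base/esp/loader/entries/sample-6.6.1.conf" <<'EOF'
title   EndeavourOS (sample)
version 6.6.1-arch1-1
linux   /SAMPLE-MACHINE-ID/6.6.1-arch1-1/linux
initrd  /SAMPLE-MACHINE-ID/6.6.1-arch1-1/initrd
options root=UUID=SAMPLE-UUID rw
EOF
}

# Stand-alone demo; prints "6.6.2-arch1-1"
tmp=$(mktemp -d)
make_sample_layout "$tmp"
missing_boot_entries "$tmp/root" "$tmp/esp"
rm -rf "$tmp"
```

Run it against the real mount points (for example the restored root mounted under /mnt and the ESP under /mnt/efi) instead of the sample layout to see which versions still need an entry.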

Great, thank you @dalto for addressing all the questions. Now I think I can start with moving towards EnOS completely 🙂
