I used dual boot Manjaro/Windows on separate physical disks before, until I broke Manjaro.
The GRUB menu worked flawlessly.
I’m now looking into doing a new dual boot, but with Endeavour instead of Manjaro, and have been smart enough to install it on a virtual machine to test it out beforehand.
Thing is the Manjaro install wasn’t encrypted, while this virtual is, and what I’m planning to have in the real install.
When I boot the virtual machine I get:
“Welcome to GRUB!
Enter passphrase for hd0,msdos1 (kjfldslkjdsf-kjsfdalkjsfd…):”
What comes first? GRUB or encryption?
If I dual boot, will I have to decrypt the Endeavour disk just to use GRUB and boot the Windows disk, if GRUB is installed on the Endeavour disk?
Or will GRUB start, I choose Endeavour, decrypt prompt comes up/GRUB start, I choose Windows, it boots without prompt?
I’m guessing GRUB comes first and I won’t have to decrypt if I boot Windows since the “Welcome to GRUB” message, but would like to be as confident as possible before I start, and can’t really test that out on my virtual machine.
It depends on if you set up full disk encryption or not. With FDE, a tiny bit of GRUB code is available at boot for unlocking the disk–before even GRUB itself fully starts, or has access to its configuration files–whereas if just the root partition is encrypted, you would get to GRUB and select a boot option, then systemd loads the initramfs and you see a bit of console output before the LUKS prompt pops up.
This is FDE.
If Windows has a separate EFI partition (on its disk) and you are chainloading the Windows boot loader from GRUB, with FDE you will need to unlock the disk first. Or you can boot to Windows directly using the BIOS boot menu.
If the root partition is encrypted but the EFI partition is not, you can just boot normally (like on your Manjaro system) because the LUKS unlock comes later in the boot routine.
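The distinction drawn in the replies above, as an added example that is not part of any post in the thread: given `lsblk -J` output, it reports whether the filesystem holding `/boot` sits inside a LUKS container, which decides whether the passphrase prompt or the menu comes first. It assumes GRUB is the boot loader and reads its kernels and `grub.cfg` from `/boot`; the two device trees and the function names are constructed for illustration.

```python
import json

# Constructed samples of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (not from the thread).
# FDE: one LUKS partition holds everything, /boot included.
FDE = json.loads("""{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]}""")

# SPLIT: a small unencrypted /boot partition next to an encrypted root.
SPLIT = json.loads("""{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]}""")


def find_mount(nodes, target, under_luks=False):
    """Depth-first search of the lsblk tree.

    Returns (device name, True if the device is or sits below a LUKS container)
    for the device mounted at `target`, or None if nothing is mounted there.
    """
    for node in nodes:
        encrypted = (under_luks
                     or node.get("fstype") == "crypto_LUKS"
                     or node.get("type") == "crypt")
        if node.get("mountpoint") == target:
            return node["name"], encrypted
        hit = find_mount(node.get("children", []), target, encrypted)
        if hit:
            return hit
    return None


def boot_order(tree):
    """Say which comes first at power-on: the passphrase prompt or the boot menu."""
    devices = tree["blockdevices"]
    # With no separate /boot mount, /boot is just a directory on the root filesystem.
    boot = find_mount(devices, "/boot") or find_mount(devices, "/")
    if boot is None:
        raise ValueError("no root filesystem found in lsblk output")
    return "passphrase-before-menu" if boot[1] else "menu-before-passphrase"


if __name__ == "__main__":
    for label, tree in (("FDE", FDE), ("SPLIT", SPLIT)):
        print(label, boot_order(tree))
```

On a running system, feed it the real tree with `json.loads(subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"]))`.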
I realized the virtualization machine can dual boot.
So I tried, and indeed I unfortunately have to decrypt the disk to enter the GRUB menu.
So I tried partitioning at install.
One 1g for boot, and the rest for OS. With “Install boot loader on: Boot Partition (/boot)”
Main partition:
LUKS
Flags: no
Mount point: /
encrypted
Boot partition:
ext4
Flags: boot, bios-grub
Mount point: /boot
not encrypted
I’ve tried putting it at the end and at the beginning of the disk.
Tried FAT32 instead of ext4.
But the VM BIOS just says “No bootable medium found! Please insert a bootable medium and reboot”
When I accidentally set boot point to the standard /boot/sda it started GRUB, but only said GRUB and a blinking underline, and couldn’t type or do anything.
Am I doing something wrong with the flags?
Is there any other way I can encrypt everything but GRUB and boot?
GRUB works flawlessly if I don’t manually partition the disk and is on same partition as everything else (can choose both Endeavour and Windows).
edit:
Also tried changing the VM from BIOS to EFI.
When set to EFI I can’t set where to install the boot loader. But I set the same flags, and put it in /boot/efi instead.
Then it doesn’t start GRUB at all, it just goes straight to hard drive decrypt and boots Endeavour after that, no GRUB menu before or after. Can’t even F12 in BIOS to choose OS or disk to boot from. Kinda bricking both installations. Might be a VM issue though.
I think I’ve re-installed it 30 times by now.
Just can’t get a separate boot partition to work. At all.
Hmm, I took a look and I don’t think the installer supports an encrypted installation with an unencrypted boot partition. You could set it up after the fact though; just set aside a small partition and after the installer finishes you can copy the files over from /boot. Then update /etc/fstab to mount your new partition at /boot.
It’s just not an option that I was able to find. I don’t know what else to say about it.
You can set the filesystem of the partition to “luks”, but that is obviously not right–there is nowhere to set a passphrase, and no way to define the actual filesystem that will be used when LUKS is unlocked.
Edit:
Here is what I am looking at:
You can set “luks” for the filesystem, but nowhere to set the passphrase or the actual filesystem inside.
Yeah that’s what I was saying, there is no checkbox if you just double-click on a partition and tick the “format” option. But if you delete the partition altogether, then make a new one you get the encryption checkbox.
I’m not sure why I didn’t know that, I guess I have never done it before.
Thank you, I’ll look into this.
Feels like deep water with a lot of risk involved, but I’ll def look into it.
Forgot to try that.
I have PTSD from dualbooting 15-20 years ago, so I was shocked how well it worked with Manjaro+GRUB last year when I tried it yet again for the first time in all those years, so got kinda locked in on getting the same this time around. Encryption halted the smoothness though.
Tried it now, and yes, the menu does come before decryption but I can’t choose Windows. Am I supposed to be able to do that?
On the other hand, now it boots to HDD-installed Endeavour even with Optic Disk as priority (bootable ISO).
Don’t know if that’s VM issue or not…
But in theory the PC should boot into systemd-boot and show a GRUB-like menu where I can choose what OS to boot?
It feels like there’s always some hidden issue with dual booting, and I actually need to boot some rescue disk and run some commands for it to actually work, after some extra hours of googling without a working computer.
Thank you.
I’m fatigued, so won’t look more into this tonight, I’ll give a new try tomorrow or in the weekend.