EOS on individual configured LUKS partition and BTRFS

Hi all,

I am looking for the best way to install EOS on an individually configured (non-Calamares-standard) LUKS2 partition with BTRFS (BTRFS on LUKS). So that you don’t think I wouldn’t try to find a solution myself, I’ve collected my results so far. :slight_smile: :wink:

First: I don’t know yet whether an LVM layer could be useful between LUKS and BTRFS like in this guide. Perhaps someone can say something about this: why might LVM be useful or even necessary in this case?

I’ve read some threads around the web about changing cryptsetup settings in combination with the Calamares installer. I’ve learned a lot while reading (and hope I understand it correctly), but it does not look easy, because there are some obstacles:

1.) Calamares seems to use cryptsetup default settings; there is no config file or other way to edit parameters before installation. So you just get LUKS1 with pbkdf2 (LUKS1 can be handled by GRUB2 and systemd-boot).

2.) I previously manually created an encrypted partition in the live environment with LUKS2, but it seems there is no way to use it in Calamares, because the installer does not show mapped devices like “/dev/mapper/xxx”. If you choose the decrypted but unmounted pre-encrypted partition directly, Calamares overwrites the LUKS layer.

3.) There’s a way I don’t like, because it puts a lot of stress on the SSD or takes hours on an HDD:
You choose LUKS in Calamares and install EOS on it, and then you reencrypt the LUKS layer with cryptsetup reencrypt and your desired changed parameters. I simulated it once - here the entire partition will be reencrypted, regardless of whether there is data on it or not.

4.) Perhaps the best way is to manually create an encrypted partition like in 2., create a temporary partition, install EOS on it and manually move it to the encrypted partition, similar to this guide.
This guide is great, but it does not use the newest tools; I am not sure how to handle it with the new combination of LUKS2, BTRFS, subvolumes, systemd-boot and Dracut.

It would be nice to gather knowledge and experience together and create a new and up-to-date HowTo, so it could possibly be moved later to the EndeavourOS wiki page - Encrypted Installation :wink:

This is useful if you want to have multiple partitions that are luks encrypted. For example, if you want a swap partition. Putting all those partitions on a single luks volume using lvm makes it so you only have to unlock one partition.

This is especially useful when using systemd-boot where you would otherwise need to put your password in for each partition.

Of course, if you are only going to have one partition, this isn’t needed.

I don’t think that is possible to do in calamares. It just fundamentally doesn’t support it.

You could do this but that guide isn’t the way. Not only is it out of date but with btrfs you could send and receive the subvolumes, you wouldn’t need to rsync the data.

The high level steps would be:

  • Install into a small partition using btrfs with no swap
  • Boot into the new system
  • Create the luks/lvm setup you want
  • Put a btrfs filesystem on the partition where your data will be stored
  • Send/receive your subvolumes to the new filesystem
  • Mount the new system
  • Modify /etc/fstab for the new setup
  • If you have more than one encrypted partition, modify /etc/crypttab
  • Modify /etc/kernel/cmdline with the new disk information
  • arch-chroot into the new system (from the system you installed)
  • Run reinstall-kernels
  • Reboot into the new system
  • Delete the partition with the old install

It isn’t really a paint by numbers exercise so I am not sure how much of a good idea a guide would be.

There is a 5th option. If all you want is to change the luks options, you could fork calamares, make the changes to the code and then rebuild calamares from the ISO.

1 Like

Thanks a lot! :slight_smile: :slight_smile: :slight_smile:
I would create swap as a file later - the easier way for now.
I will try your steps in a VM (in UEFI mode) and see if my knowledge is enough - because I know for your option 5 my knowledge is not good enough. :innocent:
If it works i will mark this as solved later.

1 Like

Hey @dalto
Please excuse the late response.
I’m just trying to understand btrfs’s subvolume “root”, to snapshot, send and receive it properly from the temporary btrfs partition to the final btrfs partition.

You need to send all the subvolumes. Take a snapshot of each subvolume and then send each one over to the root of the new btrfs partition. If you used the default layout, you should have 4 subvolumes.

1 Like
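
Added example, not part of the replies above: the snapshot/send/receive step from the high-level list and from the reply about sending every subvolume, written as a script that prints the commands for review. The mount points `/mnt/old` and `/mnt/new`, the `.migrate` suffix, the subvolume names `@ @home @cache @log` and the kernel command line layout are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: prints the commands, runs nothing. Review, then run as root.
# Assumed: top-level volumes (subvolid=5) of the temporary install and of the
# new btrfs-on-LUKS filesystem are mounted at the two paths passed in.

plan_migration() {   # usage: plan_migration OLD_TOP NEW_TOP SUBVOL...
    old=$1; new=$2; shift 2
    for sv in "$@"; do
        snap="$sv.migrate"   # hypothetical temporary snapshot name
        # btrfs send only accepts a read-only snapshot as its source
        echo "btrfs subvolume snapshot -r $old/$sv $old/$snap"
        echo "btrfs send $old/$snap | btrfs receive $new/"
        # the received copy is read-only: make a writable snapshot under the
        # final name, then drop both temporary snapshots
        echo "btrfs subvolume snapshot $new/$snap $new/$sv"
        echo "btrfs subvolume delete $new/$snap"
        echo "btrfs subvolume delete $old/$snap"
    done
}

# One possible /etc/kernel/cmdline for the new root. rd.luks.uuid makes the
# initramfs unlock the container as /dev/mapper/luks-<UUID>.
kernel_cmdline() {   # usage: kernel_cmdline LUKS_UUID
    echo "rd.luks.uuid=$1 root=/dev/mapper/luks-$1 rootflags=subvol=/@ rw"
}

# Subvolume names below are an assumed layout; list yours with
#   btrfs subvolume list /mnt/old
plan_migration /mnt/old /mnt/new @ @home @cache @log
kernel_cmdline "<LUKS-UUID-from-blkid>"
```

The LUKS UUID is the one `blkid` reports for the encrypted partition itself, not the UUID of the btrfs filesystem inside it.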

You can convert LUKS1 to LUKS2 after installing EOS; just boot from the ISO and then

cryptsetup convert /dev/sda3 --type luks2

I have done it several times with no issues, but I’m not sure if GRUB supports LUKS2, but if you have your /boot partition unencrypted then it should work with systemd-boot as well.

This is how I have my partitions on my laptop currently

├─nvme0n1p1                                   vfat        FAT32 NO_LABEL 8B0E-FC0E                                 4G     7% /efi
└─nvme0n1p2                                   crypto_LUKS 2              82af832c-53b6-460f-ba8e-71ddda9abb51                
  └─luks-82af832c-53b6-460f-ba8e-71ddda9abb51 btrfs                      baf5c3de-5e40-4f3b-9a7b-6505752f1286    1.7T     4% /var/log
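
Added example, not part of the post above: `cryptsetup convert` changes the header format, but keyslots carried over from LUKS1 keep PBKDF2 until they are converted separately, so this check lists the keyslots of a `cryptsetup luksDump` that still use it. The dump text is a constructed, trimmed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `cryptsetup luksDump` text on stdin.

# Header format version: 1 or 2.
luks_version() {
    awk '$1 == "Version:" { print $2; exit }'
}

# Keyslot numbers whose PBKDF is still pbkdf2. Only the "Keyslots:" section
# is read: a LUKS2 "Digests:" section reports pbkdf2 as well, so grepping
# the whole dump for "pbkdf2" would flag every header.
pbkdf2_keyslots() {
    awk '
        /^[A-Za-z]/ { section = $1 }          # unindented line opens a section
        section != "Keyslots:" { next }
        /^  [0-9]+: / { slot = $1; sub(/:/, "", slot) }
        $1 == "PBKDF:" && $2 == "pbkdf2" { print slot }
    '
}

# Constructed sample (trimmed): slot 0 carried over from LUKS1, slot 1 added later.
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1500000
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 120000
EOF
}

sample_dump | pbkdf2_keyslots
# On a real device (as root):
#   cryptsetup luksDump /dev/sda3 | pbkdf2_keyslots
#   cryptsetup luksConvertKey --key-slot 0 --pbkdf argon2id /dev/sda3
```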