i am looking for the best way to install EOS on a individual (non-calamari-standard) configured LUKS2 partition with BTRFS (BTRFS on LUKS). So that you don’t think I wouldn’t try to find a solution myself, I’ve collected my results so far.
First: I don’t know yet whether a LVM layer could be useful between LUKS and BTRFS like in this guide. Perhaps someone can say something about this, why LVM may be useful or even necessary is this case?
I’ve readed some threads around the web for change cryptsetup settings in combination with the calamari-installer. I’ve learned a lot while reading (and hope understand it correctly), but it looks not easy, because there are some obstacles:
1.) Calamares seems to use cryptsetup default settings, there is no config file or another way to edit parameters before installation. So you just get LUKS1 with pbkdf2 (LUKS1 can handled by GRUB2 and systemd-boot).
2.) I previously manually created an encrypted partition in the live environment with LUKS2, but it seems there is no way to use it for calamares, because the installer did not show mapped devices like “/dev/mapper/xxx”. If you choose the decrypted but unmounted pre-encrypted partition directly, calamares overwrites the LUKS-layer.
3.) There’s a way I don’t like, because it puts a lot of stress on the ssd or lasts hours on an HDD:
You choose LUKS in calamares and install EOS on it, and then you reencrypt the LUKS layer with
cryptsetup reencrypt and your desired changed parameters. I simulated it once - here the entire partition will be reencrypted, regardless of whether there is data on it or not.
4.) Perhaps the best way is to manually create an encrypted partition like in 2., create a temporary partition, install EOS on it and manually move it to the encrypted partition similar to this guide.
This guide is great, but it did not use the newest tools, i am not sure how to handle it in the new combination of LUKS2, BTRFS, subvolumes, systemd-boot and Dracut.
It would be nice to gather knowledge and experience together and create a new and up-to-date HowTo, so it possibly later could moved to the EndeavourOS-Wikipage - Encrypted Installation