HOWTO - GPT/UEFI install with full disk encryption: BTRFSonLUKS with separate root, home and pkg subvolumes; hibernation with a swapfile; auto-snapshots with easy system rollback (GUI); boot into snapshots

Deleting data the “normal” way won’t work for you anymore! If you just delete data, it will leave chunks partially filled and therefore allocated. What you really need is unallocated space. The only way of getting more unallocated space is through balancing, which doesn’t work for you anymore, or by adding storage to the pool.

I don’t know what went wrong but you should see about 4GB added to the device size and about 4GB unallocated after adding your 4GB ramdisk.

This didn’t happen! You still have only 1.00MiB unallocated. So all following balancing tries have to fail.

You should double check the ramdisk creation and addition to the pool. Maybe you should just try adding flash media; any usb-stick etc. will do. This will be slower but also more straightforward.


I created a systemd timer but a standard cronjob will also work.



[Edit]
I just reread your commands; you’ve only mounted the subvolume @ from /dev/mapper/cryptdata to /mnt and later on try to add the ramdisk to / in a chroot environment.

Maybe try creating the ramdisk and adding to /mnt without chrooting instead.

  1. Try mounting without the subvol parameter instead:
    sudo mount -o defaults,ssd,noatime,compress=zstd /dev/mapper/cryptdata /mnt

    When you now run ls /mnt you should see this:

    ~$ ls /mnt
    @ @home

  2. Now create and add your ramdisk to /mnt (from the “outside”, not from within a chroot environment)
    sudo btrfs device add /dev/loop6 /mnt

  3. Balance (I suspect this also needs to be run from the “outside”). You’ll probably need to balance /mnt (or /mnt/@), but I’m not quite sure.

1 Like
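The check described in the post above (unallocated space must actually grow after `btrfs device add`, otherwise every balance will fail), as an added example that is not part of the original thread. The sample usage text, the helper names and the 3 GiB tolerance for a roughly 4 GB ramdisk are assumptions; on a real system the two inputs would be captured with `btrfs filesystem usage -b /mnt` before and after adding the device.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Sample usage text is constructed and
# follows the "Overall:" section printed by `btrfs filesystem usage -b <mount>`.

# Read usage text on stdin; print the byte value of one "Overall:" field.
usage_field() {
    awk -F: -v key="$1" '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == key { val = $2; gsub(/[ \t]/, "", val); print val; exit }'
}

# $1 = usage text before `btrfs device add`, $2 = after, $3 = bytes expected.
# Prints "added" if unallocated space grew by at least $3, else "not-added".
device_add_check() {
    local before after
    before=$(printf '%s\n' "$1" | usage_field "Device unallocated")
    after=$(printf '%s\n' "$2" | usage_field "Device unallocated")
    if [ $(( after - before )) -ge "$3" ]; then echo added; else echo not-added; fi
}

# Constructed usage text for a pool with the given size / unallocated bytes.
sample_usage() {
    printf 'Overall:\n    Device size:\t\t%s\n    Device allocated:\t\t%s\n    Device unallocated:\t\t%s\n' \
        "$1" "$(( $1 - $2 ))" "$2"
}

GIB=$(( 1024 * 1024 * 1024 ))
full=$(sample_usage $(( 100 * GIB )) 1048576)    # 1.00MiB unallocated, as in the thread
same=$(sample_usage $(( 100 * GIB )) 1048576)    # device add had no effect
grown=$(sample_usage $(( 104 * GIB )) $(( 4 * GIB + 1048576 )))

device_add_check "$full" "$same"  $(( 3 * GIB ))   # not-added
device_add_check "$full" "$grown" $(( 3 * GIB ))   # added
```
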

Although when I last posted my efforts seemed not to have worked, when I was about to try the extra steps you outlined in your edit I noticed I suddenly had ~ 40 GiB free and I have been reallocating chunks regularly - thank you for your help and happy new year! :slightly_smiling_face:

I do not like that I am operating at the moment with no existing Timeshift backups, and no new backups being taken, but the 2TB m.2 SSD I mentioned I thought was lost in the post has finally arrived, so in the coming weeks I want to start a fresh install of BTRFSonLUKS with the full Timeshift setup on it.

Once I have the new drive configured I would like to install Windows 10 on the existing SATA SSD and use rEFInd according to https://endeavouros.com/docs/installation/how-to-install-refind/

I understand that rEFInd should automatically detect any installed OS. My goal is that when I turn on my system I see the rEFInd menu, and from there I either boot to the passphrase prompt before GRUB for Ubuntu, or VeraCrypt passphrase prompt for Windows. Could you please tell me if the following plan should work:

  1. Install Ubuntu BTRFSonLUKS on the new drive as before using this guide and Willi Mutschler’s for reference
  2. Install rEFInd according to the linked forum article
  3. Install Windows 10 on old drive and set up full disk encryption with VeraCrypt

The reason I install Windows 10 last is so that if I have any issue with the new drive install I can fall back to the currently installed system on the old drive. Are there any special or extra steps I need to take to make this work?

From past experience I know that I can configure the Windows install so that VeraCrypt will prompt me for my passphrase and then log me into my desktop without a password prompt. Ideally I would just have to enter one passphrase/prompt to enter my desktop, whether booting Ubuntu or Windows, but I think when I last checked this to keep the BTRFSonLUKS install secure I must continue to have one passphrase prompt before the GRUB menu and then another at my Ubuntu login screen - please let me know if that is not the case.

Should work as planned. rEFInd should pick up all the OS’s automatically. If not, note that rEFInd can be tweaked quite a lot, both functionally and visually; so don’t be turned off by its default look.

I’d advise to “hide” the drives from each other (BIOS? or simply unplug) during installation of Windows and EndeavourOS. With rEFInd as your boot loader you don’t really need the OS’s seeing each other. You could also add GRUB_DISABLE_OS_PROBER=true to your /etc/default/grub later on to stop Grub from probing and adding Windows.

This is not the case! You only need your passphrase for the first unlock, after that everything can be “chain-unlocked” (through crypttab and a second key). Most Window Managers allow automatic login too. This is the way our BTRFSonLUKS sets up the system. So, only one password at boot necessary.

1 Like
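The chain-unlock mentioned in the post above depends on a key file named in /etc/crypttab, so that file is as sensitive as the passphrase itself. The following added example (not from the thread or from the guide) audits a crypttab-format file for key files that non-root accounts could read; the entry names, UUID placeholders and temporary paths are constructed, and the verdict strings are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Paths and entries below are constructed.
# crypttab fields: <name> <device> <keyfile|none|-> <options>

# Print "<name> <verdict>" for every entry of the crypttab-format file $1.
audit_crypttab() {
    local name dev key opts mode
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac           # blank line or comment
        case ${key:-none} in
            none|-)  echo "$name prompt"; continue ;;     # typed passphrase
            /dev/*)  echo "$name device-key"; continue ;; # e.g. random-key swap
        esac
        if [ ! -f "$key" ]; then echo "$name missing-keyfile"; continue; fi
        mode=$(stat -c '%a' "$key")                       # GNU stat, octal mode
        # Any group/other bit lets a non-root account read the unlock key.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name exposed-keyfile($mode)"
        else
            echo "$name ok"
        fi
    done < "$1"
}

# Constructed demo: one passphrase entry, one good key file, one exposed key file.
demo_audit() {
    local d; d=$(mktemp -d)
    : > "$d/home.key"; chmod 600 "$d/home.key"
    : > "$d/data.key"; chmod 644 "$d/data.key"
    cat > "$d/crypttab" <<EOF
# name     device               keyfile       options
cryptroot  UUID=CONSTRUCTED-1   none          luks
crypthome  UUID=CONSTRUCTED-2   $d/home.key   luks
cryptdata  UUID=CONSTRUCTED-3   $d/data.key   luks
EOF
    audit_crypttab "$d/crypttab"
    rm -rf "$d"
}

demo_audit
```

On an installed system, run `audit_crypttab /etc/crypttab` as root so that `stat` can see the key files.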

That is great news, I did have auto login set on Ubuntu at some point but I was then soon prompted to unlock the gnome keyring. Is there any part of that guide you linked in particular I should use instead of some part of Willi’s guide, or in addition to Willi’s guide, to set the chain-unlock up?

@2000 Sent your guide to the official archinstaller devs on github

And it seems like they want to implement a btrfs setup compatible with snapper.

5 Likes

What are people’s current thoughts on BTRFS mount options in /etc/fstab?

For my BTRFS subvolumes I’ve gone with:

rw,noatime,ssd,discard=async,compress=zstd,space_cache=v2,autodefrag,subvol=@
rw,noatime,ssd,discard=async,compress=no,space_cache=v2,subvol=@swap
rw,noatime,ssd,discard=async,compress=zstd,space_cache=v2,autodefrag,subvol=@home
rw,noatime,ssd,discard=async,compress=zstd,space_cache=v2,autodefrag,subvol=@var-cache-pacman-pkg

I’m not sure on the benefits of noatime vs relatime mount options. I’ve read conflicting advice related to this. An interesting piece on the matter can be found in the BTRFS manpage.

For the space_cache version, I’ve seen some guides specify a version and others not. When not specified, the default is space_cache=v1. Should there be a space_cache in use for the /swap subvolume?

In the way of possible additional subvolumes, would it also be beneficial to set up /tmp & /srv as subvolumes? I’m not sure of the benefit of including /tmp in timeshift backups.

NB: I note that grub-btrfs is available in the community repo now, so it could be installed via pacman instead of yay.

Hey !
Thanks for that wonderful guide.

May I ask if it is still valid with the last Endeavour release (endeavouros-2021.04.17-x86_64.iso) ?

Cheers !

Edit:

And would it be safe to enable fstrim timer with this install ? (if my SSD supports it of course)

To be honest, I haven’t checked with the newest release but I assume there would have been some flags raised on the forum if not. :grimacing:

Yes, you should definitely run fstrim from time to time. Maybe also balance and scrub the btrfs filesystem once in a while.

1 Like

Hey ! Thanks a lot for the answer, I’ll try on a new install and report back :slight_smile:

May I ask how ?

Cheers !

Hi guys

Thought I would let you know if you don’t already - BTRFS is now an installable option on calamares. If you edit /usr/share/calamares/modules/partitions while in the live installer and change the default partition type from EXT4 to BTRFS, start the installer, you have the option to do a fresh install with BTRFS as default AND… it allows you to choose a swap partition or swapfile!

Hope this helps

3 Likes

Thanks. Hopefully this will be added to the installer with snapper

Hey, just a quick question: is this luks or luks2? I am not sure which version is the default in the installer.

This does it on LUKS1.

@jiibus Thanks for fast reply.
Would there be any reason to use luks2? I have seen people who have luks1 for boot and luks2 for the system, because of Grub not supporting luks2, although I am not sure how up to date this statement is.

See in the Arch wiki:
https://wiki.archlinux.org/title/GRUB#Encrypted_/boot
Still not solved.

Just performed all updates and having an error message after timeshift updated. Rebooted and attempting updates produces same error…

EDIT - this may be relevant - https://forum.garudalinux.org/t/timeshift-autosnap-not-working-and-pacman-is-not-installing-anything/8882

Total Installed Size:  262.82 MiB
Net Upgrade Size:        4.87 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                     [----------------------] 100%
(1/1) checking package integrity                   [----------------------] 100%
(1/1) loading package files                        [----------------------] 100%
(1/1) checking for file conflicts                  [----------------------] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
E: ts: Failed to get partition list.
E: System disk not found!
Unable to run timeshift-autosnap! Please close Timeshift and try again. Script will now exit...
error: command failed to execute correctly
error: failed to commit transaction (failed to run transaction hooks)
Errors occurred, no packages were upgraded.

Is it the same problem as this:

Maybe in the upcoming version of GRUB:

https://www.phoronix.com/scan.php?page=news_item&px=GRUB-2.11-Next-Year

Fixed the issue by removing timeshift-autosnap, updating packages (timeshift package then gets updated), and then reinstalling timeshift-autosnap…

  1. Remove timeshift-autosnap
    yay -R timeshift-autosnap
  2. Update all packages (this will let the timeshift package upgrade)
    yay
  3. Reinstall timeshift-autosnap
    yay timeshift-autosnap

2 Likes

Hi,
what if I want 2 separate partitions, root and home. And use timeshift snapshots of root and store them on separate home partitions . What I need for that ? I am confused with mounting and creating subvolumes xD