HOWTO - GPT/UEFI install with full disk encryption: BTRFSonLUKS with separate root, home and pkg subvolumes; hibernation with a swapfile; auto-snapshots with easy system rollback (GUI); boot into snapshots

Actually, I made the most recent change to the wiki article. I just added a warning to one part. I didn’t review the whole article.

Hi,
I’m following the BTRFSonLUKS guide and I’m having a problem with the installation. In the final step, I get an error message about bootloader installation:

I’m running a UEFI system (Thinkpad x240) and followed the UEFI part of the guide.

The bootloader could not be installed. The installation command

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=endeavouros-1148 --force
returned error code 1.

The full install log can be found here: https://termbin.com/uesd.

Thanks in advance

From your log:

No space left on device

Did you reuse an existing EFI partition?

No, I did a full format on the SSD and created new partition table.
I’m not well versed in UEFI but I saw that efibootmgr can be used to see some info and I get a lot of entries (12 to be exact).

[liveuser@eos-2021.12.17 ~]$ sudo efibootmgr
BootCurrent: 000C
Timeout: 0 seconds
BootOrder: 0000,0001,0002,0003,0007,0008,0009,000A,000B,000C,000D
Boot0000 Setup
Boot0001 Boot Menu
Boot0002 Diagnostic Splash Screen
Boot0003 Lenovo Diagnostics
Boot0004 Startup Interrupt Menu
Boot0005 Rescue and Recovery
Boot0006 MEBx Hot Key
Boot0007* USB CD
Boot0008* USB FDD
Boot0009* ATA HDD0
Boot000A* ATA HDD1
Boot000B* ATA HDD2
Boot000C* USB HDD
Boot000D* PCI LAN
Boot000E* IDER BOOT CDROM
Boot000F* IDER BOOT Floppy
Boot0010* ATA HDD
Boot0011* ATAPI CD

Do I need to clean them up?

Did you use manual partitioning in the installer?

Yes, I did.
Before the install I created a new gpt partition table using gparted and created a 512MB fat32 partition and set the flags (boot, esp). Afterwards I created a new root partition using manual partitioning. Followed the setup multiple times to the T. Mount points and everything.

Thanks

My best guess is that you didn’t select this “Format this partition” checkbox in the installer for the efi partition. It is unchecked by default for the efi partition.

Ok, I have now started the install again and checked to format the /boot/efi mountpoint. Thank you for the prompt responses.

Thanks it went OK. I didn’t see that the /boot/efi partition should be formatted. I presumed when you say to keep it it shouldn’t be formatted.

Thanks again.

P.S. Is it possible to create a similar setup on a dual boot system from the same device (win 10 & linux). I currently have another dual boot laptop that doesn’t have FDE.

Hi,

I am a little confused on how to hibernate. I can’t use the desktop shortcuts from the tutorial as there are no desktop icons in GNOME. I did try to use the mentioned command echo disk > /sys/power/state, but it only runs when I am su (sudo is not enough? It’s still permission denied with sudo… I actually have to su first and then run the command).
And secondly, still, hibernation does not work. The system looks like it’s hibernating, but when I turn it back on it just boots regularly and all open programs were killed.
I read something in this thread about checking if I have the line resume=... in my GRUB_CMDLINE_LINUX_DEFAULT in the grub config - I do: https://pastebin.com/nmYmf7zE

How do I check if everything is correct? Can I provide any logs / more files?

I followed the tutorial perfectly and am a bit lost as a noob to hibernation - please help 🙂

I just came back to the BTRFSonLUKS guide and would like to ask two questions.

→ Under step “#02 – OPTIONAL – Change default btrfs calamares settings for fstab”
→ It seems that the latest 22_1.iso calamares doesn’t have the compression setting anymore and automatically uses compress=zstd

#06 – Create a top-level subvolume for the pacman cache
→ Calamares now automatically creates @, @home, @cache, @log, @swap so I guess there is no need to manually setup the pacman cache subvol anymore.

→ Is the new installer an automatic fde setup?
→ It seems that the luks partition now contains /boot with initramfs-linux.img etc. so this should be fde by default I guess?

→ Should it be possible to skip grub2 install and use systemd-boot? This would allow to change the cryptsetup luks2 with argon2id?
→ Currently luks1 with pbkdf2 is used. As far as I am aware grub (2.6-05) doesn’t support it yet, only 2.11 will support luks2 and argon2i as well.
Therefore using systemd-boot might be a good alternative. Is there any easy way to just turn off the installation of grub in calamares and also set luks2/argon2id?
Edit: It seems I am wrong. systemd-boot does support luks2/argon2id but only on an unencrypted /boot partition therefore the fde setup wouldn’t work with it?

→ Use luks2 + argon2id and keep /boot unencrypted?
→ As far as I can tell placing /boot inside the luks partition has the only benefit of avoiding the evil house maid attack, where an attacker who has physical access to your system, i.e room m8, could add a keylogger to the /boot partition and then steal your password / key to /, /home. Therefore I guess it would be sufficient to enable luks2 + argon2id and then manually install the system to the ssd and the boot loader separately on a separate usb stick that you then use to boot your system.

Thanks.

Regards Artur

Hi Artur (@S0PEX),
yes, a lot of that howto is now redundant as calamares has now adopted most of these as default settings when using btrfs.

I still think the information could be useful, for instance when setting things up the arch way but as it isn’t needed for an encrypted-btrfs-EndeavourOS anymore it probably just confuses users at this point. We should probably remove it from the wiki. (@joekamprad ?)

But thanks for your interest and feedback
2k

Do you by any chance know how to enable luks2 on the installer?
I already ran grep -broi "luks1" in /etc/calamares/, /usr/share/calamares/ without any luck.

It is in the C++ code, you would have to build a custom version of Calamares for that.

According to this ArchWiki entry grub (still) has limited support for luks2. Calamares will probably stick to luks1 for the foreseeable future.

But you can convert luks1 into luks2 quite easily though:

  1. Backup your existing luks1 header just in case:
    sudo cryptsetup luksHeaderBackup <yourLuksDevice> --header-backup-file luks1header.bak
    With <yourLuksDevice> being something like /dev/sda2.

  2. Convert an existing luks1 device to luks2:
    sudo cryptsetup convert <yourLuksDevice> --type luks2

The now converted luks2 device will not automatically use Argon2id (cryptsetup default) for your old password. Luks1 probably used pbkdf2 as password hash. You don’t need to convert your password but if you want to…

  1. Convert your password to argon2id
    sudo cryptsetup luksChangeKey <yourLuksDevice> --pbkdf argon2id
    You can reuse your old password as the new one; it simply gets rehashed with argon2id.
    Notice: According to the link given above, argon2id and grub don’t work together.
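A quick header check to go with the conversion steps above, added here and not part of the howto or of cryptsetup: it classifies the text of `cryptsetup luksDump <yourLuksDevice>` by LUKS version and keyslot PBKDF and says whether GRUB 2.06 (which opens LUKS1 and LUKS2-with-pbkdf2 headers only, not argon2 keyslots) can unlock it from an encrypted /boot. The two dumps embedded below are constructed, trimmed samples so the script runs without root or a real device.

```shell
#!/bin/sh
# Added example: classify a `cryptsetup luksDump` header dump and report
# whether GRUB 2.06 can unlock it. GRUB 2.06 reads LUKS1 (always PBKDF2)
# and LUKS2 keyslots that use pbkdf2; argon2i/argon2id keyslots are
# unsupported. The dump is passed as text so constructed samples work.

luks_grub_compat() {
    dump=$1
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2; exit }')
    # LUKS1 headers carry no PBKDF line; LUKS2 prints one per keyslot,
    # so collect the distinct values. The "0: pbkdf2" line under
    # "Digests:" is deliberately not matched: it is not a keyslot KDF.
    pbkdfs=$(printf '%s\n' "$dump" \
        | awk '/^[[:space:]]*PBKDF:/ { print $2 }' | sort -u | tr '\n' ' ')
    case "$version" in
        1) echo "luks1-pbkdf2 grub-ok" ;;
        2) case "$pbkdfs" in
               *argon2*pbkdf2*) echo "luks2-mixed grub-pbkdf2-slot-only" ;;
               *argon2*)        echo "luks2-argon2 grub-unsupported" ;;
               *pbkdf2*)        echo "luks2-pbkdf2 grub-ok-limited" ;;
               *)               echo "luks2-unknown check-header"; return 1 ;;
           esac ;;
        *) echo "not-luks"; return 1 ;;
    esac
}

# Constructed sample dumps (not from a real device), trimmed to the lines
# the classifier reads. Real output has more fields and tab alignment.
SAMPLE_LUKS1='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK iterations:  125000
Key Slot 0: ENABLED
        Iterations:     1000000'

SAMPLE_LUKS2_ARGON='LUKS header information
Version:        2
Epoch:          3
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
Digests:
  0: pbkdf2
        Hash:       sha256'

luks_grub_compat "$SAMPLE_LUKS1"        # luks1-pbkdf2 grub-ok
luks_grub_compat "$SAMPLE_LUKS2_ARGON"  # luks2-argon2 grub-unsupported
```

On a real system feed it the live header with `luks_grub_compat "$(sudo cryptsetup luksDump /dev/sda2)"` before and after running luksChangeKey, to see which state GRUB will still be able to open.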

@2000
Yeah, argon2id will only be supported on v2.11
I am unsure if just converting the partition or doing a manual install with grub + lilo or systemd-boot is the way to go.

There is an issue on github that proposed the idea to allow luks2 as an option and then maybe use a different boot-loader.

Yes, I think we should make this unlisted in the wiki too,
and add a warning here at the first post?

done that…

Hard choices 😉.

For me personally, systemd-boot and its requirement for an unencrypted boot partition holding the kernel(s) isn’t an option as I always go the full disk encryption route. I can live with the ~20 second decryption delay caused by grub.

At this point, converting to luks2 doesn’t really benefit me. I’d still have to use the “old” luks1 default pbkdf2 password hash; I don’t need the extra keyslots; memory requirements are much higher for luks2; …
So given that luks1 is still absolutely secure as long as the iteration count is reasonably high and your passwords have good entropy, I personally don’t see myself trying this on any of my productive systems.

It could still be fun from an “academic” standpoint though; I just lack the time at the moment.
If only someone was interested in trying out some different combinations and maybe report back to the community … 😏 (Hint @S0PEX)

I will check out grub + lilo, as this is the same setup used by fedora for example.
Just need to do some research and then setup everything. Are you (@2000) aware of how I could use the installer to just install inside my unlocked luks2 partition? So basically just formatting /dev/mapper/cryptdata, so that the subvolumes etc. are handled automatically?
When I open the partition I can select it inside calamares but once the install starts it will un-mount it or something, although use existing partition is selected (so no format flag).

Then I would see how we can setup grub + lilo.