HOWTO - GPT/UEFI install with full disk encryption: BTRFSonLUKS with separate root, home and pkg subvolumes; hibernation with a swapfile; auto-snapshots with easy system rollback (GUI); boot into snapshots

Thanks for your feedback. I was able to complete the setup. Now I have a sort of minimal Manjaro install with an unencrypted boot and an LVMonLUKS. The Manjaro grub is in charge, with the custom entry I posted before in order to boot to EOS. By selecting this entry I am prompted for the password in order to boot the EOS grub. So basically it’s just another “enter” in a grub menu. Very good, very satisfying. Thanks for your great tutorial!

Regards,

Christoph

Thanks! The custom entry may come in handy sometime.
You got me thinking about installing something like “Tiny Core Linux” for the sole purpose of dual-booting EOS & Windows. Probably wouldn’t need more than 60-80MB.

Now that is really an interesting idea.

@2000, this is outright brilliant! I have my system tuned 99% to what I want, but your guide really makes me want to start all over again :smirk:

And by the way, the part of the script which creates the swapfile could be a tutorial on its own. I failed setting this up and haven’t figured out why yet. I will try that part of your script as soon as I am in front of my laptop again.

Once the core linux idea has been figured out I’ll start all over again with your setup.

Instead of Tiny Core, wouldn’t it be enough to use rEFInd for this task? As far as I know it can reside completely on an EFI partition.

AFAIK, rEFInd needs an unencrypted /boot, so no, it wouldn’t work. But it would certainly be a nicer solution, if.

Are you really sure about this? According to the installation instructions the install is solely on the ESP?!?

:thinking: Not at all.
I just haven’t gotten it to work in the past.

rEFInd yes, but our kernels and initrd/initramfs reside in the encrypted partition and this needs to be unlocked. Grub2 does this, but can rEFInd?
So far I have only gotten rEFInd to chainload unencrypted /boot partitions.

But don’t get me wrong, I’d really prefer using rEFInd.

Unfortunately I can’t tell you, because it simply does not work on my current machine at all :cry:. I guess I’ll stick to my current and perfectly running setup.

One thing does not seem to work:

sudo sh -c 'echo disk > /sys/power/state'

yields

sh: Zeile 0: echo: Schreibfehler: Kein passendes Gerät gefunden.

Like “no device found”. What am I missing here?

Regards,

Christoph

Found it! I have another swap partition which was included in fstab and grub. After removing it, it worked.

Great write-up! Curious, because of the LUKS encryption, would there be any extra steps if I wanted to do a RAID1 setup following these instructions? Maybe I’m looking in the wrong places, but I’m having a hard time finding relevant info. Thanks!

Hi @geekvine, welcome to the forum.

The tutorial was meant as a newbie-friendly and, most importantly, calamares (the EndeavourOS GUI installer) compatible way of setting up an encrypted btrfs system with some additional backup-related software.

AFAIK, although often being requested, calamares can’t handle raid installs. It doesn’t seem to be able to see created raid drives. So unfortunately there isn’t just an additional step or two followed by the rest of this howto, sorry.
You’ll have to go the ‘arch way’ or try some other distribution.

I know that Manjaro’s architect installer can provide you with RAID 0, 1, 5, 6, or 10 through mdadm as an extra volume or bootable. The architect installer was also designed with nested configurations in mind. For example, deploying LVM or a LUKS volume on top of an mdadm array does not break the installer.
So you should be able to set up btrfs on luks on raid1; but you’d end up with Manjaro … :scream:

Short update on dual/triple booting with rEFInd:
@csteinforth’s initial thought about rEFInd being able to boot the fully encrypted system turns out to be right! I had no problems setting this up (see here). Sorry for first doubting.

Lol, well we can’t have that… I think I might be able to make it work post-install, I’ll chime in if I do.

Hi,
I am running both Ubuntu and Manjaro with root on btrfs inside luks in a Raid 1 setup. For Manjaro, I pretty much followed the guide in this thread, whereas for Ubuntu I used steps similar to 01 Installing Ubuntu1804 with btrfs, raid and encryption - YouTube

Here are (more or less) the required post-install steps, i.e. after you set up your root on btrfs inside luks system (as described in the above guide in this thread):

Step 1: Make identical partitions on second harddrive for raid 1

Use parted to have the same partition layout on your second harddisk, including your EFI, boot and LUKS partition, so something like this:

#Assume vda is your harddisk with the btrfs operating system
parted /dev/vda
unit b
print
# write down all begin and end sectors of your harddisk
q

# Assume vdb should be used for raid1
parted /dev/vdb
unit b
print
#repeat the following command to clone vda
mkpart primary begin_some_number end_some_number
#you might also want to change the name
q

Step 2: Create luks partition

cryptsetup luksFormat --type=luks1 /dev/vdb3
cryptsetup luksOpen /dev/vdb3 vdb3_crypt
blkid #write down your uuid

If you use keyfiles to unlock your LUKS partition, add it. By default the keyfile is stored in /crypto_keyfile.bin:

cryptsetup luksAddKey /dev/vdb3 /crypto_keyfile.bin

Step 3: Create raid 1

swapon # any swapfiles? if so deactivate these with swapoff and remove the files as swapfiles are not compatible with btrfs-raid1

btrfs fi show /
btrfs device add /dev/mapper/vdb3_crypt /
btrfs fi show /
btrfs balance start -dconvert=raid1 -mconvert=raid1 /
btrfs fi show /
btrfs fi usage / #check that there is no single or DUP left, otherwise rerun balance with -dusage=90 and -musage=90 or some other high number

Step 4: Create additional hook encrypt2 and add cryptdevice2 to grub

This is taken from blog.wohli.org and Dm-Crypt Arch Wiki

Add additional hook that will be used by the initramfs to unlock the second root partition:

# copy the original hook
cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt2
cp /usr/lib/initcpio/hooks/encrypt  /etc/initcpio/hooks/encrypt2
# adapt the new hook to use different names and to NOT delete the keyfile
sed -i "s/cryptdevice/cryptdevice2/" /etc/initcpio/hooks/encrypt2
sed -i "s/cryptkey/cryptkey2/" /etc/initcpio/hooks/encrypt2
sed -i "s/rm -f \${ckeyfile}//" /etc/initcpio/hooks/encrypt2

Now, add the encrypt2 hook to mkinitcpio.conf BEFORE the encrypt hook (because the encrypt hook deletes the key file at the end) and include the keyfile:

nano /etc/mkinitcpio.conf
# Add the following
# FILES="/crypto_keyfile.bin"
# HOOKS=" ... udev encrypt2 encrypt ... " #(before "filesystems")

Generate the initramfs:

mkinitcpio -p linux  # -p builds the initramfs from the "linux" preset (-o would just write an image to a file named "linux")

Adapt your GRUB_CMDLINE_LINUX in /etc/default/grub and make sure that you have the following:

nano /etc/default/grub
# GRUB_CMDLINE_LINUX="cryptdevice=UUID={UUID_of_vda3}:vda3_crypt cryptdevice2=UUID={UUID_of_vdb3}:vdb3_crypt"
GRUB_ENABLE_CRYPTODISK=y

Step 5: Add cronjob for scrub

crontab -e
#Add the following line to your crontab
#0 12 * * * /bin/btrfs scrub start /

#Do a manual scrub if you like
btrfs scrub start /
btrfs scrub status
sudo btrfs device stats /

Step 6: Reboot and hope for the best

Note that at boot you enter your password for the first LUKS partition first and then for the second one to decrypt /boot and close it again; however, the keyfiles are then used to decrypt / on both LUKS partitions. If you want to have only one passphrase, you should put /boot on its own luks1-encrypted partition without RAID1.

Hope that helps :wink:

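
Added example, mine rather than code from the post above: a POSIX shell script with two checks for the pitfalls of step 3 and step 4, namely that `btrfs filesystem usage` no longer lists single or DUP chunks before you trust the mirror, and that mkinitcpio.conf lists encrypt2 before encrypt and ships the keyfile. It assumes the `HOOKS=`/`FILES=` line syntax of mkinitcpio.conf and the `Data,single: Size:...` chunk-header format of `btrfs filesystem usage`; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the steps above. Each takes a
# file path, so it runs on the constructed samples below or on the real files.
# check_mkinitcpio_conf: encrypt2 must precede encrypt in HOOKS (encrypt deletes
#   /crypto_keyfile.bin when it finishes) and FILES must ship the keyfile.
# raid1_complete: every Data/Metadata/System chunk header printed by
#   `btrfs filesystem usage /` (e.g. "Data,single: Size:...") must be RAID1.
check_mkinitcpio_conf() {
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[")]$/\1/p' "$1" | tail -n 1)
    files=$(sed -n 's/^FILES=[("]\(.*\)[")]$/\1/p' "$1" | tail -n 1)
    case " $files " in
        *" /crypto_keyfile.bin "*) ;;
        *) echo "FILES does not include /crypto_keyfile.bin" >&2; return 1 ;;
    esac
    pos=0; p_enc=0; p_enc2=0
    for h in $hooks; do                      # record where each hook sits
        pos=$((pos + 1))
        [ "$h" = encrypt ] && p_enc=$pos
        [ "$h" = encrypt2 ] && p_enc2=$pos
    done
    if [ "$p_enc2" -eq 0 ] || [ "$p_enc" -eq 0 ] || [ "$p_enc2" -gt "$p_enc" ]; then
        echo "HOOKS must list encrypt2 before encrypt: $hooks" >&2; return 1
    fi
}
raid1_complete() {
    leftover=$(sed -En 's/^(Data|Metadata|System),([^:]*):.*/\1 \2/p' "$1" | grep -v ' RAID1$' || :)
    if [ -n "$leftover" ]; then
        echo "not yet RAID1, rerun balance with -dusage/-musage:" $leftover >&2; return 1
    fi
}
# constructed samples (sizes are placeholders, not real output)
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/good.conf" <<'EOF'
FILES="/crypto_keyfile.bin"
HOOKS="base udev autodetect modconf block keyboard encrypt2 encrypt filesystems"
EOF
cat >"$tmp/bad.conf" <<'EOF'
FILES="/crypto_keyfile.bin"
HOOKS="base udev autodetect modconf block keyboard encrypt encrypt2 filesystems"
EOF
cat >"$tmp/usage_done.txt" <<'EOF'
Data,RAID1: Size:10.00GiB, Used:8.00GiB
Metadata,RAID1: Size:1.00GiB, Used:512.00MiB
System,RAID1: Size:32.00MiB, Used:16.00KiB
EOF
cat >"$tmp/usage_partial.txt" <<'EOF'
Data,single: Size:1.00GiB, Used:1.00GiB
Metadata,DUP: Size:1.00GiB, Used:512.00MiB
System,RAID1: Size:32.00MiB, Used:16.00KiB
EOF
```

Run `check_mkinitcpio_conf /etc/mkinitcpio.conf` before `mkinitcpio -p linux`, and `btrfs filesystem usage / > /tmp/usage.txt; raid1_complete /tmp/usage.txt` after the balance.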
Thanks!

(Edit: @geekvine could be interested in this too)

Ever tried to unlock the RAID disks with one password by storing a key to unlock the root filesystem in the initramfs?

Is that safe? Usually one unlocks the root partition and uses LUKS keys to open other partitions as these are stored in some folder on /, e.g. /etc/luks-keys/. Is it secure to have keys in the initramfs?

With full disk encryption including an encrypted /boot this should be safe.

Actually, in the above howto, calamares already sets this up automatically; otherwise we’d always have to provide two passwords to unlock the system.

For the proposed raid layer you’d probably just need to add an additional hook that would be used by the initramfs to unlock the second luks partition.
Edit: Check here for instructions.

Awesome! You’re right! I will give it a spin this week and report back. Thanks for the suggestion!
