HOWTO - GPT/UEFI install with full disk encryption: BTRFSonLUKS with separate root, home and pkg subvolumes; hibernation with a swapfile; auto-snapshots with easy system rollback (GUI); boot into snapshots

Well - not being conversant with crypt, it seems to me that:

cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 zotacroot

formatted a partition. and opened an identifier for the resultant volume. So - whatever you named your LUKS volume replaces zotacroot.

The rest of the rEFInd menuentry looks normal to me, and even handles the ucode correctly (assuming the matching processor - amd-ucode.img=AMD and intel-ucode.img=INTEL unsurprisingly)

Assuming the assumption about how cryptsetup is used is correct, that’s all it seems to be referencing.

I was under the assumption that rEFInd actually works out of the box. Did you try this?
During my tests I only had to make sure that rEFInd booted with efibootmgr on a tricky device.


to get the UUID of your cryptdevice, run
sudo cryptsetup luksUUID /dev/sda2

sudo blkid | grep mapper
should return your root device. The part after /dev/mapper/ is your substitute for zotacroot.
You can also check with sudo cat /etc/crypttab which should also return the substitute for zotacroot under <name>.

Installing it the normal way works… To boot into grub. I was hoping to completely replace grub. Is that possible?

AFAIK, with the type of setup proposed in this thread (encrypted /boot), rEFInd needs to “chainload” grub which then essentially unlocks the encrypted partitions. I don’t think you’ll be able to “replace” grub, sorry.

I can’t answer that definitively at the moment, but I suspect you have to create a menuentry specifically for it - to enable the decryption. It SHOULD be possible…

While rEFInds menuentries can point to specific kernels and such, in this case the kernel(s) and initramfs are encrypted, so how would rEFInd decrypt to get to these files? I don’t think rEFInd has the ability to decrypt LUKS/dm-crypt on its own in its current version.

[Edit] Just to clarify: You will need to input your keyphrase at some point. I just don’t see why rEFInd would implement this internally if there’s a perfectly viable solution like grub.

Just out of curiosity: Why would you want to get rid of grub?

The current situation:
Boot rEFInd, choose EOS, input password in grub2, continue boot process.

If rEFInd could do what you propose:
Boot rEFInd, choose EOS, input password in rEFInd, continue boot process.

Like I said, I just don’t see why rEFInd would go through the trouble of implementing this. But sure, I personally wouldn’t mind if rEFInd would actually provide this :grin:

There is no need for rEFInd to do anything differently - or to implement the decryption itself. The trick appears to be that your /boot has to be the ESP - initramfs can ask for the password if correctly generated for this setup. It sounds more than a bit convoluted to set up though! Especially trying to get the installer to put things where you want them.

One way to get there apparently involves making a temp partition to hold /boot, mount the ESP as /boot/efi (for now) and the /boot as /boot and the rest as your setup. After booting, do NOT restart. You will be copying vmlinuz-linux and initramfs over to the ESP, chrooting into your new setup to regenerate initramfs, redoing fstab to point to the right things, dumping the temp /boot partition etc.

If trying this - PLEASE do it on a VM, and have it working (reliably!) before trying on the metal! Actually - if I was trying it, I would probably try it from an Arch base install rather than a Calamares install - but that may just be me :grin: (and liking having arch-chroot to keep it simpler)

There are walkthroughs in existence, but they all need mods to match what you’re trying, so knowledge is essential! The payoff, though, would be a rare and secure setup indeed - easily booted with rEFInd, and multi-boot capable as well.

1 Like

I tried rEFInd with this and it didn’t work with dual boot. I didn’t spend anytime trying to figure it out.

May I ask what didn’t work?

  1. rEFInd as boot loader/chooser -or-
  2. decrypting/choosing EOS in rEFInd

I like to keep things minimal where possible. I don’t really like having to choose EOS twice to boot into it, which is how it currently is for me.

As it is right now, the only reason I can think of using rEFInd for, if I can’t use it to decrypt my partition, is to be able to boot into my Win10 install without going through grub 1st. Which isn’t that big of a deal for me.

Yes, bypassing the password check by directly choosing Win10 etc. is much faster than going through grub first.

Why do you have to choose twice? Isn’t EOS the default grub entry that boots automatically after 5 seconds? If that’s too long you could just set it to a lower value.

Hmm. Good point, I’ll just reduce it to something like 2 secs.

1 Like

I have two nvme drives and an ssd. If i install this setup to another drive it won’t find it with grub or refind. I want to be able o boot to another setup with a different desktop on the other drives with grub or refind. But i can’t get it to see it.

@ricklinux., I’d really appreciate your short feedback as I’m thinking of making this dual booting my next project ;-).

Just to clarify,

  • you have 3 drives
  • one of them holds a BTRFSonLUKS (1) setup
  • you are able to boot into (1) via rEFInd

A. You now add a 2nd BTRFSonLUKS (2) setup to one of the other drives and

  1. this doesn’t succeed because you can’t find it on reboot? -or-
  2. run into some other problem? Please describe.

B. After trying out A. you

  1. can still boot (1) via rEFInd?
  2. can’t boot into (1) via working rEFInd?
  3. can’t boot at all via rEFInd?

Currently i have BTRFSonLuks on one NVME drive. I had tried rEFInd and installed another set up the same on it and it doesn’t add it to the grub menu as it say’s it can’t find the partition or something. My goal was to have all three drives loaded as i have done before with multiple boots with rEFInd or grub doesn’t matter. But it won’t add them.

Right now i took rEFInd off and the other drives are blank. I can try rEFInd first on the current drive and see if it works. Then i would have to try adding another setup again to another drive.

I follow you wiki with the copy and paste method as i don’t really understand each step and it would take too long going through it although i would like to do it line by line so i do understand exactly what it is the commands are doing. I understand some! Another day i guess.

I will try rEFInd again now.

Edit: rEFInd is working on the single installation. I will try another install of BTRFSonLUKS with your setup on the other drive.

Okay so i installed another BTRFSonLUKS on the other nvme drive. It is working to boot on rEFInd. What i did find is that it is just grub.efi on rEFInd whereas the other installs that i have done i was using standard installs with ext4 and grub so it give me the grub.efi and the vmlinux-image to boot from which i liked better. So now i’m not sure how to change the image that it shows in rEFInd for each? Maybe @freebird54 knows since he is the rEFInd expert!

Anyway it is working so i’m not sure what i did last time? Probably some error on my part.

Edit: I also wanted to ask what the difference is with LVmonLuks? As compared to BTRFSonLUKS.

:partying_face: Congratulation!

In the end not much; it basically comes down to ext4 (inside lvm) vs. btrfs as filesystem. On a non-btrfs system you’ll just miss out on btrfs-snapshots, which are far superior to lvm-snapshots IMO.
LVMonLUKS is just a proven and quite old way of setting up a separate /home with full disk encryption. It’s what I’ve been using for over a decade - until I (re-)tried btrfs and its snapshots.
So, IMHO, if you don’t trust btrfs’s stability go for ext4 (on lvm); I’m sticking to btrfs for the overseeable future though.

I’m happy with it. I think i tried to install it without the encryption and i didn’t get it right. I can live with the encryption but it’s a bit slow to decrypt. Also if there is an error on decrypt it goes to grub rescue? Any way around that? Then i have to reboot.

Those doubting have never tried btrfs

So all they talk is crap

1 Like

You do have a EFI partition though. It’s where rEFInd’s conf file resides.
So you could just copy a EOS logo to that folder and edit the conf by adding a menu entry for EOS and pointing to your image.