Dual boot LUKS encrypted Manjaro installations, UEFI/GPT


I want to dual-boot my Manjaro Gnome with another Manjaro installation (KDE). Manjaro Gnome (sda1) is LUKS encrypted and the second Manjaro system should also be LUKS encrypted. I have UEFI / GPT. EFI partition is sda2. I installed Manjaro KDE on sda4 (with the graphical installer from a live USB; could not find an option to not install GRUB btw). Booted a Manjaro live USB afterwards, then mounted both Manjaro installations (sda1 & sda4), mounted the EFI partition (sda2), manjaro-chrooted into Manjaro Gnome (sda1) and reinstalled GRUB with:

$ sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Manjaro --recheck
$ sudo update-grub

GRUB reinstalls, but does not find the system on sda4; I tried

$ sudo os-prober
ERROR: mkdir /var/lock/dmraid

from within manjaro-chroot (I don’t have a raid system?!).

After booting Manjaro Gnome and mounting sda4,

$ sudo os-prober
/dev/sda2@/EFI/Microsoft/Boot/bootmgfw.efi:Windows Boot Manager:Windows:efi

So it finds an old Microsoft boot manager on the EFI partition, but unfortunately not Manjaro KDE.

Important: when I install Manjaro KDE on sda4 unencrypted, then the process above succeeds!

Does somebody maybe have a hint for me what to do?

Both your systems are encrypted - fully encrypted.
os-prober can probe as much as it wants to, it will not find the other OS
because it is encrypted - there is nothing for it to probe for and find and add to the menu.
No recognizable signatures - because of encryption.

I suppose you could

  • boot one of the two OS’s
  • open the encrypted container that contains the other
    and then it might be found by update-grub

But I’m not at all sure whether this will work or what additional things might be needed
in order for one of the two grub installations
to be able to boot either one OS

Just one grub - not two …

That is my understanding of the (rather complicated and certainly non standard) situation.

Of course it does - now there is something for os-prober to find
without you having to open the encrypted container containing the second OS first

I always prefer (and go for) encryption with the /boot (and EFI) partition unencrypted

Calamares (the installer used by Manjaro and other distributions as well) cannot do that.
It’s a bit of manual work to achieve it.

@Nachlese many thanks for your reply. You are right that for os-prober to find a bootable OS it must be decrypted; I did that from the Linux live system either with the file manager or with

$ sudo cryptsetup luksOpen /dev/sda1 mnt
$ sudo mount /dev/mapper/mnt /mnt

and I did it with both LUKS encrypted Manjaro partitions (sda1 and sda4). GRUB installer apparently finds sda1 and the existence of an OS there, but not the other one, that’s what is weird.

I’m not sure what you mean with “container” - I think the whole partitions are LUKS encrypted (afaik one can create encrypted containers with LUKS, but I don’t think that’s the case here).

The EFI partition is not encrypted, I think. Don’t have to unlock it with cryptsetup for mounting it. But /boot is not separate and therefore on the encrypted partitions.

and yes, situation certainly is not standard :)

yes - I just realized that you did
… decrypt it

That is what I meant by “opening the container”

There is a partition - which is encrypted
and inside that encrypted partition there is then the filesystem(s)

Making the filesystems inside accessible is what “opening the encrypted container” does.

I think it is.

You may still have an unencrypted one - from the previous states of your system.
A leftover - unused by now.

But when you install fully encrypted - this as well is.
It’s a remnant - not the same as is used by either encrypted OS’s.

I just wanted to give some pointers, but I see you are aware of the problems involved.

I don’t know how to resolve your issue.
Never tried - no need.
and thus: no pertinent experience

Best of luck! - someone else might be able to help.


but the reverse isn’t true

If you boot that unencrypted KDE installation
I am pretty sure that it will not be able to pick up the already existing encrypted installation
and successfully add it to the boot entry.
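
An added example, not written by any poster in this thread: a shell check that reads `lsblk -P -o NAME,TYPE,FSTYPE,PKNAME` output and lists the LUKS partitions that have no opened mapping on top of them, which are the ones os-prober has no filesystem to inspect. The function names and the sample device listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,PKNAME` output for a
# layout like the one in the thread: sda1 is opened as "mnt", sda4 is locked.
sample_lsblk() {
    cat <<'EOF'
NAME="sda" TYPE="disk" FSTYPE="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="crypto_LUKS" PKNAME="sda"
NAME="mnt" TYPE="crypt" FSTYPE="ext4" PKNAME="sda1"
NAME="sda2" TYPE="part" FSTYPE="vfat" PKNAME="sda"
NAME="sda4" TYPE="part" FSTYPE="crypto_LUKS" PKNAME="sda"
EOF
}

# Print every crypto_LUKS device that has no child of TYPE "crypt".
locked_luks() {
    awk '
    # Return the value of KEY="value" on the current line, or "" if absent.
    # The (^| ) anchor keeps NAME from matching inside PKNAME.
    function field(key,   re, s) {
        re = "(^| )" key "=\"[^\"]*\""
        if (match($0, re) == 0) return ""
        s = substr($0, RSTART, RLENGTH)
        sub("^ ?" key "=\"", "", s)
        sub("\"$", "", s)
        return s
    }
    {
        name = field("NAME"); type = field("TYPE")
        fs = field("FSTYPE"); parent = field("PKNAME")
        if (fs == "crypto_LUKS") order[++n] = name   # LUKS header found
        if (type == "crypt") opened[parent] = 1      # mapping sits on parent
    }
    END {
        # Decide at the end so the order of parent and child lines is irrelevant.
        for (i = 1; i <= n; i++)
            if (!(order[i] in opened)) print order[i]
    }'
}

# On a real system: lsblk -P -o NAME,TYPE,FSTYPE,PKNAME | locked_luks
sample_lsblk | locked_luks
```

An empty result means every LUKS partition is already opened; the filesystem inside still has to be mounted, as in the `cryptsetup luksOpen` and `mount` commands quoted above.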