Enable LUKS encryption ONLY for my manjaro partition

Hello there! I have dual-boot on my PC and I want to apply LUKS encryption ONLY for my manjaro partition. I tried to do it but the problem I stumbled on was that it asks me for the passphrase on PC boot but not on booting in manjaro. That is not comfortable because I need to type the password even if I didn’t want to boot into manjaro. Is there any workaround?

The easiest is probably to have an unencrypted /boot partition.
That way, the kernel and initrd are accessible - grub doesn’t need to do the decryption.

But it may be some work to shrink your encrypted / to make room for that.
Perhaps you can take the space for it from the other OS, probably Windows. That might be easier.

Once you have the /boot partition, copy what is in /boot now to the unencrypted partition,
perhaps delete everything that was there, as the new /boot will be mounted over it, making the old contents inaccessible,
adapt /etc/fstab and /etc/default/grub and you should be set.

dm-crypt/Encrypting an entire system - ArchWiki

I think the default Manjaro installation uses LUKS version 1 because Grub can’t decrypt LUKS version 2 - but I could be wrong.
I’d consider converting to LUKS 2 once all is working.
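
Added example, not part of any post in this thread: a shell check that reads an fstab and an `/etc/default/grub` to report whether `/boot` sits inside the LUKS root (GRUB has to ask for the passphrase) or on its own unencrypted partition. The `/dev/mapper/luks-*` naming and the `GRUB_ENABLE_CRYPTODISK` setting are not named in the thread; the first is an assumption about how the installer names the mapping, the second is GRUB's option for unlocking LUKS itself, and all sample entries are constructed.

```sh
#!/bin/sh
# Added example. Reads an fstab to tell where /boot lives, and /etc/default/grub
# to tell whether GRUB is set to unlock LUKS itself. All sample data is constructed.

# Device field of the fstab ($1) entry whose mount point is exactly $2.
# Exact match matters: /boot/efi (the EFI system partition) is not /boot.
fstab_dev() {
  awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$1"
}

# Assumption: an opened LUKS container appears as /dev/mapper/luks-<uuid>.
is_luks_dev() {
  case "$1" in /dev/mapper/luks-*) return 0 ;; *) return 1 ;; esac
}

# Where the kernel and initramfs sit, judged from fstab file $1.
boot_layout() (
  boot=$(fstab_dev "$1" /boot)
  root=$(fstab_dev "$1" /)
  if [ -n "$boot" ]; then
    if is_luks_dev "$boot"; then echo separate-luks; else echo separate-plain; fi
  elif is_luks_dev "$root"; then
    echo inside-luks-root    # GRUB must unlock before it can even show its menu
  else
    echo inside-plain-root
  fi
)

# "on" if GRUB_ENABLE_CRYPTODISK=y is active (not commented out) in file $1.
grub_cryptodisk() {
  if grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?' "$1"; then echo on; else echo off; fi
}

# Constructed samples: "fde" = /boot inside the encrypted root, "split" = own /boot.
demo=$(mktemp -d)
esp='UUID=AAAA-0001 /boot/efi vfat umask=0077 0 2'
root='/dev/mapper/luks-00000000-0000-0000-0000-000000000001 / ext4 defaults 0 1'
printf '%s\n' "$esp" "$root" > "$demo/fstab.fde"
printf '%s\n' "$esp" 'UUID=00000000-0000-0000-0000-000000000002 /boot ext4 defaults 0 2' \
  "$root" > "$demo/fstab.split"
echo 'GRUB_ENABLE_CRYPTODISK=y'  > "$demo/grub.fde"
echo '#GRUB_ENABLE_CRYPTODISK=y' > "$demo/grub.split"

for l in fde split; do
  echo "$l: /boot $(boot_layout "$demo/fstab.$l"), cryptodisk $(grub_cryptodisk "$demo/grub.$l")"
done
```

On an installed system, pass `/etc/fstab` and `/etc/default/grub` to the two functions instead of the sample files.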

Yes - that is normal - only your manjaro partition is encrypted - but the grub loader including the operating system selector is inside that partition

This is because grub boot loader is inside the encrypted partition and that is why you must decrypt your Manjaro partition even though you want to boot windows.

So use the firmware boot override - just like you would in an install situation - select windows or manjaro.

Another solution is to use systemd boot - as this also provides a window for selecting the operating system. There is no fancy customisation - simplicity is the keyword.

[How To] Convert to systemd-boot

A third solution is to create an installation with an unencrypted boot

[root tip] [How To] Use Calamares to install encrypted root using unencrypted boot


I will try this a little bit later, just in case: it asked me for a passphrase for exactly that partition (it printed its number like “enter passphrase for (hd1,gpt4)” or something like this), so, doesn’t it mean that only that partition was encrypted?

I will take a look at your guide, only one question: do I have to create the table again? Or I can do it on my disk without fully erasing it?

I cannot know if that.

Technically it is possible to convert your system from using grub to using systemd-boot - but other factors may be in play - such as the current partition layout and the file system used by your Manjaro installation.

The output from lsblk -f can be helpful in your decision making.


I don’t know what “it” means here. :man_shrugging:

Without lsblk -f output we can’t know.

All you really need is a separate unencrypted partition to put /boot on (the current contents of it).

It might be better to start over rather than trying to adapt it - but it really is quite a simple process.

Just to clarify: my boot partition is displayed as fat32 partition in partition manager, doesn’t it mean that it is not encrypted?

@linux-aarhus @anon33601770
Here is my lsblk:

nvme0n1
├─nvme0n1p1 ntfs                     B4AC2929FA9B3168
├─nvme0n1p2 ntfs                     CF7EE9A246E213A1
├─nvme0n1p3
├─nvme0n1p4 btrfs                    8e1c0082-ee2c-4d1e-95e1-bb0d0d05c135
├─nvme0n1p5 vfat  FAT32              E8EE-3254
├─nvme0n1p6
└─nvme0n1p7 exfat 1.0    LinuxBackup E23F-9A42

nvme0n1p5 is my boot partition and nvme0n1p4 is my linux rn

I requested - because the size of the partitions is relevant

lsblk -f

But as you are using btrfs it is a little more tricky

Oh, no, I planned to return it back to ext4, treat it as an ext4 partition. Nvm, I tried to create a new partition (and reinstalled manjaro with luks, now it is ext4, not btrfs), copied the previous boot content there, made the old boot partition non bootable and the new one bootable, still the same behaviour

Then use the calamares article on unencrypted boot.

… and in
lsblk -f
as well :sunglasses:
But that is not your /boot partition - that is the EFI system partition.

You’d need to create a small partition for /boot - but at this point it’s easier to use the guide that @linux-aarhus linked to.

Omg, I definitely need to learn more about it

Kk, I will do

Ok, that guide turned out to be the solution, now it works as it was supposed to. One more question (I hope not that stupid): do I have to use that loader if I want to keep this behaviour or can I (in some way) return back the grub that was installed by Manjaro? Sorry if I misunderstood something

I don’t follow - that guide does install and use Grub as the bootloader - the system installation is just slightly modified to allow for an unencrypted /boot partition (no full disk encryption).

Yeah, why can’t the same thing be done for the EFI bootloader? I’m a little bit of a noob, sorry if it is obvious

I honestly have no idea what you are getting at.
Grub is the boot loader which is used by default.

There are others - but you have to tend to them yourself.
rEFInd is one that I heard of, but never used
systemd-boot another

I also have practically zero experience in dual booting Linux and Windows.

Perhaps @linux-aarhus or someone else might know more than me here.
(… the likelihood of that is nearly 100%)

Ok, then nvm