Encrypt whole system on fresh install with custom partitions

Hello everyone,

yesterday I did a test-run, installed the newest stable Manjaro Gnome on my x220 Thinkpad without encryption. I did that to make sure that my new SSD partitioning works out. (As I merged some partitions and got rid of my dual-boot Windows.)

So my new setup is the following:

  • /boot (1gb, ext4)
  • / (100gb, ext4)
  • swap (20gb, linuxswap)
  • /home (~360gb, ext4, all remaining space)

What I want to achieve: Fresh Install & encrypt all the things, not just root.
But I also want to keep using this setup as I want to keep root and /home separated in case I need to upgrade or re-install in the future. Don’t want to lose my data on /home then.

Now when I try to install the same Manjaro again, I run into the following problem:
Which option shall I choose in the partitioning part of the installation?
I want the installer to just sort everything in its right partition and then encrypt the whole disk.

When I choose replacing a partition and choose what is now /, it seems as if the installer would install all the things (including home and boot) in there and encrypt that partition. But it would leave the other 3 partitions as is and ignore them. So not what I want.

When I choose custom partitions and go through the 4 existing partitions, I can encrypt them (if I reassign them) by setting a checkmark in the respective boxes. But then I have to encrypt them one by one? Wouldn’t that mean that I have to decrypt 4 things on each startup? Also this didn’t seem to work as the installer just gave up and quit without a warning after I started the installation process.

Choosing custom partitions and setting a checkmark for “please encrypt” before I go to the custom screen – and then don’t encrypt each partition individually – nothing gets encrypted in the end.

I feel like I am missing something here.
Unfortunately I couldn’t do a proper screenshot so I hope I explained well enough what my trouble is.
Maybe someone went through this ordeal already and can assist me?
I might just be missing some understanding of how partitioning or harddrive-encryption works :sweat_smile:.

I did search a lot for the solution but all answers I could find were people either missing the encryption-checkbox for being tiny or having some more complex needs (dual boot, not wanting to encrypt /boot or similar). My desired setup seems so vanilla compared to that that I am certain there must be an easy solution.

PS: I wouldn’t mind re-partitioning again or something if it is needed. There is no data on my old x220 that I still need. I’d just like to keep this / a similar 4-part-partition layout with swap and / separated from /home.

Thanks in advance for reading through my novel

https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
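As an added illustration that is not part of the thread: a small Python check over `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output that lists mount points left in plaintext and the LUKS containers that have to be unlocked, comparing the LVM-on-LUKS layout from the linked wiki section with per-partition encryption. The device names, volume names and both sample trees are constructed; `audit` and `per_partition_layout` are hypothetical helper names.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` for an
# LVM-on-LUKS disk: plain /boot, one LUKS partition, three logical volumes.
SAMPLE = json.loads("""
{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "cryptlvm", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
    {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"},
    {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}]}]}]}]}
""")

def per_partition_layout():
    """Constructed: the same mount points, each in its own LUKS partition."""
    parts = [{"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"}]
    for i, (fs, mnt) in enumerate([("ext4", "/"), ("swap", "[SWAP]"), ("ext4", "/home")], 2):
        parts.append({"name": f"sda{i}", "type": "part", "fstype": "crypto_LUKS",
                      "children": [{"name": f"luks-sda{i}", "type": "crypt",
                                    "fstype": fs, "mountpoint": mnt}]})
    return {"blockdevices": [{"name": "sda", "type": "disk", "children": parts}]}

def audit(tree, allow_plain=("/boot", "/boot/efi")):
    """Return (plaintext mount points, LUKS containers backing mounted data)."""
    plain, containers = [], set()

    def walk(node, luks_parent):
        # Everything below a crypto_LUKS partition sits inside that container.
        if node.get("fstype") == "crypto_LUKS":
            luks_parent = node["name"]
        mnt = node.get("mountpoint")
        if mnt:
            if luks_parent:
                containers.add(luks_parent)
            elif mnt not in allow_plain:
                plain.append(mnt)  # includes "[SWAP]" when swap is unencrypted
        for child in node.get("children", []):
            walk(child, luks_parent)

    for dev in tree["blockdevices"]:
        walk(dev, None)
    return sorted(plain), sorted(containers)

if __name__ == "__main__":
    for label, tree in (("LVM on LUKS", SAMPLE), ("per-partition", per_partition_layout())):
        plain, containers = audit(tree)
        print(f"{label}: plaintext={plain} containers to unlock={containers}")
```

On an installed system the same function can be fed `json.loads()` of the real `lsblk` output instead of the constructed trees.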

Read the user guide on live usb, it explains how to install with encryption.

Hi @maycne.sonahoz,
thanks for the hint. Now I know a new word and concept (LVM).
I did follow all steps on 3) LVM on LUKS.
Unfortunately neither that nor some more searching helped me with the next step:
How do I get the calamares installer to actually recognize my shiny new partitions?

When I run the installer it only has the option to choose nothing or to choose manual partitioning. (And set an encryption password if I’d like.)
When I click continue I will see the partition-dialog but cannot proceed, the button is disabled. So the installer wants me to do something but idk what.

You need to tell the installer which partitions to use as which mount points, using Manual partitioning mode. This is detailed in the guide @eugen-b pointed.


Where is your ESP (EFI System partition), or are you not using a UEFI-BIOS?
Keep in mind that your ESP cannot be encrypted because your UEFI-BIOS won’t be able to read it then…
Maybe my featured article in my profile might help you understand certain parts of this whole a bit more…


I would love to read that guide but I have to admit that my google-fu is really weak this week. I’m not yet familiar with the lingo/conventions on this forum it seems.
I neither found that guide on this board nor on docs.manjaro.org nor on the arch wiki or by general search-engining. Would you mind dropping the link? :see_no_evil:

Thanks @TriMoon, it’s great to have this background information to understand what I am fiddling with around here, when I try to get Calamares to please accept my wishes. It’s very much possible that I completely forgot to even consider EFI/UEFI/Grub… ^^; So I might know more after the read.


Meh, they moved the link again. It isn’t up-to-date, but that part should still be relevant.
