Encryption passphrase is requested before GRUB - move /boot?

I recently performed a dual-boot installation of Manjaro and I have encrypted my root partition. When I boot, I am asked to enter the passphrase for this partition before I reach the Grub. If possible, I want to change this, so that the passphrase is requested after selecting to boot into Manjaro (not Windows).

During installation, I specified the existing boot partition with 512MB to have a mount point of /boot/efi, and if I recall correctly I flagged this as boot.

You have to switch to SystemD Boot, or create a separate non-encrypted boot partition to house the kernel and initramfs, if you wish to continue using Grub.

If you go the route of SystemD Boot, keep in mind you need a large enough FAT32 EFI partition to hold the kernels and initramfs’es.

The Manjaro installer can’t do that for you, currently.
You’ll have to do that on your own.

The key feature is
an unencrypted /boot partition

I can elaborate - but it is easily found
in the way an encrypted Arch Linux installation is described.

… the stock Manjaro installer can’t do that for you
It will just encrypt everything, /boot included

I have an existing non-encrypted boot partition. I edited this partition during Manjaro installation and made the mount point /boot/efi.

Can I move the kernel and initramfs to this partition in order to decrypt the root partition after Grub?

Yes, you can. But you should be careful to configure it correctly.

There are a few ingredients.

First know whether the machine is booted with UEFI or with BIOS - I assume it is UEFI
then you need not only a /boot partition
but an EFI system partition as well - this has to be a FAT filesystem and of Type ESP
and be mounted to /boot/efi

Mount your unencrypted soon to be /boot partition somewhere
mount the EFI partition to it

then copy the contents of your current /boot to that location

Then adjust /etc/fstab - so that the unencrypted /boot and /boot/efi are mounted

You will probably need to boot the live system, chroot and re-install grub afterwards.

It is all a bit confusing - it certainly was for me.

for reference my layout:

lsblk -f
NAME     FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda                                                                                   
├─sda1   vfat        FAT32 EFISYS ACDE-A3C7                             510,7M     0% /boot/efi
├─sda2   ext4        1.0   boot   ef07ba8b-8853-4d17-bce2-e86737b35aaa  291,6M    33% /boot
└─sda4   crypto_LUKS 2            7b4bb6e5-f2e3-435d-834e-8c3ee34f3865                
  └─encr ext4        1.0          305afbd2-b8a3-4e18-8828-34c6d1ead4d1  801,3G    14% /
cat /etc/fstab 
# /etc/fstab: static file system information.
# ...
#
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=ACDE-A3C7                            /boot/efi      vfat    defaults,noatime 0 2
UUID=ef07ba8b-8853-4d17-bce2-e86737b35aaa /boot          ext4    defaults,noatime 0 2
UUID=7b4bb6e5-f2e3-435d-834e-8c3ee34f3865 /              ext4    defaults,noatime 0 1

/swapfile none swap defaults 0 0

HTH


ps:
I did it the other way around.
I first installed normally, unencrypted.
Then I later moved everything but /boot to an encrypted partition I had also created.
Then I got rid of the original unencrypted partition and grew the encrypted partition to use all the space.
This above is the result of that procedure.
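
A pre-reboot check for the procedure described in the post above, as an added example that is not part of the original thread: it confirms that the edited fstab mounts a separate /boot plus a vfat /boot/efi, and that the copied /boot actually holds a kernel, an initramfs and grub.cfg. The function names are hypothetical, and the file patterns `vmlinuz-*`, `initramfs-*.img` and `grub/grub.cfg` are assumed from the usual Arch/Manjaro layout.

```shell
#!/bin/sh
# Added example: sanity checks to run from the live system before rebooting.
# Paths are arguments so the checks can target a chroot (e.g. /mnt/etc/fstab, /mnt/boot).
# fstab cannot prove a partition is unencrypted; confirm that part with `lsblk -f`.

# fstab_field FSTAB MOUNTPOINT N -> field N of the non-comment entry for MOUNTPOINT
fstab_field() {
    awk -v mp="$2" -v n="$3" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $n; exit }' "$1"
}

# check_fstab FSTAB -> 0 if /boot and /boot/efi are distinct mounts and the ESP is vfat
check_fstab() {
    rc=0
    boot_src=$(fstab_field "$1" /boot 1)
    efi_src=$(fstab_field "$1" /boot/efi 1)
    efi_type=$(fstab_field "$1" /boot/efi 3)
    [ -n "$boot_src" ] || { echo "no /boot entry: kernel would stay on encrypted /" >&2; rc=1; }
    [ -n "$efi_src" ] || { echo "no /boot/efi entry" >&2; rc=1; }
    [ -z "$efi_src" ] || [ "$efi_type" = vfat ] ||
        { echo "/boot/efi is '$efi_type', expected vfat" >&2; rc=1; }
    [ -z "$boot_src" ] || [ "$boot_src" != "$efi_src" ] ||
        { echo "/boot and /boot/efi point at the same partition" >&2; rc=1; }
    return "$rc"
}

# has_match PATH... -> 0 if any argument exists (an unmatched glob stays literal and fails)
has_match() {
    for f in "$@"; do [ -e "$f" ] && return 0; done
    return 1
}

# check_boot_files DIR -> 0 if DIR holds a kernel, an initramfs and a GRUB config
check_boot_files() {
    rc=0
    has_match "$1"/vmlinuz-* || { echo "no kernel image in $1" >&2; rc=1; }
    has_match "$1"/initramfs-*.img || { echo "no initramfs in $1" >&2; rc=1; }
    [ -f "$1/grub/grub.cfg" ] || { echo "no grub/grub.cfg in $1" >&2; rc=1; }
    return "$rc"
}

# Stand-alone use: sh check-boot.sh /mnt/etc/fstab /mnt/boot
if [ "$#" -eq 2 ]; then
    check_fstab "$1" && check_boot_files "$2" && echo "boot layout looks consistent"
fi
```

Run it once after copying /boot and editing fstab, and again after re-installing GRUB in the chroot, since that step is what writes grub/grub.cfg to the new partition.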