Encryption passphrase is requested before GRUB - move /boot?

I recently performed a dual-boot installation of Manjaro and I have encrypted my root partition. When I boot, I am asked to enter the passphrase for this partition before I reach the Grub. If possible, I want to change this, so that the passphrase is requested after selecting to boot into Manjaro (not Windows).

During installation, I specified the existing boot partition with 512MB to have a mount point of /boot/efi, and if I recall correctly I flagged this as boot.

You have to switch to SystemD Boot, or create a separate non-encrypted boot partition to house the kernel and initramfs, if you wish to continue using Grub.

If you go the route of SystemD Boot, keep in mind you need a large enough FA32 EFI partition to hold the kernels and initramfs’es.

1 Like

The Manjaro installer can’t do that for you, currently.
You’ll have to do that on your own.

The key feature is
an unencrypted /boot partition

I can elaborate - but it is easily found
in the way an encrypted Arch linux installation is described.

… the stock Manjaro installer can’t do that for you
It will just encrypt everything, /boot included

1 Like

I have an existing non-encrypted boot partition. I edited this partition during manjaro installation and made the mount point /boot/efi.

Can I move the kernal and initramfs to this partition in order to decrypt the root partition after Grub?

Yes, you can. But you should be careful to configure it correctly.

1 Like

There are a few ingredients.

first know whether the machine is booted with UEFI or with Bios - I assume it is UEFI
then you need not only a /boot partition
but an EFI system partition as well - this has to be a FAT filesystem and of Type ESP
and be mounted to /boot/efi

Mount your unencrypted soon to be /boot partition somewhere
mount the EFI partition to it

then copy the contents of your current /boot to that location

Then adjust /etc/fstab - so that the unencrypted /boot and /boot/efi is mounted

You will probably need to boot the live system, chroot and re-install grub afterwards.

It is all a bit confusing - it certainly was for me.

for reference my layout:

lsblk -f
NAME     FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
├─sda1   vfat        FAT32 EFISYS ACDE-A3C7                             510,7M     0% /boot/efi
├─sda2   ext4        1.0   boot   ef07ba8b-8853-4d17-bce2-e86737b35aaa  291,6M    33% /boot
└─sda4   crypto_LUKS 2            7b4bb6e5-f2e3-435d-834e-8c3ee34f3865                
  └─encr ext4        1.0          305afbd2-b8a3-4e18-8828-34c6d1ead4d1  801,3G    14% /
cat /etc/fstab 
# /etc/fstab: static file system information.
# ...
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=ACDE-A3C7                            /boot/efi      vfat    defaults,noatime 0 2
UUID=ef07ba8b-8853-4d17-bce2-e86737b35aaa /boot          ext4    defaults,noatime 0 2
UUID=7b4bb6e5-f2e3-435d-834e-8c3ee34f3865 /              ext4    defaults,noatime 0 1

/swapfile none swap defaults 0 0


I did it the other way around.
I first installed normally, unencrypted.
Then I later moved everything but /boot to an encrypted partition I had also created.
Then I got rid of the original unencrypted partition and grew the encrypted partition to use all the space.
This above is the result of that procedure.