Full disk encryption with LUKS2 + Argon

Hi everyone!

I’m new to Manjaro (not new to Linux in general, though). Now that my system is up and running, I’d like to implement full disk encryption with DM-CRYPT/LUKS2 + Argon.

Am I right in assuming that this is currently only achievable by using a patched GRUB that supports Argon? I tried the encryption option provided by the installer, but that seems to use LUKS1 only.

Grub is not the only available boot loader.

I take the easy route and have an unencrypted /boot - in that case, the grub limitations don’t matter.
But there are other ways which I have not explored myself.

dm-crypt/Encrypting an entire system - ArchWiki

1 Like

I explored (and tested) a couple of options to achieve this myself before migrating to Manjaro about two years ago.

In the end, I went with UKIs, which seemed like the most elegant solution back then. Has been working great (without any major issues) ever since.

What is a UKI if I may ask??

You may find the answer here:

Unified kernel image - ArchWiki

A UKI is basically a single file which contains everything needed to boot Linux (kernel image, initramfs image, microcode patches, etc.).

UKIs are EFI binaries by nature that are stored on the ESP (EFI system partition) and can be loaded/executed directly by UEFIs (i.e. no bootloader like GRUB is required). One major upside is that they integrate perfectly with Secure Boot.

If you’re interested in going that route, I just recently cleaned up the scripts and hooks I’m using to automate UKI configuration/creation and uploaded them to GitHub.

3 Likes
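As an added illustration of what the poster describes (this is an example I wrote for this thread, not the scripts or hooks from the poster's repository), this is the kind of mkinitcpio preset that makes mkinitcpio emit a UKI onto the ESP instead of a plain initramfs. It assumes a Manjaro 6.6 kernel (preset name linux66, kernel at /boot/vmlinuz-6.6-x86_64), an ESP mounted at /boot/efi, mkinitcpio new enough to understand the *_uki preset keys, and that the kernel command line lives in /etc/kernel/cmdline; all of those are assumptions to adjust for your system.

```bash
# /etc/mkinitcpio.d/linux66.preset   (added example, not the thread's hooks)
# Assumed Manjaro 6.6 kernel naming; change ALL_kver and the preset name for yours.
ALL_kver="/boot/vmlinuz-6.6-x86_64"

PRESETS=('default' 'fallback')

# *_uki instead of *_image tells mkinitcpio to build a UKI (kernel + initramfs
# + cmdline in one EFI binary). Assumed ESP mount point: /boot/efi.
default_uki="/boot/efi/EFI/Linux/manjaro-linux66.efi"

fallback_uki="/boot/efi/EFI/Linux/manjaro-linux66-fallback.efi"
fallback_options="-S autodetect"   # fallback image skips autodetect, as usual

# mkinitcpio reads the kernel command line from /etc/kernel/cmdline when it
# builds a UKI. With the encrypt hook in HOOKS=() of /etc/mkinitcpio.conf that
# file would hold something like (placeholder UUID):
#   cryptdevice=UUID=<root-luks-uuid>:cryptroot root=/dev/mapper/cryptroot rw
#
# Rebuild with:      mkinitcpio -p linux66
# Firmware entry:    efibootmgr --create --disk /dev/sdX --part 1 \
#                      --label "Manjaro UKI" --loader '\EFI\Linux\manjaro-linux66.efi'
# With sbctl set up as in the Arch Wiki, its pacman hook signs the produced
# .efi files, which is the "works automatically with Secure Boot" part.
```

Because the command line is baked into the signed UKI, an attacker with access to the ESP cannot silently change boot parameters (e.g. the root device or init=) without breaking the signature, which is the property an unencrypted /boot with a plain initramfs lacks.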

Those UKIs actually seem like a quite interesting approach. Had never heard about that before.

Could you post the link to your repo? I think I might give it a try. What exactly do your files automate?

If you must use GRUB, then yes.

That is also correct.

I have been investigating how to work around this limitation in grub.

From what I found, one could try to update the encrypted filesystem to use LUKS2 with PBKDF2, as GRUB only supports this variant.

luks2 + argon == manual installation

To create a fully encrypted system using LUKS2 and Argon, you will need to do it from scratch and resort to using Limine, systemd-boot or a UKI (unified kernel image) EFI stub.

Manjaro has chosen GRUB as bootloader and I don’t see this change in the near future.

If you are not afraid of the terminal it is easy to do by hand.

I have been playing a lot with encrypted installs - I also created a topic which also involves verifying the loader using TPM and Secure Boot.

Feel free to abuse my notes and the script if so inclined.

[root tip] [Utility Script] Encrypted Manjaro Linux using Verified Boot

Our friends at EndeavourOS have implemented LUKS2 + Argon + systemd-boot in the installer.

2 Likes

Here’s the link to the repo:

There’s a detailed description in the repo’s README, but in short this hooks pacman to configure and generate UKIs whenever kernel packages are installed/updated and it provides an mkinitcpio hook for zero-config unlocking of multiple encrypted volumes during boot.

Originally, I created this for Arch but then later switched to Manjaro (which I’m now using). Thus, this was mainly tested on Manjaro, but should work on Arch as well.

There’s a bit of a learning curve to this, but the instructions (also in the README) should get you started.

4 Likes
2 Likes

Thanks, I’ll probably test this as well! Currently I’m reading up on the UKI thing.

Thanks! I’m quite surprised, seems like you went all out with this, like with detailed instructions, config file, commented code and all that. I kinda expected a couple of rough scripts with little to no info tbh. Kudos.

One question though:
You mentioned this integrates nicely with Secure Boot, but there seem to be no instructions on how to actually set that up?

From the same author… :wink: :point_down:

For more help regarding Secure Boot — which, I should point out, Manjaro itself does not support! — please peruse our Tutorials category and/or the Arch Wiki section on Secure Boot.

2 Likes

Yes, you need the package from the AUR. You will also need to specify the correct modules when running grub-install.
The list of modules will depend on which hash function you plan to use. This is a list of all the modules you may need; if you are sure that you don't need something, you can remove it from the list.

grub-install --modules="gcry_sha256 gcry_sha512 gcry_whirlpool argon2 btrfs crypto cryptodisk disk gfxmenu gfxterm gfxterm_menu hashsum luks luks2 part_gpt part_msdos all_video gcry_rijndael gzio zstd fat password_pbkdf2 video video_bochs video_cirrus video_colors video_fb acpi boot bufio cat chain configfile cpuid datetime echo efi_gop efi_uga efifwsetup efinet ext2 extcmd font fshelp gcry_crc gcry_dsa gcry_rsa gettext halt jpeg keystatus loopback lsefi lsefimmap lsefisystab help linux loadenv ls memdisk minicmd mmap net normal play png priority_queue probe reboot regexp relocator search search_fs_file search_fs_uuid search_label sleep terminal tpm" --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Manjaro --recheck

It is also important to set the correct Argon parameters; otherwise you may have problems when trying to decrypt the partition from UEFI.

sudo cryptsetup luksConvertKey --pbkdf argon2id --hash <hash-name> /dev/<partition-name> --pbkdf-force-iterations 4 --pbkdf-memory 1049000 --key-file <luks-key-file>

GRUB config:

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="cryptodisk part_gpt part_msdos luks luks2"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

When I changed the LUKS version I was guided by this instruction, but it has inaccuracies, so you can read it but should not follow it exactly; I have provided corrected commands above.

Unfortunately the GRUB developers are not interested in fully adding LUKS2, even after the support was ported to the old library. The discussion has been open since 2018 and hardly anything will change; GRUB is practically not developed, but unfortunately there are no good alternatives. Of course you can use an unencrypted /boot, but it's not too safe.
Before converting LUKS and changing its settings I recommend making a copy of its header.

I hope you didn't add a key file to mkinitcpio.conf; otherwise your encryption is useless.

P.S.: Secure Boot is very questionable; I wouldn't trust it.

2 Likes
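To make the three checks from the post above concrete (which PBKDF each key slot uses, a header backup before converting, and no key file embedded via mkinitcpio.conf), here is an added script I wrote for this thread; it is not from the poster or from any of the linked repositories. It works on the text of `cryptsetup luksDump` and of mkinitcpio.conf, so it is exercised here on constructed sample data and only prints the cryptsetup commands rather than running them. The device path /dev/sdX2, the backup location under /root and the argon2id parameters (taken from the post: memory 1049000 KiB, 4 iterations) are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's code): audit LUKS2 key slots and mkinitcpio.conf
# before choosing between stock GRUB (pbkdf2 only) and patched GRUB/UKI (argon2id).

# Constructed sample of `cryptsetup luksDump` output: slot 0 is argon2id (stock
# GRUB cannot open it), slot 1 is pbkdf2. The Digests section also prints
# "pbkdf2"/"Iterations:" lines and must not be mistaken for a key slot.
SAMPLE_MIXED='LUKS header information
Version:        2
UUID:           0c4a9d1e-0000-4000-8000-000000000000

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1049000
        Threads:    4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000

Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 117015
'

# Constructed sample where both slots already use pbkdf2.
SAMPLE_PBKDF2='Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 800000
'

# Constructed /etc/mkinitcpio.conf fragments: one embeds a key file, one does not.
MKINITCPIO_BAD='MODULES=()
FILES=(/root/secrets/crypto_keyfile.bin)
HOOKS=(base udev autodetect modconf block encrypt filesystems)'
MKINITCPIO_OK='MODULES=()
FILES=()
HOOKS=(base udev autodetect modconf block encrypt filesystems)'

# Read luksDump text on stdin; print "<slot> <pbkdf> <params>" per key slot.
pbkdf_summary() {
    awk '
        function flush() {
            if (kdf ~ /^argon2/) print slot, kdf, "mem=" mem " t=" tc
            else                 print slot, kdf, "iter=" it
        }
        # An unindented "Section:" line (e.g. Digests:) closes the open slot.
        /^[A-Za-z][A-Za-z ]*:/ { if (slot != "") { flush(); slot = "" } }
        /^  [0-9]+: luks2/     { if (slot != "") flush(); slot = $1; sub(":", "", slot); kdf = mem = tc = it = "" }
        slot != "" && /^[[:space:]]+PBKDF:/      { kdf = $2 }
        slot != "" && /^[[:space:]]+Memory:/     { mem = $2 }
        slot != "" && /^[[:space:]]+Time cost:/  { tc  = $3 }
        slot != "" && /^[[:space:]]+Iterations:/ { it  = $2 }
        END { if (slot != "") flush() }
    '
}

# Print the slot numbers whose PBKDF is not $1 (e.g. pbkdf2 or argon2id).
slots_not_using() {
    pbkdf_summary | awk -v want="$1" '$2 != want { print $1 }'
}

# Exit 0 only when every slot is pbkdf2, the one PBKDF stock GRUB can unlock.
all_slots_pbkdf2() {
    [ -z "$(slots_not_using pbkdf2)" ]
}

# Print (never run) the steps to move a device to the target PBKDF:
# header backup first, then luksConvertKey per slot. $1 = device, $2 = target.
conversion_plan() {
    dev=$1; want=${2:-pbkdf2}; extra=""
    if [ "$want" = argon2id ]; then
        # Parameters the post used so a patched GRUB can open the slot (assumed).
        extra=" --pbkdf-memory 1049000 --pbkdf-force-iterations 4"
    fi
    echo "cryptsetup luksHeaderBackup '$dev' --header-backup-file /root/luks-header-${dev##*/}.bak"
    for slot in $(slots_not_using "$want"); do
        echo "cryptsetup luksConvertKey '$dev' --key-slot $slot --pbkdf $want$extra"
    done
}

# Exit 0 when FILES=(...) in the given mkinitcpio.conf text embeds any file:
# a key file listed there is copied into the initramfs image.
mkinitcpio_embeds_files() {
    printf '%s\n' "$1" | awk -F'[()]' '/^FILES=/ { gsub(/[[:space:]]/, "", $2); if ($2 != "") found = 1 }
                                       END { exit found ? 0 : 1 }'
}

# Stand-alone demo on the constructed sample. On a real system, replace with:
#   sudo cryptsetup luksDump /dev/sdX2 | conversion_plan /dev/sdX2 pbkdf2
printf '%s' "$SAMPLE_MIXED" | conversion_plan /dev/sdX2
```

The parser keys off the indented `PBKDF:`/`Memory:`/`Time cost:`/`Iterations:` lines that luksDump prints under each `N: luks2` slot and deliberately stops at the next unindented section header, because the Digests section reuses the same field names. Run the plan with the target `argon2id` instead of `pbkdf2` if you are going the patched-GRUB or UKI route, and inspect the printed commands before pasting them.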

I assume you’re asking how to set up Secure Boot in a way that it works with UKIs, right?

Well, that’s the beauty of it - you really don’t have to do anything. Simply follow the few steps described in the Arch Wiki to set up Secure Boot itself and that’s it. UKIs will get signed automatically as sbctl installs a hook for that.

That’s why I opted to implement this using mkinitcpio as the basis; I was aiming for the least intrusive way, which requires as few changes or extra steps as possible.

1 Like

Yeah that’s what I was asking, thanks for clarifying.

So, I successfully tested the @fonic UKI approach. Works surprisingly well and the instructions really helped with setting it up. Feels a bit weird at first, not using GRUB like I did for so many years… :grimacing:

I’ll test @linux-aarhus’s script next.

There is an update to the script I have been meaning to do for quite some time.

It is time… and done: 0.7 - wonky/secure-boot-setup - Codeberg.org

A reminder:

  • Ensure your firmware’s Secure Boot is in setup mode
  • It was created as PoC
  • Adjust variables at the top of the script
  • Uses btrfs as filesystem
    • Match a default Manjaro layout
    • Added @snapshot subvolume
  • It is an absolute minimal working installation
  • No boot loader
  • Minimised attack surface
  • Encrypted systems do not hibernate
  • Swap is re-encrypted at every boot
  • No dual-boot - unless the system has two (2) disks
  • Remember to lock your firmware to prevent disabling secure boot

For ideas on how to get a complete Manjaro Desktop

1 Like

I tested @linux-aarhus’s script and it worked well, but it does way more than I want and need, as I already have a fully working/configured installation and mainly just looked for a solution to the LUKS2 bootstrap issue.

I decided to go the UKI route with the hooks created by @fonic, just slightly altered to fit my needs. That solution integrates well overall and “just works”, which I was hoping for.

Thank you both!! :heart:

Topic closed as a resolution was found, however, it would have been nice to mark the most appropriate post as the Solution. :wink: