Dual boot luks encrypted Manjaro

Hey there,

I need two identical Manjaro installations on the same system, both LUKS encrypted and with a btrfs filesystem.

I installed Manjaro two times on two different btrfs partitions, sharing one EFI partition. Everything worked quite well, but as soon as I try to reinstall them both LUKS encrypted, the first installation becomes unbootable.

How to fix this?

not enough information

and: why would you want to reinstall?

Were they not encrypted before, but now you want to have two separate (but identical) encrypted systems?

unclear

Yes, sorry, you are right.
I tried it unencrypted the first time and everything worked well. But how can I dual-boot two encrypted Manjaro systems?

What other information do you need?

From what I know what the installer (Calamares) is capable of:
this can’t be done with one single EFI partition for both systems

why?
because Calamares can only do full encryption
including the efi partition
… the whole thing is encrypted - including the efi partition
(meaning: it can’t be easily shared)

Grub unlocks the container - and then it goes from there.

You’d have to invest manual labor to achieve what you want.

… my understanding of it …

Thanks a lot! So simply creating two separate EFI partitions will do the job?

EDIT:

As I’m thinking about it, I get more and more confused, because I manually create all the partitions during the install process. And I encrypted both the root partitions, but not the EFI partition. So the EFI partition is definitely not encrypted.
And I can boot the system, but only the last installed one. It doesn’t detect the first one. So how to fix this?

I don’t know enough of this to render an opinion that would be taken as advice.
So: I’d rather not.

It would be an option, I think, to create a system (or two …) with /boot
and/or /boot/efi
unencrypted.

… EFI can also be completely separate (see the Arch wiki)

But I don’t think you can achieve this kind of thing using the standard Calamares installer.
… from what I know, that is
It is definitely possible - just not using Calamares. IMO

You are free to try. :slightly_smiling_face:

That’s right, an efi partition is never encrypted per se.
But the path with using grub is right. You can install one encrypted system and then another, skipping the grub installation. Next, you can add boot entries for your second system.
I don’t know how much of the second install can be done with calamares.

yep - this would probably be my way to reach the goal.
two separate systems - then later come in and amend it all
but this involves quite a lot of manual intervention - and knowledge

actually no, I lied
this would not be the way I’d go.

I’d simply install without Calamares.
… how to do that can be found …

All right, thank you guys. But I can manually create all types of partitions with all types of filesystems within Calamares. I just don’t know how to partition my drive exactly. So what would be different if I don’t use Calamares? I still would have to partition the drive, without knowing what types of partitions I need for encrypted dual boot.

For now I have 3 partitions. The first one is a shared 512MB EFI partition. The second and third ones are encrypted btrfs root partitions for installation A and B.
What kind of partition scheme would you recommend?

Your system has one efi partition, and the dual-boot shares a separate /boot partition. It may also share a swap partition, up to you. Next the btrfs partitions you choose to create. To have the systems separate, you need at least two. But you may think of another partition to share data (e.g. your music to be accessible from both).

For sure you can also install your one encrypted Manjaro as usual, then start an installation procedure from within the running system. I’ve used methods from the following Arch article before, I know it’s technical (if you use method in section 3.2.2 you may also be able to use Arch’s text-guided installer, perhaps). Have a look if it helps you:

https://wiki.archlinux.org/title/Install_Arch_Linux_from_existing_Linux

  • In btrfs it is possible to mount the root partition of one volume and the data (or home) partition of another

    This way you don’t need a third partition

  • It is even possible to have 2 separate systems in one volume

    But then the second system can’t use “/@” as the root subvolume, it has to use “/@2” (or something like that) and grub has to show both systems to select at boot. This seems to be a lot of manual work :wink:

Maybe my featured article in my profile can help, which explains some needed info regarding the whole boot process, it is meant for usage with encryption :wink:

The OP might use that info when preparing his/her setup.
(It’s up to him/her to leave out the password file to force a prompt.)

When it comes to mounting / from a volume, that’s also something the OP might choose to change into something different.
E.g. I mount /@Kubuntu as / on this system. :wink:

When it comes to $ESP:

  1. You need one per drive if you have an external drive that you want to use on different computers.
  2. You can use a single one, if your other drive is internal and stays in your computer.
  3. You must use the same $ESP if you want to boot from different partitions on the same drive, because the UEFI-Bios will only recognize the first $ESP per drive…

Oh PS:
You could start with installing your system on one drive without encryption:

  1. Then create an encrypted container on the other drive’s partition (or whole disk).
  2. Then create a filesystem inside that container.
  3. Use rsync -vaAX to copy your system from the un-encrypted partition to the encrypted filesystem in (2).
    • :thinking:
      Does this command also duplicate special files like block-device nodes?
      If not use extra flags to enable that also…
  4. Make necessary changes as in the tutorial I made (link above).
  5. Check by booting the installation on the other drive using the encrypted container.
    Repeat step 4 until you are able to successfully boot this encrypted version.
  6. When you are confident, you could repeat the steps to duplicate your system from the encrypted version into the first unencrypted drive’s version, so you end up with two (almost) identical encrypted versions.
    • :warning::bangbang: I explicitly say (almost) because the UUIDs + encryption keys for the containers will differ unless you take extra steps to duplicate those also…

I am interested in doing something like this: two manjaro installs, one for work, one for play. A sort of poor man’s Qubes. My laptop probably isn’t up to running an encrypted system or btrfs, so I was thinking of encrypting the /home directories only in ext4. Thus there would be:

  • a /boot/efi fat32 partition
  • a work ext4 root install
  • a play ext4 root install
  • a luks-encrypted work ext4 /home
  • a luks-encrypted play ext4 /home

Would this sort of thing be possible to set up in calamares? Or is encryption not the real problem as far as calamares is concerned, but the pair of manjaros?

Thanks!

Are you really sure you need two separate installations instead of two users in one installation?

I would add different programs to the two installs, keeping “risky” programs away from work environment and “protected” programs for work away from the play environment. I don’t think you can do that with different users.

Maintaining two different installations is double the work, so I’m suggesting different users.
However, your approach works just as fine.

Check first for your work environment if a bleeding-edge, rolling release distro is the right choice.

Using systemd-homed defaults to LUKS encryption using btrfs.

It is fairly simple and painless to convert your home to systemd-homed.

Read more: Converting Existing Users to systemd-homed

@mithrial I’m replacing Windows 10 with the second manjaro, so it’s a wash as far as workload. But I don’t have the kind of knowledge I’d need to run the Arch installer on the second one. Thus my question about using calamares for both.

Calamares is for a default install type, what you are planning is more like advanced stuff, which needs manual steps…

Hey guys,

so here is an update:
I’ve tried it again and again over the last few weeks, but unfortunately it’s a bit too complicated for me to encrypt everything. I’ve already installed several Linux distros side by side, but when it comes to encryption, only one distro is bootable if the /boot directory is encrypted too. So it worked to encrypt root and home, but not the /boot directories.
But I would like to thank you again for all the advice, and I am sure, if I had a little more experience in this area, it would have worked with your suggestions.

Best regards