How can I resize an Encrypted btrfs filesystem

Support
1

Hello,
I basically installed manjaro using the architect installer, BTRFS with encryption. I basically followed a guide up on youtube by sheridan computers…
Now I am in need of a NTFS volume since I need install windows 10 because of some work reasons. Here is how the drives look

NAME               MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1            259:0    0 476.9G  0 disk  
├─nvme0n1p1        259:1    0   512M  0 part  /boot/efi
└─nvme0n1p2        259:2    0 476.4G  0 part  
  └─cryptroot      254:0    0 476.4G  0 crypt 
    ├─vg0-root--lv 254:1    0   470G  0 lvm   /home
    └─vg0-swap--lv 254:2    0   6.4G  0 lvm   [SWAP]

Please if anyone can assist me with this. I have actually tried using gparted in a ive iso and it of course doesn’t work( encryption was unlocked)

2

The general steps are
1. boot with a live USB
2. open the encrypted LVM volume vg0-root
3. back up the data
4. shrink the btrfs partition in it with GParted
5. shrink the LVM volume vg0-root (Resizing LVM-on-LUKS - ArchWiki)

  1. Follow this guide:
    Resizing LVM-on-LUKS - ArchWiki
  2. install Windows on free space.

PS: I wonder who recommended you to combine LVM with btrfs. Do you really need 6.4 GB encrypted swap?

3

LVM makes an encrypted setup complicated and gives a performance penalty. (I haven measured it though.)

If you don’t need encrypted swap I would just reinstall with just LUKS and a btrfs partition on LUKS. If you really need swap, you can create a swap file on a btrfs partition since Linux 5.0.
https://wiki.archlinux.org/index.php/Btrfs#Swap_file

1 Like
4

yea i am definitely gonna reinstall soon. Thanks for the instructions ill follow them.

5

Hello Guys,

I just wanted to tell what is the source, the guide we followed: Its on Youtube with this title: " How to install Manjaro Linux using Architect installer with full disk encryption and btrfs."
But this forum platform does not allow me to insert any links or screenshots of my own issue… :frowning:

I am also noob 1 day old on Manjaro and right now I am sitting here on my clean install wondering how could I shrink my 38GB encrypted swap on LVM to just 8GB… I want everything encrypted on the disk. I guess now I am reinstalling Manjaro right away… I am still not sure how these Timeshift snapshotting will work with my Btrfs encrypted disk and how am I supposed to partition the disk for all this…

1 Like
6

If you want the whole disk encrypted (for whatever purpose) forget about Timeshift and use Clonezilla from a live USB to clone the whole disk.

You need LVM on LUKS only if you want to use an encrypted swap partition. If you are OK with just a swap file then just install on a LUKS encrypted partition spanning the whole disk (extept EFI partition). Then later create a swap file. The filesystem doesn’t need to be btrfs, because you will create backups with Clonezilla.

1 Like
7

Thank you so much for the help. At the beginning every bit of help matters a lot.

On Win10 I always used full disc encryption with Veracrypt with triple layer with Twofish+Serpent+AES+, mouse movemenet generated hash etc, so I was wanted this feature here on Linux as well and sadly it can be done only during install and I have no clue how to setup the Twofish and multi layer encryption etc here on Linux so for my its already a big downgrade with this plain American gov AES…
Its double or nothing in my eyes, if you encrypt than you do encrypt at ultimate level or you just dont do it at all otherwise whats the point if anyone can break it… if not today than years or a decade later…

Thanks for mentioning Clonezilla, I know that from 2010 or so when I used in on my Windows system and I loved it, had it on a Live CD! It worked flawlessly, but that is not automated process but a fully manual backup. I really want a fully auto recovery solution like Timeshift with its sophisticated schedule settings. Also, Clonezilla supports only LUKS2 not LUKS1 (if that matters to me) and doesnt support incremental but full backups only so its slow and a hassle to use it compared to Timeshift as far as I can tell yet based on forums and Youtube…

Finally I already successfully shrinked my oversized 38GB swap partition on this LVM LUKS setup by inactivating, unmounting it than resizing and after an hour of errors during boot I edited the fstab file based on Googling :smiley: Now I have 3GB swap only and it auto mounts without error. So I am happy with this for now and I did not have to reinstall the OS bec of this.

Timeshift is still an issue, It works perfectly with Rsync now for me, backuops are there after boots, per hour and per day and mount too. Btrfs backup is not working for me, it cannot sense my Btrfs volume on my root partition…

For teh LVM with LUKS part, I did not want it or stick to it as I do hate swap files in general and it was disabled on my Wion10 too qwith 16GB RAM and blazing fast Samsung OEM nvme SSD, but most forums and guides says that you must have a swap file or partion on Lunux systems if you wanna avoid troubles. While I also did read that swap file is NOW working within a LUKS after kernel 5.0+.

To answer your suggestion, now I am thinking on following that advice. So maybe I could just reinstall my Manjaro without the complicated LVM and set a swap file later within my main root partition, still have all (except boot) encraypted but can I still have it Btrfs for Timeshift and other possible advantages by time? If yes, I am reinstalling manjaro right away as you said. Juts to eliminate the LVM…? Whats the advantage of this now?

FYI:
There is an intzeresting link at: linux DOT com
training-tutorials/how-full-encrypt-your-linux-system-lvm-luks/

1 Like
8

This goes beyond the purpose of this thread, but I can tell you that it is possible to use a different cypher than AES. Triple layer of encryption is a funny idea, but not available with LUKS. But you can use veracrypt on Linux. ArchWiki only documents Truecrypt, but the commands should be the same. VeraCrypt - ArchWiki
I will link my post to how to install an encrypted system from CLI:
Manjaro Architect Full Disk Encryption? - #28 by eugen-b
There are links to two methods, the second one (with systemd-boot, but you don’t need systemd-boot) is more detailed.
You don’t need to eliminate LVM if you don’t mind the possible slowdown it causes. But now you are using AES encryption. (AES is faster by design and should be secure enough even against government agencies. But Serpent and Twofish are more conservative and have a higher security margin by design.)
If you use rsync it is fine, just remember to rsync to an encrypted device as well.
But if you are so much security oriented the you might be better off on a different Linux distro like Qubes and Whonix.
You don’t need swap on Linux if you have enough RAM. You need swap twice the size of RAM if you want to use the hibernate feature.
Or you can just go the opposite way and use LVM snapshot feature instead of btrfs:
LVM - ArchWiki
Create root filesystem snapshots with LVM - ArchWiki

1 Like
9

Hi Eugen,

I do not want to rob more of your time on this case, so here is just a quick reply:

Thank you again for your detailed, meaningful answer, help.

I did think on all this and have read after some and come to the conclusion (also based on others response here) that I am reinstalling, I do not need LVM at all (only Btrfs with snapshots with will have only OS date not sensitive) and I do not want it ever due to its low speed performance (BTRFS performance compared to LVM+EXT4 with regards to database workloads | Official Pythian®® Blog) and in general I do not need any volume extension ever, I do not need any swap partition (so nothing to encrypt there) or worst case if a must (if 16Gb is not enough) than I will can add a swap file in the future within my Btrfs partition. And I no longer want full disk encryption on Linux (as I had on Win10) because of many issues like realtively weaker encryption platform and mainly becvuase Linux cannot handle the special characters, non US keyboard layout at boot and thus my password is forced to be thousand times weaker than it normally would be. I will rather encrypt my home, possibly with VeryCrypt (triple layer Serpent/Twofish+Aes with Whirpool) and try to have it auto mount on boot… for a non programmer noob like me it will take like a month and will have to Google for a week :smiley: :smiley: :smiley:

So I sacrifice some leaking meta data from the not encrypted OS for an ultimately encrypted storage home drive. :slight_smile:

Thank you!

1 Like