How do I install Manjaro MATE with LVM on LUKS and dual boot with Windows?

The default installation method (erase entire drive) will use the following setup if you select encryption:

  • 300MB, ESP (FAT32, Grub EFI loader)
  • Remainder of drive as a single, large LUKS encrypted partition, which contains everything, including /boot and /home (Ext4, or XFS, or Btrfs, or F2FS)
  • Swap will either live as a file in your encrypted root partition, or as a separate partition, depending on which choice you make

You can instead choose to do a manual partition scheme, in which you create a separate /home partition.

Oh God. I’m going to lose all the programs and stuff I have on Windows that I use for music. Not that this laptop is my main workstation, I use it as a secondary machine but it’s going to be a nightmare even just to reinstall Windows. Don’t think I’ll go down that route…

If I delete the existing LVM only, does Manjaro Installer support creating a new encrypted LVM and installing Manjaro on it instead?

Would it be alright if I deleted the LVM on LUKS and created just another big one that will include root, home and boot sections (alongside all the rest) and try to set up the installation with the graphical installer rather than having to do it all manually? I feel like I’m missing something the manual way…

Yes - that is correct but that guide is not on LUKS it is plain installation.

When you need LUKS there are some additional steps.

That is exactly what I must be missing then. I don’t know the steps to be taken, would you be so kind to provide me a guide or something that explains them please? I’m quite at a loss at the moment :frowning:

I assumed since you wanted to do LVM on LUKS you would have the necessary knowledge to apply before doing the actual install.

The simplest less complicated method I know of uses systemd to boot and it does not involve LVM.

Please bear with me linking to my notepad - while I have published the notes here I cannot remember when or if it was the archived instance - my notepad is there to help me remember.

Direct link to my notepad systemd-boot - LUKS - ext4 | root.nix.dk
Another link using grub Encrypted CLI installation | root.nix.dk
A third - USB stick using grub USB LXDE with persistence | root.nix.dk

While LVM certainly has application in some use-cases - it rarely has application for personal computing - but that is only my personal opinion - and you should use whatever you like - but LVM and RAID I steer clear - instead I have come to appreciate backup, git providers and cloud storage.

1 Like

I am happy to scrap LVM if I can do without but still the whole installation and personal files encrypted

I did try the 2nd method and it still didn’t work. It still shows me the error about /dev/mapper/ubuntu--vg-root not found. Even though I checked the fstab file and everything seems configured properly. Now this is the guide I followed initially to setup the LVM on LUKS for Ubuntu
https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

As you can see from that guide it creates 2 LVM on LUKS one for root, home and all the rest and the other a LUKS1 for the encrypted boot. Now I don’t think this setup would work for Manjaro, so I thought of asking you, should I just scrap the existing LVMs on LUKS I have at the moment and just create 1 big partition for all the installation that is root, home, boot and everything else in just one big LVM on LUKS and then try to follow these guides again? As having two makes things so much more complicated and seems unnecessary as I think even if the boot partition is in a LUKS2 container it should still succeed in being decrypted at boot by GRUB.

The most simple solution is to wipe Windows and use the entire device.

The following topic is a script which setup the most simple LUKS encrypted system you can imagine.

The only thing to do afterwards is to put on the toppings - Xorg, desktop, swap, apps etc - but you already expected that since you started the adventure of this thread.

Not really a viable way for me to wipe Windows. I don’t have an image backed up and don’t even know if it will work for me restoring the installation on an encrypted disk. I don’t wish to affect the Windows partitions. I wish to dual boot with it but just have the Manjaro side encrypted like I did for Ubuntu. If I managed to do it for Ubuntu then I should be able to do it on Manjaro right?

You can do that - but your issues and trouble have nothing to do with Manjaro - it is your requirements and lack of experience which is creating obstacles for your progress.

As you begin by trying to apply settings which the Calamares installer cannot handle - the LVM part. Therefore you end with a manual setup which requires a lot more knowledge.

It is much like getting a sedan to do the job of landrover - it may be done but not without great trouble.

systemd-boot will happily dual-boot Windows - but only Windows.

I can amend the mentioned script so it can be used to create an encrypted Manjaro - dual-booting Windows. It requires the following to be known and set

  1. An empty partition - e.g. /dev/sdy5 - for the encrypted installation
  2. The current Windows EFI partition - e.g. /dev/sdy1 - size is important 300-500M.

Which is fine as I said I am prepared to delete my 2 LUKS partitions on /dev/sda5 and sda6 and create just one LUKS on /dev/sda5 for Manjaro to be installed on (manually) and use the existing EFI partition that I have on /dev/sda1. Sorry, I think I expressed myself in the wrong way earlier. I didn’t mean to keep exactly the same setup as the Ubuntu guide but I mainly meant that if there is a way to do it for Ubuntu then surely there has to be a way to do it for Manjaro even if manually or a bit more complicated. I don’t mind if the setup is a bit different to the Ubuntu guide, so long as I can do it. But similarly without having to completely wipe the whole drive that’s all. Cheers btw. I’ll give it a go and say if it works.

The following is a modded version adapted to your situation.

Please review the script carefully - before applying it to your system.

#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
# Copyright (c) 2021 @linux-aarhus
#
# This script is based on
#    https://forum.manjaro.org/t/root-tip-diy-installer-script-base-sdboot-luks/88502
#
# MODIFIED TO FIT A SPECIFIC FORUM TOPIC
#    https://forum.manjaro.org/t/how-do-i-install-manjaro-mate-with-lvm-on-luks-and-dual-boot-with-windows/87358
#
#  ! IMPORTANT !
#  ! GREAT CARE SHOULD BE EXERCISED !
#  ! A lot of assumptions are made - please review carefully !
#
#    The script assumes the system is booted using a recent Manjaro Mate ISO
#    The disk is pre-installed using Windows in EFI mode
#    The Manjaro ISO is booted in EFI mode (firmware Legacy boot disabled)
#    The existing Windows EFI partition ($esp) is located at /dev/sda1
#    An empty partition has been created to hold a Linux filesystem (0x8300) as /dev/sda5
#    systemd-boot is installed as bootloader
#    The root filesystem is using ext4 inside a LUKS container
#
#  ! PLEASE REVIEW THE VARIABLES SECTION !
#  ! AMEND THE VARIABLES AS NECESSARY !
#

if [ "$(id -u)" != "0" ]; then
    echo "Please change to root context using su or sudo"
    echo ""
    exit 1
fi

#############################################################
#### VARIABLES SECTION

TARGET="/dev/sda"
EFI_PART="/dev/sda1"                         # existing Windows $esp
LUKS_PART="/dev/sda5"                        # root partition to hold LUKS container
TUSER=manjaro                                # first user == wheel group
TDISPLAYMANAGER=lightdm                      # display manager
KERNEL="5.10"                                # linux kernel number
KERNELPKG=$(echo linux$KERNEL | sed 's/\.//') # kernel package name
MIRROR='https://mirrors.manjaro.org/repo/'   # build mirror
BRANCH='unstable'                            # target branch
TKEYMAP='dk'                                 # target keyboard layout
TLOCALE_CONF='en_DK.UTF-8'                   # target locale.conf
TLOCALE_PRIMARY='en_DK.UTF-8 UTF-8'          # target primary locale
TLOCALE_FALLBACK='en_US.UTF-8 UTF-8'         # target fallback locale
TTIMEZONE='Europe/Copenhagen'                # target timezone
THOSTNAME='manjaro'                          # target hostname
ITER_TIME="10000"                            # luks iteration time
RETRIES="3"                                  # luks decryption retries
BASE_PKGS="base $KERNELPKG mkinitcpio networkmanager bash-completion"
TGROUPS='lp,network,power,wheel'
TSERVICES='cronie ModemManager NetworkManager cups tlp tlp-sleep avahi-daemon add-autologin-group haveged apparmor snapd.apparmor snapd'

#### VARIABLES END
#############################################################

# == BARE METAL TEST SETUP ============================
#echo "==> Unmounting $TARGET"
#umount -f "$TARGET"
#echo "==> Preparing disk $TARGET"
#sgdisk --zap-all "$TARGET"
#sgdisk --mbrtogpt "$TARGET"
#### efi
#echo "==> Creating EFI partition"
#sgdisk --new 1::+512M  --typecode 1:ef00 --change-name 1:"EFI System" "$TARGET"
#echo "==> wiping EFI partition"
#wipefs -af "$TARGET"1
#echo "==> formatting EFI partition"
#mkfs.vfat -F32 "$TARGET"1
#### root
#echo "==> Creating root partition"
#sgdisk --new 2::: --typecode 2:8304 --change-name 2:"Linux x86-64 root" "$TARGET"
#echo "==> wiping root partition"
#wipefs -af "$TARGET"2
# == END BARE METAL TEST SETUP ========================

# ===== EXISTING WINDOWS DEVICE =======================
echo "==> Unmounting $EFI_PART"
umount -f "$EFI_PART"
echo "==> Unmounting $LUKS_PART"
umount -f "$LUKS_PART"
echo "==> wiping root partition"
wipefs -af "$LUKS_PART"
# ====================================================

echo "==> ------------------------------------------"
echo "==> Setting up root LUKS container"
echo "  -> WATCHOUT FOR THE UPPERCASE CONFIRMATION"
echo "  -> If using CapsLock remember to toggle back"
cryptsetup --type luks2 --use-urandom luksFormat "$LUKS_PART"

echo "==> ------------------------------------------"
echo "==> Open LUKS container"
cryptsetup open "$LUKS_PART" cryptroot

echo "==> Formatting LUKS using ext4"
mkfs.ext4 /dev/mapper/cryptroot

echo "==> Mounting root partition"
mount /dev/mapper/cryptroot /mnt

echo "==> Creating /boot"
mkdir /mnt/boot

echo "==> Mounting EFI partition"
mount "$EFI_PART" /mnt/boot

echo "==> Setting branch and mirror"
pacman-mirrors --api --set-branch $BRANCH --url $MIRROR

echo "==> Synchronizing pacman databases"
pacman -Syy

echo "==> installing base system"
basestrap /mnt $BASE_PKGS

echo "==> Configure base ..."
echo "  -> Creating file: vconsole.conf"
echo KEYMAP=$TKEYMAP > /mnt/etc/vconsole.conf

echo "  -> Creating file: locale.conf"
echo LANG=$TLOCALE_CONF > /mnt/etc/locale.conf

echo "  -> Creating file: hostname"
echo "$THOSTNAME" > /mnt/etc/hostname

echo "  -> Creating file: hosts"
cat > /mnt/etc/hosts <<EOF
127.0.0.1 localhost
127.0.1.1 $THOSTNAME.localdomain $THOSTNAME
EOF

echo "  -> Creating symlink: localtime"
ln -sf /usr/share/zoneinfo/$TTIMEZONE /mnt/etc/localtime

echo "  -> Setting hardware clock"
manjaro-chroot /mnt hwclock --systohc

echo "  -> Enabling services"
manjaro-chroot /mnt  systemctl enable NetworkManager systemd-timesyncd

echo "  -> Modifying file: locale.gen"
echo $TLOCALE_PRIMARY >> /mnt/etc/locale.gen
echo $TLOCALE_FALLBACK >> /mnt/etc/locale.gen

echo "  -> Generating locale"
manjaro-chroot /mnt locale-gen

echo "  -> Setting up mkinitcpio.conf"
sed -i '/HOOKS=/c\HOOKS=(systemd keyboard keymap sd-vconsole block sd-encrypt autodetect modconf filesystems fsck)' /mnt/etc/mkinitcpio.conf

echo "  -> Generating initrd"
manjaro-chroot /mnt mkinitcpio -P

echo "  -> Installing bootloader"
bootctl --path=/mnt/boot install

echo "  -> Updating entries with device UUID"
devuuid=$(lsblk -no uuid "$LUKS_PART" | head -n1)

echo "  -> Creating loader entry: manjaro.conf"
cat > /mnt/boot/loader/entries/manjaro.conf <<EOF
title   Manjaro
linux   /vmlinuz-$KERNEL-x86_64
initrd  /initramfs-$KERNEL-x86_64.img
options root=/dev/mapper/cryptroot rd.luks.name=$devuuid=cryptroot
EOF

echo "  -> Creating fallback entry: manjaro-fallback.conf"
cat > /mnt/boot/loader/entries/manjaro-fallback.conf <<EOF
title   Manjaro (fallback)
linux   /vmlinuz-$KERNEL-x86_64
initrd  /initramfs-$KERNEL-x86_64-fallback.img
options root=/dev/mapper/cryptroot rd.luks.name=$devuuid=cryptroot
EOF

echo "  -> Setting default loader"
sed -i '/default/c\default manjaro*' /mnt/boot/loader/loader.conf

echo "==> Setting target branch and mirror"
pacman-mirrors --api --prefix /mnt --set-branch $BRANCH --url $MIRROR

echo "==> Set root password"
manjaro-chroot /mnt passwd root

#############################################################
#### ISO SPECIFIC SETUP

echo "==> Installing display manager"
manjaro-chroot /mnt pacman -S $TDISPLAYMANAGER --noconfirm

echo "==> Installing ISO package lists"
manjaro-chroot /mnt pacman -S $(comm -12 <(awk '{print $1}' /rootfs-pkgs.txt | sort) <(awk '{print $1}' /desktopfs-pkgs.txt | sort) | sed '/^grub/d' | sed '/^os-prober/d' | sed '/^kernel-modules-hook/d' | sed '/^kernel-alive/d' | sed '/^linux[0-9][0-9]/d') --needed --noconfirm
echo " --> Done installing ISO packages."

echo "==> Copying ISO specific settings..."
cp /etc/lightdm/lightdm-gtk-greeter.conf /mnt/etc/lightdm
cp /etc/lightdm/slick-greeter.conf /mnt/etc/lightdm
cp /etc/environment /mnt/etc
cp -r /usr/share/icons/default /mnt/usr/share/icons

echo "==> Setting up wheel group"
cat > /mnt/etc/sudoers.d/100-wheel <<EOF
%wheel ALL=(ALL) ALL
EOF

echo "==> Create new admin user $TUSER"
manjaro-chroot /mnt useradd -mUG $TGROUPS $TUSER

echo "==> Set admin user password"
manjaro-chroot /mnt passwd $TUSER

echo "==> Enable display manager"
manjaro-chroot /mnt systemctl enable $TDISPLAYMANAGER

echo "==> Enable ISO services"
manjaro-chroot /mnt systemctl enable $TSERVICES

#### ISO SETUP END
#############################################################

echo "==> Cleaning up"
echo "  -> Unmounting partitions"
umount -R /mnt

echo "  -> Closing LUKS container"
cryptsetup close /dev/mapper/cryptroot
sync

echo "==> Done! You have successfully mimicked a Manjaro Mate Edition"
echo "==> TODO: Configure swapfile ..."
echo "  -> Swap configuration <https://wiki.manjaro.org/index.php/Swap>"
echo ""

2 Likes
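
A pre-flight check for the two partitions the script above mounts and wipes, as an added example that is not part of the original post or the author's script. It reads `lsblk` output rather than the disk itself; the function names, the constructed sample listing and the use of the thread's 300M figure as a minimum ESP size are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the ESP and the partition that will be wiped for LUKS.
# The functions take the text printed by:
#   lsblk -P -b -n -o PATH,FSTYPE,PARTTYPE,SIZE,MOUNTPOINT /dev/sda
ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"    # GPT type: EFI System
LINUX_GUID="0fc63daf-8483-4772-8e79-3d69d8477de4"  # GPT type: Linux filesystem (8300)
ESP_MIN_BYTES=$((300 * 1024 * 1024))               # assumption: 300M from the thread

# Constructed sample listing (not from a real disk): ESP, Microsoft reserved,
# Windows NTFS, and an empty partition typed as Linux filesystem.
SAMPLE='PATH="/dev/sda" FSTYPE="" PARTTYPE="" SIZE="512110190592" MOUNTPOINT=""
PATH="/dev/sda1" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" SIZE="524288000" MOUNTPOINT=""
PATH="/dev/sda2" FSTYPE="" PARTTYPE="e3c9e316-0b5c-4db8-817d-f92df00215ae" SIZE="16777216" MOUNTPOINT=""
PATH="/dev/sda3" FSTYPE="ntfs" PARTTYPE="ebd0a0a2-b9e5-4433-87c0-68b6b72699c7" SIZE="322122547200" MOUNTPOINT=""
PATH="/dev/sda5" FSTYPE="" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" SIZE="188978561024" MOUNTPOINT=""'

# row DEVICE LISTING: print the lsblk line for DEVICE; non-zero if absent
row() { printf '%s\n' "$2" | grep -F "PATH=\"$1\" "; }

# field LINE KEY: print the value of KEY="..." from one lsblk line
field() { printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"; }

# fail MESSAGE: report why a device was refused and return non-zero
fail() { echo "REFUSED: $*" >&2; return 1; }

# check_esp DEVICE LISTING: accept only a FAT EFI System partition >= 300M
check_esp() {
    line=$(row "$1" "$2") || fail "$1 not found" || return 1
    [ "$(field "$line" PARTTYPE)" = "$ESP_GUID" ] ||
        fail "$1 is not typed as EFI System" || return 1
    [ "$(field "$line" FSTYPE)" = "vfat" ] ||
        fail "$1 is not FAT formatted" || return 1
    [ "$(field "$line" SIZE)" -ge "$ESP_MIN_BYTES" ] ||
        fail "$1 is smaller than 300M" || return 1
}

# check_target DEVICE ESP LISTING: accept only an empty, unmounted partition
# typed as Linux filesystem, so a Windows partition is never handed to wipefs
check_target() {
    [ "$1" != "$2" ] || fail "$1 is the ESP" || return 1
    line=$(row "$1" "$3") || fail "$1 not found" || return 1
    [ "$(field "$line" PARTTYPE)" = "$LINUX_GUID" ] ||
        fail "$1 is not typed as Linux filesystem" || return 1
    [ -z "$(field "$line" FSTYPE)" ] ||
        fail "$1 already holds a $(field "$line" FSTYPE) signature" || return 1
    [ -z "$(field "$line" MOUNTPOINT)" ] ||
        fail "$1 is mounted" || return 1
}

check_esp /dev/sda1 "$SAMPLE" && check_target /dev/sda5 /dev/sda1 "$SAMPLE" &&
    echo "pre-flight OK: /dev/sda1 is the ESP, /dev/sda5 may be formatted"
```

On a live system, pass the real `lsblk` output in place of `$SAMPLE` and run both checks before the `wipefs` step. The Microsoft reserved partition in the sample has no filesystem signature, which is why the check looks at the partition type and not only at FSTYPE.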

Ok. That’s fine. I think I’ll give it a go next week when I’m back from my holiday so that if something goes wrong I can access my backup

At the end of the script can I then execute the steps to recreate the live USB settings and packages as described on the normal manual installation guide of yours? Or would that break the installation in any way?

cat /rootfs-pkgs.txt | awk '{print $1;}' > ~/iso-pkglist.txt
cat /desktopfs-pkgs.txt | awk '{print $1;}' >> ~/iso-pkglist.txt
pacman -Syy --root /mnt - < ~/iso-pkglist.txt

There has been a learning process for me in this and I appreciate the opportunity.

This question made me think - there is configuration which is not part of any package and resides only in the desktop overlay. When doing this kind of setup these configs must be copied manually - also the display manager configuration must be done manually.

To be sure everything is there one would consult the relevant iso profile and copy the specifics from the live ISO - in this case the mate iso profile

I have been playing around with the files from the Mate edition and I found they contain duplicates after the merge.

Another thing from the process - grub and os-prober are not needed - systemd-boot - so I have reworked the process into a single line.

I have amended above script

  • be sure to use a Mate ISO to boot the system
  • amend the variables in the beginning
  • put the script on another USB
  • mount the USB and use bash to run the commands contained in the file
    bash <filename.txt>
    

Package command break-down

See man comm, man awk, man sort, man sed for more information.

pacman --print -S $(comm -12 <(awk '{print $1}' /rootfs-pkgs.txt | sort) <(awk '{print $1}' /desktopfs-pkgs.txt | sort) | sed '/^grub/d' | sed '/^os-prober/d' | sed '/^kernel-alive/d' | sed '/^kernel-modules-hook/d') 

This part generates a list of packages with their version information stripped off and the result is sorted. This is repeated for desktopfs-pkgs.txt.

awk '{print $1}' /rootfs-pkgs.txt | sort

This part creates a sorted list from the two files containing only unique files from both sources

comm -12 <(awk '{print $1}' /rootfs-pkgs.txt | sort) <(awk '{print $1}' /desktopfs-pkgs.txt | sort)

The sed parts remove some unnecessary packages (grub, os-prober, kernel-alive and kernel-modules-hook)

sed '/^grub/d' | sed '/^os-prober/d' | sed '/^kernel-alive/d' | sed '/^kernel-modules-hook/d'

Finally the result is fed to pacman - using the --print argument to mimic what would have been done

pacman --print -S
1 Like

I did mean that. And you are absolutely correct - it is even mentioned in the Arch wiki.

So yes - It is possible to mount it on efi but mkinitcpio defaults make it necessary to mount on /boot.

The files in mkinitcpio.d all point to /boot so unless one has the urge to complicate the transition to systemd-boot - one should mount $esp on /boot.

The location of where to mount your ESP is certainly a personal preference and mounting it at /boot is a valid option. However there are more reasons to not mount it on /boot than the opposite.

  • If you are using kernel-install, it makes no sense at all since it keeps the kernels and initrds/initrams outside of /boot
  • If you are multibooting Linux distros and you mount the ESP directly on /boot you can create kernel conflicts where one distro’s kernels overwrite another’s
  • Mounting it somewhere such as /efi and then symlinking into /boot if that is needed offers more flexibility.

I usually mount mine to /boot/efi. I think that should be alright? I mean mounting the ESP (efi partition on /dev/sda1) to /boot/efi or at least that’s what I seem to remember from the manual installation guide.

Btw seems a bit of a nightmare having to setup all the config files manually especially for me as I never had to deal with that, but will see what I can do. I might try to follow an Arch Wiki about setting the display manager and desktop environment up to as close as possible to the way Manjaro looks by default with some tweaks here and there to suit my preferences. Hopefully I should be ok doing that as I don’t really know what needs to be done as of yet lol.

If you are using grub, that is the most sensible place. If you are not using grub, it can work, but it doesn’t make much sense to put it there.