Hi all, I recently tested Manjaro a bit and I look forward to switching to it! (coming from Linux Mint Cinnamon)
Of course I first managed to step into the encrypt system trap set by the Calamares installer, which also encrypts boot and leaves you with veeery long decryption times at boot, as GRUB apparently cannot make use of hardware acceleration(?) and thus takes much longer to decrypt than the kernel. (Reducing luks iterations is obviously not the solution as I do not want to weaken the encryption of my data at rest. I do not care about encrypted boot (and as far as I understand it is mostly snake oil anyway?) as I mainly want to encrypt to protect against theft.)
Can anybody tell me how to get the Calamares installer (ideally, if possible) not to encrypt boot? I already tried a couple of combinations. E.g., following suggestions like [in this post](ugh, cannot include links: forum.manjaro.org/t/which-guide-do-i-follow-for-pre-boot-encryption-that-isnt-the-slow-one/112798), I used gparted to generate a fat32 partition sda1 for boot (with boot and esp flags) and left the rest, sda2, unpartitioned (optionally then already created either ext4 or luks w/ ext4 there before starting the installer), pointed the installer to the sda2 partition (and the installer recognizes sda1 as the place for the bootloader). But then the installer does not seem to care about the existing partitions and just seems to recreate them and either encrypt both or neither, depending on whether you select the option
Potentially important: I have Win10 on a separate SSD and would like to keep a dual boot system. In principle everything works with the installer but I do not want to wait a minute every time I switch on the PC (and be thrown into grub rescue mode (after one minute!) if I have a typo in the password).
I am a bit surprised that I cannot find the concrete solution to this issue, despite the many reports of the issue with GRUB decrypting super slowly – did my search foo fail me? – I did see the guide to manually install (forum.manjaro.org/t/root-tip-do-a-manual-manjaro-installation/12507) and also the hints to use systemd-boot (although so far w/o guide, just suggestions to “do it”) but as there are also some replies that mention “use a separate boot partition” and that sounds quite simple, I was wondering how to do it precisely.
you could use the manjaro architekt install method and iso - not sure how well it is supported currently
or you could do a lot of work circumventing this limitation of Calamares
essentially, in my opinion, it’s just way easier to just use something that does support your wanted way of layout
any distro using Calamares will have the same issue - can’t do it, not easily
I know that Archlabs can.
(not an advertisement - just sharing knowledge and a statement of fact)
But when Manjaro with this setup is your goal - you have a lot of work to do.
There is a wiki post on how to do it, if I remember correctly.
Hi @Nachlese thanks for your reply! By wiki do you mean here in the forum? (“tutorial”?) Or in the Manjaro wiki? Searching for encrypt root and other combinations did not yield any results there
About architect, they warn that "Do note that Manjaro Architect is [currently unmaintained!](https://forum.manjaro.org/t/maintainer-s-wanted/19502) You may need to resolve a package conflict" – before I take a gamble there, I would just “simply” (haha) go with above-mentioned guide on how to install manually.
I created this post to find out how exactly you would achieve my goal with “just create a separate boot partition” that people sometimes advise but never explain in more detail – or are they just wrong and it is not possible with Calamares after all?
I second @Nachlese’s post, but with additional considerations:
You could technically just install a fully encrypted system (using Calamares without any tweaking), but make sure to have a decently sized EFI System Partition (at least 300 MiB). Then afterwards, you switch to using systemd boot instead of Grub.
It will require more knowledge, manual maintenance, and user intervention, however.
In the case of systemd boot, your plain (non-encrypted) EFI System Partition (FAT32) will house your boot files, kernels, and initramfs’s.
No, they are not wrong.
You’ll need that later in the conversion process you’ll need to do.
… the tedious one I mentioned, to circumvent the limitation of the Calamares installer.
… in the end, you want to have a separate, unencrypted /boot partition
It’s just in preparation for that next step. … and quite a few more …
When you locate that guide, you’ll see that following it is not trivial.
If you are not familiar with commands and command line, if you don’t know what the process does that is described, you might fail.
AFAIR it was not exactly a - (excuse the term, no “downtalking” intended) recipe.
But it tells you what needs to be done.
If you can (and do) pull this off
you’ll not have any trouble to do a pure Arch install
where this is very easy, btw …
Yes - previously the decryption phase was a long wait - I think this has been resolved with the latest iteration of the grub boot loader.
On my playground - I installed a system yesterday using btrfs - swap and hibernate using full disk encryption - and yes the unlocking takes a little time but that is expected and it is nothing compared to what I remember.
There was one small caveat with my test though - which has been reported
Hi @linux-aarhus – thanks a lot! Especially for the clear instructions (see my OP: from the “make extra boot”, which people sometimes advised, I did not understand that you need both efi and boot partition and therefore ONLY created an efi partition w/ boot flag in my attempts… I assumed that this was meant by boot partition).
It is faster now than with encrypted boot(/efi?), though still “kinda slow” compared to the, e.g. POP!_OS that I installed w/ encryption on an older computer. On my current PC, booting Manjaro with only encrypted root now still takes some 15 s longer than booting unencrypted Mint
> Yes - previously the decryption phase was a long wait - I think this has been resolved with the latest iteration of the grub boot loader.
Cannot confirm. Just checking the “encrypt system” option of the installer added a 50 s wait time only for decryption (directly at the POST screen), compared to ~5 s when decrypting the same disc with a live system (i.e. not with GRUB). Thus my post here
Is it possible that the maintainers of the Manjaro Cinnamon edition did not implement these changes that resolve the issue yet? Not sure whether this is helpful but the disk was encrypted with luks1 when using the option of the installer.
And make sure you are not comparing apples and oranges - the contents are not the same. There is a marginal difference between the decryption of a device when the system has loaded and decryption when the device is needed to continue.
I build the ISO myself using a default base Manjaro with a custom selection for the desktop.
Perhaps your system is different than mine - for an encrypted system the load time will be longer - my reference system
I downloaded the cinnamon edition from the manjaro website directly – so supposedly yes?
Anyway, I must have either made a mistake in the manual installation or it is not the same as what Calamares does when you set up the partitions as you mentioned above. → I redid the installation with Calamares as you suggested and lo and behold: Almost instant GRUB menu (as I was used to from before), then very quickly asked for password to decrypt root, which then only takes 2 s (I might actually increase the iter-time w/ a new key now), and after that just another few s until I am (auto-)logged into my user account.
So thanks a lot again! I will mark your post above as the solution
PS, also @Nachlese, @winnie note that it is the solution to what I asked, so maybe you have some out-of-date info?
Systemd boot only works when kernels and initrd are stored within the efi partition and that is what our friends suggested.
And that is what I call the long way home - because the manjaro-tools used to build the ISO does not support sd-boot.
With custom partitioning you accomplish the same goal - as end result being the kernel and initrd stored outside the encrypted system.
Whether you decide to take long way home or you decide to use the shortcut (custom partitioning) the result is - measured by functionality - the same - only the colour is different.
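A way to confirm which of the two layouts discussed in this thread a machine ended up with, as an added example that is not part of any post: the function reads `lsblk -P -o KNAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output and reports whether the filesystem holding `/boot` (and `/`) sits on a dm-crypt mapping, i.e. whether GRUB has to unlock LUKS itself. The two sample listings, their device names and the `/boot/efi` mount point are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Input: output of
#   lsblk -P -o KNAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
boot_layout() {
    awk '
    function field(line, key,    s) {
        # Leading space keeps KNAME from matching inside PKNAME (TYPE/FSTYPE).
        if (!match(" " line, " " key "=\"[^\"]*\"")) return ""
        s = substr(" " line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    function on_crypt(k,    n) {
        # Walk up the parent chain so LVM-on-LUKS is also recognised.
        while (k != "" && n++ < 32) {
            if (type[k] == "crypt") return "crypt"
            k = parent[k]
        }
        return "plain"
    }
    {
        k = field($0, "KNAME"); type[k] = field($0, "TYPE")
        parent[k] = field($0, "PKNAME"); mp = field($0, "MOUNTPOINT")
        if (mp != "") dev[mp] = k
    }
    END {
        if (!("/" in dev)) { print "unknown"; exit }
        # Without its own mount point, /boot is a directory on the root fs.
        b = ("/boot" in dev) ? dev["/boot"] : dev["/"]
        print "boot=" on_crypt(b) " root=" on_crypt(dev["/"])
    }'
}

# Constructed sample: "encrypt system" layout, /boot inside the LUKS root.
sample_encrypt_system() { cat <<'EOF'
KNAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
KNAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"
EOF
}
# Constructed sample: custom partitioning with a separate plain /boot.
sample_separate_boot() { cat <<'EOF'
KNAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
KNAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda3"
EOF
}
sample_encrypt_system | boot_layout
sample_separate_boot | boot_layout
```

On a live system, pipe the real `lsblk` output into `boot_layout`; `boot=plain root=crypt` means the kernel and initramfs are readable without a passphrase, so only the kernel's dm-crypt unlocks the root volume.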
That is good to know - and I shall try it out in a VM.
I last tested this more than a year ago
and, probably more importantly,
used Grub as the bootloader, instead of systemd-boot
… not because I have a need for it, just out of habit