I need an encrypted / without encrypting /boot

Hi,

I want to decrypt my system using a smartcard, which is why I need an unencrypted /boot partition. GRUB can’t handle PGP-encrypted keyfiles as far as I understand. Unfortunately Calamares (the installer) is refusing to install Manjaro to an unencrypted /boot. It always fails at the initcpio step. It seems like it’s simply not supported/implemented: System can't boot when doing manual partitioning with encryption · Issue #1712 · calamares/calamares · GitHub

So as far as I understand there still is the option to use manjaro-architect. But unfortunately the gnome profile is broken right now because of “manjaro-gnome-tour” I think. I don’t see a way to fix that and I don’t know if there are people working on architect right now at all.

Do any of you have an idea about what I could do or try? I have been on this for too long already ^^ I tried so many different ways of installing with Calamares, and I simply don’t know how to force Architect to do what I want :slight_smile: Plz help - I don’t want to use Ubuntu :sweat_smile:

You mean like YubiKey?

I’ve seen this on AUR, I don’t have any info on it though. I don’t know if that helps at all.

The maintainer of GNOME ISO Profile has to fix it.

Exactly. I have a different key though, so I am not sure this will work like that. Anyway, the problem is the encrypted /boot itself. To decrypt the keyfile you need to boot up the initramfs, because the tools to connect to the smartcard are in there. To do that you need to decrypt /boot though. You see the problem? :slight_smile:

Oh OK! I will see if I can reach them.

@Yochanan I see that you did the last commit to the gnome profile. Are you the Maintainer? ^^ Sorry if direct mentioning you is rude.

How is it broken? We only used that for GNOME 3.38 and discontinued it. It’s no longer in the repos.

Fix what?

Hi! When I did “profile-validate” or smth similar it showed me that the profile for GNOME is not working because of this package. I also couldn’t see GNOME in the Architect DE screen. Does that help?

Does not compute. Please see How to Post

Manjaro Architect is currently unmaintained and I have no idea if profile-validate is functional. manjaro-gnome-tour is no longer part of the profile. What ISO did you download?

Ok, sorry. I don’t really have a clue about the whole process Architect is using. I didn’t use a specific Architect ISO because I could not find any. Instead I ran the latest Manjaro GNOME ISO and installed Architect via pacman. Then I could not see GNOME in there. So I searched around until I saw somebody mentioning profile-validate, so I tried it on the live system that was running Architect. And that’s all the info I can give you, I think. It said that the GNOME profile did not pass the test because of this package.

Ah, that explains it. Architect still thinks manjaro-gnome-tour should be there. I think someone on the forum spun up a newer ISO. If I find it, I’ll let you know.

Thanks! I thought it checks the actual git.

Also, I got it to work by faking the encrypted boot, kind of. But it’s not an easy solution and I want to do more installs without /boot encrypted, so I am happy to have an ISO I can play around with properly :slight_smile: I had so many problems with the limitations of Calamares in the past, so I am happy to know that there is another way with Architect. And also maybe it’s useful for other people who are looking for a way to do what I did.

Alternatively, you could install default GNOME via Manjaro Architect. It should be under Install Custom System → Install Unconfigured Desktop Environments. The Install Custom System section goes in order, so it helps you install a complete system.

And you can check the GNOME ISO Profile packages to see what other packages from the Manjaro profile you might want to install.

It’s more work, but you get your own custom installation. I’ve only tried it a few times for fun. Been meaning to try it again to do my personal Openbox installation for my laptop.

Thanks for letting me know about the gnome profile, I’ll sort it out.

Okay, I updated the manjaro-architect branch in the iso-profiles repo to match the master now. The GNOME profile should probably work again.

So nice, thanks :slight_smile:

I did - iso.uex.dk/nix-architect - the ISO still requires the manjaro-architect branch of the iso-profiles to validate. This is what profile-validate does - it checks the packages in the Packages-Desktop file against the pacman databases - if a package is not there the profile cannot be installed.

Great tool by @Chrysostomus

Yes, I reported about this 2 years ago, and the issue still exists. Since I had the same problem as you and the only suggested solution at the time was to use Manjaro Architect (and this solution doesn’t work now because Architect is not available anymore), I found a way to still install Manjaro the way you want. You will need 2 separate boot partitions (/boot/efi and /boot for that), while it was enough to have one partition (for EFI) when using Architect.

Please be aware I’m not an expert in Linux, and I only found this way after dozens of different attempts, so I can’t comment on how good or bad this setup is (maybe someone else will). This is what you need to do:

1. Use Calamares to set up a new GPT
2. Create a new FAT32 partition, mount it to /boot/efi and set the boot flag
3. Create a new ext4 partition and mount it to /boot
4. Create an encrypted ext4 partition and mount it to /
5. Create remaining partitions as needed.

Once you click Next, Calamares will show a warning that your /boot is not encrypted but root is encrypted. Click YES to continue and you are done; it will work just fine (just tested 2 times).
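
A way to confirm after installation that the layout from the steps above came out as intended, written as an added example that is not part of the original post: it reads the JSON printed by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports whether /boot/efi and /boot are cleartext and / sits on a dm-crypt mapping. The sample output and the mapping name `luks-root` are constructed, and flagging other cleartext mounts such as swap is an assumption of this example, not something the post requires.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output
# for the layout in the post, plus a cleartext swap partition.
SAMPLE = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]},
    {"name": "sda4", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}]}
]}
"""

# Mountpoint -> should it be behind dm-crypt, per the steps in the post.
EXPECTED = {"/boot/efi": False, "/boot": False, "/": True}

def walk(devices, ancestors=()):
    """Yield every device with its chain of parents (disk -> part -> crypt)."""
    for dev in devices:
        chain = ancestors + (dev,)
        yield dev, chain
        yield from walk(dev.get("children") or [], chain)

def mount_encryption(lsblk_json):
    """Map each mountpoint to True when a dm-crypt mapping is in its device chain."""
    result = {}
    for dev, chain in walk(json.loads(lsblk_json)["blockdevices"]):
        if dev.get("mountpoint"):
            result[dev["mountpoint"]] = any(d.get("type") == "crypt" for d in chain)
    return result

def check_layout(lsblk_json):
    """Return deviations from the layout; an empty list means it matches."""
    enc = mount_encryption(lsblk_json)
    problems = []
    for mp, want in EXPECTED.items():
        if mp not in enc:
            problems.append(f"{mp}: no separate filesystem mounted here")
        elif enc[mp] != want:
            problems.append(f"{mp}: expected {'encrypted' if want else 'cleartext'}")
    # Assumption of this example: anything else that is mounted should be encrypted.
    problems += [f"{mp}: cleartext" for mp, e in enc.items()
                 if mp not in EXPECTED and not e]
    return problems

if __name__ == "__main__":
    print(check_layout(SAMPLE) or "layout matches")
```

On a real system, pass the output of the `lsblk` command instead of `SAMPLE`; the constructed sample reports the swap partition because it was created outside the encrypted container.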