Install Manjaro with LUKS and LVM with encrypted /boot

I want to install Manjaro with LUKS and LVM. Reading through LVM_on_LUKS arch wiki I got this page that says we can encrypt the full disk (including /boot).
I wonder how does this work. How does GRUB get loaded if it is encrypted in the first place? Is it feasable?
Do we need a extra USB with GRUB on it, for this setup to work?

No. Because grub is installed to the MBR or EFI Partition. Both can’t be encrypted. You need to configure grub with GRUB_ENABLE_CRYPTODISK=y , create the config and install it again after that. The Wiki linked a Blog post with more information.
https://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

If I’m not mistaken the Calamares installer handles it automatically without additional user intervention. And I think architect does too.

You enter the password at early boot, and /boot is decrypted.
From then a key is used to decrypt the rest of the system so you don’t have to enter the password twice.

The installer handles encrypting Grub, it is an easy process. However, what I found is after backing up my system using Timeshift and then doing a restore, resulted in grub errors each and every time. I don’t think Timeshift was able to put grub where it was suppose to go, or something. I have done this same setup with Debian Testing, doing a Timeshift restore, and never had an issue reinstalling with a LUK system. I gave up and did a complete wipe without any encryption. What is the point if you can’t back it up and restore?

If you plan on doing backups, I would do an install, then back it up, and try to reinstall if from Timeshift as a test. Luckily I also backup my data via the cloud which saved my butt.

1 Like

Does architect or calamares set up luks with lvm?
Thank you

There are many ways to set up luks. I want it with LVM and /boot partition encrypted (full disk encryption).

Common guys, are gonna leave me without a reply?
@xabbu @torvic9 @rodneyck

Yes they do.
EDIT: If you’re unsure on how to proceed, do a test run in a virtual machine (VBox etc.).

Thank you @torvic9. One final question (sorry):
Is /boot also included in the encryption with luks and lvm on calamares or manjaro architect?

Can’t someone give me a last answer before I can leave this thread?
@xabbu @torvic9 @rodneyck

Depends on how you partition your install and the type of installation it is (ie UEFI / MBR).

Calamares doesn’t support LVM installations, fully encrypted installs are purely LUKS. Do you really need LVM?

By default the /boot directory is contained within the root partition, which is encrypted, but the efi partition is a separate unencrypted partition mounted to /boot/efi. This means your LUKS password must be entered before getting to the grub menu.

Manjaro Architect allows you to configure LVM, LUKS and your partioning however you want … but it requires knowledge to use.

Best way for you to proceed is to work out exactly what you want and practice your installation it in a virtualbox vm. Practice it many times. Then use if for a while to determine if you are happy with its usage.

There are pros and cons for an unencrypted /boot partition, there is no right or wrong answer, only personal preference.

2 Likes

I’ll go with Manjaro Architect. Yes, I need LVM.
I’ll test this in a virtual machine, thanks @sueridgepipe

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Forum kindly sponsored by