Installation with btrfs, hibernation and encryption and booting

Because since the last bigger update something is not working properly, I will reinstall KDE Plasma Manjaro.
My question: does this installation with the installation manager meanwhile really work in the combination of btrfs hard disk / SSD, encryption and hibernation file?

Last year I installed it this way, but it kept claiming the hibernation file was not found on booting. Swap definitely does not work at all in this combination. I have tried many times.
It would be great if at least the requested combination works meanwhile. And the combinations which do not work at all should not be available in the installation manager routine.

  1. Besides the password for the OS SSD, I also always have to enter the encryption password for my second data disk in the boot routine. It would be great if the password for the second drive were read from the main OS drive on booting. I do not know if anything has changed so far?

Check this for that

For that check dm-crypt/Device encryption - ArchWiki

Thanks for your answer. But your answer is for swap with btrfs without encryption. Even though I worked for hours following suggestions in the forum, I never could make swap work with btrfs and encryption together. Somewhere I found it cannot work, but for btrfs with hibernation file and encryption it should work. Still I could not make it work either. Maybe I am simply not professional enough. :smiling_face_with_tear:

But my original question was actually different. I asked whether meanwhile the Manjaro installation manager for a new installation of Manjaro can make it work, installing btrfs with hibernation file and encryption?

My bad.
There was also discussion here

To me it sounds like it is not a good mix yet, hence the installer will not do it automatically, if doing it manually fails … Personally I’m not a big fan of btrfs, encryption is pointless in my case, and I never put my system on hibernate or sleep :laughing:

Thanks. But if the installer cannot do something, it should not be shown as an option, but it is.

The installer is not that smart, there are no dynamic modules to detect not working scenarios from the modules enabled in it.

Maybe you can make it smarter in the future. It would keep a lot of trouble and problems away from the user. :rofl:

Have you made a feature request to the project and explained that to the project developers, to implement smart modules? Calamares (official repo) · GitHub

There is the partition manager in Calamares installer, you can use it to create and manage multiple partitions manually.

When you have a single 500 GB disk, 16 GB RAM and UEFI:

You choose one:

Fast boot (Kernel is unencrypted) without the ability “boot off any snapshot via GRUB menu”:

  1. partition ~100 MB FAT32 for /boot/efi
  2. partition ~600 MB Ext4 or Btrfs for /boot
  3. partition ~460 GB Btrfs for / with LUKS encryption
  4. swap partition 16 GB, the same as the size of your RAM, for hibernation, with LUKS encryption or without encryption.

OR

Slow boot (Kernel is encrypted) and the ability “boot off any snapshot via GRUB menu”

  1. partition ~300 MB FAT32 for /boot/efi
  2. partition ~460 GB Btrfs for / with LUKS encryption
  3. swap partition 16 GB, the same as the size of your RAM, for hibernation, with LUKS encryption or without encryption

OR

Fast boot (Kernel is unencrypted) and the ability “boot off any snapshot via GRUB menu”, but with partial encryption, not full encryption.

  1. partition ~300 MB FAT32 for /boot/efi
  2. partition ~80 GB Btrfs for /, no LUKS encryption
  3. partition ~400 GB Btrfs for /home with LUKS encryption.
  4. swap partition 16 GB, the same as the size of your RAM, for hibernation, with LUKS encryption or without encryption.

This solution sounds great, because the data on root itself is not critical to be “public” / not encrypted.
Probably it is not possible to make /home an encrypted subdirectory of / (root) without encryption?
I have my data on a separate, encrypted hard disk. Thus I can keep /home smaller.
I have read somewhere that a hibernation file would work better for hibernation mode than a swap partition. What do you think about it, also regarding your solution?

You download any packages from the repos or AUR and install them into your system in /; they are “public” and not your data, you do not need to encrypt them. But :arrow_down:

Maybe you need to encrypt some things in the system if:

  • Do you create your own private packages for your system?
  • Do you use Docker containers including your private data?
  • Do you use and manage any database, e.g. postgres, including your private data?

That depends on your decision.

My idea would be to move docker data and postgres data from the unencrypted partition /var/lib/XXX to the encrypted partition /home/XXX and mount them at their same specific directory /var/lib/XXX in the system. :+1:


That is possible, you mean systemd-homed, but I would not recommend using it for Btrfs, as it causes multiple “copies” of the single systemd-homed file when creating multiple snapshots. :-1:

/home and / should be separated in two different partitions and two filesystems. :+1:


The definition “better” is very general, but you don’t know what “better” means.

My theory would be these advantages and disadvantages of swap file versus swap partition:

Swap file

:heavy_plus_sign: More flexible than a swap partition; you can change the size of the swapfile and its config.
:heavy_minus_sign: It needs to run on the filesystem, maybe less stable than a swap partition.
:heavy_minus_sign: Maybe slower

Swap partition

:heavy_plus_sign: Maybe faster than a swap file.
:heavy_plus_sign: More stable, completely independent of Btrfs.
:heavy_minus_sign: Inflexible config

I do not use any of those mentioned so far, only Bottles. But Docker may be an option in the future. The first part of your description sounds clear, but how can I mount them (XXX) at their same specific directory?

  1. I thought of a swap file because I understood some time ago that a btrfs swap partition does not work encrypted. But from my experience so far it seems it does not work with a swap file either.
    Do I need an encrypted swap partition if home is encrypted? Does it work?

  2. Or, personally, which of your versions would you recommend for btrfs together with encryption? Maybe I have to forget about swap and hibernation mode altogether.

For example: All Docker data is stored in /var/lib/docker in the unencrypted partition.

  1. Move all docker data from /var/lib/docker to any encrypted partition e.g. /home/encryption/docker.

  2. This directory /var/lib/docker should be empty.

  3. Edit /etc/fstab to add a line of the mount bind:

/home/encryption/docker  /var/lib/docker  none  bind  0 0
  4. Reboot, done.
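The relocation procedure above, as an added example script (not from the thread): it builds the fstab bind entry, sanity-checks it (a relative source path such as `home/encryption/docker` makes the mount fail at boot), and wraps the copy/empty/bind steps in one function that needs root to actually run. The data location `/home/encryption/docker` and the use of rsync for the copy are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumed layout: Docker data is
# relocated to /home/encryption/docker (on the LUKS-encrypted /home) and
# bind-mounted back at /var/lib/docker.

# Print the /etc/fstab line that bind-mounts DATA_DIR at MOUNT_POINT.
fstab_bind_line() {
    printf '%s  %s  none  bind  0 0\n' "$1" "$2"
}

# Return 0 when an fstab bind line is well formed: absolute source and target,
# fstype "none" and "bind"/"rbind" among the options. Anything else is reported
# on stderr and returns 1, so the line can be checked before the next reboot.
check_bind_line() {
    set -- $1                                   # split the line into fields
    [ $# -ge 4 ] || { echo "too few fields" >&2; return 1; }
    case "$1" in /*) ;; *) echo "source must be absolute: $1" >&2; return 1 ;; esac
    case "$2" in /*) ;; *) echo "target must be absolute: $2" >&2; return 1 ;; esac
    [ "$3" = none ] || { echo "fstype for a bind mount should be none, got $3" >&2; return 1; }
    case ",$4," in *,bind,*|*,rbind,*) ;; *) echo "missing bind option: $4" >&2; return 1 ;; esac
    return 0
}

# Steps 1-3 from the thread in one function (run as root, with Docker stopped):
#   relocate_dir /var/lib/docker /home/encryption/docker
relocate_dir() {
    mount_point="$1"; data_dir="$2"
    [ -d "$mount_point" ] || { echo "no such directory: $mount_point" >&2; return 1; }
    mkdir -p "$data_dir"
    # -H keeps hard links (Docker layers use them), -A/-X keep ACLs and xattrs.
    rsync -aHAX "$mount_point/" "$data_dir/" || return 1
    # Only empty the original directory after the copy succeeded.
    find "$mount_point" -mindepth 1 -delete
    line=$(fstab_bind_line "$data_dir" "$mount_point")
    check_bind_line "$line" || return 1
    printf '%s\n' "$line" >> /etc/fstab
    mount --bind "$data_dir" "$mount_point"
}
```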

I did not test whether the encrypted swap partition has some issues.
If in your experience the encrypted swap file works fine for you, then OK.


I do not use hibernation mode, but use sleep/standby mode for my laptop. The sleep/standby mode does not put all working data from RAM to swap on the disk.
That is why I leave the swap partition unencrypted.

Think: the encryption does not protect your data when your PC is online and hackers are logged in with your credentials or root access.

The encryption only protects against data theft when your PC is offline, but not online.

When I have time for a complete new installation I will try out your combination. Hopefully it works properly with the manual installation. The Calamares installer is not state of the art. If I have time I will also place a feature request on GitHub.
I will let you know.

What would you recommend regarding online security? Maybe you would like to open a separate topic for “online security recommendations working with Linux Manjaro” or something like this.

It depends on your use and choice. Just do not use any unknown or untrusted binary file (closed-source app) if you do not know what’s in it.

Roughly how big is the risk of getting such a file via pamac from the official repository, AUR, flatpak, (snap)? Are they checked in some way?

Hi,
What is the reason why you can’t boot off any snapshots via GRUB in this case?
I understand that the /boot partition is unencrypted and / is encrypted, but I do not understand why.

I mean, when you boot your computer normally, you boot on @/, so why can’t you boot on any snapshot?

Thank you

This case is a separation between /boot partition and / partition.
All initramfs images/Kernel versions are in /boot for GRUB.

If you boot off any snapshot @/ on the / partition, the kernel/initramfs (in the /boot partition) may no longer match the kernel modules in the snapshot @/. You then need to chroot into your system via a Live ISO to reinstall the kernel version that matches your kernel modules.


That is a good point indeed!

Yes right now here:
Calamares-manjaro installer configuration options should be restricted to what really works