Installation with btrfs, hibernation and encryption and booting

Support
, , , ,
7

May be you can make it smarter in the future. It keeps away a lot of trouble and problems for the user. :rofl:

8

Have you made a feature request to the project and explain that to the project developers, to implement smart modules ? Calamares (official repo) · GitHub

9

There is the partition manager in Calamares installer, you can use it to create and manage multiple partitions manually.

When you have a single disk 500 GB, 16GB RAM and UEFI:

You choose one:

Fast boot (Kernel is unencrypted) without the ability “boot off any snapshot via GRUB menu”:

  1. partition ~100 MB FAT32 for /boot/efi
  2. partition ~600 MB Ext4 or Btrfs for /boot
  3. partition ~460 GB Btrfs for / with LUKS encryption
  4. swap partition 16 GB is the same as the size of your RAM for hibernation with LUKS encryption or without encryption.

OR

Slow boot (Kernel is encrypted) and the ability “boot off any snapshot via GRUB menu”

  1. partition ~300 MB FAT32 for /boot/efi
  2. partition ~460 GB Btrfs for / with LUKS encryption
  3. swap partition 16 GB is the same as the size of your RAM for hibernation with LUKS encryption or without encryption

OR

Fast boot (Kernel is unencrypted) and the ability “boot off any snapshot via GRUB menu”, but with partial encryption, not full encryption.

  1. partition ~300 MB FAT32 for /boot/efi
  2. partition ~80 GB Btrfs for / , no LUKS encryption
  3. partition ~400 GB Btrfs for /home with LUKS encryption.
  4. swap partition 16 GB is the same as the size of your RAM for hibernation with LUKS encryption or without encryption.
10

This solution sounds great, because the data on root itself are not critical to be “public” / not encrypted.
Probably it is not possible to make /home as an encrypted subdirectory of / (root) without encryption?
I have my data on a separated, encrypted hard disk. Thus I can keep /home smaller.
I have read somewhere that hibernation file would work for hibernation mode better than a swap partition. What do you think about it also regarding to your solution?

11

You download any packages from the repos or AUR and install them into your system in /, they are “public” and not your data, you do not need encrypt them. But :arrow_down:

Maybe you need to encrypt some things in the system if:

  • Do you create your own private packages for your system?
  • Do you use Docker containers including your private data?
  • Do you use and manage any database e.g postgres including your private data?

That depends on your decision.

My idea would be to move docker data and postgres data from the unencrypted partition /var/lib/XXX to the encrypted partition /home/XXX and mount them with their same specific directory /var/lib/XXX in the system. :+1:

That is possible, you mean systemd-homed, but I would not recommend using it for Btrfs, which causes multiple “copy” of the single systemd-home-file when creating multiple snapshots. :-1:

/home and / should be separated in two different partitions and two filesystems. :+1:

The definition “better” is very general, but you don’t know what “better” means.

My theory would be what advantages and disadvantages between Swap file and Swap partition:

Swap file

:heavy_plus_sign: More flexible than Swap partition, you can change size of swapfile and config.
:heavy_minus_sign: It needs to run on the filesystem, maybe less stable than Swap partition.
:heavy_minus_sign: Maybe slower

Swap partition

:heavy_plus_sign: Maybe faster than Swap file.
:heavy_plus_sign: More stable, completely independent of Btrfs.
:heavy_minus_sign: Inflexible config

12

I do not use any of them mentioned so far but bottles. But Docker may be an option in the future. First part of your description sounds clear but how can I mount them XXX with their same specific directory?

  1. I thought of swap file because I understood some time ago that btrfs swap partition does not work encrypted. But it seems from my experience so far it works neither with swap file.
    Do I need an encrypted swap partition if home is encrypted? Does it work?

  2. Or personally which of your versions would you recommend for btrfs together with encryption? Maybe I have to forget swap and hibernation mode at all.

13

For example: All Docker data is stored in /var/lib/docker in the unecrypted partition.

  1. Move all docker data from /var/lib/docker to any encrypted partition e.g. /home/encryption/docker.

  2. This directory /var/lib/docker should be empty.

  3. Edit /etc/fstab to add a line of the mount bind:

home/encryption/docker  /var/lib/docker  none  bind  0 0
  1. Reboot, done.

I did not test the encrypted swap partition if it has some issues.
In your experience, the encprypted swap file works fine for you, then OK.

I do not use hibernation mode, but use sleep/standby mode for my laptop. The sleep/standby mode does not put all workings-data from RAM to swap on the disk.
That is why I leave the swap partition unencrypted.

Think, the encryption does not protect your data when your PC is online and hackers would be logged in with your credentials or root access.

The encryption only protects against data theft when your PC is offline, but not online.

14

When I have time for a complete new installation I will try out your combination. Hopefully it works proberly with the manual installation. The calamares installer is not state of the art. If I have time I will also place a feature request in Github.
I will let you know.

What would you recommend regarding online security? Maybe you like to open a seperated topic for “online security recommendations working with Linux Manjaro” or sth like this.

15

It depends on your use and choice. Just do not use any unknown or untrusted binary file (Closed Source app) if you do not know what 's in it.

16

How much is roughly the risk of getting such a file via pamac from official repository, AUR, flatpak, (snap)? Are they checked in a way?

17

Hi,
What is the reason why you can’t boot off any snapshots via GRUB, in this case ?
I understand that /boot partition is unencrypted and / is encrypted, but i do not understand why.

I mean, when you boot on your computer normally, you boot on @/, so, why can’t you boot on any snapshot ?

Thank you

18

This case is a separation between /boot partition and / partition.
All initramfs images/Kernel versions are in /boot for GRUB.

If you boot off any snapshot @/ on the / partition, but the kernel/initramfs (in the /boot partition) no longer match the kernel modules in the snapshot @/. You need to chroot into your system via Live ISO to reinstall the version of the kernel that matches your kernel modules.

1 Like
19

That is a good point indeed !

20

Yes right now here:
Calamares-manjaro installer configuration options should be restricted to what really works

21

You did it on our calamares modules, not on the main project.

22

What I should do then exactly? Where should I place the request? Can move or delete the old request?

23

Before using the auto calameres installer I formatted all partitions of my OS hard drive completely to one partition in btrfs. Maybe you have to reboot with USB-live-stick before you do the main installation.

I have tried out the configuration above and could not make it work, also with the manual configuration of the installer. It took my whole weekend to set up my computer again.
Only 2 solutions completely worked finally so far both with auto-installer part within calamares:

  1. Unencrypted
    Delete Partition
    swap with hibernation and btrfs
  2. Encrypted
    Delete partition
    no swap and btrfs
    encryption activated
24

It seems Calamares installer has some functional limitations.

25

Definitely it has. Also quite some inconsistencies as you can choose settings in the “auto-installer” which do no work.

26

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.