LUKS on main drive and backup drive

I have an SSD and an HDD in my laptop.
I'm using Timeshift to back up my system from the SSD to the HDD.

I would like to reinstall Manjaro with LVM and LUKS.
Is it possible to set this up in m-a?
I would like to have:
SSD:
/ {lvm, LUKS}
/home {lvm, LUKS}

HDD
drive for Timeshift backups and some of my files. I assume that if the SSD is encrypted then the HDD must have LUKS enabled, because without LUKS the backup would not be safe.

Can I do this with LUKS settings in m-a?
To be honest I probably don't need disk encryption. It's mainly for learning purposes :slight_smile:

You can do it with both m-a and Calamares, but m-a offers more flexibility (and maybe also more bugs). You'd probably need a /boot as well.
Best way to test this is to use a virtual machine.

So I'm trying but I did this:
in system terminal
lvm -> I have 2 "partitions". lvroot, lvhome
And now.
In m-a there is automatic LUKS encryption. I need to choose a name there for the encrypted block device.
As I can see, it can be different for lvroot and lvhome. So... should it be different or the same for both "partitions"?

There is actually no need to reinstall, you can back up your current system, set up encrypted partitions as you like, restore the system from the backup, adjust some options there to meet your encryption parameters, chroot, regenerate initramfs and reinstall bootloader. Read ArchWiki on custom luks setups and you'll be fine.
But of course if you haven't tweaked many files on your system partition in a way that now you don't remember what you did exactly (my case), and you don't care about system files, it may be faster to just reinstall.

It's going to be faster for sure :slight_smile:

Ok
One more thing.
Yesterday I tried to encrypt the whole drive (LUKS + LVM). The system (VirtualBox) was installed but something went wrong (not booting).

I think that I'll let go of full disk encryption (my old T410 is almost a typewriter for me).

I'm thinking about M-A + lvm + luks
Tell me please if my assumptions are correct.

  1. I'll create LVM partitions (terminal on live CD) [example: lv1 for / and lv2 for /home]
  2. start M-A and encrypt lv2 with LUKS
  3. mount lv1 as / and lv2luks as /home
  4. install...

Is this the proper way?
Is it going to be possible to edit (resize) lv2luks in the future?

If you only want to encrypt /home, then you don't need LVM.

Imho lvm just adds extra complexity. It's better to use common partitions instead if there's no need for some special setup which can be covered by lvm only. I for myself use root as luks v2 and home as luks v2. Keyfile on root partition unlocks home automatically.

So maybe a little help with something else.

I'm trying to learn to use LVM.
I've tried to create a PV from the whole disk sda,
then I've created a group and volumes for root and home.

I've installed the system but it's not booting. GRUB can't find the device to boot.
I didn't create a boot partition because I thought that I didn't need to.

But should I create for example something like this:
sda1 - /boot (500MB ext2)
sda2 - partition for lvm
?

If your system is UEFI then you have to have an $esp system partition (usually the first one): FAT32, about 300 MB if you plan to use it as /boot, or about 100 MB if as /boot/efi. That is where the GRUB bootloader goes; if it's /boot, it also becomes the place for Linux kernels.
That was a brief introduction. For details (including encryption) you HAVE TO read and understand what ArchWiki says. Forum discussion is useless for basic education in some new field, we can talk for hours. You'd better read first.

My system is standard old BIOS with an MBR partition table.
I've read this Arch tutorial:
Warning: /boot cannot reside in LVM when using a boot loader which does not support LVM; you must create a separate /boot partition and format it directly. Only GRUB is known to support LVM.
So I assumed that I don't need to create /boot.

I've tried with and without /boot.
I can boot into the system when I have a boot partition. Without it I can't.

I have no idea as I stopped using bios/mbr systems long ago and never looked back. Better ask @gohlip or @petsam if you wanna get some advice.

I have zero experience on lvm/luks.
OP wants to learn. Learning comes, either from reading or mistakes. So I am useless... :wink:

Yea... I have no idea how to work with a legacy boot system anymore... It's best to convert your system to GPT & EFI if possible, it's a whole lot easier to work with in the long run.

In an EFI system... you only need a 100MB /boot/EFI, and then the rest of your drive can be LUKS encrypted.

After many fails I've managed to install a fully encrypted system. It was quite easy to be honest :slight_smile:

  1. 500MB /boot partition [sda1]
  2. 200GB partition [sda2]
  3. in M-A, with the LUKS "manager", encrypt sda2
  4. in M-A, created a volume group from the encrypted sda2 and in it two logical volumes for root and home: lv-root, lv-home
  5. in M-A, mounted the encrypted partitions lv-root as / and lv-home as /home, and the unencrypted partition as /boot

Easy installation and working system :slight_smile:
One thing that I do not understand after a lot of reading is the fsck hook in M-A. I've read and asked about this. I don't know if I should use it or not.

As for backing it up:
Can I do something like this? :slight_smile:
- encrypt the second drive
- create a keyfile in the encrypted root partition
- somehow set things up to automatically unlock the backup when root is unlocked [don't know how]
- set Timeshift to back up root to my encrypted drive

P.S.
realmain, if you could tell me (for the future):
If I have an EFI system,
will a 100MB /boot/EFI replace my /boot partition?
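
Added example (not from any poster in this thread): the keyfile approach mentioned above, where a keyfile on the encrypted root unlocks a second LUKS volume through /etc/crypttab, is only as safe as where the keyfile lives and who can read it. The shell function below audits a crypttab for that; the mapping names, the `/root/backup.key` path and the `sdX1` device are placeholders, and the setup commands in the comments are assumed to have been run by hand.

```shell
# Added example; names, paths and the sdX1 device are placeholders.
# Setup assumed to have been done by hand as root (not executed here):
#   dd if=/dev/urandom of=/root/backup.key bs=512 count=8
#   chmod 0400 /root/backup.key
#   cryptsetup luksAddKey /dev/sdX1 /root/backup.key
#   /etc/crypttab line:  backup  UUID=<uuid-of-sdX1>  /root/backup.key  luks

# audit_crypttab FILE [ROOT]
# Prints one finding per crypttab entry; returns 0 if clean, 1 on any FAIL,
# 2 if FILE is unreadable. ROOT is prefixed to keyfile paths so the check can
# run against a mounted target (e.g. from a live CD) or a test tree.
audit_crypttab() {
    local tab="$1" root="${2:-}"
    local name dev key opts path mode bad
    bad=0
    [ -r "$tab" ] || { echo "ERROR cannot read $tab"; return 2; }
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in
            ''|none|-) echo "INFO $name: passphrase prompt, no keyfile"; continue ;;
            /dev/*)    echo "INFO $name: key material read from $key"; continue ;;
            # Assumption: /boot is the separate unencrypted partition used in
            # the layout from this thread, so a key stored there protects nothing.
            /boot/*)   echo "FAIL $name: keyfile $key is on unencrypted /boot"
                       bad=1; continue ;;
        esac
        path="$root$key"
        if [ ! -f "$path" ]; then
            echo "FAIL $name: keyfile $key not found"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$path")
        # Any group/other permission bit means non-root users may read the key.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $name: keyfile $key has mode $mode, want 0400 or 0600"
            bad=1
        else
            echo "OK $name: keyfile $key (mode $mode)"
        fi
    done < "$tab"
    return $bad
}
```

On an installed system, run it as root with `audit_crypttab /etc/crypttab`.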

BIOS/Legacy is fine IMHO, and contrary to popular belief it also works with GPT.

I use it on all of my computers and I see no need to convert to EFI as it doesn't give me any advantages. Some people reported faster boot times with EFI but at least on my hardware I cannot confirm this at all.

However EFI is certainly more future proof than Legacy mode especially with new hardware.

Glad that it worked out well for you.

I've been wondering.
Is it possible to automatically log into a LUKS-encrypted system?
When the laptop is at home I don't need to password-protect my system. Can I disable it for home use, and enable it when I take the laptop out?

There's no such option as far as I know. How is it supposed to work, think yourself?
If you have a TPM module, you can try luks-tpm from AUR. Check my profile for a link to my message with a description.

It could work exactly the same as account autologin :slight_smile: