I’m trying to encrypt my system during installation, but every time I try to do so, the installation process stops. It closes the installer, and I basically have to do it all over again. This happens whenever I try to encrypt my individual partitions (/, /home, /usr, /opt, /var). It doesn’t make a difference whether I select the ‘encrypt’ checkbox or make the file system LUKS. I’m using GPT.
The partition table looks like this:
Name | File System | File System Label | Mount Point | Size
New Partition | FAT32 | BOOT | /boot/efi | 500.00 MiB
New Partition | LUKS | ROOT | / | 60.00 GiB
New Partition | LUKS | | /home | 120.00 GiB
New Partition | LUKS | | /usr | 30.00 GiB
New Partition | LUKS | | /opt | 10.00 GiB
New Partition | LUKS | | /var | 20.00 GiB
If I could get help with this, I’d really appreciate it.
Other things to note:
- in the partition table above, my file system labels are my flags for the partition
- luks2 also doesn’t work
- if using checked box to encrypt, I have ext4 as the selected file system before I press OK
Why not use BTRFS with subvolumes if you’re going to slice up your drive into several partitions/filesystems, each with their own LUKS container?
Your entire BTRFS partition will be encrypted with LUKS (single container; not several), and then you divvy up the subvolumes to your own liking.
If you want to use EXT4, then the same concept can be used with LVM (instead of BTRFS), with logical volumes instead of subvolumes.
You don’t need to encrypt the Linux kernel in /boot, as it is important for the hardware interface at boot; otherwise you would have problems entering the LUKS password at boot because of a non-default keyboard layout, and other problems, e.g. no Plymouth screen …
As far as I know, Calamares cannot do/does not support anything other than full disk encryption.
You want to have an unencrypted /boot partition, a setup which Calamares does not support (has not, at least until recently).
and a suggestion:
why not make it simpler?
instead of multiple LUKS containers, each containing a part of the full system (/home, /usr, /opt …)
just use one LUKS container
then LVM inside of it, to have those separate partitions
with the added advantage that you can relatively easily adjust the sizes of these partitions later on.
I did a bit of research on the topic, and I’m confused on how to set this up on Calamares. Would I make boot partition then make the remaining space one large BTRFS partition and click on the encrypt option during that process?
Afterwards, would I control the sizes after rebooting?
I read the LVM on LUKS section for the page you provided. To my understanding, should I be doing this through the terminal instead?
I’m trying to keep the /boot partition unencrypted for that reason. Unless I’m misunderstanding what you’re saying.
This was the Arch wiki I linked to.
On Manjaro the procedure should be similar - but I don’t know whether it is easy to install Manjaro without using Calamares and do it “by hand/in a terminal” instead.
I have seen guides to install through Calamares and then adapt the system afterwards.
Seemed complicated, definitely for a new user.
A lot of work just to work around the Calamares limitation.
use what Manjaro supports.
if this does not fit your needs - use something else (like Arch itself or other Arch derivatives …)
In that case, I’ll just go ahead and use Arch itself. I’d rather not spend my time working around Calamares when I can do what I want with Arch. I was eventually going to move to Arch anyways.
I was able to pull off what @winnie suggested by using the ‘Erase Disk’ option with BTRFS. I was able to encrypt it by clicking the encrypt option in that page (instead of manual partitioning). It looks like the installer treated my BTRFS partition rather than a LUKS partition as it did when I tried manual partitioning. It’s probably because it encrypted the entire thing instead.
But that also brings up the issue that @Zesko mentioned where it encrypts the boot partition and causes potential other problems.
Luckily though, it looks like I can safely decrypt my system without worry. I’ll still consider moving to Arch just because it looks like it’s more flexible for what I want.
Thank you all for your help.
As long as your passphrase works (when prompted) and you don’t mind the longer time it takes to decrypt the master key (since Grub doesn’t use hardware acceleration), then you’re fine.