[root tip] [How To] Convert GRUB+luks1 to UKI+luks2

Convert GRUB+LUKS1 to UKI+LUKS2

This guide targets a default Manjaro Installation (no dualboot) using btrfs inside a LUKS container.

Prerequisites

  • The $esp (EFI System Partition) is expected to be 300MiB

  • The kernel is expected to be the latest LTS (e.g. 6.18)

  • You know the layout of the disk

    lsblk -f
    

    you will need the device name, e.g. sda or nvme0n1, and the partition numbers

  • a default Manjaro system will have

    • EFI partition is /dev/<device>1
    • luks root is /dev/<device>2
    • luks swap is /dev/<device>3

We will use labels - they are easier to work with than UUIDs, which differ from one installation to the next.

Boot a live ISO

Open a terminal

Setting the assumptions as variables

The variables are there to avoid human errors - mistyping commands etc.

If your disk is SATA (e.g. /dev/sda) - remove the p from the partition numbering

DEVICE="/dev/nvme0n1"             # disk device /dev/sda or /dev/nvme0n1
EFI_NUM="p1"                      # efi partition number (default = 1)
SYS_NUM="p2"                      # system partition number (default = 2)
SWAP_NUM="p3"                     # swap partition number (default = 3)
MOUNT="/mnt"                      # mountpoint, referenced as ${MOUNT} below
KERNEL="linux618"
BOOT_LOADER="/EFI/Linux/manjaro-6.18-x86_64.efi"
LABEL_BOOT="Manjaro 6.18 (EFI)"   # label for boot loader entry
LABEL_CRYPT_SYSTEM="cryptsystem"  # label for partition luks system container
LABEL_CRYPT_SWAP="cryptswap"      # label for partition luks swap container
LABEL_SYSTEM="system"             # label for filesystem inside container
LABEL_SWAP="swap"                 # label for filesystem inside container
EFI_LABEL="EFI"                   # label for efi partition
  • convert luks container to luks2

    # the container must be closed (not mapped) while it is converted
    cryptsetup convert ${DEVICE}${SYS_NUM} --type luks2
    # converts only the keyslot that matches the passphrase you enter
    cryptsetup luksConvertKey ${DEVICE}${SYS_NUM} --pbkdf argon2id
    
  • add label to root partition cryptsystem

    # sgdisk takes the bare partition number; ${SYS_NUM#p} strips the nvme "p" (no-op for sda)
    sgdisk -c ${SYS_NUM#p}:${LABEL_CRYPT_SYSTEM} ${DEVICE}
    
  • mount btrfs subvolumes - see Basic Rescue and Recovery

  • when mounted, set the label on the btrfs filesystem root mount point to system
    assuming you opened the container as /dev/mapper/system

    btrfs filesystem label ${MOUNT} ${LABEL_SYSTEM}
    udevadm trigger
    
  • set label on efi partition

    sgdisk -c ${EFI_NUM#p}:${EFI_LABEL} ${DEVICE}   # bare partition number again
    
  • create mount point for EFI partition

    mkdir ${MOUNT}/efi
    
  • mount efi partition on the mountpoint

    mount ${DEVICE}${EFI_NUM} ${MOUNT}/efi
    
  • enter chroot using the defined mountpoint

    manjaro-chroot ${MOUNT} /bin/bash
    

System Configuration

  • optional edit: add FONT and FONT_MAP to /etc/vconsole.conf
    example (the FONT_MAP is standard western font map)

    KEYMAP=dk
    FONT=lat2-16
    FONT_MAP=8859-1
    
  • edit: remove or comment root directive from /etc/crypttab

  • edit: change efi mount in /etc/fstab to be /efi (created beforehand)

  • edit: modify /etc/fstab to
    use the system filesystem label for all btrfs subvolumes
    use the EFI partition label for the EFI partition, moving its mountpoint to /efi

    LABEL=EFI         /efi        vfat   defaults,umask=0077 0 2
    LABEL=system      /           btrfs  subvol=/@,defaults,compress=zstd:1       0  0
    LABEL=system      /home       btrfs  subvol=/@home,defaults,compress=zstd:1   0  0
    LABEL=system      /var/log    btrfs  subvol=/@log,defaults,compress=zstd:1    0  0
    LABEL=system      /var/cache  btrfs  subvol=/@cache,defaults,compress=zstd:1  0  0
    #/dev/mapper/swap  swap        swap   defaults,noatime,mode=1777               0  0
    
  • create: file /etc/crypttab.initramfs with content

    system /dev/disk/by-partlabel/cryptsystem none timeout=120
    
  • create: file /etc/kernel/cmdline, starting from the output of cat /proc/cmdline, and amend it to look like

    fbcon=nodefer rd.luks.allow-discards bgrt_disable root=LABEL=system rootflags=subvol=@,rw quiet splash udevlog_priority=3 vt.global_cursor_default=0
    
  • edit: /etc/mkinitcpio.conf

    • FILES array - remove keyfile
    • HOOKS array
      • remove encrypt
      • add systemd, sd-vconsole and sd-encrypt

    FILES=()
    HOOKS=(base systemd microcode autodetect kms modconf block keyboard sd-vconsole sd-encrypt plymouth filesystems fsck)
    
  • edit: /etc/mkinitcpio.d/linux<kernel>.preset
    The file will look like this for Manjaro Linux 6.18

    $ cat /etc/mkinitcpio.d/linux618.preset
    # mkinitcpio preset file for the '6.18-x86_64' package
    
    #ALL_config="/etc/mkinitcpio.conf"
    ALL_kver="/boot/vmlinuz-6.18-x86_64"
    
    PRESETS=('default' 'fallback')
    
    #default_config="/etc/mkinitcpio.conf"
    #default_image="/boot/initramfs-6.18-x86_64.img"
    default_uki="/efi/EFI/Linux/manjaro-6.18-x86_64.efi"
    default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp"
    
    #fallback_config="/etc/mkinitcpio.conf"
    #fallback_image="/boot/initramfs-6.18-x86_64-fallback.img"
    fallback_uki="/efi/EFI/Linux/manjaro-6.18-x86_64-fallback.efi"
    fallback_options="-S autodetect"
    

    Change to

    ALL_kver="/boot/vmlinuz-6.18-x86_64"
    PRESETS=('default')
    default_uki="/efi/EFI/Linux/manjaro-6.18-x86_64.efi"
    default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp"
    
  • configure plymouth to use spinfinity (or another theme providing a nice passphrase input)

    plymouth-set-default-theme spinfinity
    
  • create Linux folder in /efi/EFI

    mkdir /efi/EFI/Linux
    
  • generate the initramfs and the UKI (mkinitcpio builds the UKI from the preset)

    mkinitcpio -p ${KERNEL}
    
  • create an EFI boot entry (assuming kernel 6.18)

    # --part takes the bare partition number; the label contains spaces, so quote it
    efibootmgr --create --disk ${DEVICE} --part ${EFI_NUM#p} --loader "${BOOT_LOADER}" --label "${LABEL_BOOT}" --unicode
    
  • remove grub efi stubs

    rm -r /efi/EFI/boot
    rm -r /efi/EFI/Manjaro
    
  • remove grub related packages and mkinitcpio-openswap

    pacman -Rns grub-theme-manjaro install-grub update-grub grub grub-btrfs mkinitcpio-openswap
    
  • before you reboot the system
    You can use efibootmgr to set the boot order.
    This will ensure your new entry is used first.
    You will need the entry number from the efibootmgr output, e.g. Boot0000, to set the boot order.
    Example, assuming your new entry is 0000 (unlikely, but it serves as an example):

    efibootmgr -o 0000
    
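A pre-reboot check covering both the LUKS conversion step and the boot order step above. This is an added example, not part of the how-to: it parses the output of cryptsetup luksDump and efibootmgr and is fed constructed samples so it runs without root. cryptsetup luksConvertKey converts only the keyslot matching the passphrase you enter, so a keyfile slot left over from the GRUB setup keeps its old PBKDF until you convert or remove it, which is what the keyslot check catches.

```shell
#!/bin/sh
# Pre-reboot checks for the conversion above (added example, not part of the how-to).
# The functions parse command output passed in as a string, so they run here on
# constructed samples; on the real system feed them (as root)
#   "$(cryptsetup luksDump /dev/disk/by-partlabel/cryptsystem)" and "$(efibootmgr)".
# Constructed luksDump excerpt: slot 0 was converted to argon2id, slot 1 was not.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
Digests:
  0: pbkdf2
        Hash:       sha256'
# Constructed efibootmgr output: the old GRUB entry is still first in BootOrder.
SAMPLE_EFI=$(printf 'BootOrder: 0001,0003\nBoot0001* Manjaro\tHD(1,GPT,...)\nBoot0003* Manjaro 6.18 (EFI)\tHD(1,GPT,...)/\\EFI\\Linux\\manjaro-6.18-x86_64.efi\n')
luks_version() { printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }'; }
# Numbers of the LUKS2 keyslots whose PBKDF is not argon2id, one per line.
luks_weak_slots() {
  printf '%s\n' "$1" | awk '
    /^  [0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
    /PBKDF:/ && $2 != "argon2id" { print slot }'
}
# Boot number of the active entry whose label is exactly $2 (empty if none).
boot_entry_num() {
  printf '%s\n' "$1" | awk -v l="$2" '
    /^Boot[0-9A-F][0-9A-F][0-9A-F][0-9A-F]\* / {
      rest = substr($0, 11); sub(/\t.*/, "", rest)
      if (rest == l) { print substr($0, 5, 4); exit } }'
}
# First entry in BootOrder.
first_boot() { printf '%s\n' "$1" | awk -F'[: ,]+' '/^BootOrder:/ { print $2; exit }'; }
report() {  # $1 = luksDump output, $2 = efibootmgr output, $3 = boot entry label
  [ "$(luks_version "$1")" = 2 ] || echo "container is not LUKS2"
  for s in $(luks_weak_slots "$1"); do
    echo "keyslot $s still uses a non-argon2id PBKDF: luksConvertKey it or luksKillSlot it"
  done
  n=$(boot_entry_num "$2" "$3")
  [ -n "$n" ] || { echo "no boot entry labelled '$3'"; return 1; }
  [ "$(first_boot "$2")" = "$n" ] || echo "entry $n is not first in BootOrder: efibootmgr -o $n"
}
report "$SAMPLE_DUMP" "$SAMPLE_EFI" "Manjaro 6.18 (EFI)"
```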