[root tip] [How To] Use Calamares to install encrypted root using unencrypted boot

Contributions Tutorials
, ,
1

Unencrypted boot and encrypted root with Calamares

This article has been writtin at a time wher Grub did not support LUKS2 and Calamares default to LUKS1.

Since around 2020/2021 Grub has gained support for LUKS2 and this article may be obsolete as the goal of it is to describe how one can use unencrypted boot instead of full disk encryption.

If you have concerns about using an unencrypted boot you are not in the target audience and you would likely be using qubes-os and full disk encryption

There is pro’s and con’s to this approach so please respect that this topic is not intended for discussions of such considerations.

This topic is for those who are not worried about abusive government and their agencies but still caring enough of their privacy to encrypt their data without sacrificing their system boot time.

Calamares EFI system encryption guide

Ensure your system is using EFI mode by entering your system firmware and disable Legacy or Ccmpatibility mode.

Boot the live ISO and start the Calamares installer.

In the installer - move along with the installer until you reach the Partitions section

Partitions section.

  1. Choose Manual partitioning option
  2. Do Not tick the Encrypt system box
  3. Click > Next button
Screenshot

image

  1. Click the New Parition Table button
  2. The GPT partition scheme should be preselected
    (if it’s not something’s not right - cancel and fix it)
  3. Click the OK button
Screenshot

image

Select the Free space and click the Create button

  1. Size → 512M
  2. File system → fat32
  3. Mount Point → /boot/efi
  4. FS Label → efi system
  5. Flags → boot
  6. Click the OK button
Screenshot

image

Select the Free space and click the Create button

  1. Size → 1024M
  2. File system → ext4
  3. Mount Point → /boot
  4. FS Label → linux boot
  5. Flags → No flags
  6. Click the OK button
Screenshot

image

Select the Free space and click the Create button

  1. Size → remaining
  2. File system → ext4
  3. Tick Encrypt
  4. Fill in encryption phrase
  5. Confirm encryption phrase
  6. Mount Point → /
  7. FS Label → linux root
  8. Flags → root
  9. Click the OK button
Summary

image

When you continue the remainder of the installation you will be notified by the installer, the installation is considered unsafe. You already know that - so acknowledge the warning and continue.

image

:information_source: After you finalize your installation and reboot - consider creating a swapfile following the instructions on the wiki page at Swap - Manjaro

:information_source: Hibernate functionality is not initially setup using this kind of installation. It is likely possible to setup but beyond the scope of this guide.

6 Likes
3

Hey @linux-aarhus this is great – I actually planned to do it as well, especially with the screenshots as they are really helpful. So thanks for beating me to it :wink: :+1:

(replying here, as topics are already closed after two [sic!] days (WHY? people have work, life, …) and I cannot reply in my original thread anymore :confused:)

hopefully this is a little help: this (supposedly) solves:

https://archived.forum.manjaro.org/t/grub-luks-slow-boot/117673

4

Great guide thanks a lot.
Worked perfectly!

5

I don’t even use Manjaro (currently Debian Sid) but I made this account to say THANK YOU!!

This is the clearest, most concise guide I have found on this topic. The screenshots and instructions were wonderful.

Hope you are well, you are an asset to the Open Source community.

3 Likes