
#1 2022-06-07 17:29:00

Daedalus24
Member
From: Bucharest, Romania
Registered: 2015-03-27
Posts: 31

Btrfs subvolumes+encryption+refind

I have decided to use encryption on a new office laptop (Asus Vivobook 7600Q-2007X 16", AMD Ryzen 7, GeForce RTX), with Win11 preinstalled. It took almost 20 hours of waiting until I was able to access the OS partition under Windows (EaseUS Partition Manager returned "BitLocker encryption in progress, please wait"). I decrypted the OS partition and started to format the SSD. The /boot partition was doubled in space, then I manually partitioned the SSD as follows:



NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS

nvme0n1     259:0    0 953.9G  0 disk  
├─nvme0n1p1 259:1    0 446.1M  0 part  /boot
├─nvme0n1p2 259:2    0 144.5G  0 part  
├─nvme0n1p3 259:3    0 130.9G  0 part  
├─nvme0n1p4 259:4    0    22G  0 part  [SWAP]
├─nvme0n1p5 259:5    0     1G  0 part  
├─nvme0n1p6 259:6    0   200M  0 part  
└─nvme0n1p7 259:7    0 654.8G  0 part  
  └─luks    254:0    0 654.8G  0 crypt /var/log
                                       /var/cache
                                       /home
                                       /.snapshots
                                       /

I created a swap partition (labeled as /dev/nvme0n1p4), as it was my intention to enjoy the advantages of zswap (the wiki says it is preferable to zram and that it works only in conjunction with a dedicated swap partition). Moreover, sometimes I turn the laptop into suspend mode instead of shutting it down when I go to bed. I consider the security risk of having a non-encrypted swap partition (with zswap) as more than acceptable. I'm sure a better way exists, can you please give me a few hints?

NAME        FSTYPE FSVER LABEL    UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 vfat   FAT32 SYSTEM   66FE-32E1                               295M    34% /boot
├─nvme0n1p2 ntfs         OS       A633000332FFD671
├─nvme0n1p3 ntfs                  01D86C69A62750F0
├─nvme0n1p4 swap   1              48027649-e023-44f6-bd7d-75b20035f72e                [SWAP]
├─nvme0n1p5 ntfs         RECOVERY 245447255446F956
├─nvme0n1p6 vfat   FAT32 MYASUS   5A0D-A168
└─nvme0n1p7 crypto 2              911fcc24-b622-4f36-8f79-057acdc40393
  └─luks    btrfs        ROOT     b1ae555f-7861-4abc-b079-dec2af172849  386.2G    41% /var/log
                                                                                      /var/cache
                                                                                      /home
                                                                                      /.snapshots
                                                                                      /

As I am a big fan of refind, I had to reboot the system a few times into emergency mode (using the installation USB disk) until I managed to identify an operational configuration. Thus, my refind_linux.conf file looks like (where /dev/mapper/luks is the encrypted partition)



"Boot using default options"   "cryptdevice=UUID=911fcc24-b622-4f36-8f79-057acdc40393:luks root=/dev/mapper/luks luks=UUID=b1ae555f-7861-4abc-b079-dec2af172849 rw rootflags=subvol=@ initrd=amd-ucode.img initrd=initramfs-%v.img add_efi_memmap"
"Boot with fallback initramfs" "cryptdevice=UUID=911fcc24-b622-4f36-8f79-057acdc40393:luks root=/dev/mapper/luks luks=UUID=b1ae555f-7861-4abc-b079-dec2af172849 rw rootflags=subvol=@ initrd=amd-ucode.img initrd=initramfs-%v-fallback.img add_efi_memmap"
"Boot to rescue mode"         "cryptdevice=UUID=911fcc24-b622-4f36-8f79-057acdc40393:luks root=/dev/mapper/luks luks=UUID=b1ae555f-7861-4abc-b079-dec2af172849 rw rootflags=subvol=@ rescue initrd=initramfs-%v-fallback.img"
"Boot to single-user mode"    "cryptdevice=UUID=911fcc24-b622-4f36-8f79-057acdc40393:luks root=/dev/mapper/luks luks=UUID=b1ae555f-7861-4abc-b079-dec2af172849 rw rootflags=subvol=@ initrd=amd-ucode.img initrd=initramfs-%v.img archisobasedir=arch archisolabel=ARCH_202206 single"
"Boot to emergency mode"      "cryptdevice=UUID=911fcc24-b622-4f36-8f79-057acdc40393:luks root=/dev/mapper/luks luks=UUID=b1ae555f-7861-4abc-b079-dec2af172849 rw rootflags=subvol=@ emergency initrd=initramfs-%v-fallback.img"

 
Was there any simpler way to do it?

I have looked at

https://bbs.archlinux.org/viewtopic.php?id=264218

in order to make refind load the Arch Linux icon instead of the Linux penguin. I added

icons_dir icons

   
at line 80 in /boot/EFI/BOOT/refind.conf, but it did not help.

Thank you,
Bogdan

Last edited by Daedalus24 (2022-06-07 17:31:23)

Offline

#2 2022-06-14 02:16:58

XeroDotCom
Banned
From: Thorn ᚹ
Registered: 2022-06-13
Posts: 4

Re: Btrfs subvolumes+encryption+refind

There's an error with the initramfs if it's a constant issue. Should you reinstall, download Dracut to generate the fstab and init. Usually with an error such as this it's because either the wrong fs label or UUID was added to the fstab, or there is also the slight chance that for some reason it actually changed. Also, for the sake of curiosity, which LUKS is it, 1 or 2? Dracut is the best at auto-detecting all partitions, encryption, subvolumes etc. with minimal to no user involvement.

Last edited by XeroDotCom (2022-06-14 02:22:23)


ᛩ King Mặsặdặ ᚹ
XeroNet
"What's past is prologue"

Offline

#3 2022-06-16 17:23:00

Daedalus24
Member
From: Bucharest, Romania
Registered: 2015-03-27
Posts: 31

Re: Btrfs subvolumes+encryption+refind

Hi @XeroDotCom,

Thank you for the advice, until now it seems there is no need to reinstall. It is working all right, booting is super fast. I had some issues with suspend, as the computer was powering on randomly by itself. So I ran again

# mkinitcpio -p linux-zen

and added the following

resume=UUID=UUID-of-swap-partition

to the refind_linux.conf file. And resume works now!

It is LUKS version 2. I'll post if anything notable happens meanwhile.

Cheers

Last edited by Daedalus24 (2022-06-16 17:32:32)

Offline
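
Post #1 leaves the swap partition outside LUKS and post #3 points `resume=` at it; a hibernation image written to such a partition is stored unencrypted. The check below is an added example, not part of the thread: it reads a kernel command line and `lsblk -P -n -o NAME,TYPE,FSTYPE,UUID` output and reports whether the resume target sits on a dm-crypt mapping. The function names and the sample data (built from the UUIDs in post #1) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a resume= target that is swap outside dm-crypt.

# Constructed sample of `lsblk -P -n -o NAME,TYPE,FSTYPE,UUID` (UUIDs from post #1).
SAMPLE_LSBLK='NAME="nvme0n1p4" TYPE="part" FSTYPE="swap" UUID="48027649-e023-44f6-bd7d-75b20035f72e"
NAME="nvme0n1p7" TYPE="part" FSTYPE="crypto_LUKS" UUID="911fcc24-b622-4f36-8f79-057acdc40393"
NAME="luks" TYPE="crypt" FSTYPE="btrfs" UUID="b1ae555f-7861-4abc-b079-dec2af172849"'
# Constructed command line: options from post #1 plus the resume= option from post #3.
SAMPLE_CMDLINE='cryptdevice=UUID=911fcc24-b622-4f36-8f79-057acdc40393:luks root=/dev/mapper/luks rw rootflags=subvol=@ resume=UUID=48027649-e023-44f6-bd7d-75b20035f72e'

# Print the UUID named by resume=UUID=... in command line $1 (nothing if absent).
resume_uuid() {
    for word in $1; do
        case $word in
            resume=UUID=*) printf '%s\n' "${word#resume=UUID=}"; return 0 ;;
        esac
    done
}

# Print "TYPE FSTYPE" for the lsblk row in $2 whose UUID equals $1.
device_kind() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case $line in
            *" UUID=\"$1\""*)
                dtype=${line#* TYPE=\"};  dtype=${dtype%%\"*}
                fs=${line#* FSTYPE=\"};   fs=${fs%%\"*}
                printf '%s %s\n' "$dtype" "$fs" ;;
        esac
    done
}

# Return 0: no resume= or target is swap on a dm-crypt mapping,
#        1: target is swap on a plain device, 2: target is not a known swap.
audit_resume() {
    uuid=$(resume_uuid "$1")
    [ -n "$uuid" ] || { echo "no resume= parameter"; return 0; }
    kind=$(device_kind "$uuid" "$2")
    case $kind in
        "crypt swap") echo "resume target $uuid: swap on dm-crypt"; return 0 ;;
        *" swap")     echo "resume target $uuid: PLAINTEXT swap ($kind)"; return 1 ;;
        *)            echo "resume target $uuid: not found as swap"; return 2 ;;
    esac
}

# Demo on the constructed data; on a live system pass "$(cat /proc/cmdline)"
# and "$(lsblk -P -n -o NAME,TYPE,FSTYPE,UUID)" instead.
audit_resume "$SAMPLE_CMDLINE" "$SAMPLE_LSBLK" || true
```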
