You are not logged in.

#1 2022-07-31 13:35:46

vodd
Member
Registered: 2022-07-31
Posts: 4

btrfs, two disks, LUKS encryption on laptop

Hello!

I'm willing to try Arch Linux on my Laptop with one 128GB NVME and 1TB SSD.
Currently I'm using Fedora 36, in which I created one btrfs volume for each drive.

So currently I'm using:
128NVME:
btrfs LUKS encrypted
subvolumes: @, @snapshots

1TB:
btrfs LUKS encrypted
subvolumes: @home

I like the setup and would like to use something familiar on my new arch install, but my question is (after reading the Wiki several times):
1. What is the easiest and most efficient way to only enter the password for each device once at boot?
2. should I also encrypt the /boot drive and limit myself to LUKS1 in order for GRUB to encrypt /boot?
3. what benefits do I get for using sd-encrypt instead of using only encrypt in the mkinitcpio.conf?
4. Fedora has a nice boot password prompt, what do I have to install to get a similar experience?
5. when exactly do I need the crypttab? or are keyfiles for encryption enough?
6. should I use one pool of 2 disks in btrfs or is the current setup with two independet btrfs-volumes better?

Sorry for mixing things up, the Wiki is an excellent resource, but in my case I don't really know which path to choose.

Last edited by vodd (2022-07-31 13:37:21)

Offline

#2 2022-08-04 22:43:29

ectospasm
Member
Registered: 2015-08-28
Posts: 107

Re: btrfs, two disks, LUKS encryption on laptop

I have a laptop that I use LUKS1 with (since GRUB didn't support LUKS2 when I set it up, it looks like it still might not).  It has been a couple of years how I set it up, but I'll try to answer some of your questions.


vodd wrote:

1. What is the easiest and most efficient way to only enter the password for each device once at boot?

This may sound counter-intuitive, but store a key file in the inner encrypted device.  So, you still need your LUKS password to unlock the outer device, but when it would normally prompt you for your password a second time, it uses the key file.  That's how I worked around it, I don't know if there's a better option.

vodd wrote:

2. should I also encrypt the /boot drive and limit myself to LUKS1 in order for GRUB to encrypt /boot?

As with many questions like this, it depends on how paranoid you are about computer security and privacy.  If you are worried that someone might steal your laptop and get into your disks, encrypting boot (and setting a UEFI/BIOS password) might slow them down.  A lot of it depends on how sensitive the information on it is to you.

vodd wrote:

3. what benefits do I get for using sd-encrypt instead of using only encrypt in the mkinitcpio.conf?

If I remember correctly, I use sd-encrypt so systemd is more aware of the fact that the disk is encrypted.  But that's totally a guess.

vodd wrote:

4. Fedora has a nice boot password prompt, what do I have to install to get a similar experience?

I have no need for fancy colorful login screens, so mine is just text until startx.

vodd wrote:

5. when exactly do I need the crypttab? or are keyfiles for encryption enough?

I don't use crypttab, since I just have one disk, and one LUKS device.

vodd wrote:

6. should I use one pool of 2 disks in btrfs or is the current setup with two independet btrfs-volumes better?

I don't know what's better, but I don't mount my top-level subvolume (subvol_id=5) on my laptop.  The root partition is a subvolume, along with my home partition, which I use snapper to make snapshots.

On my file server I have eight disks, six of which are in Btrfs RAID10 (two are manual hot spares).  I'm not sure the wisdom of having two disparate disks in the same pool, but it might be easier to manage until something goes wrong.

I'd read through Btrfs Sysadmin Guide for more information on the tradeoffs between various approaches.

Offline

#3 2022-08-05 06:52:54

vodd
Member
Registered: 2022-07-31
Posts: 4

Re: btrfs, two disks, LUKS encryption on laptop

ectospasm wrote:

This may sound counter-intuitive, but store a key file in the inner encrypted device.  So, you still need your LUKS password to unlock the outer device, but when it would normally prompt you for your password a second time, it uses the key file.  That's how I worked around it, I don't know if there's a better option.

That sounds great, I will use the crypttab method with a keyfile stored in the encrypted first drive under /etc

ectospasm wrote:

I don't know what's better, but I don't mount my top-level subvolume (subvol_id=5) on my laptop.  The root partition is a subvolume, along with my home partition, which I use snapper to make snapshots.

I set up the rootflags in the /etc/default/grub to use the @ subvolume as root, thanks for the tip.

Currently I decided to don't use the two drives as one volume. You can see my current decisions under btrfs, encrypted boot, GRUB error: no such device, although I have problems with GRUB to find my root device...

Anyway, thanks for your input!

Offline

#4 2022-08-05 15:01:05

ectospasm
Member
Registered: 2015-08-28
Posts: 107

Re: btrfs, two disks, LUKS encryption on laptop

vodd wrote:

That sounds great, I will use the crypttab method with a keyfile stored in the encrypted first drive under /etc

I use the rd.luks.key kernel cmdline parameter to set the key file (in GRUB_CMDLINE_LINUX variable in /etc/default/grub), and put the key in /etc/cryptsetup-keys.d/.

Offline

Board footer

Powered by FluxBB