Here is a draft of a rewrite of Dm-crypt/Encrypting_an_entire_system#Btrfs_subvolumes_with_swap. The main motivation is that the current guide is very difficult to follow because it is lacking specific commands. Also the references it gives are quite vague and make it difficult to figure out which sections of the referenced articles should be followed.
I am looking forward to your edits, comments and discussion :)
Btrfs on LUKS
The following example creates a full system encryption with LUKS1 using Btrfs as filesystem and btrfs subvolumes to simulate partitions. That way you combine the security of a fully encrypted system with the advantages of Btrfs.
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in dm-crypt/Drive preparation.
In this guide we assume you are using UEFI. Therefore, an EFI system partition (ESP) is required. The ESP itself cannot be encrypted. the ESP is
/dev/sda1 and is mounted at
/efi. If the disk already has an EFI partition, leave it alone. It can be used as is.
Btrfs will use the LUKS1-encrypted system partition
+----------------------+----------------------+ | EFI system partition | System partition | | unencrypted | LUKS1-encrypted | | | | | /efi | / | | /dev/sda1 | /dev/sda2 | |----------------------+----------------------+
mkfs.fat). Do not use vFAT or your system will not boot
/bootwill be located on the LUKS1 encrypted system partition. GRUB will be used as the bootloader and decrypt
/boot, avoiding an unencrypted /boot partition
Preparing the system partition
Encrypt and unlock the root partition
see dm-crypt/Device encryption for detailed explanations and other options.
cryptsetup luksFormat --type luks1) for partitions that GRUB will need to unlock.
# cryptsetup luksFormat --type luks1 /dev/sda2 # cryptsetup open /dev/sda2 cryptroot
Format the unlocked luks device
see Btrfs#File system on a single device for details.
# mkfs.btrfs -L root /dev/mapper/cryptroot
Create btrfs subvolumes and mount them
Mount the btrfs volume:
# mount /dev/mapper/cryptroot /mnt
Create top-level btrfs subvolumes:
# btrfs subvolume create /mnt/@ # to be mounted at / # btrfs subvolume create /mnt/@home # to be mounted at /home # btrfs subvolume create /mnt/@snapshots # to be mounted at /.snapshots # btrfs subvolume create /mnt/@var_log # to be mounted at /var/log
Unmount the btrfs volume:
# umount /mnt
Mount the top level subvolumes:
# mount -o compress=zstd,subvol=@ /dev/mapper/cryptroot /mnt # mkdir /mnt/home # mount -o compress=zstd,subvol=@home /dev/mapper/cryptroot /mnt/home # mkdir /mnt/.snapshots # mount -o compress=zstd,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots # mkdir -p /mnt/var/log # mount -o compress=zstd,subvol=@var_log /dev/mapper/cryptroot /mnt/var/log
Create subvolumes for paths to be excluded from snapshots
This is a good time to create subvolumes for paths you do not want to have snapshots of when taking a snapshot of
/. Creating these subvolumes later, when they already contain data will be more difficult.
Since you are still in the live system, where the root (
@) subvolume is mounted at
/mnt you will need to create the subvolumes at
/mnt/<path/to/exclude> You may have to create any parent directories first.
It is recommended to exclude these directories:
# mkdir -p /mnt/var/cache/pacman/ # btrfs subvolume create /mnt/var/cache/pacman/pkg # btrfs subvolume create /mnt/var/tmp # btrfs subvolume create /mnt/srv
If you plan to use docker, you may also want to exclude:
# mkdir -p /mnt/var/lib/docker/ # btrfs subvolume create /mnt/var/lib/docker/volumes # btrfs subvolume create /mnt/var/lib/docker/images
Mount the EFI System Partition (esp)
# mkdir /mnt/efi # mount /dev/sda1 /mnt/efi
/efi, since it is not a btrfs file system.
You should now be chrooted into your freshly installed system.
Install additional packages
The Installation_guide installs only the absolute bare minimum. At the very least you need to install
btrfs-progs and an editor (for example
# pacman -S btrfs-progs nano
Your life will be easier if you also install:
# pacman -S man-db man-pages bash-completion
Create a new initramfs
Create a keyfile for GRUB to be able to unlock the root partition. See dm-crypt/Device encryption#With a keyfile embedded in the initramfs for details.
# dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock # chmod 600 /crypto_keyfile.bin # chmod 600 /boot/initramfs-linux* # cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
Add the following parameters to the respective places in
/etc/mkinitcpio.conf. See dm-crypt/System configuration#mkinitcpio for detailed information.
BINARIES=(/usr/bin/btrfs) FILES=(/crypto_keyfile.bin) HOOKS=(base udev keyboard autodetect keymap consolefont modconf block encrypt filesystems fsck)
Crete the initramfs:
# mkinitcpio -P
Configure and install the boot loader
Install the grub efi binaries to the efi partition:
# grub-install --target=x86_64-efi --efi-directory=efi --bootloader-id=GRUB
Change the GRUB_CMDLINE_LINUX parameter in
/etc/default/grub as shown below (using
sed to avoid having to manually type the UUID). See GRUB#Encrypted /boot and dm-crypt/System configuration#Using encrypt hook for details.
# uuid=$( blkid -o value /dev/sda2 | head -n 1 ) # sed -i -e "s|\(GRUB_CMDLINE_LINUX=\"\).*\"|\1cryptdevice=UUID=$uuid:cryptroot: crypto=:::: rd.luks.options=discard\"|g" /etc/default/grub
/etc/default/grub in an editor to uncomment:
while you are there, check that
GRUB_CMDLINE_LINUX reads something like:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=12345678-9abcd-ef10-111213141516:cryptroot:enable-discards crypto=:::: rd.luks.options=discard"
rd.luks.options=discardkernel parameter, but when I checked, fstrim did not work on my ssd until I added it. I am not sure if the cryptdevice option
enable-discardsis necessary together with the kernel parameter
rd.luks.options=discard, but since fstrim works now, I did not bother to remove it.
GRUB_CMDLINE_LINUX=in order to set the noatime option for the root filesystem, which improves performance for btrfs and reduces the write operations to the ssd. While you are at it, you can also edit
noatimefor all btrfs filesystems.
Generate the grub config file:
# grub-mkconfig -o /boot/grub/grub.cfg
Create a swap file
See Btrfs#Swap_file for details.
# btrfs subvolume create /swap # cd /swap # truncate -s 0 ./swapfile # chattr +C ./swapfile # btrfs property set ./swapfile compression none # fallocate -l 2G swapfile # chmod 600 ./swapfile # mkswap ./swapfile # swapon ./swapfile
Make sure you set a root password:
Install the appropriate microcode for your processor:
# pacman -S amd-ucode # or 'intel-ucode' for Intel Processors