Full Encrypted Btrfs/Native System Root Guide

Introduction
Basically this post is an extension to the Btrfs/Native System Root Guide which adds dm-crypt and uses dracut to create the initramfs rather than dealing with the early userspace mounting approach. As the root partition, which also holds /boot, will end up encrypted, we'll store the keyfile that unlocks the btrfs raid partitions inside the initramfs. This is a bit less safe at runtime, because the keyfile ends up in memory, but we gain a faster boot process without the need to type the passphrase 4 times (2 x grub and 2 x btrfs raid1). I also have a btrfs raid6 with 6 fully encrypted disks, which would require entering my passphrase 10 times to get a fully working system, so I'm happy with embedding the keyfile in the initramfs.

We'll migrate an existing MD software raid1 to a btrfs raid1 without adding extra disks, so make backups of your data first! I assume the raid members to be  and   of.

The whole procedure is straightforward, but you have to double-check a few things I'll mention later. Please carefully read the whole post and pay extra attention to grub2 and dracut.

Required packages
First add the required USE flags for the packages. As I'm a lazy person :) I'll use genkernel-next to do the work, even though I'll replace its initramfs with the dracut one.

Next unmask the packages (change the keyword as needed for your system). We'll use the latest available versions.

Install the required packages

If this installs newer kernel sources, change the symlink either using  or do it manually.

Preparing for encryption
As we'll use a keyfile to unlock the partitions, we'll now create one (paranoid settings).
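As an added example (not the command from the original post), here is a small shell helper that creates a keyfile with the kind of paranoid settings meant above: random bytes from /dev/urandom, created under umask 077 so it is never readable by anyone but root, then locked down to mode 0400, plus a check function to verify the result. The path /root/secretkey is the one the post uses later; the 4096-byte size is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the original post: create and verify a LUKS keyfile.
# Size and path are assumptions; the post itself uses /root/secretkey.

# make_keyfile PATH [SIZE_BYTES]
make_keyfile() {
    path="$1"
    size="${2:-4096}"
    # Refuse to overwrite an existing keyfile: losing it locks you out of the raid.
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing keyfile: $path" >&2
        return 1
    fi
    # umask 077 inside the subshell makes the file 0600 from the moment it exists,
    # so there is no window in which group/other could read it.
    ( umask 077 && head -c "$size" /dev/urandom > "$path" ) || return 1
    # Tighten to read-only for root; cryptsetup/dracut only ever need to read it.
    chmod 0400 "$path" || return 1
}

# check_keyfile PATH [SIZE_BYTES]: 0 if the file has the expected size and
# no group/other permission bits, 1 otherwise.
check_keyfile() {
    path="$1"
    size="${2:-4096}"
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    actual=$(wc -c < "$path" | tr -d ' ')
    [ "$actual" -eq "$size" ] || { echo "wrong size $actual (expected $size)" >&2; return 1; }
    mode=$(stat -c '%a' "$path")
    case "$mode" in
        400|600) ;;
        *) echo "keyfile $path has permissive mode $mode" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone usage: make_keyfile /root/secretkey && check_keyfile /root/secretkey
```

Run check_keyfile again after the hot copy and inside the chroot: a keyfile that ends up world-readable on the new root defeats the point of encrypting the disks.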

Dealing with the software raid
Remove  drive from md array

Partition the drive
We create a BIOS boot partition and use the remaining space for the root partition.

Encrypt partitions
First we'll format the partitions

Next we add the keyfile to the root partition

Finally we open the root partition

Create filesystem, mountpoints and subvolumes
Now we format the mapped partition.

Next we create the mountpoints

Now the subvolumes

And finally we mount everything

Hot copy
We'll now mount our running system onto  and copy everything over.

Enter the chroot
We now need to chroot into  and do the usual chroot steps.

mtab/fstab
Check that  contains the following lines and, if not, add them:

Next change  to this:

Remove md array configuration
Next edit  and remove your array from it.

Build kernel and initramfs
Now we'll build the kernel with the required configuration.

Activate support for device mapper infrastructure as well as the crypt target.

And finally add initramfs support as well:

TODO
I'll finish this post tomorrow. Please be patient, it's late ;)

Here are the plain instructions for those who cannot wait.

Edit /etc/default/grub

Add GRUB_ENABLE_CRYPTODISK=y

Add "rd.luks=1 rd.luks.key=/root/secretkey rd.luks.uuid=luks-" followed by the UUID of the "encrypted"!! partition (e.g. /dev/sda2, not the mapped device) to GRUB_CMDLINE_LINUX

Install grub into MBR

grub2-install /dev/sda

Add the luks device UUIDs (UUIDs of the "encrypted"!! partition, e.g. /dev/sda2) to /etc/crypttab

e.g.: luks-sda2 UUID=e57c4e30-7b2e-457a-af9b-3270d085aae2 /root/secretkey luks

Install dracut

Generate the new initramfs

dracut -f -I /etc/crypttab -I /root/secretkey

Move the generated initramfs over the genkernel one

Generate grub.cfg

grub2-mkconfig -o /boot/grub/grub.cfg

Fix newline problems

Leave chroot and unmount everything

Reboot and cross your fingers

After reboot

mdadm --stop /dev/md1

mdadm --zero-superblock /dev/sdb

Partition the drive

gdisk /dev/sdb

Number  Start (sector)    End (sector)  Size       Code  Name
   1              2048            8191   3.0 MiB    EF02  grub2biosboot
   2              8192       250069679   119,2G     8300  root

Encrypt partitions

cryptsetup luksFormat -s 512 -c twofish-xts-plain64 /dev/sdb1

cryptsetup luksFormat -s 512 -c twofish-xts-plain64 /dev/sdb2

Add keyfile

cryptsetup luksAddKey /dev/sdb2 /root/secretkey

Open the partition

cryptsetup open -d /root/secretkey /dev/sdb2 luks-2

Add device and convert to raid1

btrfs device add /dev/mapper/luks-2 /mnt/btrfsmirror

btrfs balance start -dconvert=raid1 -mconvert=raid1 /mnt/btrfsmirror

Add rd.luks.uuid to /etc/default/grub

Add to crypttab

luks-2 UUID=e57c4e30-7b2e-457a-af9b-3270d085aae2 /root/secretkey luks

Recreate initramfs with dracut

dracut -f -I /etc/crypttab -I /root/secretkey

Move the generated initramfs over the genkernel one

Recreate grub.cfg

grub2-mkconfig -o /boot/grub/grub.cfg

Fix newline problems

DOUBLE CHECK THE UUIDS IN grub.cfg !!!
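The UUID check above is the step that bites most often: dracut is told which LUKS volumes to open via rd.luks.uuid on the kernel command line, but it can only unlock them with the keyfile if the same UUID appears in the /etc/crypttab that was embedded with -I. The shell functions below are an added example (not part of the original post) that automate the cross-check for both the first crypttab/GRUB_CMDLINE_LINUX step and this second one: they pull every rd.luks.uuid=luks-<uuid> out of a grub.cfg and verify each one is listed as UUID= in a crypttab. The sample grub.cfg and crypttab contents are constructed for this example and the UUIDs in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check rd.luks.uuid entries
# in grub.cfg against /etc/crypttab. File contents built by make_samples are
# constructed sample data with placeholder UUIDs.

# luks_uuids_from_grub FILE: print every UUID that follows rd.luks.uuid=luks-
luks_uuids_from_grub() {
    grep -o 'rd\.luks\.uuid=luks-[0-9a-fA-F-]*' "$1" \
        | sed 's/^rd\.luks\.uuid=luks-//' | sort -u
}

# uuids_from_crypttab FILE: print the UUID of each non-comment crypttab line
# whose device field (second column) is of the form UUID=<uuid>.
uuids_from_crypttab() {
    grep -v '^[[:space:]]*#' "$1" \
        | awk '$2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2 }' | sort -u
}

# check_luks_uuids GRUB_CFG CRYPTTAB: 0 if every UUID grub passes to dracut is
# present in the crypttab, 1 (with a message per missing UUID) otherwise.
check_luks_uuids() {
    rc=0
    for u in $(luks_uuids_from_grub "$1"); do
        if ! uuids_from_crypttab "$2" | grep -qx "$u"; then
            echo "rd.luks.uuid=luks-$u in $1 is not listed in $2" >&2
            rc=1
        fi
    done
    return $rc
}

# make_samples DIR: write constructed sample files for a stand-alone run.
make_samples() {
    dir="$1"
    cat > "$dir/grub.cfg" <<'EOF'
linux /vmlinuz root=/dev/mapper/luks-sda2 rd.luks=1 rd.luks.key=/root/secretkey rd.luks.uuid=luks-11111111-1111-1111-1111-111111111111 rd.luks.uuid=luks-22222222-2222-2222-2222-222222222222
EOF
    # Both raid members listed: consistent.
    cat > "$dir/crypttab.ok" <<'EOF'
# name      device                                      keyfile          options
luks-sda2   UUID=11111111-1111-1111-1111-111111111111   /root/secretkey  luks
luks-2      UUID=22222222-2222-2222-2222-222222222222   /root/secretkey  luks
EOF
    # Second member forgotten: the boot would stall asking for its passphrase.
    cat > "$dir/crypttab.bad" <<'EOF'
luks-sda2   UUID=11111111-1111-1111-1111-111111111111   /root/secretkey  luks
EOF
}

# Real usage inside the chroot, before rebooting:
#   check_luks_uuids /boot/grub/grub.cfg /etc/crypttab
```

Run it after every grub2-mkconfig and before every dracut -f; if it reports a missing UUID, fix /etc/crypttab first and then regenerate the initramfs, since the crypttab copy inside the initramfs is what dracut actually reads at boot.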

Install grub into MBR

grub2-install /dev/sdb

rm -rf /mnt/newroot

rm -rf /mnt/rawroot

Reboot