Full Encrypted Btrfs/Native System Root Guide

Introduction
Basically this post is an extension to Btrfs/Native System Root Guide which adds Dm-crypt and uses Dracut to create the initramfs rather then dealing with the Early Userspace Mounting approach. As the root partition, which also includes /boot, will end up encrypted, we'll store the keyfile to unlock the btrfs raid partitions within the initramfs. This may be a bit unsafer on runtime as the keyfile ends up in memory but we gain a faster boot process without the need to input the password 4 times (2 x grub and 2 x btrfs raid1). I also have an btrs raid6 with 6 full encrypted disks and this would lead me to enter my password 10 times to have a fully working system. so i'm happy with embedding the keyfile within the initramfs.

As i didn't find a way to get a working system with the initramfs generated by genkernel i've decided to use dracut.

We'll migrate an existing MD software raid1 to an btrfs raid1 without adding extra disks. So better make backups of your data! I assume the raid members of  to be   and.

The whole procedure is straight forward but you have to double check a few things i'll mention later. Please carefully read the whole post and pay extra attention to grub2 and dracut.

There may be better ways to accomplish this setup but after nights of research and testing within a virtual machine this procedure has worked for me.

Required packages
First add the required use flags for the packages. As i'm a lazy person :) i'll use genkernel-next to do the work even if i'll replace the initramfs with the dracut one.

Next unmask the packages (Please change the keyword as needed for your system). We'll use the latest available versions.

install the required packages

If this installs newer kernel sources, please change the symlink either using  or do it manually, build the kernel and reboot. After that proceed from here.

Preparing for encryption
As we'll use a keyfile to unlock the partitions we'll now create one (paranoid settings).

Dealing with the software raid
Remove  drive from md array

Partition the drive
We create a bios boot partition and use the remaining space for the root partition.

Encrypt partition
First we'll format the partitions

Next we add the keyfile to the root partition

Finally we open the root partition

Create filesystem, mountpoints and subvolumes
Now we format the mapped partition.

Next we create the mountpoints

Now the subvolumes

And finally we mount the whole stuff

Hot copy /
We'll now mount our running system onto  and copy everything over.

Enter the chroot
We now need to chroot into  and do the usual chroot stuff.

mtab/fstab
Check that  contains the following lines and if not, add them:

Next change  to this:

Remove md array configuration
Edit  and remove your array from it.

Build kernel and initramfs
Now we'll create the kernel with the required configuration.

Dracut
Next step is to create a new intitramfs

and we just replace the initramfs create by genkernel with the one from dracut.

Customize grub2
We'll change  to fit our needs.

For that we'll add rd.luks, rd.luks.key and rd.luks.uuid to GRUB_CMDLINE_LUNUX and add GRUB_ENABLE_CRYPTODISK=y as new line somewhere.

The rd.luks.uuid is the uuid of the encrypted (!!) partition in this case.

Now  should look like this (i use systemd!):

Generate grub.cfg
We'll use  to generate the grub.cfg

Finishing first disk
That's it for the first drive. Now we leave the chroot.

Install grub2 into MBR of  if not already done to be able to reboot into the old system in case of problems.

Now reboot.

Booting from encrypted disk
Make sure you boot from  !!

You'll be asked for the password to unlock the boot partition and after that it should boot up as normal (without further password request!)

Dealing with the software raid - Part 2
We'll now completely stop and destroy the MD array.

Partition the drive
We create a bios boot partition and use the remaining space for the root partition.

Encrypt partition
First we'll format the partitions

Next we add the keyfile to the root partition

Finally we open the root partition

BTRFS Raid 1
Now we add the second disk to the btrfs filesystem and convert it to raid1.

Dracut
Recreate the intitramfs with dracut and replace the old one.

Customize grub2
Append rd.luks.uuid for  to GRUB_CMDLINE_LINUX_DEFAULT in

Generate grub.cfg
Recreate the grub.cfg

Attention!! The current grub2-mkconfig (time of writing) creates an invalid grub.cfg. There is a bug which cannot handle multiple boot devices (see https://www.mail-archive.com/bug-grub@gnu.org/msg15384.html and https://bugzilla.redhat.com/show_bug.cgi?id=1177470).

grub2-mkconfig will generate the following broken lines in different places:

You've to search and fix them.

I'm not sure how they should look like, but this is how they look on my working system:

Also check the UUIDs are correct!

Install grub2 into MBR
Reinstall on /dev/sda

Install on /dev/sdb

Cleanup
Remove obsolete mountpoints

Backup Luks Headers
You definitely should make a backup of your luks headers as you'll not be able to rescue the data if the header gets damaged for some reason.

Reboot
At this point you should have a full encrypted and working system.

You should now reboot. Grub will ask you for the password twice as it needs to unlock both disks.

After that you should not be prompted for password input anymore.

That's it. Have fun with your encrypted system!

Systemd asks for password on wall
If systemd asks for the password on wall while your system is already bootet up, you should check /etc/crypttab and make sure your root partitions are not listed there. This is because they are already unlocked by dracut and systemd simply doesn't check that and thus tries to unlock them again which fails as the mapping device already exists.

Mapping names are build from uuid
After a reboot your root partitions mapping devices will look like /dev/mapper/. If you prefer clean names (i do) like /dev/mapper/luks-1.1 and /dev/mappper/luks1.2 you can achieve this by adding the partitions to /etc/crypttab and include it into the initramfs. But make sure to comment the lines in /etc/crypttab after you have created the initramfs!

Example of /etc/crypttab

Now include it into the initramfs.