Install Linux Mint (or other Ubuntu derivatives) with encrypted Btrfs

Intro

I've been using Btrfs as the main filesystem on my computers for about two years now, and I wanted to share my method for getting it to work relatively painlessly on Linux Mint, though this tutorial would work on any Ubuntu derivative.

Motivation

I am a big fan of Btrfs, and feel that it's worth the time investment of doing a bit of research, because it adds many awesome features like efficient CoW snapshots, block-level send/receive functionality for progressive backups, checksums, mirroring, and transparent file compression. I've been using it for about two years now with no significant issues that I can remember.

I'm also a fan of encryption, and think encrypting the root filesystem should be a no-brainer on any laptop these days. I think the CPU overhead is something like 2% and the functionality to perform the encryption & decryption efficiently is already a feature of any modern processor, so you might as well use it.

Caveats

Before I get started: this isn't something you should just dive into. Btrfs is very feature-rich, but it has many pitfalls that might not be obvious to somebody coming from a traditional filesystem like EXT4. The most prominent example is that filling up a Btrfs partition past 80-90% is filesystem suicide.

This tutorial makes heavy use of the CLI. It's not a big issue if you don't fully understand 100% of the commands and configurations used, but if it looks like gibberish to you, this tutorial may not be appropriate for your current experience level.

Method

All Ubuntu derivatives (that I'm aware of) use the same fundamental installer. It gives you the option of creating an encrypted partition, or of manual partitioning, but not really both. Specifically, only the built-in "encrypted lvm partition" option will correctly configure the system. I'm sure it's possible to do manually as well, but it's always seemed like way too much of a pain to me. Instead, my tutorial will show you how to perform a default install and then modify it to use Btrfs.

Getting Started

Download an ISO image of your choice. I'm using Linux Mint Xfce edition because it's lightweight and I like the UI, but it would work identically using Mint Cinnamon, Lubuntu, or just regular Ubuntu. The commands will be identical for any of these systems. Write the image onto removable media, and then boot into it.

Requirements:

- An ISO of an Ubuntu version of your choice, or a derivative of one of them
- Double the free space needed for a fresh install (at least 20GB to be safe)
- An internet connection

I'm writing this with the assumption that you are using UEFI booting. The instructions work with BIOS booting as well, with minimal alterations.

Step 1

Launch the graphical installer and follow it as you normally would, choosing the encrypted partition option when it prompts for installation type. DON'T SELECT THE ENCRYPTED HOME DIRECTORY OPTION. This uses Encfs, which is a neat idea, but in the real world works poorly and doesn't have good compatibility with Btrfs. Let the installer finish all the way, but don't choose to restart the computer when you're finished.

Step 2

Identify your encrypted partition using lsblk. If it's locked, unlock it with cryptsetup open /dev/sda3 sda3_crypt (assuming your partition is sda3; it may be different). From now on, I'm going to use sda3 as the raw partition, sda3_crypt as the encrypted block device, and mint-vg-root as the logical volume. Substitute these with whatever lsblk shows if necessary.

Step 3

Now I'm going to start listing commands. I'll add some brief explanations where I feel they're necessary.

First, we want the Arch install scripts, which provide a few commands that will greatly reduce the effort. I'm adding a few extra commands that may not be necessary on all versions, but won't hurt.

Next, we rename and resize the old logical volume, and create a new logical volume to hold our Btrfs partition. By default, the root LV will take up 100% of the free space, so it needs to be resized so that there's enough room to add a Btrfs partition.

Next, we mount each of the logical volumes.

Now, we can make some decisions about subvolumes. I'm going to show the install with separate subvolumes for /home and /var. I use '@' for the root subvolume, and will layer the other subvolumes on top of that. There are lots of other ways to do it, but I feel this is the easiest way to get the bare essentials.

Now, we unmount the Btrfs filesystem and then re-mount it, using the correct subvolume and lzo compression. You could use different compression algorithms, or no compression at all, but I feel that for a desktop/laptop use case, lzo is a good option.

Now, we will copy over the entire root filesystem from the old-root logical volume to the new one (this might take a few minutes).

Now, we edit the fstab file to let Linux know about the new filesystem. We'll use genfstab from Arch to give us a hint as to what the correct file should look like, but we'll do the edit by hand. We'll also delete the old partition that's no longer needed, expand the new root partition, and then resize the filesystem.

The first entry should be the old root filesystem. Remove it or comment it out, and verify that genfstab created a sane-looking entry at the end of the file (order doesn't matter).

Now, we will enter the new system, verify that we have the right packages, set up our snapshots, and then update the initramfs and grub config.

At this point the computer will restart, and hopefully everything will have worked out fine.
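A check for both ends of this procedure, as an added example that is not part of the original tutorial: it reports whether the LUKS partition from Step 2 is unlocked and, after the reboot, whether / still sits on top of the dm-crypt mapping. The lsblk rows are a constructed sample using the tutorial's device names; the sda1 and sda2 rows are assumed.

```shell
#!/bin/sh
# Added example, not from the tutorial. Both functions read the output of
#   lsblk -P -o NAME,KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
# on stdin, so they can be tried on the constructed sample below.

# awk helper: f("KEY") returns the value of KEY="..." on the current line.
AWK_LIB='function f(k,  l) { l = " " $0
  if (match(l, " " k "=\"[^\"]*\""))
    return substr(l, RSTART + length(k) + 3, RLENGTH - length(k) - 4)
  return "" }'

# Print "<name> locked|unlocked" for every LUKS container (Step 2).
luks_state() {
  awk "$AWK_LIB"'
    { k = f("KNAME"); type[k] = f("TYPE"); parent[k] = f("PKNAME") }
    f("FSTYPE") == "crypto_LUKS" { luks[k] = f("NAME") }
    END {
      for (k in type) if (type[k] == "crypt" && (parent[k] in luks)) open[parent[k]] = 1
      for (k in luks) print luks[k], ((k in open) ? "unlocked" : "locked")
    }'
}

# Succeed only if the filesystem mounted at $1 has a dm-crypt ancestor.
on_crypt() {
  awk -v mp="$1" "$AWK_LIB"'
    { k = f("KNAME"); type[k] = f("TYPE"); parent[k] = f("PKNAME")
      if (f("MOUNTPOINT") == mp) start = k }
    END {
      for (k = start; k != ""; k = parent[k]) if (type[k] == "crypt") exit 0
      exit 1
    }'
}

# Constructed sample: the installed system after the reboot, tutorial's names.
sample_lsblk() {
  cat <<'EOF'
NAME="sda" KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda3" KNAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda3_crypt" KNAME="dm-0" PKNAME="sda3" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="mint-vg-root" KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="btrfs" MOUNTPOINT="/"
EOF
}

sample_lsblk | luks_state
sample_lsblk | on_crypt / && echo "/ is on dm-crypt"
sample_lsblk | on_crypt /boot || echo "/boot is NOT on dm-crypt"
```

On a real system, pipe the lsblk command from the header comment into either function instead of the sample.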

A couple quick reminders when enjoying your new system:

- Don't let the partition fill up past 85% or so. You'll have severe issues, which you might be able to fix, but most likely you'll end up having to reformat instead. (Normally, no data loss occurs, but don't take that for granted.)
- Set up some basic maintenance tasks. I recommend btrfs-maintenance; it includes systemd timers for all common maintenance commands.
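One way to watch the fill level, as an added example rather than the author's own tooling: it reads the output of btrfs filesystem usage -b and, going slightly beyond the reminder, also checks chunk allocation, since Btrfs can run out of room once the device is fully allocated even when the used figure looks lower. The sample output is constructed, and 85 is the threshold from the reminder above.

```shell
#!/bin/sh
# Added example, not from the tutorial. Reads the output of
#   btrfs filesystem usage -b <mountpoint>
# on stdin (-b prints raw byte counts).

# Print "<used%> <allocated%>" relative to the device size; exit 2 if unparsable.
btrfs_fill() {
  awk -F: '
    { gsub(/^[ \t]+/, "", $1); v = $2 + 0 }
    $1 == "Device size"      { size = v }
    $1 == "Device allocated" { alloc = v }
    $1 == "Used"             { used = v }
    END { if (size <= 0) exit 2
          printf "%d %d\n", used * 100 / size, alloc * 100 / size }'
}

# Return 1 with a warning when either figure reaches the limit ($1, default 85).
btrfs_fill_check() {
  limit=${1:-85}
  out=$(btrfs_fill) || return 2
  set -- $out
  if [ "$1" -ge "$limit" ] || [ "$2" -ge "$limit" ]; then
    echo "WARN: used $1%, allocated $2% (limit $limit%)"
    return 1
  fi
  echo "OK: used $1%, allocated $2%"
}

# Constructed sample: 100 GiB device, 90 GiB allocated to chunks, 60 GiB used.
sample_usage() {
  cat <<'EOF'
Overall:
    Device size:                  107374182400
    Device allocated:              96636764160
    Device unallocated:            10737418240
    Used:                          64424509440
EOF
}

sample_usage | btrfs_fill_check 85 || true
```

The sample trips the warning on allocation (90%) although only 60% is used, which is the state a periodic balance is meant to prevent.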

I made this tutorial purely for the benefit of readers, however, if you'd like to buy me a cup of coffee, you may send a donation through PayPal.

Additional Resources:

As per usual, the Arch Wiki has some great info on Btrfs.

License



This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.