Encrypted BTRFS with bootable snapshots

Upon facing an issue preventing me from booting to my openSUSE Tumbleweed installed on Thinkpad T470s I found out that despite I’m using BTRFS, I don’t have bootable snapshots. I have no idea why, I thought it should be managed automatically by snapper and grub.

Nevertheless, if I don’t solve the issue linked above, I’ll need to reinstall the laptop since I need it functional. This time I will probably try Leap 42.3 instead of Tumbleweed but I haven’t decided yet and either way I really want to have bootable BTRFS snapshots on an encrypted drive. What setup would you recommend?

Assumptions:

  • It needs to be a dual boot with the already installed Windows 10.
  • The Linux partition needs to be encrypted.
  • I want automatic snapshots (e.g. pre-update) that are bootable and easily selectable from Grub.
  • If it can be helped, I want to only type my password once (i.e. not once to unlock grub and then again to unlock root for boot). Not sure if this is doable without separate /boot partition.

Current setup of my SSD:

> sudo fdisk -l /dev/nvme0n1
Disk /dev/nvme0n1: 477 GiB, 512110190592 bytes, 1000215216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xef7fc9f1

Device         Boot     Start        End   Sectors   Size Id Type
/dev/nvme0n1p1           2048    1026047   1024000   500M  7 HPFS/NTFS/exFAT
/dev/nvme0n1p2 *      1026048  369666047 368640000 175.8G  7 HPFS/NTFS/exFAT
/dev/nvme0n1p3      369666048  370491391    825344   403M 83 Linux
/dev/nvme0n1p4      370491392 1000214527 629723136 300.3G 8e Linux LVM

Any advice?

This is doable although with some manual intervention. To have rollback support (note that you can have snapshots always, this is not really a problem; I presume you want support for booting into snapshots) you need /boot on root filesystem, so you need to unlock it in grub. To avoid prompt for passphrase in Linux you can add second key and place it on initrd; it is possible to configure dracut to use this file to unlock root. At least I was successful for proof of concept. I think I described this in one of recent discussions, do not have reference handy … I think it is here: How to automatically unlock LUKS encrypted root with a keyfile from a USB - Install/Boot/Login - openSUSE Forums You can ignore external USB, it just adds more complication, but idea is to have keyfile that is then copied to initrd.

Thanks. Is the manual intervention done once and then lasts “forever” or does it need to be fixed e.g. after each kernel update etc.?

Can you please explain why the /boot needs to be on the same btrfs partition to have bootable snapshots from grub? If I remember correctly, I had this with a separate /boot on Debian some time ago.

Also sub-question. If I have Leap installed already with separate /boot partition, is it easily doable to move /boot to the btrfs partition and start using the bootable snapshots or is reinstall an easier way?

It should be once only.

Can you please explain why the /boot needs to be on the same btrfs partition to have bootable snapshots from grub?

Because kernels are in /boot and you need matching modules. Otherwise rolling back to previous snapshot will likely lose modules for kernel currently present in /boot.

If I remember correctly, I had this with a separate /boot on Debian some time ago.

I cannot discuss what I have not seen.

Also sub-question. If I have Leap installed already with separate /boot partition, is it easily doable to move /boot to the btrfs partition and start using the bootable snapshots?

It is easy to move /boot into /, but it requires some additional subvolume setup that is not really documented anywhere so if possible, reinstalling is more simple.

OK, I admit that I’ve always found partitioning in the openSUSE installer very confusing so maybe I’m doing something wrong but in Leap 42.3 installer I edited the “proposed settings” like this:

  • Encrypted LVM-based proposal
  • Btrfs with snapshots enabled for root partition
  • Do not propose separate home partition
  • Do not enlarge swap for suspend.

When I confirm this selection though, the installer proposes a separate ext4 partition for /boot. Why would it do so? As far as I understand this thread, I can’t have bootable snapshots with separate /boot. Are bootable snapshots not what the default setup should include?

Couldn’t another not-encrypted btrfs partition do the same service though?

Are you using EFI or legacy BIOS?

Couldn’t another not-encrypted btrfs partition do the same service though?

I do not understand this question.

Legacy. Does this make a difference?

If I understand it correctly, I need /boot on btrfs to make sure that the kernels there are in sync with the modules in / if I want to boot into another snapshot. Therefore I asked whether the /boot btrfs subvolume must be on the same partition as the / or if it is possible to have two separate btrfs partitions (one not-encrypted for /boot and one encrypted for the rest) that would both have “synchronized” snapshots - therefore I could select respective snapshots on these two partitions for boot.

It’s mostly a theoretical question whether this way can lead to typing password only once while booting.

Yes. For some reasons installer only offers encrypted /boot on EFI. You can go to expert partitioner and delete /boot partition and it should work.

if it is possible to have two separate btrfs partitions … that would both have “synchronized” snapshots

snapper assumes one partition for root; I do not think it supports it.

Thanks for the explanation.

So finally I solved my original problem and so now re-installing is not the only option thankfully. Could you please point me to any relevant sources regarding this subvolume setup?