In a multi-boot setup where every distro is encrypted separately, what is the best way to handle the bootloader?
1. A single separate boot partition which is unencrypted and is shared among all the distros;
2. Multiple (separate) boot partitions which are unencrypted, one for every distro; or
3. Some magic setup that can handle multiple encrypted /boots (each inside its encrypted root)?
If it’s the second choice above, then is this a good idea to have a single separate boot partition and use LVM to create multiple logical volumes for bootloaders of different distros?
Well… LVM can span disks, so a single encrypted LVM spanning as many drives as needed with a partitioned /boot for the OS you decide to control booting should be possible. Never seen it, but I’m guessing it would work. Personally I’d go for VMs.
I am using a single encrypted lvm, with several logical volumes - home, swap, root1, root2, root3. That allows three systems. I use a separate unencrypted “/boot” for two of those. And I keep “/boot” part of the root file system for one of them.
My experience: openSUSE is the easiest to install to an existing encrypted LVM. It can also be done with Ubuntu, but with some difficulty. I never did work out how to do that with Debian, so I cheated. I installed Debian to an external USB drive with its own encrypted LVM (created in the installer). Then I copied everything to my hard drive and existing LVM, fixed the configuration, and regenerated the “initramfs”. And it worked. But I’m not planning to try that again.
Ubuntu needs a separate unencrypted “/boot”, at least if UEFI is used for booting. I tried installing Ubuntu with “/boot” part of the encrypted root file system, and it would not boot. I was able to get it to boot, but only by using the openSUSE-installed grub. It looks as if the Ubuntu shim does not have the “cryptodisk” support needed.
For some installs, I just install to a separate partition without encryption and without swap and without a separate “/home”. Then, after the install, I modify the configuration to use swap from my encrypted lvm and to mount the home volume of my encrypted lvm at “/xhome” where I can use symlinks as needed. I set “/tmp” to use “tmpfs”. So swap and most of home are encrypted, but I leave the root filesystem unencrypted.
I don’t have any advice as to what you should do. I’ve just described what I do.
This is unrelated to shim. shim only loads grub (or any other bootloader) image from ESP, that’s all. shim is not aware of and does not work with or care about your encrypted root and ESP must not be encrypted for obvious reasons.
It is the grub image loaded by shim that must include LUKS support if /boot (or more generally, the filesystem where your kernel and initrd are loaded from) is encrypted. Apparently Ubuntu does not build its signed grub image with the necessary components. Note also that the SUSE grub2 signed image also includes only one out of many possible crypto algorithms, the one used by the SUSE installer (the default LUKS algorithm, actually). So you can manually create an encrypted container that won’t be readable by SUSE grub2 as well.
So what filesystem are you using for that shared /home partition? I’m asking that because I was just trying to share an ext4 partition between multiple distros and it wasn’t as easy as it sounds. Supposedly I have to use the same user id and group id across all the distros and then change the owner of the partition to that user and group. This seems unnecessarily complicated. Is ext4 really a good choice for sharing a partition between multiple distros?
A downside of sharing home using the same user is that different OSes may have different versions of programs, and thus possible mismatches of configuration files.
You can share your data, again assuming at least a close approximation of the versions of the programs that access it. Multimedia stuff is generally less sensitive to such variations.
Users should share a group, and that group should have read/write permission in any shared folder.
I use “ext4”. However, I usually mount that partition at “/xhome”, and keep “/home” as part of the root file system. And then I use symbolic links for what I want to share from “/xhome”. That avoids problems with incompatible desktop settings.
Yeah, I know and that’s what I have done as well. My question is, how do you handle the fact that the ext4 partition should be owned by a certain group and only that group will have write permission? Do you create a group with a certain id in every distro and then add your user to that group?
I try to keep userid and groups the same on all installed systems. Well, I only do that at the user level (userid 1000 and up). I don’t think there’s anything in the home file system owned by a system user.
I normally have 3 users, with userid 1000, 1001 and 1002. Most distros seem to use that. So the first user that I define is the one for userid 1000.
I also added two groups, with group id of 1000 and 1001. And I give those the same name as user 1000 and 1001. That works out okay with distros such as Ubuntu that create a group for each user. With openSUSE, I add those groups manually (with “vipw -g”). But some distros use odd ways of assigning groups, so I just ignore groups on those.
All users and groups are really me, so it doesn’t much matter.
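A shell audit of the uid/gid consistency the last few posts describe (same userids across installs, and a same-named group for each user so a shared ext4 home has consistent owners), added here as an example and not written by any participant in the thread. The passwd and group contents are constructed samples; on a real system you would point the functions at /etc/passwd and the other root's mounted copy, e.g. /mnt/root2/etc/passwd.

```shell
#!/bin/sh
# Added example: check that regular users (1000 <= uid < 60000) keep the same
# uid/gid across two distros' passwd files, and that each user has a group
# of the same name, as the thread recommends for a shared ext4 home.

# Print one line per user whose uid or primary gid differ between passwd
# files $1 and $2, or who exists in $1 but not in $2.
compare_passwd() {
    while IFS=: read -r name _ uid gid _; do
        [ "$uid" -ge 1000 ] && [ "$uid" -lt 60000 ] || continue
        other=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4 }' "$2")
        if [ -z "$other" ]; then
            echo "$name: $uid:$gid in $1, missing in $2"
        elif [ "$other" != "$uid:$gid" ]; then
            echo "$name: $uid:$gid in $1, $other in $2"
        fi
    done < "$1"
}

# Print users from passwd file $1 whose primary gid has no group of the same
# name in group file $2 (distros that put everyone in gid 100 "users").
missing_user_groups() {
    while IFS=: read -r name _ uid gid _; do
        [ "$uid" -ge 1000 ] && [ "$uid" -lt 60000 ] || continue
        awk -F: -v n="$name" -v g="$gid" \
            '$1 == n && $3 == g { ok = 1 } END { exit !ok }' "$2" \
            || echo "$name: no group '$name' with gid $gid in $2"
    done < "$1"
}

# Constructed sample files (not real systems): "ubuntu" creates a group per
# user; "suse" uses gid 100 for everyone and lacks carol entirely.
write_samples() {
    mkdir -p "$1"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
        'bob:x:1001:1001:Bob:/home/bob:/bin/bash' \
        'carol:x:1002:1002:Carol:/home/carol:/bin/bash' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' \
        > "$1/ubuntu.passwd"
    printf '%s\n' 'root:x:0:' 'alice:x:1000:' 'bob:x:1001:' 'carol:x:1002:' > "$1/ubuntu.group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:100:Alice:/home/alice:/bin/bash' \
        'bob:x:1001:100:Bob:/home/bob:/bin/bash' \
        > "$1/suse.passwd"
    printf '%s\n' 'root:x:0:' 'users:x:100:' > "$1/suse.group"
}

dir=$(mktemp -d); write_samples "$dir"
compare_passwd "$dir/ubuntu.passwd" "$dir/suse.passwd"
missing_user_groups "$dir/suse.passwd" "$dir/suse.group"
```

Running it on the samples reports alice and bob with a differing gid, carol missing from the second distro, and alice and bob without a same-named group there; an empty report means the installs agree.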