Is it possible to have btrfs encrypted?

Hi;

I compared Kali, Kaisen and Parrot, and I’m pretty convinced to use Kaisen over Parrot, but one thing I can’t reproduce with Kaisen is how to install on an encrypted btrfs.
I mean, in Parrot, like in Kaisen, btrfs is the default, but you could easily enable LUKS as an underlayer, which results in one unique partition.

Otherwise, if it is not possible with Kaisen, how would you proceed to ensure that timeshift and snapper are working properly?

ideal scenario

/ encrypted with LUKS then btrfs inside
/home encrypted with LUKS then xfs inside

backup and snapshot

  • you only take snapshot of /
  • and backup /home

workaround

option1

/boot btrfs
/ encrypted with LUKS then btrfs inside
/home encrypted with LUKS then xfs inside

option2

/boot xfs
/ encrypted with LUKS then btrfs inside
/home encrypted with LUKS then xfs inside

your option

Hello,

Since version 1.6, BTRFS snapshots are integrated by default in Kaisen (automatic snapshots via APT, and possibility to use Snapper/Timeshift/Btrbk for snapshots at any time).
LUKS is usable on Kaisen, you have to select it when partitioning disks. You can also use BTRFS with separate / and /home, and other partitions if you want, but you have to do it manually in the installer and encrypt the partitions manually.

What you indicate is perfectly possible.

I have already made sure that snapper and timeshift work, everything is created and installed during the installation of the distribution to make sure they work (creation of subvolumes, installation of tools…).

You can’t make snapshots of an XFS partition.

If you partition your disk with /home separate from /, with timeshift you can take snapshots of /home as well as /.

I am forced to separate /boot and / on encrypted partitions, because GRUB 2.04 currently in use cannot boot via LUKS2 partitions without a /boot partition.
This is not a bug, it is normal behavior.

You don’t have to use BTRFS on all partitions either, just change it on the partition you want.
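
The layout discussed in the posts above (plain /boot, / on LUKS with btrfs, /home on LUKS with xfs) can be checked from `crypttab` and `fstab`. This is an added example, not part of the original thread or of Kaisen's tooling; the two tables are constructed samples, and the mapping names, subvolume names and the `audit_layout` function are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify each fstab mount as LUKS-backed or plain, and as
# btrfs (snapshot-capable) or not. Both tables below are constructed samples.

SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
root_crypt UUID=1111-constructed none luks
home_crypt UUID=2222-constructed none luks'

SAMPLE_FSTAB='# <device> <mountpoint> <type> <options> <dump> <pass>
UUID=0000-constructed /boot xfs defaults 0 2
/dev/mapper/root_crypt / btrfs subvol=@ 0 0
/dev/mapper/root_crypt /.snapshots btrfs subvol=@snapshots 0 0
/dev/mapper/home_crypt /home xfs defaults 0 2'

# audit_layout CRYPTTAB_TEXT FSTAB_TEXT
# Prints "<mountpoint> <luks|plain> <snapshots|no-snapshots>" per fstab entry.
audit_layout() {
    # Collect the /dev/mapper names that crypttab will open at boot.
    al_mapped=" "
    while read -r al_name al_rest; do
        case $al_name in ''|'#'*) continue ;; esac
        al_mapped="$al_mapped/dev/mapper/$al_name "
    done <<EOF
$1
EOF
    # A mount is LUKS-backed if its device is one of those mappings;
    # only btrfs mounts can be snapshotted.
    while read -r al_dev al_mnt al_type al_rest; do
        case $al_dev in ''|'#'*) continue ;; esac
        case $al_mapped in
            *" $al_dev "*) al_enc=luks ;;
            *)             al_enc=plain ;;
        esac
        if [ "$al_type" = btrfs ]; then al_snap=snapshots; else al_snap=no-snapshots; fi
        printf '%s %s %s\n' "$al_mnt" "$al_enc" "$al_snap"
    done <<EOF
$2
EOF
}

audit_layout "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"
```

On a real system, pass the contents of `/etc/crypttab` and `/etc/fstab`; entries that reference the mapped device by `UUID=` rather than `/dev/mapper/<name>` will be reported as plain by this simple match.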

I’m used to using OpenSUSE with snapper.
When you have an issue with OpenSUSE, from the GRUB menu you can boot from a previous snapshot in read-only mode, then restore it and reboot. But this is only possible if your /boot is within /, not in a separate partition, not like:
sda1 /boot/efi
sda2 /boot
sda3 /

So, I guess my question is more: is that kind of selection for restoration from GRUB possible too with Kaisen, and if yes, which partition scheme do you suggest if I want / (root) encrypted, which is possible and proposed during the installation with Parrot?

Here is an image, which might make it clearer:

  • sgdisk mentions only one partition
  • crypttab only shows one partition
  • fstab mounts the same partition 2 times

I already tried to implement this feature (even before Kali, about a year ago), but the problem was that Docker volumes were interpreted as a snapshot by GRUB.
Considering the needs of the distribution and the fact that I can’t fix this behavior, I abandoned the idea.

On Kaisen, remember, I use GRUB 2.04, I am forced to have a really separate /boot to be able to boot the distribution if the / is encrypted.

What I recommend, and what I also do on my machines is to let the automatic partitioning do its job, you will have /boot and /.

On Kaisen, the software apt-btrfs-snapshot is used to make an automatic snapshot when APT is used (it’s an apt hook). This ensures that if an update goes wrong (even if it happens rarely), you can roll back via the CLI or a live system; the documentation talks about it: https://kaisenlinux.org/documentation/advanced-btrfs-utilisation.html#snapshots

During the update process, if you see that something went wrong, you just have to go back to the snapshot that was taken.

It’s not as advanced and practical as starting on these snapshots via GRUB, there are some extra steps, but the behavior is the same.

Personally, I use Timeshift for punctual snapshots. It works very well with separate /boot and / partitions and even handles the /home snapshot if it is separate.

For snapper, it should work the same way as Timeshift with some configuration :slight_smile:

I guess you get this behavior with Parrot (/boot not separated from /), because you used the Calamares installer provided by Parrot. I have used it via Kaisen in the past (on release 1.2), but I had too many problems with it, so I gave up the idea. Calamares handles encryption differently via LUKS which allows not to separate partitions, but I noticed that the keyboard language was not necessarily adapted (it was QWERTY by default, I’m in AZERTY for example, at least when I did it at the time, it may have changed since then).

Also for customization reasons and to make sure that the system is installed correctly according to the user’s choices, I have post-installation scripts that run via d-i at the end of the Kaisen installation. This was less convenient to integrate via Calamares.

Simply wow; thank you, Kevin, for your time, work and commitment.

It is rare to find a great product with honest and good support where they, and especially the founder, take time to reply, give knowledge and share their experience.

Over my 30+ years in the OpenSource/Linux world I have seen a lot of projects, and not only do you know your stuff, you can make it accessible and stay humble.

I’ll definitely continue to explore more Kaisen and attempt to stick around to help others.

I thank you for this message, it is extremely pleasant.

I do my best to help people who have questions about Kaisen. I think it’s important outside of the product to be able to guide and answer requests and take time for that.

Developing a product can’t be done without user feedback :wink:
