Nowadays you don’t even need a /boot unless you’re doing full disk encryption and I actually recommend keeping /boot on / if you’re doing BTRFS root snapshots. Being able to include your kernel images in your snapshots makes rollbacks painlessly easy.
UEFI forum made it a requirement for motherboard constructors (hp, dell, msi…) to make their UEFI implementation to be able to at least read fat(12/16/32) filesystems. That is why you need a fat(12/16/32) partition flagged ESP (efi system partition) for holding your boot files.
So, I dont think you can do that unless you fall back to the old outdated BIOS or you have some *nix filesystem in your uefi implementation which I dont trust.
You’re only partially correct. /boot doesn’t have to also be your EFI partition. In fact, most distros by default will separate the two, with the EFI partition mounted at /boot/efi and /boot being a separate ext4 based partition. My suggestion is that, if you’re running BTRFS, you should merge /boot and / as one partition. You’re still free to have a FAT32-based EFI mounted at /boot/efi or better yet /efi.
I am guessing you’re on systemd-boot? Yeah, one of the reasons why I hesitate to use it is how it requires EFI contain the kernel images. I am currently using refind.
Full disk encryption can be done without a separate /boot if your bootloader is modern enough. It’ll ask you for your password before the GRUB/sysyemd-boot/rEFInd OS selection screen.
I’ve made this work on Manjaro and Ubuntu without too much effort. My only mistake was not putting swap in a separate partition, leading to some painful problems when it comes to hibernating the system.
If you use the same LUKS container for the swap file and the root partition, you’ll only need to enter your password once to unlock the single LUKS container. The UEFI bootloader can then load the kernel and initramfs from the encrypted partition without a separate boot partition.
If all you’re trying to protect against is someone ripping out the SSD and running away with it, you can even go as far as have an encrypted filesystem without ever having to enter any password by leveraging the TPM. A TPM can also help strengthen a password encrypted partition, but the password free encryption makes encryption as easy as Bitlocker on Windows 11. Sadly, there’s not a lot of support for this in most distro installers.
Shrinking partitions is quite annoying already because you have to do that offline, and my LUKS+BTRFS setup isn’t very well suited for advanced partition operations. I’d also need to enter my password twice if I don’t retroactively add LVM to the mix. BTRFS works perfectly fine, but its management tools aren’t as reliable and mature as their ext4 counterparts.
Nowadays you don’t even need a /boot unless you’re doing full disk encryption and I actually recommend keeping /boot on / if you’re doing BTRFS root snapshots. Being able to include your kernel images in your snapshots makes rollbacks painlessly easy.
UEFI forum made it a requirement for motherboard constructors (hp, dell, msi…) to make their UEFI implementation to be able to at least read fat(12/16/32) filesystems. That is why you need a fat(12/16/32) partition flagged ESP (efi system partition) for holding your boot files.
So, I dont think you can do that unless you fall back to the old outdated BIOS or you have some *nix filesystem in your uefi implementation which I dont trust.
You’re only partially correct.
/bootdoesn’t have to also be your EFI partition. In fact, most distros by default will separate the two, with the EFI partition mounted at/boot/efiand/bootbeing a separateext4based partition. My suggestion is that, if you’re running BTRFS, you should merge/bootand/as one partition. You’re still free to have a FAT32-based EFI mounted at/boot/efior better yet/efi.I use systemd-boot and my mount point is /efi. /efi/EFI/ is where my bootloaders live.
If I rollback to an old enough snapshot, I have to reinstall my kernels from a chroot. It’d be cool if I could get around that.
Where’s your /boot?
Separate FAT32 part.
It has been a while since I used grub that I forgot tgat esp could only be used to hold the boot files residing on /boot/efi.
I am guessing you’re on systemd-boot? Yeah, one of the reasons why I hesitate to use it is how it requires EFI contain the kernel images. I am currently using refind.
Yeah, I’m on systemd-boot, it requires the kernel to be located in the ESP partition which I mount in /boot, resulting in cleaner setup.
Full disk encryption can be done without a separate /boot if your bootloader is modern enough. It’ll ask you for your password before the GRUB/sysyemd-boot/rEFInd OS selection screen.
I’ve made this work on Manjaro and Ubuntu without too much effort. My only mistake was not putting swap in a separate partition, leading to some painful problems when it comes to hibernating the system.
I’ve heard that you have to put in your encryption pw twice if you do it that way no?
Out of curiosity, what’s stopping you from shrinking the partition and adding a swap partition?
If you use the same LUKS container for the swap file and the root partition, you’ll only need to enter your password once to unlock the single LUKS container. The UEFI bootloader can then load the kernel and initramfs from the encrypted partition without a separate boot partition.
If all you’re trying to protect against is someone ripping out the SSD and running away with it, you can even go as far as have an encrypted filesystem without ever having to enter any password by leveraging the TPM. A TPM can also help strengthen a password encrypted partition, but the password free encryption makes encryption as easy as Bitlocker on Windows 11. Sadly, there’s not a lot of support for this in most distro installers.
Shrinking partitions is quite annoying already because you have to do that offline, and my LUKS+BTRFS setup isn’t very well suited for advanced partition operations. I’d also need to enter my password twice if I don’t retroactively add LVM to the mix. BTRFS works perfectly fine, but its management tools aren’t as reliable and mature as their ext4 counterparts.