elementary OS — Encrypted Install on BTRFS!

elementary OS’ install process is very straightforward and simple. Making it incredibly easy to install the OS and presenting an encrypted installation as a front-and-center option, explaining the benefits of doing so, while most other installers simply have a checkbox for encryption with very little reasoning or encouragement for why users should consider it.

I really appreciate this aspect of elementary OS, but there is one small catch… If you plan on using the encrypted option, you will be stuck with the Ext4 filesystem. While most users will probably not care or even realize this is the case, there’s a growing number of users just like myself who very much prefer more featureful filesystems with modern qualities. For me, this ideal filesystem is BTRFS. So, installing elementary OS with an encrypted BTRFS layout vs the traditional Ext4 layout took me a bit of fiddling, but I’m here to lay it down. Note that this will require a full disk, and will erase all data on that disk!

Installing elementary OS

The very first thing you’ll need to do is boot into the Live USB. You can grab a copy of elementary OS from their website. Once you’ve booted in, proceed through the initial installer prompts for setting language, keyboard layout, locale, etc.

Once you’ve done this, select the option labeled “Erase Disk and Install”, choose your disk, and then choose the “Choose Password” option when asked about the encrypted install.

Enter the encryption password you’d like to use, and allow the installation to finish. Once complete, shut down the machine. Then, boot up once more with the same Live USB.

Decrypting The Root Partition

Now that you’ve got a freshly installed and encrypted elementary OS configuration on your disk, you’ll need to make some tweaks in the Live USB to swap out Ext4 for BTRFS. Once you’ve booted in, proceed through the initial installer steps for language, keyboard, etc. Once you’re at the screen which asks you what you’d like to do, choose the “Custom Install”. You’ll be presented with a screen showing your disks/partitions and a button on the bottom left saying “Modify Partitions”. Select this, and GParted will open.

In GParted, you should see your diskOh and BTW, seeing “volume group data not found” before cryptsetup decryption happens is totally normal. It’s just the wait with a few partitions. The one we want to interact with though will say “[Encrypted]”. Right click on that partition and choose “Open Encryption”. It will prompt you for a password. This will be the password you chose for your encrypted installation.

Once it’s unlocked, close GParted. Then, in the installer, press the “Back” button. You’ll then be at the screen with your installation options. Choose “Try Demo Mode”, and we’ll proceed to convert the now unlocked Ext4 partition to BTRFS.

Converting Ext4 To BTRFS

Now, open the Terminal, and proceed with the following command:

sudo btrfs-convert /dev/mapper/data-root

(Please note that your data-root may have a slightly different name if you have had pre-existing LVM installations. You may see something like “data_DeBho-root” instead. Adjust accordingly!)

Once this completes, you’ll then need to obtain the new partition’s ID so your system will point to it when you boot up. You can do so with the following command:

sudo blkid /dev/mapper/data-root

This will print two IDs. You need the first one. Copy that value. For instance, mine is 0ba0ded5-fc9b-496d-9d93–29f34dda205b.

Changing The FSTAB

Now, mount the BTRFS partition so we can make the necessary changes. You can do so with the following command:

sudo mount /dev/mapper/data-root /mnt

Then, edit the FSTAB file found at /mnt/etc/fstab. I’ll use nano, in this instance. sudo nano /mnt/etc/fstab

You should see something like the picture above. The line you’re looking to edit is the one with / and ext4. Replace the existing UUID with the one you copied from the earlier command. Then, change ext4 to btrfs and change noatime,errors=remount-ro to noatime,defaults.

If you would like to enable compression, you can also add compress to that list. And if you’d like to use a specific compression algorithm and level, such as ZSTD, you can add something like compress=zstd:1. I personally use ZSTD level 6. The resulting line should be something like noatime,defaults,compress=zstd:1.

Once you’ve made these changes and added the features you like, save the file and reboot your system.

You should reboot to a fresh elementary OS installation with the glorious benefits of BTRFS and encryption! If you’d like some basic information on your BTRFS filesystem, or want to fiddle with anything, be sure to install the btrfs-progs package in the terminal with sudo apt install btrfs-progs

You should then be able to see your BTRFS root filesystem by running sudo btrfs filesystem show.

Enjoy!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store