Please enter CoinGecko Free Api Key to get this plugin works.

Partner links

Disk encryption with Calamares, the Linux installer

Calamares is the graphical installation program that you’ll most likely use to install many popular and not-so-popular Linux distributions. That’s because its development is not tied to a specific distribution and adoption by desktop distributions has been encouraging.

In this article, you’ll learn how to use its disk encryption feature to enhance the physical security posture of a supported Linux distribution. And we’ll look at how to use that feature when a Linux distribution is being installed in standalone mode and also when it’s being installed alongside Windows 10 in dual-boot setup.

The images used in this article were taken from test installations of Manjaro 16.10 in standalone mode in a virtual environment, and from a dual-boot setup between Manjaro 16.10 KDE and Windows 10 on a Lenovo G50 laptop.

Figure 1 shows the disk partitioning options available on the latest edition of Calamares. The program has no default method.

Calamares disk partitioning options

Figure 1: Disk partitioning options of Calamares

Disk Encryption in Calamares in Standalone Mode

With the Replace a partition option, you can select a free portion of the disk that you wish to install the Linux distribution on, or an occupied partition that you wish to erase. The installer will auto-partition it for you. It will also encrypt it if you select the Encrypt system option.

Calamares replace disk partition

Figure 2: Replace disk partitioning option of Calamares

If your choice is the Erase disk option, then selected Encrypt system, the installer will erase and encrypt the whole disk.

Calamares erase disk partition

Figure 3: Calamares erase disk partition option

At the next screen, after selecting one of the previous options, the installer will display the partitions that will be encrypted. All partitions, including the swap partition, are encrypted.

Calamares disk partition

Figure 4: Calamares disk partition confirmation

After installation and reboot, you’ll be prompted for the encryption passphrase before the GRUB boot menu is displayed. As shown in Figure 5, the system is asking for a passphrase to decrypt hd0,msdos1. That’s the first partition of an MBR-partitioned disk. And this is when you get to experience the benefit of disk encryption. The system will not boot if the correct encryption passphrase is not specified. So if another party gains unauthorized, physical access to the computer while it’s not turned on, you can be rest assured that the system will not boot. The other side of that, is if you forget the encryption passphrase, same deal happens to you. You won’t be able to brute-force your way in.

Calamares decrypting a disk

Figure 5: Calamares decrypting an encrypted disk

This is what happens when the correct disk encryption passphrase is specified – you’re presented with the GRUB boot menu. Now you may boot into your favorite Linux distribution.

Linux GRUB boot menu

Figure 6: GRUB boot menu after disk has been decrypted

Disk Encryption in Calamares When Dual-booting with Windows 10

Setting up a dual-boot system using a Linux distribution that uses Calamares and Windows 10 with the Linux side encrypted is just as easy in standalone mode. The recommended approach to that is to select the Manual partitioning option.

Manual disk partitioning option of Calamares

Figure 7: Manual disk partitioning option of Calamares

This and the next two images show how to create an encrypted custom set of partitions using the installer’s partition editor. In Figure 8, the root partition is encrypted. To encrypt any partition, simply select the Encrypt option, then specify and confirm the encryption passphrase.

Calamares encrypted root partition

Figure 8: Creating an encrypted root partition in Calamares

Same was done when creating the partition mounted at /home.

Calamares encrypted home partition

Figure 9: Creating an encrypted home partition in Calamares

And for the swap partition too. It is very important that you encrypt all partitions, except for a partition mounted at /boot or /boot/efi. Also use the same encryption passphrase for each.

Calamares encrypted swap partition

Figure 10: Creating an encrypted swap partition in Calamares

At the installer’s manual disk partitioning window, the partitions marked for encryption will have LUKS in the File System column.

LUKS-encrypted Linux partitions

Figure 11: LUKS-encrypted partitions created with Calamares in a dual-boot setup with Windows 10

After a successful installation and reboot, you’ll be prompted for the encryption passphrase before the GRUB boot menu is displayed. In this image, notice that the system is asking for a passphrase to decrypt hd0 gpt5. That corresponds to the root partition of the Linux side of the business. Contrast that with the situation in Figure 5, during a standalone mode setup.

Decrypting a disk encrypted with Calamares

Figure 12: Decrypting a disk encrypted with Calamares in a dual-boot setup with Windows 10

Note that on the test system I used for this article, if the GRUB Boot Manager is the default boot manager, I had no problem booting into either operating system. However, when I set the default boot manager to Windows (10) Boot Manager, the system will not boot. What I got instead, is shown in Figure 13. Not sure why, but that’s how it worked on mine. If your experience is different, post a comment.

Figure : GRUB error when Windows Bot Manager is the default in a Calamares disk encrypted setup

Figure 13: GRUB error when Windows Bot Manager is the default in a Calamares disk encrypted, dual-boot setup with Windows 10

And that’s how you can encrypt your Linux installation if the distribution uses the Calamares graphical installer – in standalone and dual-boot mode.



Partner links

Newsletter: Subscribe for updates

Notify of
Inline Feedbacks
View all comments
Robert Rettig
Robert Rettig
2 years ago

grub encryption input language is most of the time english. but the world is more than that.
if you configure a complex passphrase or using a token you might get into troubles.
the calamaras installer does not recognize the current input language and will not setup grub to use the same input as at install time.
I hope someday open source will accept the world and not some exotic singularity.

Homer Nevis
Homer Nevis
5 years ago

Regarding the problem you’ve encountered preventing you to boot Windows 10 through the Windows Boot Manager on a FDE [Full Disk Encryption] Linux installation you can try the following (credits to Linux22,

“If you want to resolve this last error you must break a taboo …

You must edit the ‘grub.cfg’ file in your directory ‘/boot/grub’, search for the menuentry ‘Windows Boot Manager’ and comment out the line ‘cryptomount -u’ with a # …

Remember that you need root privileges for editing these files.”

Get the latest

On social media

Security distros

Linux distros for hacking and pentesting

Crypto mining OS

Distros for mining bitcoin and other cryptocurrencies

Crypto hardware

MSI GeForce GTX 1070
Installing Nvidia GTX 1070 GPU drivers on Ubuntu

Disk guide

Beginner's guide to disks & disk partitions in Linux

Bash guide

Bash shell terminal
How to set the PATH variable in Bash
Hya, what do you think? Please comment.x