Hi Joshua Joshua Branson writes: [...] >> Why using two BTRFS volumes on top of LVM and not directly using BTRFS >> (with subvolumes if you want) on top of /dev/mapper/partname? > > This is probably a good idea...however does the grub payload support > this? Do you mean: does grub support booting from encrypted BTRFS? The answer is yes. WARNING: I've (still) not tried myself to boot Guix System using an encrypted BTRFS (sub)volume but I'm pretty confident that Guix is configuring grub with the needed modules (luks and btrfs) [...] >> I'm still using LVM on some "legacy" systems but for new installations >> I'd strogly suggest starting using BTRFS on top of "physical" >> partitions. > > does btrfs volume manage allow use to use ext4, jfs, or xfs > filesystems? No: BTRFS is a volume manager and a filesystem "all in one", you cannot create a BRTFS subvolume and format it with another filesystem > Or does on LVM do that? LVM is "just" a volume manager with no idea about the overlaying filesystem [...] >> I know that since Linux 2.6 swapfile performance is not a big issue if >> the file is unfragmented (and it'll be for sure on newly partitioned >> filesystems) but AFAIU swap files are still a little bit problematic on >> BTRFS >> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F: > > Ok...maybe we could use ext4 for the swap file? Is there a better > filesystem? Again does btrfs volume management allow the swap file to > be ext4? No, al explained above > Or do we have to use LVM? If we use a dedicated partition for swap there is no need to set up an LVM volume (phisical, VG and then logical): we can just create a dedicate partition during partitioning, encrypt it with LUKS and "mkswap" it (e.g. mkswap /dev/mapper/) [...] >> Final note: AFAIU BTRFS supports swap files ONLY in single device >> settings (that is: NO swap file support on multi device settings), so >> IMHO it's better to use a dedicated partition for the swap space so >> users are free to switch to a multi-device setting if they wish (and >> can). > > Ok, I will create a dedicated partition and format it with ext4 > and the swap program There's no need to format (mkfs.ext4) the partition with ext4, just "mkswap" it :-) > ...but I will probably need help figuring out how to encrypt > the swap partition...There are guides online that I can look at... You have to encrypt it like any other partition, e.g.: --8<---------------cut here---------------start------------->8--- Encrypt swap the partition. Follow the prompts. @example cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \ --verify-passphrase --use-random --key-size 512 --iter-time 500 \ luksFormat /dev/ @end example Obtain and note down the UUID of the LUKS partition. @example cryptsetup --verbose luksUUID /dev/ @end example Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID, and @code{crypt_swap01} is any desired name for the decrypted swap partition. @example cryptsetup --verbose luksOpen UUID=luks-uuid crypt_swap01 @end example Format the encrypted swap @example mkswap /dev/mapper/crypt_swap01 @end example --8<---------------cut here---------------end--------------->8--- Then, in our (operating-system) declaration, we have to use something like this: --8<---------------cut here---------------start------------->8--- (mapped-devices (list (mapped-device (source (uuid "LUKS-UUID")) (target "partname") (type luks-device-mapping)) ;; This is our new encrypted swap partition (mapped-device (source (uuid "SWAP-LUKS-UUID")) (target "crypt_swap01") (type luks-device-mapping)) (mapped-device (source "vgname") (targets (list "vgname-lvnameroot" "vgname-lvnamehome")) (type lvm-device-mapping)))) (swap-devices (list "/dev/mapper/crypt_swap01")) --8<---------------cut here---------------end--------------->8--- WARNING: please consider I've not tested this code. >> The problem with a fully encrypted dedicated swap partition is that >> it'll require a third passphrase prompt on boot (the one to unlock the >> swap partition), but that's a minor annoyance IMHO. > > Oh no! I hadn't thought about that! grrr! Actually what I said it's NOT true... or better: we could avoid the (third) password prompt for the swap partition if we _add_ a keyfile to the LUKS encrypted swap partition _and_ we have a mechanism to "luksOpen" that mapped volume using that keyfile. I'm not aware of such a mechanism on Guix Systems, in Debian (et al) this is done with /etc/crypttab, AFAIU the luks-device-mapping lacks the option to specify a keyfile. So, as far as this cookbook section is concerned, unfortunately when using a dedicated encrypted swap partition an additional passphrase prompt will be presented to the user at each boot. > I wonder if bcachefs is better than btrfs...well I guess it's not > merged yet. No, still not. AFAIU also still not available in Guix. > What about instead of using a swap file we use zram? Never used zram and I don't know if it's supported (I mean configured by (operating-system)) on Guix System [...] Sorry I've more issues than answers on this topics, nevertheless I hope it somway helps. Thanks! Gio' -- Giovanni Biscuolo Xelera IT Infrastructures