Encrypted Multiboot with Calamares and EFI

This article will show you how to set up a multi-boot system with LUKS encryption and EFI using the Calamares installer.

Calamares is an installer used by many Linux distributions. It supports a large number of filesystems and disk layouts. However, creating a multiboot setup still requires a few manual steps. This article describes one such layout.

The final disk layout will look like this:

/uploads/2023/10/image.png

Partition 1 is a 300MB EFI partition. It contains files for booting the 2 encrypted systems installed on Partitions 2 and 3. Partition 4 is a common data partition that is also encrypted and can be accessed from both systems.

I’ll be using Asmi 23.10 as an example but you can use any Linux distribution that uses the Calamares installer (Debian, Lubuntu, ArchLinux, Manjaro, etc).

Create Partitions

Boot the Linux distribution ISO that you want to install. Start GParted and partition the disk as shown below.

Install the first system

Start the installer and select Manual partitioning.

/uploads/2023/10/image-23.png

In order to create an encrypted partition with Calamares we need to delete the existing Partition 2 and create it again. Select Partition 2 and click Delete.

/uploads/2023/10/image-24.png

Now select the free space and click Create to create a new partition. Select the filesystem as EXT4 or BTRFS. Check the checkbox for encrypting the partition and enter the boot password that you want to use.

Select Partition 1 and select the mount path /boot/efi from the drop-down. Select the boot flag from the list.

Note: GRUB now supports the decryption of encrypted root partitions. Creating a separate unencrypted boot partition is no longer necessary if you are using Calamares.

Click Next and finish the installation.

First Boot

When you boot the system you will be prompted for the password. This prompt is shown by the GRUB bootloader.

/uploads/2023/10/image-8.png

Enter the password and log in to the system.

Modify ESP files

Check the folder name that was created on the EFI partition. This is usually ubuntu for Ubuntu-based distributions.

sudo ls -la /boot/efi/EFI
/uploads/2023/10/image-9.png

Let’s rename the folder to avoid conflicts. Rename it sys1 as shown below or use any other name that you prefer.

sudo mv -vf /boot/efi/EFI/ubuntu /boot/efi/EFI/sys1
/uploads/2023/10/image-10.png

If you look in this folder you will see that it contains a grub.cfg file with information about the encrypted partition. We will now create a grub.efi file to boot the system.

echo 'acpi afsplitter all_video archelp bitmap bitmap_scale boot btrfs bufio chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efifwsetup efi_gop efinet efi_uga ext2 extcmd font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux loadenv loopback lsefi lsefimmap lsefisystab lssal luks lzopio mdraid09 mdraid1x memdisk minicmd mmap normal ntfs part_apple part_gpt part_msdos password_pbkdf2 pbkdf2 play priority_queue probe procfs raid5rec raid6rec reboot regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal test trig true video video_bochs video_cirrus video_colors video_fb xzio zfscrypt zfsinfo zstd' | sudo tee /root/grub-modules > /dev/null

sudo grub-mkimage -c /boot/efi/EFI/sys1/grub.cfg -o /boot/efi/EFI/sys1/grub.efi -O x86_64-efi -p grub/ $(sudo cat /root/grub-modules)
/uploads/2023/10/image-11.png

Install Refind Boot Manager

Now install Refind. This is a boot manager that will display a menu to boot multiple operating systems. It will detect the grub.efi file we created earlier and show an entry for booting the system.

sudo apt install -y refind

/uploads/2023/10/image-13.png
/uploads/2023/10/image-12.png

Install a Refind theme for a better look. The command below downloads the theme's install script and pipes it directly into bash.

wget -O - https://packages.teejeetech.com/scripts/install-refind-theme-regular.sh | bash

Reboot the system.

You will be greeted by the Refind boot screen. Select the boot entry for the grub.efi file that we generated earlier.

/uploads/2023/10/image-14.png

Refind will chain load the GRUB bootloader from the grub.efi file. GRUB will then prompt for the password as it did earlier. Enter the password and log in to the system to ensure that the boot entry is working.

/uploads/2023/10/image-15.png

Note: The other 2 entries displayed on the boot menu are not needed. You can hide them by selecting the entry with the arrow keys on your keyboard and hitting Delete.

Install Additional Distributions

Now boot from the ISO of the 2nd Linux distribution that you want to install and repeat the steps given above.

  • Start the installer and choose Manual Partitioning
  • Delete Partition 3 and create it again. You can enter the same unlock password or set a different password for the second system. Mount Partition 1 to /boot/efi without reformatting the partition.
  • Finish the installation and boot the new system
  • Rename the ubuntu folder to sys2, and then generate the grub.efi file in the /boot/efi/EFI/sys2 folder.

sudo mv -vf /boot/efi/EFI/ubuntu /boot/efi/EFI/sys2

echo 'acpi afsplitter all_video archelp bitmap bitmap_scale boot btrfs bufio chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efifwsetup efi_gop efinet efi_uga ext2 extcmd font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux loadenv loopback lsefi lsefimmap lsefisystab lssal luks lzopio mdraid09 mdraid1x memdisk minicmd mmap normal ntfs part_apple part_gpt part_msdos password_pbkdf2 pbkdf2 play priority_queue probe procfs raid5rec raid6rec reboot regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal test trig true video video_bochs video_cirrus video_colors video_fb xzio zfscrypt zfsinfo zstd' | sudo tee /root/grub-modules > /dev/null

sudo grub-mkimage -c /boot/efi/EFI/sys2/grub.cfg -o /boot/efi/EFI/sys2/grub.efi -O x86_64-efi -p grub/ $(sudo cat /root/grub-modules)

sudo apt install -y refind

wget -O - https://packages.teejeetech.com/scripts/install-refind-theme-regular.sh | bash
/uploads/2023/10/image-28.png
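
With two systems installed, it is worth confirming that each folder on the ESP has its grub.efi and that sys1 and sys2 unlock different LUKS volumes. The script below is an added example, not part of the original post. It assumes the folders are named sys* and that each stub grub.cfg contains a "cryptomount -u <uuid>" line; the sample tree and UUIDs are constructed.

```sh
#!/bin/sh
# Added example: report which LUKS volume each ESP folder's GRUB stub unlocks.
# Assumptions: folders are named sys*, each grub.cfg has "cryptomount -u <uuid>".

# Print the UUID from the first cryptomount line (dashes stripped, lower-case).
stub_luks_uuid() {
    sed -n 's/^[[:space:]]*cryptomount[[:space:]]\{1,\}-u[[:space:]]\{1,\}\([0-9A-Fa-f-]\{1,\}\).*/\1/p' "$1" |
        head -n 1 | tr -d '-' | tr 'A-F' 'a-f'
}

# One line per system folder: name, whether grub.efi exists, referenced UUID.
audit_esp() {
    for dir in "$1"/sys*/; do
        [ -d "$dir" ] || continue
        uuid=
        [ -f "${dir}grub.cfg" ] && uuid=$(stub_luks_uuid "${dir}grub.cfg")
        if [ -f "${dir}grub.efi" ]; then efi=present; else efi=missing; fi
        echo "$(basename "$dir") grub.efi=$efi luks=${uuid:-unknown}"
    done
}

# UUIDs referenced by more than one folder (two entries unlocking one volume).
duplicate_uuids() {
    audit_esp "$1" | sed -n 's/.* luks=\([0-9a-f]\{1,\}\)$/\1/p' | sort | uniq -d
}

# Constructed sample tree standing in for /boot/efi/EFI; the UUIDs are made up.
make_sample_esp() {
    root=$(mktemp -d)
    mkdir -p "$root/sys1" "$root/sys2" "$root/sys3"
    printf 'cryptomount -u 11111111222233334444555555555555\nconfigfile $prefix/grub.cfg\n' > "$root/sys1/grub.cfg"
    printf 'cryptomount -u AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE\n' > "$root/sys2/grub.cfg"
    cp "$root/sys1/grub.cfg" "$root/sys3/grub.cfg"   # simulates a stale copy
    : > "$root/sys1/grub.efi"; : > "$root/sys2/grub.efi"
    echo "$root"
}

sample=$(make_sample_esp)
audit_esp "$sample"
echo "shared volumes: $(duplicate_uuids "$sample")"
rm -rf "$sample"
```

To check the real ESP, call audit_esp /boot/efi/EFI as root and compare the reported UUIDs with the output of sudo blkid -t TYPE=crypto_LUKS (blkid prints them with dashes).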

Bonus Tips

Customize the icons in the boot menu

To customize the icons for boot entries, simply copy the icon that you want to use to the folder /boot/efi/EFI/sys1 or /boot/efi/EFI/sys2, and rename the icon file to grub.png. Refind supports PNG, JPG, BMP, and ICNS icons.

/uploads/2023/10/image-29.png

Cleanup EFI folders

The grub.efi file is independent of the installed system and needs to be generated only once, because the -c option of grub-mkimage embeds grub.cfg into the image. If you wish, you can delete all other files in the sys1 folder since they are not needed.

/uploads/2023/10/image-37.png
/uploads/2023/10/image-36.png

Dark Theme

Run the command below for a dark theme:

wget -O - https://packages.teejeetech.com/scripts/install-refind-theme-regular-dark.sh | bash
/uploads/2023/10/image-30.png

Hold GRUB packages

GRUB has a habit of hijacking the boot order and making itself the default bootloader during package updates. Place a hold on the GRUB packages to avoid this. Held packages are not upgraded until you release them with apt-mark unhold.

sudo apt-mark hold grub-efi-amd64 grub-efi-amd64-signed grub-efi-amd64-bin grub-common grub2-common

If by some chance GRUB makes itself the default boot loader again, run the following command:

sudo refind-install
