Blog

Encrypted Multiboot with Calamares and EFI

This article will show you how to set up a multi-boot system with LUKS encryption and EFI using the Calamares installer.

Calamares is an installer used by many Linux distributions. It supports a large number of filesystems and disk layouts. However, creating a multiboot setup still requires a few manual steps. This article describes one such layout.

The final disk layout will look like this:

Partition 1 is a 300MB EFI partition. It contains files for booting the 2 encrypted systems installed on Partitions 2 and 3. Partition 4 is a common data partition that is also encrypted and can be accessed from both systems.

I’ll be using Asmi 23.10 as an example but you can use any Linux distribution that uses the Calamares installer (Debian, Lubuntu, ArchLinux, Manjaro, etc).

Create Partitions

Boot the Linux distribution ISO that you want to install. Start GParted and partition the disk as shown below.

Create GPT partition table
Create ESP
Create system partition
Create another system partition
Create data partition
Set Boot and ESP flags on first partition
Final layout

Install the first system

Start the installer and select Manual partitioning.


In order to create an encrypted partition with Calamares we need to delete the existing Partition 2 and create it again. Select Partition 2 and click Delete.

Now select the free space and click Create to create a new partition. Select the filesystem as EXT4 or BTRFS. Check the checkbox for encrypting the partition and enter the boot password that you want to use.

Select Partition 1 and select the mount path /boot/efi from the drop-down. Select the “boot” flag from the list.

Note: GRUB now supports the decryption of encrypted root partitions. Creating a separate unencrypted boot partition is no longer necessary if you are using Calamares.

Click Next and finish the installation.

First Boot

When you boot the system you will be prompted for the password. This prompt is shown by the GRUB bootloader.

Enter the password and log in to the system.

Modify ESP files

Check the folder name that was created on the EFI partition. This is usually ubuntu for Ubuntu-based distributions.

sudo ls -la /boot/efi/EFI

Let’s rename the folder to avoid conflicts. Rename it sys1 as shown below or use any other name that you prefer.

sudo mv -vf /boot/efi/EFI/ubuntu /boot/efi/EFI/sys1

If you look in this folder you will see that it contains a grub.cfg file with information about the encrypted partition. We will now create a grub.efi file to boot the system.

echo 'acpi afsplitter all_video archelp bitmap bitmap_scale boot btrfs bufio chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efifwsetup efi_gop efinet efi_uga ext2 extcmd font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux loadenv loopback lsefi lsefimmap lsefisystab lssal luks lzopio mdraid09 mdraid1x memdisk minicmd mmap normal ntfs part_apple part_gpt part_msdos password_pbkdf2 pbkdf2 play priority_queue probe procfs raid5rec raid6rec reboot regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal test trig true video video_bochs video_cirrus video_colors video_fb xzio zfscrypt zfsinfo zstd' | sudo tee /root/grub-modules > /dev/null

sudo grub-mkimage -c /boot/efi/EFI/sys1/grub.cfg -o /boot/efi/EFI/sys1/grub.efi -O x86_64-efi -p grub/ $(cat /root/grub-modules)

Install Refind Boot Manager

Now install Refind. This is a boot manager that will display a menu to boot multiple operating systems. It will detect the grub.efi file we created earlier and show an entry for booting the system.

sudo apt install -y refind

Install a Refind theme for a better look.

wget -O - https://packages.teejeetech.com/scripts/install-refind-theme-regular.sh | bash

Reboot the system.

You will be greeted by the Refind boot screen. Select the boot entry for the grub.efi file that we generated earlier.

Refind will chain load the GRUB bootloader from the grub.efi file. GRUB will then prompt for the password as it did earlier. Enter the password and log in to the system to ensure that the boot entry is working.

Note: The other 2 entries displayed on the boot menu are not needed. You can hide them by selecting the entry with the arrow keys on your keyboard and hitting Delete.

Install Additional Distributions

Now boot from the ISO of the 2nd Linux distribution that you want to install and repeat the steps given above.

  • Start the installer and choose Manual Partitioning
  • Delete Partition 3 and create it again. You can enter the same unlock password or set a different password for the second system. Mount Partition 1 to /boot/efi without reformatting the partition.
  • Finish the installation and boot the new system
  • Rename the ubuntu folder to sys2, and then generate the grub.efi file in the /boot/efi/EFI/sys2 folder.
sudo mv -vf /boot/efi/EFI/ubuntu /boot/efi/EFI/sys2

echo 'acpi afsplitter all_video archelp bitmap bitmap_scale boot btrfs bufio chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efifwsetup efi_gop efinet efi_uga ext2 extcmd font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux loadenv loopback lsefi lsefimmap lsefisystab lssal luks lzopio mdraid09 mdraid1x memdisk minicmd mmap normal ntfs part_apple part_gpt part_msdos password_pbkdf2 pbkdf2 play priority_queue probe procfs raid5rec raid6rec reboot regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal test trig true video video_bochs video_cirrus video_colors video_fb xzio zfscrypt zfsinfo zstd' | sudo tee /root/grub-modules > /dev/null

sudo grub-mkimage -c /boot/efi/EFI/sys2/grub.cfg -o /boot/efi/EFI/sys2/grub.efi -O x86_64-efi -p grub/ $(cat /root/grub-modules)

sudo apt install -y refind

wget -O - https://packages.teejeetech.com/scripts/install-refind-theme-regular.sh | bash

Bonus Tips

Customize the icons in the boot menu

To customize the icons for boot entries, simply copy the icon that you want to use to the folder /boot/efi/EFI/sys1 or /boot/efi/EFI/sys2, and rename the icon file to grub.png. Refind supports PNG, JPG, BMP, and ICNF icons.

Cleanup EFI folders

The grub.efi file is independent of the installed system and needs to be generated only once. If you wish you can delete all other files in the sys1 folder since they are not needed.

Dark Theme

Run the command below for a dark theme

wget -O - https://packages.teejeetech.com/scripts/install-refind-theme-regular-dark.sh | bash

Hold GRUB packages

GRUB has a habit of hijacking the boot order and making itself the default bootloader during package updates. Place a hold on GRUB packages to avoid this. 

sudo apt-mark hold grub-efi-amd64 grub-efi-amd64-signed grub-common grub-efi-amd64-bin grub-common grub2-common

If by some chance GRUB makes itself the default boot loader again, run the following command:

sudo refind-install
Tags: , ,