Is it possible to setup an encrypted root partition without a separate boot partition?

Jiwan
Posts: 14
Joined: Wed Jun 18, 2025 8:07 am

Is it possible to setup an encrypted root partition without a separate boot partition?

#1 Post by Jiwan »

Is it possible to setup an encrypted root partition without a separate /boot partition?

Like this partition layout:
ESP -> /boot/efi (FAT32)
Root (with encryption) -> / (BTRFS)

QSI:


System:
  Kernel: 6.14.2-1-liquorix-amd64 [6.14-3~mx23ahs] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0 parameters: audit=0
    intel_pstate=disable amd_pstate=disable BOOT_IMAGE=/@/boot/vmlinuz-6.14.2-1-liquorix-amd64
    root=UUID=<filter> ro rootflags=subvol=@ quiet splash
  Desktop: Xfce v: 4.20.0 tk: Gtk v: 3.24.38 info: xfce4-panel wm: xfwm v: 4.20.0 vt: 7
    dm: LightDM v: 1.32.0 Distro: MX-23.6_ahs_x64 Libretto April 13  2025 base: Debian GNU/Linux 12
    (bookworm)
Machine:
  Type: Laptop System: Apple product: MacBookPro9,2 v: 1.0 serial: <superuser required> Chassis:
    type: 10 v: Mac-6F01561E16C75D06 serial: <superuser required>
  Mobo: Apple model: Mac-6F01561E16C75D06 v: MacBookPro9,2 serial: <superuser required>
    UEFI: Apple v: 429.0.0.0.0 date: 03/18/2022
Battery:
  ID-1: BAT0 charge: 51.1 Wh (100.0%) condition: 51.1/62.9 Wh (81.2%) volts: 12.5 min: 10.9
    model: SMP bq20z451 type: Li-ion serial: N/A status: full cycles: 129
CPU:
  Info: model: Intel Core i5-3210M bits: 64 type: MT MCP arch: Ivy Bridge gen: core 3 level: v2
    built: 2012-15 process: Intel 22nm family: 6 model-id: 0x3A (58) stepping: 9 microcode: 0x21
  Topology: cpus: 1x cores: 2 tpc: 2 threads: 4 smt: enabled cache: L1: 128 KiB
    desc: d-2x32 KiB; i-2x32 KiB L2: 512 KiB desc: 2x256 KiB L3: 3 MiB desc: 1x3 MiB
  Speed (MHz): avg: 1560 high: 1666 min/max: 1200/2501 boost: enabled scaling:
    driver: acpi-cpufreq governor: ondemand cores: 1: 1542 2: 1666 3: 1400 4: 1634 bogomips: 19954
  Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: ghostwrite status: Not affected
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data status: Unknown: No mitigations
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB
    filling; PBRSB-eIBRS: Not affected; BHI: Not affected
  Type: srbds status: Vulnerable: No microcode
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: Intel 3rd Gen Core processor Graphics vendor: Apple driver: i915 v: kernel arch: Gen-7
    process: Intel 22nm built: 2012-13 ports: active: LVDS-1 empty: DP-1, DP-2, DP-3, HDMI-A-1,
    HDMI-A-2, HDMI-A-3, VGA-1 bus-ID: 00:02.0 chip-ID: 8086:0166 class-ID: 0300
  Device-2: Apple FaceTime HD Camera type: USB driver: uvcvideo bus-ID: 2-1.1:3
    chip-ID: 05ac:8509 class-ID: 0e02 serial: <filter>
  Display: x11 server: X.Org v: 1.21.1.7 compositor: xfwm v: 4.20.0 driver: X:
    loaded: modesetting unloaded: fbdev,vesa dri: crocus gpu: i915 display-ID: :0.0 screens: 1
  Screen-1: 0 s-res: 1280x800 s-dpi: 96 s-size: 338x211mm (13.31x8.31") s-diag: 398mm (15.69")
  Monitor-1: LVDS-1 model: Apple 0x9cc3 built: 2009 res: 1280x800 hz: 60 dpi: 114 gamma: 1.2
    size: 286x179mm (11.26x7.05") diag: 337mm (13.3") ratio: 16:10 modes: 1280x800
  API: OpenGL v: 4.2 Mesa 24.2.8-1mx23ahs renderer: Mesa Intel HD Graphics 4000 (IVB GT2)
    direct-render: Yes
Audio:
  Device-1: Intel 7 Series/C216 Family High Definition Audio driver: snd_hda_intel v: kernel
    bus-ID: 00:1b.0 chip-ID: 8086:1e20 class-ID: 0403
  API: ALSA v: k6.14.2-1-liquorix-amd64 status: kernel-api tools: alsamixer,amixer
  Server-1: PipeWire v: 1.0.0 status: active with: 1: pipewire-pulse status: active
    2: wireplumber status: active 3: pipewire-alsa type: plugin 4: pw-jack type: plugin
    tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Broadcom NetXtreme BCM57765 Gigabit Ethernet PCIe driver: tg3 v: kernel pcie: gen: 1
    speed: 2.5 GT/s lanes: 1 port: N/A bus-ID: 01:00.0 chip-ID: 14e4:16b4 class-ID: 0200
  IF: eth0 state: up speed: 1000 Mbps duplex: full mac: <filter>
  Device-2: Broadcom BCM4331 802.11a/b/g/n vendor: Apple AirPort Extreme driver: wl v: kernel
    modules: bcma pcie: gen: 1 speed: 2.5 GT/s lanes: 1 bus-ID: 02:00.0 chip-ID: 14e4:4331
    class-ID: 0280
  IF: wlan0 state: up mac: <filter>
Bluetooth:
  Device-1: Apple Bluetooth USB Host Controller type: USB driver: btusb v: 0.8 bus-ID: 4-1.8.1.3:9
    chip-ID: 05ac:821d class-ID: fe01
  Report: hciconfig ID: hci0 rfk-id: 1 state: up address: <filter> bt-v: 2.1 lmp-v: 4.0
    sub-v: 229c hci-v: 4.0 rev: 171a
  Info: acl-mtu: 1021:6 sco-mtu: 64:1 link-policy: rswitch sniff link-mode: peripheral accept
    service-classes: rendering, capturing, object transfer, audio, telephony
Drives:
  Local Storage: total: 953.87 GiB used: 5.69 GiB (0.6%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/sda maj-min: 8:0 vendor: TeamGroup model: T2531TB size: 953.87 GiB block-size:
    physical: 512 B logical: 512 B speed: 6.0 Gb/s type: SSD serial: <filter> rev: 0A0 scheme: GPT
Partition:
  ID-1: / raw-size: 952.7 GiB size: 952.7 GiB (100.00%) used: 5.69 GiB (0.6%) fs: btrfs
    dev: /dev/sda2 maj-min: 8:2
  ID-2: /boot/efi raw-size: 1.17 GiB size: 1.17 GiB (99.80%) used: 576 KiB (0.0%) fs: vfat
    dev: /dev/sda1 maj-min: 8:1
  ID-3: /home raw-size: 952.7 GiB size: 952.7 GiB (100.00%) used: 5.69 GiB (0.6%) fs: btrfs
    dev: /dev/sda2 maj-min: 8:2
  ID-4: /opt raw-size: 952.7 GiB size: 952.7 GiB (100.00%) used: 5.69 GiB (0.6%) fs: btrfs
    dev: /dev/sda2 maj-min: 8:2
  ID-5: /tmp raw-size: 952.7 GiB size: 952.7 GiB (100.00%) used: 5.69 GiB (0.6%) fs: btrfs
    dev: /dev/sda2 maj-min: 8:2
  ID-6: /var/log raw-size: 952.7 GiB size: 952.7 GiB (100.00%) used: 5.69 GiB (0.6%) fs: btrfs
    dev: /dev/sda2 maj-min: 8:2
Swap:
  Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: zram size: 3.88 GiB used: 0 KiB (0.0%) priority: 101 dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 62.0 C mobo: N/A
  Fan Speeds (RPM): N/A
Repos:
  Packages: pm: dpkg pkgs: 2134 libs: 1061 tools: apt,apt-get,aptitude,nala,synaptic pm: rpm
    pkgs: 0 pm: flatpak pkgs: 0
  No active apt repos in: /etc/apt/sources.list
  Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
    1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/debian.list
    1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/mx.list
    1: deb http://mirror.rise.ph/mxlinux-pkg/mx/repo/ bookworm main non-free
    2: deb http://mirror.rise.ph/mxlinux-pkg/mx/repo/ bookworm ahs
  Active apt repos in: /etc/apt/sources.list.d/signal-xenial-added-by-mxpi.list
    1: deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main
Info:
  Processes: 274 Uptime: 57m wakeups: 3 Memory: 15.53 GiB used: 2.89 GiB (18.6%) Init: SysVinit
  v: 3.06 runlevel: 5 default: graphical tool: systemctl Compilers: gcc: 12.2.0 alt: 12
  Client: shell wrapper v: 5.2.15-release inxi: 3.3.26
Boot Mode: UEFI

DukeComposed
Posts: 1445
Joined: Thu Mar 16, 2023 1:57 pm

Re: Is it possible to setup an encrypted root partition without boot partition?

#2 Post by DukeComposed »

Jiwan wrote: Thu Jun 19, 2025 10:42 pm Is it possible to setup an encrypted root partition without /boot partition?

Like this partition layout:
ESP -> /boot/efi (FAT32)
Root (with encryption) -> / (BTRFS)
If I understand the question correctly (can one create an encrypted root partition without an unencrypted /boot partition?), then yes, this can be done.

One could use an MBR-style partition table. One could create a LUKS container the size of the desired install, open it, and then create the necessary partition(s) inside the LUKS container.

If the question is subtly asking if creating a FAT32 partition can be avoided in a UEFI setup, no, I don't think that's possible.

Jiwan
Posts: 14
Joined: Wed Jun 18, 2025 8:07 am

Re: Is it possible to setup an encrypted root partition without a separate boot partition?

#3 Post by Jiwan »

What I was trying to do is something like this, see attached. Highlighted in the red box is the root partition (Btrfs) that I wanted to encrypt. As you can see, I have put a check mark in the Encrypt column for that specific partition. My partition table is GPT. When I click next it prompts me with a message that I need to create a boot partition, and that confuses me. I thought the ESP partition is already a boot partition that is mounted to "/boot/efi". Am I missing something here? To let you know, guys, I am new to Linux, so please bear with me.

DukeComposed
Posts: 1445
Joined: Thu Mar 16, 2023 1:57 pm

Re: Is it possible to setup an encrypted root partition without a separate boot partition?

#4 Post by DukeComposed »

Jiwan wrote: Fri Jun 20, 2025 10:05 am When I click next it prompts me with a message that I need to create a boot partition, and that confuses me.
The error message should precisely say "You must choose a separate boot partition when encrypting root." So let's think about this for a second. You've specified an ESP (EFI System Partition) and you think that should live under /boot.

But where's /boot going to go? A very important thing to remember if you're going to try to get fancy with Linux partitions: mountpoints are hierarchical. If you want /boot/efi, you need to have a /boot first. If you want /var/log, you need a /var first. And in all cases you need a root partition, "/", first, too. So if you don't have an exact place for /boot it's automatically going to go under root, and... you've encrypted root.

Make sure you're creating a /boot partition and a 1 MB BIOS-GRUB partition. I ran a test install of MX-23 on a VM with this setup (GPT partition table, /boot, BIOS-GRUB, and an encrypted ext4 partition for /) and it boots as expected.

Jiwan
Posts: 14
Joined: Wed Jun 18, 2025 8:07 am

Re: Is it possible to setup an encrypted root partition without a separate boot partition?

#5 Post by Jiwan »

DukeComposed wrote: Fri Jun 20, 2025 5:04 pm
Jiwan wrote: Fri Jun 20, 2025 10:05 am When I click next it prompts me with a message that I need to create a boot partition, and that confuses me.
The error message should precisely say "You must choose a separate boot partition when encrypting root." So let's think about this for a second. You've specified an ESP (EFI System Partition) and you think that should live under /boot.

But where's /boot going to go? A very important thing to remember if you're going to try to get fancy with Linux partitions: mountpoints are hierarchical. If you want /boot/efi, you need to have a /boot first. If you want /var/log, you need a /var first. And in all cases you need a root partition, "/", first, too. So if you don't have an exact place for /boot it's automatically going to go under root, and... you've encrypted root.

Make sure you're creating a /boot partition and a 1 MB BIOS-GRUB partition. I ran a test install of MX-23 on a VM with this setup (GPT partition table, /boot, BIOS-GRUB, and an encrypted ext4 partition for /) and it boots as expected.
Thank you for this information. I will try your suggestion.

DukeComposed
Posts: 1445
Joined: Thu Mar 16, 2023 1:57 pm

Re: Is it possible to setup an encrypted root partition without a separate boot partition?

#6 Post by DukeComposed »

Jiwan wrote: Fri Jun 20, 2025 10:19 pm Thank you for this information. I will try your suggestion.
Good luck!
