Full disk encryption #6

Open
MadLittleMods opened this issue Apr 30, 2023 · 0 comments
Labels
good-for-a-new-system Something you probably want to do to any new system you setup


MadLittleMods commented Apr 30, 2023

How to set up?

I don't know of the best option; I used the option in the installer.

Decrypting takes a long time

Related to how I set it up initially. Seems like a LUKS2 problem or something (idk)

Graceful retry after entering the wrong password

If you use the built-in disk encryption option from the Manjaro/XFCE install, it will only give you one chance to enter your password correctly before dropping you in grub rescue.

See https://forum.manjaro.org/t/how-do-get-graceful-retry-for-bad-wrong-password-entry-at-disk-decryption-during-boot/85233

Enter passphrase for hd1,gp2 (...):
Attempting to decrypt master key...
Enter passphrase for hd2,gpt2(...long-hex-string...):
error: access denied.
error: no such cryptodisk found.
error: disk 'cryptouuid/...long-hex-string...' not found.
Entering rescue mode...
grub rescue>

To work around this issue, you can use:

  1. cryptomount -a to mount all encrypted partitions (hopefully only one)
  2. insmod normal to get out of grub rescue
  3. normal to continue the boot process

Updating the UEFI (BIOS)

When updating the UEFI (BIOS), it warns about suspending BitLocker and any encryption relying on the TPM (Trusted Platform Module, security chip on your motherboard). I was uncertain whether this applied to me with how I had full-disk encryption set up, but I was completely fine without doing anything:

This is just a default warning; the BIOS always gives it. Only if you use the TPM to automatically decrypt LUKS on boot would this apply to you. If you have such a setup, the TPM will not release the password anymore, so you will have to manually enter the password.

So if you are typing a password on boot right now this does not apply to you.

-- @arkane-linux, https://www.reddit.com/r/linux4noobs/comments/17z6ol8/comment/k9z6pqo/
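
As an added example (not part of the original issue or the quoted Reddit comment), the following Python applies the rule quoted above to a LUKS2 header: it reports whether any keyslot is bound to a TPM token, and whether a slot without a token remains as a fallback if the TPM stops unsealing after a firmware update. It assumes the input is the JSON printed by `cryptsetup luksDump --dump-json-metadata <device>` (cryptsetup 2.4 or later); the function name `assess` and the sample headers are constructed for illustration.

```python
import json

# Token types that bind a keyslot to the TPM. "systemd-tpm2" is the type
# systemd-cryptenroll writes. "clevis" tokens may wrap a tpm2 pin; assumption:
# they are reported as "possibly TPM-bound" without decoding the JWE.
TPM_TOKEN_TYPES = {"systemd-tpm2"}
MAYBE_TPM_TOKEN_TYPES = {"clevis"}


def assess(metadata_json):
    """Classify the keyslots of a LUKS2 header from its JSON metadata."""
    meta = json.loads(metadata_json)
    slots = set(meta.get("keyslots", {}))
    tpm, maybe, token_bound = set(), set(), set()
    for token in meta.get("tokens", {}).values():
        # Ignore references to keyslots that no longer exist in the header.
        bound = set(token.get("keyslots", [])) & slots
        token_bound |= bound
        if token.get("type") in TPM_TOKEN_TYPES:
            tpm |= bound
        elif token.get("type") in MAYBE_TPM_TOKEN_TYPES:
            maybe |= bound
    # Slots with no token are unlocked by a typed passphrase or a key file.
    plain = slots - token_bound
    return {
        "tpm_slots": sorted(tpm),
        "maybe_tpm_slots": sorted(maybe),
        "plain_slots": sorted(plain),
        "warning_applies": bool(tpm or maybe),  # firmware warning is relevant
        "has_fallback": bool(plain),            # can still unlock without TPM
    }


# Constructed, trimmed samples (real headers also carry kdf, area, af,
# segments, digests and config sections).
PASSPHRASE_ONLY = json.dumps({
    "keyslots": {"0": {"type": "luks2"}},
    "tokens": {},
})
TPM_ENROLLED = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"]}},
})

if __name__ == "__main__":
    for name, sample in (("passphrase only", PASSPHRASE_ONLY),
                         ("TPM enrolled", TPM_ENROLLED)):
        print(name, assess(sample))
```

A header where `warning_applies` is true and `has_fallback` is false has no way to unlock once the TPM refuses to release the key, so a passphrase or recovery slot should exist before the firmware is updated.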

@MadLittleMods MadLittleMods added the good-for-a-new-system Something you probably want to do to any new system you setup label Jun 30, 2024