Hello Joshua and Raghav, thank you for your guide! I have just a couple of
comments.

Joshua Branson via Guix-patches via writes:

> From: Joshua Branson
>
> The original guide was written by Raghav Gururajan
> and edited by Joshua Branson .
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 724 insertions(+)

[...]

> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption

AFAIU the steps, especially the partitioning that does not provide a
dedicated UEFI partition, are specific to Libreboot systems: what about
making that clearer in the section title? ...or adapting the section by
separating the Libreboot-specific instructions from the generic system
instructions?

[...]

> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.
> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example

Why use two BTRFS volumes on top of LVM rather than using BTRFS directly
(with subvolumes if you want) on top of /dev/mapper/partname? AFAIU the
"double mapping" is not needed: BTRFS has a very good (and now mature)
built-in volume manager. Furthermore, using BTRFS for volume management
will allow users to switch to a multi-device system (e.g. RAID1) very
easily.

I'm still using LVM on some "legacy" systems, but for new installations
I'd strongly suggest starting to use BTRFS on top of "physical"
partitions.

> +Mount the filesystems under the current system.
> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> +mkswap --verbose /mnt/swapfile
> +@end example

I know that since Linux 2.6 swap file performance is not a big issue if
the file is unfragmented (and it will be for sure on newly partitioned
filesystems), but AFAIU swap files are still a little bit problematic on
BTRFS
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:

--8<---------------cut here---------------start------------->8---
From kernel 5.0+ btrfs have native swap files support, but with some
limitations.

Swap file - must be fully allocated as NOCOW with no compression on one
device.
--8<---------------cut here---------------end--------------->8---

I've never tested a system with a swap file on BTRFS, but I think that
your instructions should add how to set NOCOW for the swap file.

The above example could be:

--8<---------------cut here---------------start------------->8---
@example
dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
mkswap --verbose /mnt/swapfile
chattr +C /mnt/swapfile
btrfs property set /mnt/swapfile compression none
@end example
--8<---------------cut here---------------end--------------->8---

Final note: AFAIU BTRFS supports swap files ONLY in single-device
settings (that is: NO swap file support in multi-device settings), so
IMHO it's better to use a dedicated partition for the swap space, so
users are free to switch to a multi-device setting if they wish (and
can).

The problem with a fully encrypted dedicated swap partition is that it
will require a third passphrase prompt on boot (the one to unlock the
swap partition), but that's a minor annoyance IMHO.

What do you think?

[...]

Happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
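Review bot: the swap-file example in the quoted hunk (`dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile`) does not create a 1 GiB file: dd's `count` is a number of input blocks, not a byte size, so with `bs=1MiB` it asks for 2^30 blocks of 1 MiB and will run until the filesystem is full; `count=1024` gives the intended 1 GiB (or `fallocate -l 1G /mnt/swapfile`, which avoids writing the zeros at all). In the lvcreate paragraph of the same hunk, the text defines "num" as the size in GB but neither command uses it (`--extents 25%VG`, `--extents 100%FREE`); either drop the "num" sentence or show a `--size numG` invocation that matches the prose.

The layout the reply argues for, as an added example that is not part of the patch or of Giovanni's message: a single btrfs filesystem directly on the opened LUKS mapping with one subvolume per mount point instead of two LVM volumes, plus a swap file created in the order btrfs requires. The device name `/dev/mapper/partname` is the patch's own; the label `guixroot`, the subvolume names `@root`/`@home`, the `DRY_RUN` switch and the helper names are assumptions made here. One caveat the example encodes: the NOCOW attribute (`chattr +C`) only takes effect on a file that is still empty, so it is set before the file is allocated rather than after `dd` has filled it.

```shell
#!/bin/sh
# Added example (not from the patch or the reply): btrfs on the mapped
# LUKS device with subvolumes, and a NOCOW swap file on it.
# With DRY_RUN=1 (the default, an assumption of this script) commands are
# printed instead of executed, so the sequence can be checked on any host.

: "${DRY_RUN:=1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One btrfs filesystem on the mapped device ($1, e.g. /dev/mapper/partname)
# with @root and @home subvolumes mounted under /mnt, mirroring the
# patch's root/home split without an LVM layer in between.
layout_steps() {
    dev=$1
    run mkfs.btrfs --metadata dup --label guixroot "$dev"
    run mount -t btrfs "$dev" /mnt
    run btrfs subvolume create /mnt/@root
    run btrfs subvolume create /mnt/@home
    run umount /mnt
    run mount -t btrfs -o subvol=@root "$dev" /mnt
    run mkdir -p /mnt/home
    run mount -t btrfs -o subvol=@home "$dev" /mnt/home
}

# Swap file at $1 of $2 MiB. The C (NOCOW) attribute is only honoured
# when set on an empty file, hence truncate -> chattr -> fallocate.
# A NOCOW file is never compressed, which satisfies the btrfs requirement
# quoted in the thread. Size must be a positive integer.
swapfile_steps() {
    file=$1
    size_mib=$2
    case $size_mib in
        ''|*[!0-9]*|0)
            echo "swapfile_steps: size must be a positive integer (MiB)" >&2
            return 1 ;;
    esac
    run truncate -s 0 "$file"
    run chattr +C "$file"
    run fallocate -l "${size_mib}M" "$file"
    run chmod 0600 "$file"
    run mkswap "$file"
}

# Post-creation check, meaningful only after a real (DRY_RUN=0) run:
# lsattr's flag field must contain C for the swap file.
check_nocow() {
    lsattr "$1" 2>/dev/null | awk '{print $1}' | grep -q C
}

# Usage: sh this-script.sh --demo   (prints the full command sequence)
if [ "${1:-}" = "--demo" ]; then
    layout_steps /dev/mapper/partname
    swapfile_steps /mnt/swapfile 1024
fi
```

Running the script with `--demo` prints the whole sequence without touching a disk; setting `DRY_RUN=0` executes it against the named device, after which `check_nocow /mnt/swapfile` confirms the attribute was applied. Nothing here changes the reply's other point: a swap file on btrfs still rules out a multi-device filesystem, so a dedicated swap partition remains the more flexible choice.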