How to Install Fedora 37 with LUKS Full Disk Encryption, Snapper, and Grub-Btrfs for Full System Rollback

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Feature Image

In this blog, I will show you how to install Fedora 37 with LUKS Full Disk Encryption, snapper, and grub-btrfs packages, allowing you to take snapshots of the / and /home subvolumes as well as perform a full system rollback on the / volume if something goes wrong.

LUKS encryption protects the data in a block device while it is offline. This is especially important for mobile devices such as laptops because your hard drive can be easily accessed if left in the wrong places or, worse, stolen. To access the decrypted content on the device, you need to provide a passphrase or key file. The LUKS Full Disk Encryption will take care of this.

Regarding the snapshot rollback, I hoped that in Fedora 37, the DNF database would be relocated to /usr, as the RPM database was in Fedora 36. Sadly, It did not happen. It is still held back in /var/lib/dnf.

So, to avoid package mismatches between the two databases, I need to keep the /var directory in the rollback regime. I will, however, exclude the /var/log directory so that log data are not lost during rollbacks. You may add more directories if you wish.

Here is a brief overview of what needs to be done.

  1. Design the disk layout to install Fedora 37.
  2. Install Fedora 37 with a LUKS encrypted btrfs / filesystem and an unencrypted separate ext4 /boot partition, as the Anaconda installer does not support encryption of the /boot partition.
  3. After the installation is complete, copy the contents of the /boot partition to encrypted /, and configure GRUB to boot from it.
  4. Remove the ext4 /boot partition and merge its space with the btrfs volume.
  5. Configure the system to request the LUKS passphrase only once by supplying the key file.
  6. Install and configure snapper to take snapshots of the / and /home subvolume.
  7. Install and configure grub-btrfs to add snapshots menu to GRUB, allowing you to perform a full system rollback on the / volume.
  8. Finally, do some tests on the snapper 'undo change' and rollback features to ensure that everything is working properly.

So let’s begin.

1. Disk Layout for Installing Fedora 37

Since the Anaconda installer does not allow encryption of the /boot partition, either separately or in the / filesystem, you first need to create an unencrypted /boot partition separately. This is how the disk partition appears at first. I will use a 100 GiB hard disk for the demonstration.

NAME          SIZE   FSTYPE         LABEL    MOUNTPOINT
/dev/vda      100G                   
├─/dev/vda1   512M   vfat           EFI      /boot/efi
├─/dev/vda2    98G   btrfs (LUKS)   FEDORA   /       
└─/dev/vda3   1.5G   ext4           BOOT     /boot

When the installation is complete, I will copy the contents of the /boot partition to the / file system. The final disk partition looks like this.

NAME           SIZE   FSTYPE         LABEL    MOUNTPOINT
/dev/vda       100G                   
├─/dev/vda1    512M   vfat           EFI      /boot/efi
└─/dev/vda2   99.5G   btrfs (LUKS)   FEDORA   /

And, these are the subvolumes that will be created from the encrypted btrfs volume (/dev/vda2).

NAME               MOUNTPOINT          TYPE
[main]             /                   mainvolume
home               /home               subvolume 
var/log            /var/log            subvolume
.snapshots         /.snapshots         subvolume
home/.snapshots    /home/.snapshots    subvolume

Below are the directories for which subvolumes are created and the reasons for doing so.

/home

Contains user data. It is created to keep user data separate and also to avoid loss of user data on / volume rollbacks.

/var/log

Contains log files. It is created to avoid the loss of log data during rollbacks.

/.snapshots

Contains snapshots of / volume. Allows you to undo any changes or completely roll back a snapshot from the GRUB menu.

/home/.snapshots

Contains snapshots of /home subvolume. Allows you to undo any changes in the /home directory. No rollbacks from the GRUB menu on the /home directory.

Depending on your needs, you may also want to create some additional subvolumes. For example, /opt, /var/www, /var/lib/libvirt/images, and so on.

2. Install Fedora 37 Workstation

Boot your system using the Fedora 37 Workstation installer in UEFI mode. On the welcome screen, select the Install to Hard Drive option. Next, select your LanguageKeyboard, and configure Time & Date. Following that, from the INSTALLATION SUMMARY screen, select Installation Destination.

You should now be on the INSTALLATION DESTINATION screen. To proceed, pick the Advanced Custom (Blivet-GUI) radio button and then hit the Done button.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Blivet Beta

On the BLIVET GUI PARTITIONING screen, create the partitions, file systems, and btrfs subvolumes necessary to install Fedora 37 Workstation.

First, you need to create and mount the EFI partition. Select the free space and click the + sign to create a partition.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Blivet Overview Beta

Set the partition size to 512 MiB, the filesystem to EFI System Partition, and the mountpoint to /boot/efi.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs EFI Beta

Then, you need to create a btrfs volume where you can create all the subvolumes needed to install Fedora 37 Workstation.

Select the free space again and click on the + sign to create a btrfs filesystem. Set the size of the btrfs filesystem. I allocated 98 GiB for the btrfs filesystem and left roughly 1.5 GiB unallocated for the /boot partition. Set btrfs as the filesystem and / as the mountpoint. Enable encryption, set encryption to luks2, and provide a strong passphrase with entropy greater than 60 bits. Finally, click on the OK button.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Root Beta

You then need to create and mount the /boot partition. Set the boot partition to use all of the remaining unallocated space (1534 MiB), the filesystem to ext4, and the mountpoint to /boot. After the installation is finished, I’ll move the contents of the /boot partition to the main root file system and merge this 1.5 GiB space with the main BTRFS volume.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Boot Beta

Next, you must create a home subvolume. (1) Select the Btrfs Volume from the left panel, and (2) click on the + sign on the right panel.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Select Btrfs Volume Beta

Create a home subvolume. Enter the name as home and mountpoint as /home. Click OK to finish.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Home Subvolume Beta

I will create the remaining subvolumes when the installation is finished. This is because the Anaconda installer does not allow you to create subvolumes with slashes (/) in their names, such as var/log.

For now, click Done to finish creating subvolumes.

On the SUMMARY OF CHANGES screen, double-check that everything is properly defined. To finalize the changes, click the Accept Changes button.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Summary Beta

You will be returned to the INSTALLATION SUMMARY screen. Press the Begin Installation button to start the installation process. The installation process will start. Just sit back and relax.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs Installation Beta

When the installation is finished, click the Finish installation button and restart the system. After the computer restarts, you will be prompted for the LUKS passphrase.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs LUKS Passphrase Beta

Enter the LUKS passphrase that you provided. The last phase of the installation procedure will start. Click the Start Setup button to complete the remaining customization steps, such as setting a new login, password, and so on.

You will then be logged into the Fedora 37 Workstation with the all-new Gnome 43 desktop interface.

How to Install Fedora 37 with LUKS Full Disk Encryption + Snapper + Grub-Btrfs GNOME 43 Beta

Now, open the Gnome terminal.

Set the btrfs volume label. I named the btrfs volume FEDORA, but you may name it whatever you want.

$ sudo btrfs filesystem label / FEDORA

$ sudo btrfs filesystem show /
Label: 'FEDORA'  uuid: 9e134c14-b6cc-4269-b164-45769b86abb8
	Total devices 1 FS bytes used 6.97GiB
	devid    1 size 97.98GiB used 9.02GiB path /dev/mapper/luks-85681518-63a1-42e8-a3ca-5b07b045250e

Create the /var/log subvolume.

$ sudo mv -v /var/log /var/log-old
$ sudo btrfs subvolume create /var/log
$ sudo cp -arv /var/log-old/. /var/log/
$ sudo restorecon -RFv /var/log
$ sudo rm -rvf /var/log-old

If you wish to create more subvolumes, use the same methods as above.

In the /etc/fstab file, add the newly created /var/log subvolume. The updated line is displayed in amber. Replace UUID with your setup's UUID.

sudo vi /etc/fstab
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /         btrfs defaults,x-systemd.device-timeout=0 0 0
UUID=86084a70-2927-40a9-84d7-df9b280d5a6c /boot     ext4  defaults 1 2
UUID=A070-0BE4                            /boot/efi vfat  umask=0077,shortname=winnt 0 2
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /home     btrfs subvol=home,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /var/log  btrfs subvol=var/log,compress=zstd:1,x-systemd.device-timeout=0 0 0

Reload the /etc/fstab file to mount all filesystems.

$ sudo systemctl daemon-reload
$ sudo mount -va

Your setup should now look somewhat like this.

$ lsblk -p
NAME                                                      MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
/dev/sr0                                                   11:0    1 1024M  0 rom   
/dev/zram0                                                251:0    0  2.8G  0 disk  [SWAP]
/dev/vda                                                  252:0    0  100G  0 disk  
├─/dev/vda1                                               252:1    0  512M  0 part  /boot/efi
├─/dev/vda2                                               252:2    0   98G  0 part  
│ └─/dev/mapper/luks-85681518-63a1-42e8-a3ca-5b07b045250e 253:0    0   98G  0 crypt /var/log
│                                                                                   /home
│                                                                                   /
└─/dev/vda3                                               252:3    0  1.5G  0 part  /boot

Finally, list all subvolumes.

$ sudo btrfs subvolume list /
ID 256 gen 73 top level 5 path home
ID 257 gen 67 top level 5 path var/lib/machines
ID 258 gen 79 top level 5 path var/log

The var/lib/machines subvolume is created by systemd implicitly in Fedora 37 Workstation for systemd-nspawn containers.

The Fedora 37 Workstation installation is now complete.

3. Move /boot to the / Filesystem

You must now copy the contents of the ext4 /boot partition to the /boot directory in the root file system and configure GRUB to boot from it.

First, unmount the /dev/vda3 (boot) and /dev/vda1 (EFI) partitions from the /boot directory.

$ sudo umount -vR /boot

Then, mount the /dev/vda3 partition in the /mnt directory temporarily.

$ sudo mount -v /dev/vda3 /mnt

Now, copy all boot files from /mnt to the /boot directory.

$ sudo cp -arv /mnt/. /boot

Unmount the /dev/vda3 partition from /mnt and delete its entry from the /etc/fstab file. You no longer need the /dev/vda3 partition.

$ sudo umount -v /mnt
$ sudo sed -i.original '/\/boot.*ext4/d' /etc/fstab
$ sudo systemctl daemon-reload
$ sudo mount -va

Restore the SELinux labels to the /boot directory.

$ sudo restorecon -RFv /boot

Enable the CRYPTODISK option in GRUB. When enabled, it will check the encrypted disks and generate the additional commands needed to access them during boot.

$ echo 'GRUB_ENABLE_CRYPTODISK=y' | sudo tee -a /etc/default/grub
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

The kernel and initrd paths are configured to look in the /boot partition (/dev/vda3).

$ sudo grubby --info=DEFAULT
index=0
kernel="/vmlinuz-5.19.7-300.fc37.x86_64"
args="ro rd.luks.uuid=luks-85681518-63a1-42e8-a3ca-5b07b045250e rhgb quiet"
root="UUID=9e134c14-b6cc-4269-b164-45769b86abb8"
initrd="/initramfs-5.19.7-300.fc37.x86_64.img"
title="Fedora Linux (5.19.7-300.fc37.x86_64) 37 (Workstation Edition Prerelease)"
id="f914c785eab548a1aaea84cde88cccb7-5.19.7-300.fc37.x86_64"

This must be changed to the /boot directory in the / filesystem (/dev/vda2). To do this, first, remove the old Boot Loader Specification (BLS) configuration files.

$ sudo sh -c 'rm -i /boot/loader/entries/*.conf'

Then recreate the BLS config file by adding the kernel image.

$ sudo kernel-install -v add $(uname -r) /lib/modules/$(uname -r)/vmlinuz

Take a look at the newly created BLS configuration files. The ‘/boot‘ directory should be added to the kernel and initrd lines.

$ sudo grubby --info=DEFAULT
index=0
kernel="/boot/vmlinuz-5.19.7-300.fc37.x86_64"
args="ro rd.luks.uuid=luks-85681518-63a1-42e8-a3ca-5b07b045250e rhgb quiet"
root="UUID=9e134c14-b6cc-4269-b164-45769b86abb8"
initrd="/boot/initramfs-5.19.7-300.fc37.x86_64.img"
title="Fedora Linux (5.19.7-300.fc37.x86_64) 37 (Workstation Edition Prerelease)"
id="f914c785eab548a1aaea84cde88cccb7-5.19.7-300.fc37.x86_64"

As CRYPTODISK is now enabled, you must make changes to /boot/efi/EFI/fedora/grub.cfg file as well.

List your device's UUIDs first.

$ lsblk -po name,uuid,mountpoints /dev/vda
NAME                                                      UUID                                 MOUNTPOINTS
/dev/vda                                                                                       
├─/dev/vda1                                               A070-0BE4                            /boot/efi
├─/dev/vda2                                               85681518-63a1-42e8-a3ca-5b07b045250e 
│ └─/dev/mapper/luks-85681518-63a1-42e8-a3ca-5b07b045250e 9e134c14-b6cc-4269-b164-45769b86abb8 /var/log
│                                                                                              /home
│                                                                                              /
└─/dev/vda3                                               86084a70-2927-40a9-84d7-df9b280d5a6c

Set up access to the encrypted boot device by adding the cryptomount command.

$ CRYPTOUUID="$(sudo cryptsetup luksUUID /dev/vda2 | tr -d -)"
$ sudo sed -i.backup1 "1i cryptomount -u ${CRYPTOUUID}" /boot/efi/EFI/fedora/grub.cfg

Replace the /dev/vda3 device UUID with the UUID of a LUKS encrypted device where the / file system is mounted.

$ OLDUUID="$(lsblk -dno uuid /dev/vda3)"
$ NEWUUID="$(lsblk -dno uuid /dev/mapper/luks-$(sudo cryptsetup luksUUID /dev/vda2))"
$ sudo sed -i.backup2 "s/${OLDUUID}/${NEWUUID}/" /boot/efi/EFI/fedora/grub.cfg

And add /boot to the grub2 path.

$ sudo sed -i.backup3 's#($dev)/grub2#($dev)/boot/grub2#' /boot/efi/EFI/fedora/grub.cfg

In the end,  the modifications to the /boot/efi/EFI/fedora/grub.cfg file should be from this ...

search --no-floppy --fs-uuid --set=dev 86084a70-2927-40a9-84d7-df9b280d5a6c
set prefix=($dev)/grub2

export $prefix
configfile $prefix/grub.cfg

... to this.

cryptomount -u 8568151863a142e8a3ca5b07b045250e
search --no-floppy --fs-uuid --set=dev 9e134c14-b6cc-4269-b164-45769b86abb8
set prefix=($dev)/boot/grub2

export $prefix
configfile $prefix/grub.cfg

The changes are as follows.

  • Line 1: Amber color. Set up access to the encrypted boot device. The UUID here is of the /dev/vda2 partition without dashes (-).
  • Line 2: Cyan color. Replace the UUID of /boot partition. The new UUID is of the LUKS encrypted / filesystem.
  • Line 3: Orange color: Insert the '/boot' directory into the 'set prefix' line.

Finally, you need to change the Password-Based Key Derivation Function (PBKDF) algorithm for LUKS keyslot. By default PBKDF for LUKS2 is argon2id.

$ sudo cryptsetup luksDump /dev/vda2 | grep 'PBKDF:'
	PBKDF:      argon2id

However, GRUB currently only supports pbkdf2. As a result, you must change the PBKDF algorithm. You should also change the iteration count. The more powerful your CPU, the higher the iteration count. And, the higher the iteration count, the longer it takes to unlock the LUKS in the GRUB.

For pbkdf2, the minimum iteration count is 1000 and the maximum is 4294967295. I will set the iteration count to 500000. Lowering the iterations reduces security. To get around it, use a stronger passphrase with higher entropy.

$ sudo cryptsetup luksChangeKey \
    --key-slot 0 \
    --pbkdf pbkdf2 \
    --pbkdf-force-iterations 500000 \
    /dev/vda2

Set the new password to the same one you used before.

Review the device LUKS encryption details.

$ sudo cryptsetup luksDump /dev/vda2
LUKS header information
Version:       	2
Epoch:         	4
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	85681518-63a1-42e8-a3ca-5b07b045250e
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)
Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]
Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      pbkdf2
	Hash:       sha256
	Iterations: 500000
	Salt:       2c bc 81 c8 75 0f 96 90 fc ee 41 c4 cc dd b1 b1 
	            1c f2 33 7d 65 b5 fe ac b2 ca 33 6d 9c de 41 4c 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 88323
	Salt:       97 91 83 39 65 f0 cc fc 4b 69 de ec 86 6d 3e e2 
	            6e 8a 8a de a0 ee ba 41 16 28 27 f6 86 59 9f 03 
	Digest:     81 3f 1d 98 98 ab 6d 55 f7 7f 25 4f 8f 12 77 1a 
	            0a ca 90 b2 62 a3 b6 3e 27 a5 0c d4 e2 34 dd cc

Reboot the computer now to ensure that everything is working correctly. You will be prompted for the passphrase twice. The first time is before loading GRUB, and the second time is before mounting the root file system.

Depending on your computer's CPU, it may take up to 15 seconds for the GRUB to display the second passphrase prompt. So please be patient.

When you input your passphrase in the first LUKS prompt, no "*" cursor indication appears. So you should assume you have entered your passphrase correctly. Simply enter your LUKS passphrase blindly and hit the [ENTER] key.

4. Remove the /boot Partition and Reclaim the Space

You no longer need the /dev/vda3 partition since you moved the boot files to the /boot directory in the / file system. So, you can safely remove the /dev/vda3 partition from the partition table and reclaim the 1.5 GiB it occupies.

Run the gdisk utility.

$ sudo gdisk /dev/vda

On the command input prompt, enter the key p to print the partition table.

Command (? for help): p
Disk /dev/vda: 209715200 sectors, 100.0 GiB
...
Total free space is 4029 sectors (2.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System Partition
   2         1050624       206571519   98.0 GiB    8300  
   3       206571520       209713151   1.5 GiB     8300

Delete partition #3 (/dev/vda3) by pressing the key d and then the number 3.

Command (? for help): d
Partition number (1-3): 3

Command (? for help): p
...
Total free space is 3145661 sectors (1.5 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System Partition
   2         1050624       206571519   98.0 GiB    8300

Then, delete partition #2 (/dev/vda2) as well by pressing the key d and then the number 2. Don’t worry, until you permanently write the modifications, the data will not be lost.

Command (? for help): d
Partition number (1-2): 2

Command (? for help): p
...
Total free space is 208666557 sectors (99.5 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System Partition

Now, create a new partition by pressing the key n. Choose the entire disc space by pressing the [Enter] key four times. Don’t input any values; instead, let it use the defaults. Your data will remain intact with the new expanded size.

Command (? for help): n
Partition number (2-128, default 2): 
First sector (34-209715166, default = 1050624) or {+-}size{KMGTP}: 
Last sector (1050624-209715166, default = 209713151) or {+-}size{KMGTP}: 
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 
Changed type of partition to 'Linux filesystem'

Command (? for help): p
...
Total free space is 4029 sectors (2.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System Partition
   2         1050624       209713151   99.5 GiB    8300  Linux filesystem

As an option, you can modify the partition name.

Command (? for help): c
Partition number (1-2): 2
Enter name: Fedora 37 Workstation

Command (? for help): p
...

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System Partition
   2         1050624       209713151   99.5 GiB    8300  Fedora 37 Workstation

Finally, hit the w key to permanently save the table to disk and quit.

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): y
OK; writing new GUID partition table (GPT) to /dev/vda.
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot or after you
run partprobe(8) or kpartx(8)
The operation has completed successfully.

For the changes to take effect, restart the system. After restarting the system, use the following command to reclaim all available space on the BTRFS volume.

$ sudo btrfs filesystem resize max /

Now check the space used up by the BTRFS volume.

$ sudo btrfs filesystem show /
Label: 'FEDORA'  uuid: 9e134c14-b6cc-4269-b164-45769b86abb8
	Total devices 1 FS bytes used 7.15GiB
	devid    1 size 99.48GiB used 10.02GiB path /dev/mapper/luks-85681518-63a1-42e8-a3ca-5b07b045250e

List to verify whether the /dev/vda3 partition has actually been removed.

$ lsblk -p /dev/vda
NAME                                                      MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
/dev/vda                                                  252:0    0  100G  0 disk  
├─/dev/vda1                                               252:1    0  512M  0 part  /boot/efi
└─/dev/vda2                                               252:2    0 99.5G  0 part  
  └─/dev/mapper/luks-85681518-63a1-42e8-a3ca-5b07b045250e 253:0    0 99.5G  0 crypt /var/log
                                                                                    /home
                                                                                    /

5. Bypass the Additional Passphrase Prompt

While GRUB asks for a passphrase to unlock the encrypted /boot files, this information is not passed on to initramfs. As a result, during the initramfs stage, the root (/) must be unlocked once again. This means that either the user must input his passphrase twice, or the initramfs image itself must include a file with the root partition’s passphrase.

Because the initramfs image will be in the /boot directory of the encrypted root partition (/), the passphrase will be secure when the data is at rest. However, once the data is online, it must be safeguarded by making it read-only for the root user.

So let’s create a key file so that the passphrase is only asked once.

Create /etc/cryptsetup-keys.d directory if it is not already there.

$ sudo mkdir /etc/cryptsetup-keys.d

Create a key file with 4KiB of random data. The key file has to be in volume.key format.

$ sudo dd if=/dev/random \
    of=/etc/cryptsetup-keys.d/luks-$(sudo cryptsetup luksUUID /dev/vda2).key \
    bs=512 count=8

Ensure that only the root user has read access to the key file.

$ sudo chmod 0400 /etc/cryptsetup-keys.d/*.key

Attach the created key to the encrypted device’s available key slot. When prompted for a passphrase, enter the same LUKS passphrase.

$ sudo cryptsetup luksAddKey \
    --pbkdf pbkdf2 \
    --pbkdf-force-iterations 500000 \
    /dev/vda2 \
    /etc/cryptsetup-keys.d/luks-$(sudo cryptsetup luksUUID /dev/vda2).key

Open (or create) the /etc/dracut.conf.d/cryptodisk.conf file.

$ sudo vi /etc/dracut.conf.d/cryptodisk.conf

And add the following line to include the key in the initramfs image.

install_items+=" /etc/cryptsetup-keys.d/* "

Finally, rebuild the initramfs image.

$ sudo dracut -vf

Reboot the computer and verify that everything is operating correctly. The LUKS passphrase should only be asked once.

6. Install and Configure Snapper

Install snapper and the optional package python3-dnf-plugin-snapper. The python3-dnf-plugin-snapper package allows you to create pre and post snapshots every time you install a package on the system with the dnf package manager.

$ sudo dnf install snapper python3-dnf-plugin-snapper

Create new snapper configurations named root and home for the Btrfs volume at / and /home, respectively.

$ sudo snapper -c root create-config /
$ sudo snapper -c home create-config /home

Verify the snapper configuration files have been created.

$ sudo snapper list-configs
Config | Subvolume
-------+----------
home   | /home    
root   | /

Allow the regular user to list snapshots. Add your user name in the snapper's root and home configurations.

$ sudo snapper -c root set-config ALLOW_USERS=$USER SYNC_ACL=yes
$ sudo snapper -c home set-config ALLOW_USERS=$USER SYNC_ACL=yes

Change the group permissions of the /.snapshots and /home/.snapshots directories to your user name.

$ sudo chown -R :$USER /.snapshots
$ sudo chown -R :$USER /home/.snapshots

Finally, in the /etc/fstab file, add the newly created snapshots subvolumes. The updated lines are displayed in amber.

$ sudo vi /etc/fstab
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /                btrfs defaults,x-systemd.device-timeout=0 0 0
UUID=A070-0BE4                            /boot/efi        vfat  umask=0077,shortname=winnt 0 2
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /home            btrfs subvol=home,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /var/log         btrfs subvol=var/log,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /.snapshots      btrfs subvol=.snapshots,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=9e134c14-b6cc-4269-b164-45769b86abb8 /home/.snapshots btrfs subvol=home/.snapshots,compress=zstd:1,x-systemd.device-timeout=0 0 0

Reload the /etc/fstab file.

$ sudo systemctl daemon-reload
$ sudo mount -va

Your setup should look something like this.

$ lsblk -p /dev/vda
NAME                                                      MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
/dev/vda                                                  252:0    0  100G  0 disk  
├─/dev/vda1                                               252:1    0  512M  0 part  /boot/efi
└─/dev/vda2                                               252:2    0 99.5G  0 part  
  └─/dev/mapper/luks-85681518-63a1-42e8-a3ca-5b07b045250e 253:0    0 99.5G  0 crypt /home/.snapshots
                                                                                    /.snapshots
                                                                                    /var/log
                                                                                    /home
                                                                                    /

And your subvolumes will look like this.

$ sudo btrfs subvolume list /
ID 256 gen 175 top level 5 path home
ID 257 gen 169 top level 5 path var/lib/machines
ID 258 gen 185 top level 5 path var/log
ID 259 gen 181 top level 5 path .snapshots
ID 260 gen 181 top level 256 path home/.snapshots

Enable snapshot booting by appending the SUSE_BTRFS_SNAPSHOT_BOOTING="true" option to the /etc/default/grub file.

$ echo 'SUSE_BTRFS_SNAPSHOT_BOOTING="true"' | sudo tee -a /etc/default/grub

Because snapshot booting is now enabled, you must make changes to the /boot/efi/EFI/fedora/grub.cfg file as well.

$ sudo sed -i '1i set btrfs_relative_path="yes"' /boot/efi/EFI/fedora/grub.cfg

Update the grub.cfg file.

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Finally, disable the GRUB menu auto-hide feature.

$ sudo grub2-editenv - unset menu_auto_hide

The snapper configuration is now complete.

List the snapshots for / volume. For the root, you may use snapper -c root ls or simply snapper ls. Both provide the same output.

$ snapper ls
 # | Type   | Pre # | Date | User | Cleanup | Description | Userdata
---+--------+-------+------+------+---------+-------------+---------
0  | single |       |      | root |         | current     |

List the snapshots for /home subvolume.

$ snapper -c home ls
 # | Type   | Pre # | Date | User | Cleanup | Description | Userdata
---+--------+-------+------+------+---------+-------------+---------
0  | single |       |      | root |         | current     |

At this stage, you do not have any snapshots, we will create some later.

7. Install and Configure Grub-Btrfs

Consider the following scenario: you make a mistake, and the system fails to start properly the next time. You may want to revert to a previously working snapshot and reboot again.

The grub-btrfs package provides this functionality. The package adds "Fedora Linux snapshots" to the GRUB menu and allows you to boot to a snapshot in read-only mode to test it before rolling back to it in read-write mode.

So, clone the grub-btrfs repository.

$ git clone https://github.com/Antynea/grub-btrfs
$ cd grub-btrfs
$ git switch Add-systemd-volatile

The setup is initially configured to work with Arch and Gentoo out of the box. To make it work with Fedora, you must make a few changes to the grub-btrfs config file.

$ sed -i 's/#GRUB_BTRFS_SYSTEMD_VOLATILE=/GRUB_BTRFS_SYSTEMD_VOLATILE=/' config
$ sed -i 's/#GRUB_BTRFS_GRUB_DIRNAME=/GRUB_BTRFS_GRUB_DIRNAME=/' config
$ sed -i '/#GRUB_BTRFS_MKCONFIG=/c\GRUB_BTRFS_MKCONFIG=/sbin/grub2-mkconfig' config
$ sed -i 's/#GRUB_BTRFS_SCRIPT_CHECK=/GRUB_BTRFS_SCRIPT_CHECK=/' config

Then install it.

$ sudo make INITCPIO=true install

Update the grub.cfg file. You will receive the 'No snapshots found' error since you have not yet created any snapshots, but don't worry, it will function properly after you do.

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Finally, enable the grub-btrfs.path

$ sudo systemctl enable --now grub-btrfs.path

Your grub-btrfs installation is now complete. You may now delete the cloned grub-btrfs repository.

$ cd ..
$ rm -rvf grub-btrfs

8. Test the Snapper's Undochange and Rollback Features

I ran several tests to confirm that everything is operating well and that there are no problems. Please see the Tests section of the article "How to Install Fedora 37 with Snapper and Grub-Btrfs for Full System Rollback" for more information.

9. Conclusion

Now that you have installed Fedora 37 with LUKS Full Disk Encryption, snapper, and grub-btrfs, you can now be certain that your data at rest is safe, and if you make a mistake, you can easily roll back to a previous functioning snapshot.

You can also better secure your machine from Evil Maid attacks by using UEFI Secure Boot custom key enrollment and a self-signed kernel and bootloader. Check out my other blog 'Enable Fedora UEFI Secure Boot with Custom Keys and Self-Signed Bootloader, Kernel, and Modules' on how to do this.

If you want to configure the snapper to take snapshots at predetermined intervals. Visit the Arch Wiki’s Snapper page for more information.

guest
4 Comments
Newest
Oldest
Inline Feedbacks
View all comments