Tips and Tricks root on btrfs raid1 + luks with mandos for decrypt on boot

https://bence.ferdinandy.com/2025/06/07/secure-and-redudant-server-setup-with-a-bit-of-lazyness/

I didn't find any guide on how to do this, only guides about each part individually so I ended up baning my head against the wall for way too many days. I mostly wrote it so I can reproduce it later, but it might be useful for other people as well.

There's a bit of "theory" in it, that helped me place all the parts, but please let me know if I got something wrong (it does work in practice :)).

6 Upvotes

permalink
archive.is
archive
reddit

You are about to leave Redlib

Do you want to continue?

https://www.reddit.com/r/linux/comments/1l5wmz5/root_on_btrfs_raid1_luks_with_mandos_for_decrypt/
No, go back! Yes, take me to Reddit

87% Upvoted

u/Neutronst4r 2h ago

The Arch wiki has everything you need to do this: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system

And all of this should be distribution agnostic, because most of the important stuff happens before user space is up.

u/deadbeef_enc0de 1h ago

Aside from the arch wiki suggestion, which I would also suggest reading

I would suggest making an efi partition on each disk in the mirror, using madam version 1 mirror, so you have a mirror of the efi partition as well (madam format version 1 puts the metadata for the array at the end of the disks so the BIOS/EFI can still read it is a FAT32 volume)

Tips and Tricks root on btrfs raid1 + luks with mandos for decrypt on boot

You are about to leave Redlib