How to create encrypted boot partition on external usb drive?

What I want:

To be able to boot from usb drive with 2 partitions:

  1. EFI (filesystem fat32)
  2. Encrypted boot (luks1+ext2 seems to be the only option for grub?).

Version of Qubes OS: R4.2.

I have EFI boot, no CSM, no MBR, nothing like that should be used.

Disks:

Let’s imagine I have an NVMe disk with the usual Qubes OS installation:

  • /dev/nvme0n1p1 - EFI partition installed by Qubes OS (let’s say UUID=$uuid-nvme0n1p1)
  • /dev/nvme0n1p2 - usual boot ext4 partition installed by Qubes OS (UUID=$uuid-nvme0n1p2)
  • /dev/nvme0n1p3 - usual luks2+lvm with Qubes OS (UUID=$uuid-nvme0n1p3)

And a usb drive:

  • /dev/sda1 - EFI partition, empty (UUID=$uuid-sda1)
  • /dev/sda2 - luks1 partition (UUID=$uuid-sda2) with an ext2 filesystem inside (UUID=$uuid-sda2-boot)

What exactly should I do from this point?

P.S. I have read articles like the ones linked below, and some others, several times, but they are not consistent with each other, are somewhat outdated, contain unrelated material, and did not work for me. In my case GRUB does not ask for a password and fails with "error: no such device".

I think the main problem is the proper modification of the GRUB configs in Qubes OS. There is almost zero documentation for Qubes OS on this, and completely zero for the encrypted boot case.
If I manually go to the grub2 command line and type something like: cryptomount (hd0,gpt2) it WILL ask for a password. And if I then say root=(crypto0) and exit - it WILL boot to the initramfs (from sda2), and then the system is fine.

So, the main problem is how to edit /etc/default/grub properly and run something like grub2-mkconfig. I hope for a solution that could be updated by attaching sda1 and sda2 to dom0 via qvm-block, mounting them, and then running the system update the usual way.

So, please help.