I recently reinstalled Qubes OS R4.0.4 and selected BTRFS with automatic partitioning.
sda1 is /boot (ext4)
sda2 is swap (“luks-req2”?)
sda3 is / (btrfs) called “qubes_dom0”
I want to reseal my SSD/LUKS password with Heads/TPM. But it doesn’t work. Selecting sda3 and saving the password in the TPM is successful, but I then still get the standard Qubes OS LUKS password prompt.
On qubes-users it was mentioned today that LUKS2 requires a newer heads version. Does the above carry any indication that LUKS2 is used?
I think the issue is that with the LVM layout, a single LUKS device is created and then the root fs and swap are volumes inside of that. But with the Btrfs layout or the “Standard Partition” layout there are two LUKS devices, one for the root fs and one for swap. (Both have the same passphrase, which normally Plymouth will cache on startup after successfully unlocking the first LUKS device, so it can be used automatically for the second, avoiding another passphrase prompt.)
Maybe both LUKS devices could be enrolled in Heads? Alternatively, it’s possible (but kind of fiddly) to convert the swap LUKS device to a raw dm-crypt partition with an ephemeral random key.
Thank you @rustybird and @51lieal for explaining that there are two LUKS devices now. With this information @tlaurion then explained to me on the osfw slack that I have to enter both encrypted devices when prompted (/dev/sda2 /dev/sda3). Now it works as expected!
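The two questions in this thread (is LUKS2 in use, and which devices must be given to Heads) can both be answered from the first eight bytes of each partition's LUKS header. The script below is an added example, not from any poster or from the Heads/Qubes projects; it assumes it runs as root in dom0 and that the device paths match the layout above (the sample headers are constructed, not read from a real disk).

```python
import struct
import sys
from typing import Dict, Optional

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of every LUKS1/LUKS2 primary header


def luks_version(header: bytes) -> Optional[int]:
    """Return the LUKS header version (1 or 2), or None if not a LUKS header."""
    if len(header) < 8 or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", header[6:8])  # big-endian uint16 at offset 6
    return version


def read_header(dev_path: str) -> bytes:
    """Read the first 8 bytes of a block device (requires root)."""
    with open(dev_path, "rb") as f:
        return f.read(8)


def plan_heads_enrollment(headers: Dict[str, bytes]) -> dict:
    """Given {device: first 8 header bytes}, list every LUKS device that has
    to be entered at the Heads reseal prompt (e.g. swap AND root with the
    Btrfs layout) and flag whether any of them is LUKS2."""
    versions = {}
    for dev, hdr in headers.items():
        v = luks_version(hdr)
        if v is not None:
            versions[dev] = v
    return {
        "enroll": sorted(versions),
        "versions": versions,
        "luks2_present": any(v == 2 for v in versions.values()),
    }


# Constructed sample (not real disk data): sda1 is ext4 /boot with no LUKS
# magic, sda2 (swap) and sda3 (root) are two separate LUKS2 devices.
SAMPLE = {
    "/dev/sda1": b"\x00" * 8,
    "/dev/sda2": LUKS_MAGIC + b"\x00\x02",
    "/dev/sda3": LUKS_MAGIC + b"\x00\x02",
}

if __name__ == "__main__":
    # Usage: sudo python3 luks_check.py /dev/sda1 /dev/sda2 /dev/sda3
    devs = sys.argv[1:]
    plan = plan_heads_enrollment({d: read_header(d) for d in devs} if devs else SAMPLE)
    print("enter at Heads prompt:", " ".join(plan["enroll"]))
    print("LUKS2 present (needs newer Heads):", plan["luks2_present"])
```

Without arguments the script runs against the constructed sample; with device paths it reads the real headers, which is the same check `cryptsetup luksDump` performs before printing its "Version:" line.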