Selecting BTRFS in the installer -- LUKS2?

I recently reinstalled Qubes OS R4.0.4 and selected BTRFS with automatic partitioning.

  • sda1 is /boot (ext4)
  • sda2 is swap (“luks-req2”?)
  • sda3 is / (btrfs) called “qubes_dom0”

I want to reseal my SSD/LUKS password with Heads/TPM. But it doesn’t work. Selecting sda3 and saving the password in the TPM is successful, but I then still get the standard Qubes OS LUKS password prompt.

On qubes-users it was mentioned today that LUKS2 requires a newer heads version. Does the above carry any indication that LUKS2 is used?

R4.0.x still uses LUKS1:

$ sudo cryptsetup luksDump /dev/sda3 | grep ^Version:
Version:       	1

I think the issue is that with the LVM layout, a single LUKS device is created and then the root fs and swap are volumes inside of that. But with the Btrfs layout or the “Standard Partition” layout there are two LUKS devices, one for the root fs and one for swap. (Both have the same passphrase, which normally Plymouth will cache on startup after successfully unlocking the first LUKS device, so it can be used automatically for the second, avoiding another passphrase prompt.)

Maybe both LUKS devices could be enrolled in Heads? Alternatively, it’s possible (but kind of fiddly) to convert the swap LUKS device to a raw dm-crypt partition with an ephemeral random key.

I’m sure that dracut will not understand if you do not modify things, and later your generated initramfs will be wrong.

As an example, in my detached header guide, I add the crypt module and use a persistent block UUID and crypttab.

Thank you @rustybird and @51lieal for explaining that there are two LUKS devices now. With this information @tlaurion then explained to me on the osfw slack that I have to enter both encrypted devices when prompted (/dev/sda2 /dev/sda3). Now it works as expected!
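
The two checks from this thread (which LUKS header version is in use, and how many LUKS containers the layout has) can be scripted as below. This is an added example, not part of any poster's message and not code from Heads or Qubes OS; the function names are hypothetical, and it assumes `lsblk` and `cryptsetup` are available in dom0.

```shell
#!/bin/sh
# Added example: find every LUKS container and its header version, so that
# all of them can be named when a boot-time unlock (e.g. Heads/TPM) asks
# for the encrypted devices. Function names are hypothetical.

# Print the block devices whose filesystem type is crypto_LUKS.
# stdin: output of `lsblk -prno NAME,FSTYPE` (full path, then type).
luks_containers() {
    awk '$2 == "crypto_LUKS" { print $1 }'
}

# Print the LUKS header version (1 or 2).
# stdin: output of `cryptsetup luksDump <device>`.
luks_version() {
    awk '$1 == "Version:" { print $2; exit }'
}

# Join the containers into one space-separated line.
# stdin: same as luks_containers.
unlock_list() {
    luks_containers | paste -sd' ' -
}

# Live report, one "device LUKS<version>" line per container.
# Run as root in dom0: it reads the real disks through lsblk and cryptsetup.
report() {
    lsblk -prno NAME,FSTYPE | luks_containers | while read -r dev; do
        printf '%s LUKS%s\n' "$dev" "$(cryptsetup luksDump "$dev" | luks_version)"
    done
}
```

More than one line from `report` means the layout has several LUKS containers, as with the Btrfs and “Standard Partition” layouts described above.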