https://btrfs.wiki.kernel.org/index...._encryption.3F
Btrfs will work on top of dm-crypt.
https://wiki.archlinux.org/index.php...umes_with_swap
https://seravo.fi/2017/secure-flexib...dm-crypt-btrfs

Looks like my response earlier got lost, well here we go again...
Thanks a lot GrayGeek, I had a closer look at the links you provided and it looks like encryption and btrfs is still pretty complicated, especially when one has got only one drive with a single partition.

Well, encrypting my laptop drive is a must have for me hence I will have to give btrfs a pass. But thanks for your help!

No problem. You do what you gota do!

I've been running a 5 GB encrypted file on a btrfs filesystem for almost a year now. I use zulucrypt to access it.

BTRFS and encryption

There you go! Experience speaks better than a WAG.

The advantage I see in your approach is that the 5GB file can be stored independently of your system or home account and that eliminates the risk of a checksum error locking you out of the system at login.


Have you tried the new vault technology? As I understand it you lock a sub directory under your home account. That seems the same or similar.

I lied -- now that I am awake I see it is actually 10 GB.

No, I had never used encryption until about a year ago. I took a consulting assignment and the client requires its business information be kept encrypted when offsite from their office, and I live 35 or 40 miles from there, so it's mostly remote support via e-mail. So I was in a big hurry to figure something out, and happily I found that setting it up with zulucrypt was very straightforward. The decision on the front end is, file or partition? The work is almost entirely documents, so 10 GB is way overkill for the space needed. Therefore I thought an encrypted file, which zulucrypt sees as a container, on my dual-drive btrfs filesystem would be pretty secure and gets backed up with everything else I have there. I could symlink it in to my home directory if I wanted to, but zulucrypt has a "Favorites" feature that lets me set it up for quick access, so there's no point symlinking it as that won't eliminate any steps to access. It is so simple to operate that I'm not very tempted to invest time in vault technology.

Well, that breaks the whole deal!

Container? I can understand encrypting a file or a directory, but it seems that your container is more like a blob database?

It is a luks1 type encrypted blob until you open it.

When you go in through dolphin or the terminal to my btrfs filesystem which is mounted at /mnt/DATA, all you see is a 10 GB file named "Work" sitting there along side my music directory, documents directory, backups directory, etc. Those directories are linked in to my home folder, btw. But, when you run zulucrypt and enter the encryption key to open the file, it gets mounted to /run/media/private/don, then you can see that there are folders and files in it -- just normal linux directories and sub-directories and files. As I mentioned, zulucrypt lets you set it as a "favorite", and so upon running zulucrypt-gui, you can go straight to the blob and open it and voila you're ready to work.

Neat! I’m going to look into zulu

I assume if you install zulucrypt-gui that it will pull in the rest of the packages needed to run an encrypted file or partition. Like I wrote above, the first decision to make is whether a file will do or whether you need an encrypted partition. I'm finding a 10 GB file perfectly satisfactory for a consulting client with lots of documents that need edited, organized into folders, etc.

For the Zulu use case I am using Cryptomator which works better for me because it's also available on Windows and Anroid.

As far as the original question regarding btrfs and encryption is concerned, I have figured it out.
After hours of wrestling with the Kubuntu installer and the suggestions here https://albertodonato.net/blog/posts...-ubuntu-xenial I finally ended up with installing Ubuntu, because only the Ubuntu installer allows to do a custom disk layout + encryption + changing the filesystem type at install time.
Followed by converting Ubuntu into Kubuntu :-/

Here are the steps I had to take:
- Launch Ubuntu from USB stick
- Select test Ubuntu
- Launch installer
- Disk setup: Something else
New partition: Physical for encryption
Change new encrypted partition from ext4 to btrfs
- Reboot
-Install kubuntu-desktop
sddm as display manager
remove Gnome snap apps (calculator, etc.)
- Rsync backup home folder to /home
- Reboot
- Install all my other apps
Done!

:~$ sudo lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL NAME FSTYPE SIZE MOUNTPOINT LABEL
nvme0n1 477G
|-nvme0n1p1 vfat 512M /boot/efi
|-nvme0n1p2 ext4 732M /boot
`-nvme0n1p3 crypto_LUKS 475.7G
`-nvme0n1p3_crypt btrfs 475.7G /home

Maybe this helps someone else at some stage
And now on to the new world of btrfs.

So, is this issue 'Solved' for you then?

There is a concept in physics that states that regardless of the path you take, the difference in energy between the starting point and the ending point are the same.

Well, looks like I will have to put some more energy into this
As I am working through the many btrfs related posts here I realized that I should not work with the swap file automatically created during installation but rather have a separate swap partition.
Ok, easy, resize the btrfs partition and create a swap partition as you described very well here https://www.kubuntuforums.net/showth...swap-partition
But while "btrfs filesystem usage..." shows the new, smaller size I don't see the free space anywhere else. Not in Partition Manager nor in lsblk.

That's likely got to do with the fact that my btrfs file system is inside a crypt volume. So somehow I need to create a new partition inside the crypt volume which I don't seem to be able to as the installer (probably correctly) didn't create a logical volume group.
-nvme0n1p3 259:3 0 475.7G 0 part
`-nvme0n1p3_crypt 253:0 0 475.7G 0 crypt /home

I got the subtle feeling fixing this will turn out to become a first test for the btrfs backup and restore feature...