add support for booting snapshots on LUKS encrypted disk

41_snapshots-btrfs

@@ -122,6 +122,25 @@ boot_uuid_subvolume=$(awk -F":" 'match($1, /(^[ \t]+UUID)/) {sub(/^[ \t]+/, "",
 boot_hs=$(${grub_probe} --device ${boot_device} --target="hints_string" 2>/dev/null) # hints string
 boot_fs=$(${grub_probe} --device ${boot_device} --target="fs" 2>/dev/null) # Type filesystem of boot device
 
+# Enable LUKS encrypted devices support
+case "$(echo "$GRUB_BTRFS_ENABLE_CRYPTODISK" | tr '[:upper:]' '[:lower:]')" in
+ true)
+ list_insmods=()
+ list_insmods+=("insmod gzio")
+ list_insmods+=("insmod part_gpt")
+ list_insmods+=("insmod cryptodisk")
+ list_insmods+=("insmod luks")
+ list_insmods+=("insmod gcry_rijndael")
+ list_insmods+=("insmod gcry_rijndael")
+ list_insmods+=("insmod gcry_sha256")
+ list_insmods+=("insmod ${boot_fs}")
+ list_insmods+=("cryptomount -u $(echo $GRUB_CMDLINE_LINUX_DEFAULT | grep -o -P '(?<=cryptdevice=UUID=).*(?=:cryptdev)')")
+ ;;
+ *)
+ list_insmods=("insmod ${boot_fs}")
+ ;;
+esac
+
 ## Parameters passed to the kernel
 kernel_parameters="$GRUB_CMDLINE_LINUX $GRUB_CMDLINE_LINUX_DEFAULT $GRUB_BTRFS_SNAPSHOT_KERNEL_PARAMETERS"
 ## Mount point location
@@ -218,8 +237,12 @@ make_menu_entries()
  if [ x\$feature_all_video_module = xy ]; then
  insmod all_video
  fi
- set gfxpayload=keep
- insmod ${boot_fs}
+ set gfxpayload=keep"
+ for j in "${insmods[@]}"; do
+ entry "\
+ ${j}"
+ done
+ entry "\
  if [ x\$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root ${boot_hs} ${boot_uuid}
  else
@@ -541,6 +564,7 @@ boot_bounded()
  detect_rootflags
  title_format
  boot_dir_root_grub="$(make_system_path_relative_to_its_root "${boot_dir}")" # convert "boot_directory" to root of GRUB (e.g /boot become /)
+ insmods=("${list_insmods[@]##*"/"}")
  make_menu_entries
  # show snapshot found during run "grub-mkconfig"
  if [ "${GRUB_BTRFS_SHOW_SNAPSHOTS_FOUND:-"true"}" = "true" ]; then

README.md

@@ -274,6 +274,10 @@ After that, the daemon should be restarted with:
 sudo rc-service grub-btrfsd restart
 ```
 
+##### 🔒 Snapshots on LUKS encrypted devices
+By default, grub-btrfs generates entries that does not load modules for dealing with encrypted devices.
+Enable the `GRUB_BTRFS_ENABLE_CRYPTODISK` variable in `/etc/default/grub-btrfs/config` to load said modules and then execute the steps to mount encrypted root after selecting the snapshot.
+
 - - -
 ### Troubleshooting
 If you experience problems with grub-btrfs don't hesitate [to file an issue](https://github.com/Antynea/grub-btrfs/issues/new/choose).

config

@@ -158,3 +158,7 @@ GRUB_BTRFS_IGNORE_PREFIX_PATH=("var/lib/docker" "@var/lib/docker" "@/var/lib/doc
 # doesn't work if GRUB_BTRFS_PROTECTION_AUTHORIZED_USERS isn't empty
 # Default: "false"
 #GRUB_BTRFS_DISABLE_PROTECTION_SUBMENU="true"
+
+# Enable booting from snapshots stored on LUKS encrypted devices
+# Default: "false"
+#GRUB_BTRFS_ENABLE_CRYPTODISK="true"

manpages/grub-btrfs.8.man

@@ -102,6 +102,14 @@ Default: “false”
 .IP \(em 4
 Example: \fCGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION="true"\fP
 
+.SS "\GRUB_BTRFS_ENABLE_CRYPTODISK\fP"
+.PP
+Enable booting from snapshots stored on LUKS encrypted devices
+.IP \(em 4
+Default: “false”
+.IP \(em 4
+Example: \GRUB_BTRFS_ENABLE_CRYPTODISK="true"\fP
+
 .SS "CUSTOM KERNELS"
 .SS "\fCGRUB_BTRFS_NKERNEL\fP / \fCGRUB_BTRFS_NINIT\fP / \fCGRUB_BTRFS_CUSTOM_MICROCODE\fP"
 .PP

manpages/grub-btrfs.8.org

@@ -73,6 +73,11 @@ Change to "true" if your boot partition is not detected as separate.
 - Default: "false"
 - Example: ~GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION="true"~
 
+*** ~GRUB_BTRFS_ENABLE_CRYPTODISK~
+Enable booting from snapshots stored on LUKS encrypted devices
+- Default: "false"
+- Example: ~GRUB_BTRFS_ENABLE_CRYPTODISK="true"~
+
 ** CUSTOM KERNELS
 
 *** ~GRUB_BTRFS_NKERNEL~ / ~GRUB_BTRFS_NINIT~ / ~GRUB_BTRFS_CUSTOM_MICROCODE~