What do you backup with dejadup? Everything under /home?
yeh if I encrypt /home using luks with passphrase, so cryptsetup. How do I tell the OS to decrypt it? I tried passphrase before and it cannot boot because /home cannot be mounted. That is why I searched and found out about the Arch wiki way: using keyfile stored in root.
I have Fedora on my work laptop and vanilla Arch on my tinkering laptop.
I think instead of thinking about “set it and forget it”, you might want to think about “if shit happens, how fast can I fix it?”. That is because stuff breaks or there are bugs. If you use a very old and LTS distro, you might be comfortable but there might be bugs that do not get fixed until much later. E.g.: Debian’s kernel used to be able to suspend-then-hibernate, then they jumped to one that cannot. So if you want that feature back, you need to wait… until Debian catches up with mainline’s fixes.
So if you only use your computer for web, email, movie. Then any distro will work.
Now, imo there are 2 types of problems in Linux:
Pop OS would be #1 choice just because it has a “Recovery Partition” with live environment. You can reinstall the entire OS while you’re on the plane, without wifi or any USB.
Arch would be #2 here, just because the arch iso is so good. It is minimal and has all the tools you need to fix stuff: partitions, wifi…etc. Plus, it boots in tty so it is faster for fixing.
So the TLDR for you is: pick Pop OS for the recovery partition. Also, use btrfs. Lastly, configure your disk nicely, i.e. don’t do any crazy LVM encryption, just use a standard layout so when the time comes to fix it, it is easier.
Hmm, thanks, I’m gonna try that script you linked in the Artix wiki. Haven’t seen that one before so it’s worth a shot. What I usually see is some systemd unit scripts. Gtlock looks neat as well, does swaylock give you problems too?
The only robust and no BS lock combo so far, imo, is Regolith i3wm.
For some reason, and whatever black magic was used, this Frankenstein combo of i3 and GNOME works every single time. The downside is their configs are soooo messy. It is very hard to use whatever you have in vanilla i3 for Regolith.
Interesting, so you just back up your ~/.password-store directory? You use the same thing on Android or something else?
I am using KeePass, it generates passwords and also TOTP. Works fine but I want to switch to something more Linuxy. KeePass is great but you really depend on a 3rd party.
The GNU pass encrypts using gpg? How do you transfer between devices, using cloud?
Do you script it so when it is an eBay/Amazon link, LibreWolf is opened? Or you just remember to do so?
Funny how with sooooo many updates, Windows is still very vulnerable. You buy a Windows PC, you better equip antivirus software too; it is like bread and butter. On Linux and also Mac, you never need to worry about these things.
Well, thanks everyone. I finally managed to get it to work on Arch. The system has separate encrypted root and swap in LVM, and a separate encrypted home. It can suspend and hibernate. Below are my steps.
DISK PREP
Partition the main drive for your swap and root first. For me, it is a boot partition + an EFI + a LUKS container with LVM on top. Create your volumes. I use Arch, so format and mount them appropriately before pacstrap. Leave out the mount point for /home.
Go to your other drive, follow: https://www.cyberciti.biz/hardware/cryptsetup-add-enable-luks-disk-encryption-keyfile-linux/
to create a LUKS container that is encrypted with: a keyfile and a password. Test both to make sure you can open the locked drive. Format and mount it at /mnt/home or where you want the /home to be.
Important: Make sure to copy the keyfile from your archiso environment to your chroot environment, aka your system. Otherwise, when you reboot, the keyfile is gone. I put it in /root and set permissions so only root can read it.
AUTOMATIC UNLOCK
First, fstab. When you do genfstab, things should be fine. But just double check the UUID is correct for /home. Note in fstab, the UUID is the unlocked one: so the one with /dev/mapper/home. Change to noatime if you desire.
Second, crypttab. Assume you decrypt your LUKS home as “home”. Add this:
home    <uuid of the unencrypted home drive>    <location of the keyfile>    luks
The link above said to just use /dev/sda, but imo UUID is safer if you have a removable drive.
“rd.luks.uuid=UUID of the locked luks home drive”
FOR HIBERNATION
For some reason, hibernation doesn’t work out of the box. It works when I have everything in 1 drive, i.e. 1 boot, 1 efi, 1 lvm on luks for /home, swap and /. The fix is simple:
Add “resume” to /etc/mkinitcpio.conf. Add it before “filesystems”. Rebuild your initramfs with mkinitcpio -P.
Add to /etc/default/grub: “resume= uuid of the unlocked swap partition”. Or if you do LVM, just use “resume=/dev/vg/swap”.
Special thanks to [email protected] and [email protected] for giving me correct ideas about “rd.luks.uuid” and that LUKS can do both pass and keyfile.
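The checks this setup depends on (a keyfile only root can read, a crypttab entry that names the keyfile with the luks option, and resume listed before filesystems in HOOKS), as an added example that is not part of the original post. The mapping name home and the file paths follow the post; the function names and the --live flag are made up here, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for a keyfile-unlocked /home before rebooting.

# Keyfile must belong to the expected uid (0 = root) and have mode 400 or 600.
check_keyfile() {
    local file=$1 want_uid=${2:-0} mode uid
    [ -f "$file" ] || { echo "missing keyfile: $file"; return 1; }
    mode=$(stat -c %a "$file"); uid=$(stat -c %u "$file")
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, expected $want_uid"; return 1; }
    case $mode in
        400|600) echo "ok: mode $mode" ;;
        *) echo "mode $mode: expected 400 or 600"; return 1 ;;
    esac
}

# Print the keyfile field of mapping NAME from a crypttab file. Fails if the
# entry is missing, has no keyfile (none or -), or lacks the luks option.
crypttab_keyfile() {
    local tab=$1 name=$2
    awk -v n="$name" '
        $1 == n {
            found = 1
            if ($3 == "" || $3 == "none" || $3 == "-") { print "no keyfile set"; exit 2 }
            if (index("," $4 ",", ",luks,") == 0) { print "luks option missing"; exit 3 }
            print $3; exit 0
        }
        END { if (!found) { print "no entry for " n; exit 1 } }
    ' "$tab"
}

# HOOKS in mkinitcpio.conf must list resume before filesystems.
hooks_resume_ok() {
    local conf=$1 hooks h seen=0
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$conf" | tail -n 1)
    for h in $hooks; do
        [ "$h" = resume ] && seen=1
        [ "$h" = filesystems ] && { [ "$seen" = 1 ] && return 0; break; }
    done
    echo "resume must come before filesystems in HOOKS"; return 1
}

# Check the installed system only when asked: ./check-home-unlock.sh --live
if [ "${1:-}" = "--live" ]; then
    kf=$(crypttab_keyfile /etc/crypttab home) && check_keyfile "$kf" \
        && hooks_resume_ok /etc/mkinitcpio.conf
fi
```

Run it with --live as root from the installed system or the chroot, before the first reboot.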