
#1 2014-02-25 00:40:43

yoaquim
Member
Registered: 2014-02-24
Posts: 3

grub install error: cryptodisk not enabled

I'm installing Arch on a ThinkPad T61 and, up until now, it's all been pretty smooth. I'm encrypting using LUKS+LVM and I've been following this guide to set it up; I've also been following the beginner's guide.

The error I'm getting when doing grub-install --target=i386-pc --recheck /dev/sda is:

grub-install:error: attempt to install to encrypted disk without cryptodisk enabled. Set 'GRUB_ENABLE_CRYPTODISK=1' in file '/etc/default/grub'

and I tried that, but to no avail (also read somewhere I didn't have to actually edit anything).

I'm on a BIOS setup, so I created 3 partitions:

sda1 - BIOS compatibility partition for GPT
sda2 - /boot
sda3 - the lvm with the mapping container

Before that grub install fail message, I get several of these:

/run/lvm/lvmetad.socket: connect failed: No such file or directory

with a title of WARNING: Failed to connect to lvmetad: No such file or directory. Falling back to internal scanning.

Bit of a Linux rookie here. Help?

Thanks.


#2 2014-02-28 22:36:52

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: grub install error: cryptodisk not enabled

You have to install grub to your bios compat partition: /dev/sda1
Have a look here: https://wiki.archlinux.org/index.php/Gr … structions
The cryptodisk error is misleading and should go away then. The other error is mentioned in the guide you link and can be ignored accordingly.


#3 2014-03-01 18:06:02

itektur
Member
Registered: 2014-03-01
Posts: 19

Re: grub install error: cryptodisk not enabled

I'm trying to install Arch in VirtualBox today, and I run into the very same error. However, there is no such "BIOS compat" partition in my setup because this is only a dry run for my real machine (where there will be no such partition either, just plain old MBR). I booted from ipxe_text.iso and followed some guide, so my installation process looks something like this right now:

cfdisk 
# /dev/sda1 for /boot (type 83 (Linux)), boot-flag
# /dev/sda2 for LVM (type 8E (Linux LVM))

mkfs -t ext4 /dev/sda1

modprobe dm-crypt
cryptsetup --use-random -c aes-xts-plain -y -s 512 luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 lvm
pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm

lvcreate -L 20GB -n sysroot main
lvcreate -l 100%FREE -n homeroot main

mkfs -t ext4 /dev/mapper/main-sysroot
mkfs -t ext4 /dev/mapper/main-homeroot

vi /etc/pacman.d/mirrorlist

mount /dev/mapper/main-sysroot /mnt/

pacstrap /mnt base

mkdir -p /mnt/home
mount /dev/mapper/main-homeroot /mnt/home
genfstab -U -p /mnt >> /mnt/etc/fstab

arch-chroot /mnt

echo "thehostname" > /etc/hostname

ln -s /usr/share/zoneinfo/SOME/PLACE /etc/localtime

vi /etc/locale.gen 
locale-gen
locale > /etc/locale.conf

echo "KEYMAP=xx" >> /etc/vconsole.conf

vi /etc/mkinitcpio.conf
# HOOKS="... block keyboard keymap encrypt lvm2 filesystems fsck ..."

mkinitcpio -p linux

passwd 

pacman -S grub
vi /etc/default/grub
# Change
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
# to
# GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:main"

# Dunno which one to run first here:
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=i386-pc --recheck --debug /dev/sda

(Note that I run grub-install for /dev/sda and not /dev/sda1. I tried sda1 but this resulted in the very same error.)

grub-install then dumps some info lines and an error line, saying something like this:

grub-install: info: Scanning for lvm devices on disk crypto0.
grub-install: info: Found array main.
grub-install: info: Inserting crypto0 (+0,XXX) into main (lvm).
grub-install: info: no partition map found for lvmid/xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxx/xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxx.
grub-install: info: no partition map found for crypto0.
grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=1' in file `/etc/default/grub'..

I also got all the other errors and warnings yoaquim mentioned, I tried GRUB_ENABLE_CRYPTODISK=1 and so on.

Any idea what's wrong here?


#4 2014-03-01 20:45:09

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: grub install error: cryptodisk not enabled

@itektur: welcome to the forums. When I read your install notes, you don't appear to mount /dev/sda1 to /mnt/boot for starters. You need to do that in any case.

I'm unsure about the cryptodisk error. There are some commits about it, but they seem to be in the grub beta1 package already which you use now I reckon.
(In any case using syslinux instead would be a very swift work-around, if you want to continue)


#5 2014-03-02 13:23:54

itektur
Member
Registered: 2014-03-01
Posts: 19

Re: grub install error: cryptodisk not enabled

@Strike0: Thank you very much. You're right, I didn't mount /dev/sda1 on /mnt/boot. Now that I do so, it definitely makes much more sense and grub-install for /dev/sda runs without any errors.

However, there is still a problem left. When I try to boot my newly installed Arch, hooks like udev, lvm2 and keymap finish successfully. However, I don't get a prompt to enter the passphrase for my encrypted partition. Instead, when the system is "running hook [encrypt]", these messages do appear:

Waiting 10 seconds for device /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ...
Waiting 10 seconds for device /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ...
ERROR: device 'UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' not found. Skipping fsck.
ERROR: Unable to find root device 'UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.

(The UUID here belongs to the encrypted system partition.) Then I get a recovery shell.

I worked around the problem by opening the LUKS device manually in this case:

cryptsetup luksOpen /dev/sda2 lvm

After entering the passphrase and exiting from the recovery shell, the boot process resumes and finishes successfully.

I think I messed up the HOOKS line in /etc/mkinitcpio.conf while installing, but I'm not sure. (The installation guide I use tells me that I did it the correct way.) How do I fix this?

(By the way, I switched to archlinux-2014.03.01-dual.iso for the installation process, so I don't use ipxe_text.iso anymore.)

EDIT:
I don't know whether this is only because I tried to fix this by myself, but now I see an entry (the last entry in this case) in GRUB saying "Advanced options for Arch Linux" and when I choose this, I get another menu with only one entry "Arch Linux, with Linux linux". (I think the lowercase "linux" is from what I passed to mkinitcpio while installing.) When I use this entry, I automatically get a prompt for the passphrase and things seem to work as expected.

However, there are three other entries in GRUB that are quite useless. The only option that actually works is the fourth, and this is also not the default option:

Arch Linux pkg-linux kernel
Arch Linux pkg-linux kernel (fallback initramfs)
Arch Linux
Advanced options for Arch Linux

I wonder how I can make GRUB use "my" option by default and offer another "fallback initramfs" entry for "my" option as well. (I think I don't need any other entries right now.) It would be nice if someone who is more used to GRUB than I am wants to help me here as well.

Last edited by itektur (2014-03-02 15:58:00)


#6 2014-03-02 16:04:06

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: grub install error: cryptodisk not enabled

What does your grub/cfg file actually look like?


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository


#7 2014-03-02 16:54:18

itektur
Member
Registered: 2014-03-01
Posts: 19

Re: grub install error: cryptodisk not enabled

@clfarron4: Thank you for your help. Are you talking about /etc/default/grub or /boot/grub/grub.cfg?

/boot/grub/grub.cfg

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if loadfont unicode ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_archlinux ###

menuentry "Arch Linux pkg-linux kernel" --class arch-linux --class arch --class gnu-linux --class gnu --class os {
    if [ x$feature_all_video_module = xy ]; then
        insmod all_video
    fi
    set gfxpayload=keep
    insmod ext2
    if [ x$feature_platform_search_hint = xy ]; then
        search --no-floppy --fs-uuid  --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  fa72ea8c-5072-4bcb-b479-c0573cbacd0d
    else
        search --no-floppy --fs-uuid  --set=root fa72ea8c-5072-4bcb-b479-c0573cbacd0d
    fi
    echo 'Loading Arch Linux pkg-linux kernel ...'
    linux /vmlinuz-linux root=UUID=6025759a-20fd-4240-a5bb-0a90ea7d46cb rw  cryptdevice=/dev/sda2:main
    echo 'Loading Arch Linux pkg-linux kernel initramfs ...'
    initrd /initramfs-linux.img
}


menuentry "Arch Linux pkg-linux kernel (fallback initramfs)" --class arch-linux --class arch --class gnu-linux --class gnu --class os {
    if [ x$feature_all_video_module = xy ]; then
        insmod all_video
    fi
    set gfxpayload=keep
    insmod ext2
    if [ x$feature_platform_search_hint = xy ]; then
        search --no-floppy --fs-uuid  --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  fa72ea8c-5072-4bcb-b479-c0573cbacd0d
    else
        search --no-floppy --fs-uuid  --set=root fa72ea8c-5072-4bcb-b479-c0573cbacd0d
    fi
    echo 'Loading Arch Linux pkg-linux kernel ...'
    linux /vmlinuz-linux root=UUID=6025759a-20fd-4240-a5bb-0a90ea7d46cb rw  cryptdevice=/dev/sda2:main
    echo 'Loading Arch Linux pkg-linux kernel fallback initramfs ...'
    initrd /initramfs-linux-fallback.img
}

### END /etc/grub.d/10_archlinux ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-6025759a-20fd-4240-a5bb-0a90ea7d46cb' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_msdos 
	insmod ext2
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  fa72ea8c-5072-4bcb-b479-c0573cbacd0d
	else
	  search --no-floppy --fs-uuid --set=root fa72ea8c-5072-4bcb-b479-c0573cbacd0d
	fi
	echo	'Loading Linux linux ...'
	linux	/vmlinuz-linux root=UUID=6025759a-20fd-4240-a5bb-0a90ea7d46cb rw  cryptdevice=/dev/sda2:main
	echo	'Loading initial ramdisk ...'
	initrd	/initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-6025759a-20fd-4240-a5bb-0a90ea7d46cb' {
	menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-6025759a-20fd-4240-a5bb-0a90ea7d46cb' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_msdos 
		insmod ext2
		set root='hd0,msdos1'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  fa72ea8c-5072-4bcb-b479-c0573cbacd0d
		else
		  search --no-floppy --fs-uuid --set=root fa72ea8c-5072-4bcb-b479-c0573cbacd0d
		fi
		echo	'Loading Linux linux ...'
		linux	/vmlinuz-linux root=UUID=6025759a-20fd-4240-a5bb-0a90ea7d46cb rw  cryptdevice=/dev/sda2:main
		echo	'Loading initial ramdisk ...'
		initrd	/initramfs-linux.img
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

### BEGIN /etc/grub.d/60_memtest86+ ###
### END /etc/grub.d/60_memtest86+ ###

/etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:main"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter 
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper 
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

#GRUB_SAVEDEFAULT="true"


#8 2014-03-02 20:39:49

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: grub install error: cryptodisk not enabled

You have created this:

yoaquim wrote:

I'm on a BIOS setup, so I created 3 partitions:

sda1 - BIOS compatibility partition for GPT
sda2 - /boot
sda3 - the lvm with the mapping container

but done this:

itektur wrote:

/etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:main"

That should be:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda3:main"

and then regenerate your grub file.

Last edited by clfarron4 (2014-03-02 20:48:33)



#9 2014-03-02 21:29:28

itektur
Member
Registered: 2014-03-01
Posts: 19

Re: grub install error: cryptodisk not enabled

@clfarron4: Your post might help yoaquim. Note, however, that I am not yoaquim. (I thought that you were talking to me. Sorry for the confusion, I ran into the same problems yoaquim has/had, so I didn't create a new thread but used this one instead.)


#10 2014-03-03 10:21:58

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: grub install error: cryptodisk not enabled

itektur wrote:

@clfarron4: Your post might help yoaquim. Note, however, that I am not yoaquim. (I thought that you were talking to me. Sorry for the confusion, I ran into the same problems yoaquim has/had, so I didn't create a new thread but used this one instead.)

¬¬ You should have opened your own thread, because you are VBox-ing.



#11 2014-03-03 15:54:03

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,804

Re: grub install error: cryptodisk not enabled

The moderators received a comment on this thread. Let us please return our focus to OP's issue. It would seem we have inadvertently become sidetracked.
Thanks


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#12 2014-03-03 17:20:34

yoaquim
Member
Registered: 2014-02-24
Posts: 3

Re: grub install error: cryptodisk not enabled

Sorry I took so long to reply (took some time off). Since I had to get up-and-running quick, went ahead and set up Arch without any encryption; everything's working as it should. Eventually I will redo installation (kinda need encryption). I think I see the error now:

I'm telling grub the default encrypted drive to load is sda2, but I actually need to load sda3? Also, when I installed grub I did it under chroot, which I assume is in sda3, so I'm guessing GRUB got installed in the encrypted partition and it should have been installed in sda2 (non-encrypted partition)?

Thanks!


#13 2014-03-03 19:27:14

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: grub install error: cryptodisk not enabled

Your bootloader grub needs to place its files on the /boot partition, which according to your initial post is sda2. And your cryptdevice has to point to sda3. If your grub runs now on gpt sda2 and boots fine, you might actually be able to skip the grub install step when reinstalling with encryption. All you need to do then is configure the cryptdevice= bootloader option (please have a look at the wiki again, the layout you use is actually described there).
Now that you have installed, you can also post your exact drive layout and settings you anticipate to use with encryption.

@ewaller: at the expense of getting sidetracked: Are those wings on the back? Nice new picture.

edit: @yoaquim - Maybe in the meantime (before re-install) you want to use an encrypted container for whatever particularly sensitive you have. I just browsed the wiki again, setting up such a container is pretty simple:
https://wiki.archlinux.org/index.php/Dm … oop_device

Last edited by Strike0 (2014-03-03 19:41:45)
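
The two checks that resolve this thread (mount the /boot partition before running grub-install, and point cryptdevice= at the LUKS partition rather than at /boot), as an added example that is not part of any post. It assumes cryptdevice= is given as a /dev path; the function names, file names and sample data (the sda2 = /boot, sda3 = LUKS layout with a volume group called main) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names and sample data are constructed.
# Assumes cryptdevice= is written as a /dev path (not UUID=...).

cryptdevices_in_cfg() {   # GRUB_CFG -> device of each cryptdevice=DEV:NAME on "linux" lines
    awk '$1 == "linux" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^cryptdevice=/) {
                dev = $i; sub(/^cryptdevice=/, "", dev); sub(/:.*$/, "", dev); print dev
            }
    }' "$1" | sort -u
}

blkid_type() {   # DEVICE BLKID_FILE -> TYPE value from saved `blkid` output
    awk -v dev="$1:" '$1 == dev {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^TYPE=/) { t = $i; gsub(/^TYPE="|"$/, "", t); print t }
    }' "$2"
}

# Return 0 only if /boot is its own mount and every cryptdevice= is a LUKS container.
check_boot_setup() {   # GRUB_CFG BLKID_FILE MOUNTS_FILE (/proc/mounts format)
    cbs_rc=0
    if ! awk '$2 == "/boot" { found = 1 } END { exit !found }' "$3"; then
        echo "FAIL: no filesystem mounted on /boot (mount it before grub-install)"
        cbs_rc=1
    fi
    cbs_devs=$(cryptdevices_in_cfg "$1")
    [ -n "$cbs_devs" ] || { echo "FAIL: no cryptdevice= on any linux line"; cbs_rc=1; }
    for cbs_dev in $cbs_devs; do
        cbs_type=$(blkid_type "$cbs_dev" "$2")
        if [ "$cbs_type" = crypto_LUKS ]; then
            echo "ok: cryptdevice=$cbs_dev is a LUKS container"
        else
            echo "FAIL: cryptdevice=$cbs_dev is '${cbs_type:-untyped}', not crypto_LUKS"
            cbs_rc=1
        fi
    done
    return "$cbs_rc"
}

make_samples() {   # DIR: write constructed inputs (sda2 = /boot, sda3 = LUKS)
    for n in 2 3; do
        cat > "$1/grub-sda$n.cfg" <<EOF
menuentry "Arch Linux" {
    linux /vmlinuz-linux root=/dev/mapper/main-sysroot rw cryptdevice=/dev/sda$n:main
}
EOF
    done
    printf '%s\n' '/dev/sda2: UUID="0000-constructed-2" TYPE="ext4"' \
        '/dev/sda3: UUID="0000-constructed-3" TYPE="crypto_LUKS"' > "$1/blkid.txt"
    printf '%s\n' '/dev/mapper/main-sysroot / ext4 rw 0 0' \
        '/dev/sda2 /boot ext4 rw 0 0' > "$1/mounts.txt"
}

d=$(mktemp -d) && make_samples "$d"
check_boot_setup "$d/grub-sda2.cfg" "$d/blkid.txt" "$d/mounts.txt" || echo "=> fix cryptdevice=, rerun grub-mkconfig"
check_boot_setup "$d/grub-sda3.cfg" "$d/blkid.txt" "$d/mounts.txt"
```

On a real install, run it inside the chroot with /boot/grub/grub.cfg, the saved output of blkid, and /proc/mounts as the three arguments.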
