
#1 2014-05-07 01:10:00

chpatton013
Member
Registered: 2014-05-07
Posts: 4

[SOLVED] Why isn't my fully automated installer working?

I've been working on a simple fully-automated installer for ArchLinux recently.

  • I started with a basic three-partition system; that made a bootable system.

  • I added LVM and several more logical partitions; that worked also.

  • I'm now trying to add LUKS encryption; that isn't working.

I want to have LUKS inside of LVM for more flexibility. For a BIOS system with a single disk and a GPT label, that should look something like this:

Raw Partitions
+-----------+------+-------+-----------+
| Partition | Name | Size  | Flags     |
+-----------+------+-------+-----------+
| /dev/sda1 | grub | 2MB   | bios_grub |
| /dev/sda2 | boot | 200MB | boot      |
| /dev/sda3 | lvm  |       | lvm       |
+-----------+------+-------+-----------+

LVM Partitions
+-------------+--------------+-------+------+
| LVM Device  | LUKS Device  | Name  | Size |
+-------------+--------------+-------+------+
| LvmDvc-root | LuksDvc-root | root  | 2GB  |
| LvmDvc-home | LuksDvc-home | home  | 2GB  |
| LvmDvc-var  | LuksDvc-var  | var   | 1G   |
| LvmDvc-usr  | LuksDvc-usr  | usr   | 1G   |
| LvmDvc-swap | LuksDvc-swap | swap  | 4G   |
+-------------+--------------+-------+------+

LvmDvc-root is decrypted to LuksDvc-root using a passphrase.

All other LVM devices are decrypted using keys stored in /etc/cryptkeys.

Partitions are mounted as:

/dev/mapper/LuksDvc-root -> /
/dev/sda2                -> /boot
/dev/mapper/LuksDvc-home -> /home
/dev/mapper/LuksDvc-var  -> /var
/dev/mapper/LuksDvc-usr  -> /usr

From what I can tell, disk partitioning and system install work just fine. I receive a slew of errors about lvmetad not being loaded during grub configuration, but the documentation in Arch's wiki indicates this is a non-issue (https://wiki.archlinux.org/index.php/GR … _systems_2). I also receive these same errors in the previous version of my script (using LVM, but not LUKS), and it produces a bootable system. So I don't think this error message indicates a problem.

When I boot the system, I get through GRUB just fine. I am presented with a dialogue to decrypt the root partition:

A password is required to access the LuksDvc-root volume:
Enter passphrase for /dev/mapper/LvmDvc-root:

I enter the passphrase used during installation, and receive this message:

No key available with this passphrase.

I'm using a very simple passphrase for testing (asdfasdf), so I doubt I'm messing it up. I can decrypt and mount the whole system from the live installer without incident; I just can't make it happen at boot.

I'm not sure what information would be most helpful for solving this. Here is the script I use to install the system:

#!/usr/bin/env bash
set -ex -o pipefail -o nounset

# Raw Partitioning

parted --script --align optimal -- /dev/sda mklabel gpt

parted --script --align optimal -- /dev/sda mkpart primary 2 4
parted --script --align optimal -- /dev/sda name 1 bios_grub
parted --script --align optimal -- /dev/sda set 1 bios_grub on

parted --script --align optimal -- /dev/sda mkpart primary 4 204
parted --script --align optimal -- /dev/sda name 2 boot
parted --script --align optimal -- /dev/sda set 2 boot on

parted --script --align optimal -- /dev/sda mkpart primary 204 -1
parted --script --align optimal -- /dev/sda name 3 lvm
parted --script --align optimal -- /dev/sda set 3 lvm on

# LVM Partitioning

pvcreate -ff --yes /dev/sda3
vgcreate LvmDvc /dev/sda3
lvcreate --zero y --wipesignatures y --name root --size 2G LvmDvc
lvcreate --zero y --wipesignatures y --name home --size 2G LvmDvc
lvcreate --zero y --wipesignatures y --name var --size 1G LvmDvc
lvcreate --zero y --wipesignatures y --name usr --size 1G LvmDvc
lvcreate --zero y --wipesignatures y --name swap --size 4G LvmDvc

# Root Partition

echo asdfasdf | cryptsetup -q --key-file - luksFormat /dev/mapper/LvmDvc-root
echo asdfasdf | cryptsetup -q --key-file - luksOpen /dev/mapper/LvmDvc-root LuksDvc-root
mkfs.ext4 -q /dev/mapper/LuksDvc-root

mkdir -p /mnt/archbox
mount /dev/mapper/LuksDvc-root /mnt/archbox

# Boot Partition

mkfs.ext4 -q /dev/sda2

# Encrypted Partitions

mkdir -p /mnt/archbox/etc/cryptkeys
chmod 400 /mnt/archbox/etc/cryptkeys

dd if=/dev/random of=/mnt/archbox/etc/cryptkeys/home bs=512 count=4 iflag=fullblock
chmod 400 /mnt/archbox/etc/cryptkeys/home
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/home luksFormat /dev/mapper/LvmDvc-home
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/home luksOpen /dev/mapper/LvmDvc-home LuksDvc-home
mkfs.ext4 -q /dev/mapper/LuksDvc-home

dd if=/dev/random of=/mnt/archbox/etc/cryptkeys/var bs=512 count=4 iflag=fullblock
chmod 400 /mnt/archbox/etc/cryptkeys/var
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/var luksFormat /dev/mapper/LvmDvc-var
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/var luksOpen /dev/mapper/LvmDvc-var LuksDvc-var
mkfs.ext4 -q /dev/mapper/LuksDvc-var

dd if=/dev/random of=/mnt/archbox/etc/cryptkeys/usr bs=512 count=4 iflag=fullblock
chmod 400 /mnt/archbox/etc/cryptkeys/usr
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/usr luksFormat /dev/mapper/LvmDvc-usr
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/usr luksOpen /dev/mapper/LvmDvc-usr LuksDvc-usr
mkfs.ext4 -q /dev/mapper/LuksDvc-usr

dd if=/dev/random of=/mnt/archbox/etc/cryptkeys/swap bs=512 count=4 iflag=fullblock
chmod 400 /mnt/archbox/etc/cryptkeys/swap
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/swap luksFormat /dev/mapper/LvmDvc-swap
cryptsetup -q --key-file /mnt/archbox/etc/cryptkeys/swap luksOpen /dev/mapper/LvmDvc-swap LuksDvc-swap
mkswap /dev/mapper/LuksDvc-swap

# Mount

mkdir -p /mnt/archbox/boot
mount /dev/sda2 /mnt/archbox/boot

mkdir -p /mnt/archbox/home
mount /dev/mapper/LuksDvc-home /mnt/archbox/home

mkdir -p /mnt/archbox/var
mount /dev/mapper/LuksDvc-var /mnt/archbox/var

mkdir -p /mnt/archbox/usr
mount /dev/mapper/LuksDvc-usr /mnt/archbox/usr

swapon /dev/mapper/LuksDvc-swap

# Packages

mkdir -p ./cache-dir
rm -f /mnt/archbox/var/lib/pacman/db.lck
pacstrap /mnt/archbox --cachedir ./cache-dir base grub

# Root password

echo "root:asdfasdf" | chpasswd --root /mnt/archbox

# FSTab

genfstab -U -p /mnt/archbox >> /mnt/archbox/etc/fstab

# CryptTab

echo "" > /mnt/archbox/etc/crypttab
echo "home /dev/mapper/LvmDvc-home /mnt/archbox/etc/cryptkeys/home" >> /mnt/archbox/etc/crypttab
echo "usr /dev/mapper/LvmDvc-usr /mnt/archbox/etc/cryptkeys/usr" >> /mnt/archbox/etc/crypttab
echo "var /dev/mapper/LvmDvc-var /mnt/archbox/etc/cryptkeys/var" >> /mnt/archbox/etc/crypttab
echo "swap /dev/mapper/LvmDvc-swap /mnt/archbox/etc/cryptkeys/swap" >> /mnt/archbox/etc/crypttab

# Ramdisk

file=/mnt/archbox/etc/mkinitcpio.conf

search="^\s*MODULES=.*$"
replace="MODULES=\\\"virtio virtio_blk virtio_pci virtio_net\\\""
grep -q "$search" "$file" && sed -i "s#$search#$replace#" "$file" || echo "$replace" >> "$file"

search="^\s*HOOKS=.*$"
replace="HOOKS=\\\"base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard shutdown fsck usr\\\""
grep -q "$search" "$file" && sed -i "s#$search#$replace#" "$file" || echo "$replace" >> "$file"

arch-chroot /mnt/archbox mkinitcpio -p linux

# Bootloader

arch-chroot /mnt/archbox grub-install --target=i386-pc --recheck /dev/sda

file=/mnt/archbox/etc/default/grub

search="^\s*GRUB_CMDLINE_LINUX=.*$"
replace="GRUB_CMDLINE_LINUX=\\\"init=/usr/lib/systemd/systemd cryptdevice=/dev/mapper/LvmDvc-root:LuksDvc-root root=/dev/mapper/LuksDvc-root quiet\\\""
grep -q "$search" "$file" && sed -i "s#$search#$replace#" "$file" || echo "$replace" >> "$file"

search="^\s*GRUB_DISABLE_LINUX_UUID=.*$"
replace="GRUB_DISABLE_LINUX_UUID=true"
grep -q "$search" "$file" && sed -i "s#$search#$replace#" "$file" || echo "$replace" >> "$file"

arch-chroot /mnt/archbox grub-mkconfig -o /boot/grub/grub.cfg

Does anything stick out as blatantly wrong? What should I be doing differently? Can I provide additional/specific information?

tl;dr - Install script seems to work, but I can't decrypt the system at boot. Halp!

EDIT: GPT label, not MBR

Last edited by chpatton013 (2014-05-07 17:26:45)

Offline

#2 2014-05-07 11:12:54

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: [SOLVED] Why isn't my fully automated installer working?

chpatton013 wrote:
Raw Partitions
+-----------+------+-------+-----------+
| Partition | Name | Size  | Flags     |
+-----------+------+-------+-----------+
| /dev/sda1 | grub | 2MB   | bios_grub |
| /dev/sda2 | boot | 200MB | boot      |
| /dev/sda3 | lvm  |       | lvm       |
+-----------+------+-------+-----------+

I am making the assumption this is a BIOS system with GPT partitioning, not MBR partitioning, right?


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#3 2014-05-07 15:00:38

chpatton013
Member
Registered: 2014-05-07
Posts: 4

Re: [SOLVED] Why isn't my fully automated installer working?

clfarron4 wrote:

I am making the assumption this is a BIOS system with GPT partitioning, not MBR partitioning, right?

Yes, that's right. I should have mentioned that.

Offline

#4 2014-05-07 17:24:31

chpatton013
Member
Registered: 2014-05-07
Posts: 4

Re: [SOLVED] Why isn't my fully automated installer working?

I've found the main problem with this script: the options being passed to `cryptsetup` for the root volume are wrong. Removing `--key-file -` fixes the problem I'm seeing, but uncovers some more issues. I'll come back after I've tried to handle them.

Offline
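
Why `--key-file -` breaks the root volume, as an added example that is not part of the original posts: cryptsetup documents that key-file input (including `-` for stdin) is read to EOF with newlines kept, while a typed passphrase ends at the first newline. The function names below are hypothetical and the script only models that input handling on the thread's test passphrase; it does not call cryptsetup or touch a disk.

```shell
#!/usr/bin/env bash
# Added illustration: models cryptsetup's two documented ways of reading
# key material, so the mismatch is visible as hex bytes.
set -eu

# Key-file mode (--key-file FILE or --key-file -): every byte up to EOF
# is key material, newlines included.
keyfile_material() { od -An -v -tx1 | tr -d ' \n'; }

# Passphrase mode (boot-time prompt, or stdin without --key-file): input
# ends at the first newline, which is not part of the passphrase.
passphrase_material() { head -n 1 | tr -d '\n' | od -An -v -tx1 | tr -d ' \n'; }

# What the installer enrolled: echo appends "\n" and --key-file - keeps it.
enrolled_by_installer() { echo "$1" | keyfile_material; }

# What is offered at boot: the encrypt hook prompts for a typed passphrase.
offered_at_boot() { echo "$1" | passphrase_material; }

# Alternative that keeps --key-file -: feed the passphrase with no newline.
enrolled_with_printf() { printf '%s' "$1" | keyfile_material; }

# A key slot opens only if the offered bytes equal the enrolled bytes.
unlocks() { [ "$1" = "$2" ]; }

pw=asdfasdf   # test passphrase from the thread
printf 'installer enrolled: %s\n' "$(enrolled_by_installer "$pw")"
printf 'boot prompt offers: %s\n' "$(offered_at_boot "$pw")"
if unlocks "$(enrolled_by_installer "$pw")" "$(offered_at_boot "$pw")"; then
  echo "match"
else
  echo "No key available with this passphrase."
fi
```

The live installer could still open the volume because the script's `luksOpen` line used the same `echo ... | --key-file -` form, so both sides carried the trailing `0a` byte.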
