#1 2015-01-27 09:15:53

porcupene
Member
Registered: 2010-03-01
Posts: 34

encrypt a system

I'm trying to install Arch Linux using plain dm-crypt encryption (I'm using the wiki guides).

After screwing up numerous times (first time I'm installing arch on a UEFI system) I finally got the system to boot.

I now get the following error once the system boots and I input the password:

 Name "/dev/mapper/enc" invalid. It contains "/".

Is it something I can fix or do I have to format and start from the beginning? (this would be the 6th time :) )

Offline

#2 2015-01-27 12:05:31

EscapedNull
Member
Registered: 2013-12-04
Posts: 129

Re: encrypt a system

You don't need to format. It sounds like a misconfiguration of the mkinitcpio 'crypt' hook. I'm guessing you wrote something like

cryptdevice=/dev/sda:/dev/mapper/enc root=/dev/mapper/enc

when it should be

cryptdevice=/dev/sda:enc root=/dev/mapper/enc

The second parameter of 'cryptdevice' is the mapped name of the volume, not the full device path. Try editing your /etc/default/grub (or otherwise modify your kernel parameters). If that doesn't work, please describe what you see prior to that error so we can figure out where it happens within the boot process.

Offline

#3 2015-01-27 15:46:43

porcupene
Member
Registered: 2010-03-01
Posts: 34

Re: encrypt a system

Indeed I had

cryptdevice=/dev/sda:/dev/mapper/enc

instead of

cryptdevice=/dev/sda:enc

I changed that by editing the grub startup script to the line you indicated.

Depending on whether or not I also add

root=/dev/mapper/enc

two things happen.
1. If not I get:

ERROR: device 'UUID=210f6601 etc etc' not found. Skipping fsck.
ERROR: device 'UUID=210f6601 etc etc' not found. You are being dropped to a recovery shell

2. If I add it I get:

:: performing fsck on '/dev/mapper/enc'  
fsck: error 2 (no such file or directory)
ERROR: fsck failed on '/dev/mapper/enc'
:: mounting 'dev/mapper/enc' on real root
mount: you must specify the filesystem type
You are now being dropped into an emergency shell

Offline

#4 2015-01-27 19:20:24

EscapedNull
Member
Registered: 2013-12-04
Posts: 129

Re: encrypt a system

Can you post your HOOKS line from /etc/mkinitcpio.conf? Also try to unlock the volume from the recovery shell using cryptsetup, and make sure /dev/mapper/enc appears, then try to mount it. If you can manually mount it from the recovery shell, then probably there is a misconfiguration in your bootloader or mkinitcpio.conf. Don't forget the crypto= parameter when using plain dm-crypt, and cryptkey= if you're using a keyfile. For example:

cryptdevice=/dev/sdX:enc cryptkey=/dev/sdZ:0:512 crypto=sha512:twofish-xts-plain64:512:0:

Offline

#5 2015-01-27 20:26:50

porcupene
Member
Registered: 2010-03-01
Posts: 34

Re: encrypt a system

I tried unlocking the volume from the recovery shell. After I input the passphrase it says:

Command failed with code 17: Device enc already exists.

Also

cryptsetup status enc

says

/dev/mapper/enc is active

I also noticed the crypto line in the grub script looks like this

crypto=::::

Weren't there supposed to be some options there?

Offline

#6 2015-01-28 13:30:52

EscapedNull
Member
Registered: 2013-12-04
Posts: 129

Re: encrypt a system

crypto=::::

means use the default option for every field. These should match the options you used when you created the volume. If you created it with the defaults, then this is fine. You may want to write the options explicitly in case they change in the future, however.

I don't know if cryptsetup does any checking when it unlocks a plain volume (e.g. magic string), but if it doesn't, then it could be unlocking the volume with the wrong options, causing the filesystem to appear corrupt. This would prevent fsck and mount from recognizing the fs type. The "fsck: error 2 (no such file or directory)" error leads me to believe that /dev/mapper/enc doesn't exist at all when fsck is run, however.

Try unlocking the volume from the recovery shell (if it's not already opened), then try mounting the filesystem. E.g.

#unlock read-only, you don't want to write to a volume with the wrong crypto options!
cryptsetup -r open --type plain /dev/sda1 enc #see cryptsetup(8) for usage and plain options
mount -r -t ext4 /dev/mapper/enc /mnt #substitute ext4 for your fs type

If you can't mount the fs manually, then it is probably being unlocked with the wrong options, or is really corrupt. If you can, then there is probably a misconfiguration still in the initcpio/kernel parameters.

Another possibility is that your hooks are out of order. encrypt must come before filesystems and fsck, but after block.

See where this gets you, and we'll go from there.

Offline

#7 2015-01-28 13:38:06

John0000
Member
Registered: 2012-04-12
Posts: 40

Re: encrypt a system

To clarify, you used the plain mode, not the LUKS extension? If that's the case, you need to specify the same options (if you changed the cipher or hashing algorithm, for example) each time you want to decrypt the disk manually (or you specify them in grub if your whole system is encrypted).
Example manual:

#with default options
cryptsetup create mappingName /dev/sdX
#OR with custom options
cryptsetup -v --cipher=aes-xts-plain64 --key-size=512 --hash=sha512 -i 12345 create mappingName /dev/sdX

#If there is already a filesystem on /dev/mapper/mappingName
mount /dev/mapper/mappingName /mnt

umount /mnt
cryptsetup close mappingName

Each time you want to decrypt the disk you specify the 'create' command (confusing: you are not re-creating the encryption) with correct options. If an option is different it will still ask for your passphrase but it will be decrypted incorrectly and you won't be able to mount the disk.


Example in grub with custom options:

linux /vmlinuz-linux root=/dev/mapper/mappingName cryptdevice=/dev/sdX:mappingName crypto=sha512:aes-xts-plain64:512:0:0 ro quiet

The definition of the crypto option (taken from the crypt hook)

crypto=<hash>:<cipher>:<keysize>:<offset>:<skip>

Offline

#8 2015-01-28 20:15:39

porcupene
Member
Registered: 2010-03-01
Posts: 34

Re: encrypt a system

Well I probably will have to redo the whole system from the start (makes for good practice, no?), so here's the command I used:

cryptsetup --hash=ripemd160 --cipher=aes-xts-essiv:sha256 --verify-passphrase --verbose open --type=plain /dev/sda enc

I think my problem is I can't seem to figure out what my crypto line in the grub script should look like.

Offline

#9 2015-01-28 20:45:35

John0000
Member
Registered: 2012-04-12
Posts: 40

Re: encrypt a system

I've given you the formula for the grub line. If you can't open it manually, then it was probably corrupted somehow and yes, you have to reinstall.
Either way, it's easier to set up the LUKS standard because cryptsetup will know from the header of your disk what parameters you used. So the crypto option is not necessary anymore.

Offline
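
An added example, not part of any post above: a small POSIX shell lint for the kernel parameters this thread works through. It checks that the cryptdevice mapping name is a bare name, that root= points at /dev/mapper/<name> (an assumption: the filesystem sits directly on the mapping, as here), and that crypto= has the five fields quoted in post #7; check_cmdline and count_colons are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint the encrypt-hook kernel parameters.
# Assumes the root filesystem sits directly on the mapped device, as in this thread.

count_colons() {                       # number of ':' separators in $1
    only=$(printf '%s' "$1" | tr -cd ':')
    printf '%s' "${#only}"
}

check_cmdline() {                      # prints findings; returns 1 if any
    cryptdevice='' root='' crypto='' has_crypto=0 rc=0
    set -f                             # no globbing while splitting the line
    for word in $1; do
        case $word in
            cryptdevice=*) cryptdevice=${word#cryptdevice=} ;;
            root=*)        root=${word#root=} ;;
            crypto=*)      crypto=${word#crypto=}; has_crypto=1 ;;
        esac
    done
    set +f

    # cryptdevice=<device>:<name>[:options] -- take the field after the first ':'
    case $cryptdevice in
        *:*) name=${cryptdevice#*:}; name=${name%%:*} ;;
        *)   name='' ;;
    esac
    case $name in
        '')  echo "cryptdevice: no mapping name given"; rc=1 ;;
        */*) echo "cryptdevice: mapping name '$name' contains '/'"; rc=1 ;;
        *)   if [ "$root" != "/dev/mapper/$name" ]; then
                 echo "root: '$root' is not /dev/mapper/$name"; rc=1
             fi ;;
    esac

    # crypto=<hash>:<cipher>:<keysize>:<offset>:<skip> -- exactly five fields
    if [ "$has_crypto" -eq 0 ]; then
        echo "crypto: missing (a plain volume has no header to read options from)"; rc=1
    else
        n=$(( $(count_colons "$crypto") + 1 ))
        if [ "$n" -ne 5 ]; then
            echo "crypto: $n fields, expected 5"; rc=1
        fi
    fi
    return "$rc"
}

# Constructed sample: the mistake from post #1, caught before rebooting.
check_cmdline 'cryptdevice=/dev/sda:/dev/mapper/enc root=/dev/mapper/enc crypto=::::' || true
```

Because the fields are colon-separated, a cipher spec that itself contains ':' pushes crypto= past five fields, which the last check reports.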
