
#1 2016-02-18 06:38:15

Ryonez
Member
Registered: 2016-02-18
Posts: 4

(Solved) Encrypted Grub not Loading Encrypted Rootfs

Right, after 24+ hours of trying to sort this problem I've shown up here to ask for some help.

I've encrypted my rootfs and /boot separately. Grub asks for the password and successfully unlocks /boot, however, no password is requested for the rootfs.
Instead, the kernel seems to try and mount the rootfs straight away.


Checks I've performed:

Encrypted Grub asks for password then loads menu: Yes
Kernel asks for password then loads rootfs: No
When Kernel drops to recovery menu, can open the rootfs's LUKS container: Yes
vgscan + vgchange is missing from the recovery menu? (it shouldn't bother with these until it's asked for the rootfs password anyway)

After selecting the menu item, grub does show:

loading Linux linux
loading initial ramdisk

Then it says it can't find the rootfs at the UUID for the rootfs (which is still encrypted).



Some of the links for info I've used to compile the build guide below:

https://wiki.archlinux.org/index.php/Dm … .28GRUB.29
https://wiki.archlinux.org/index.php/In … e_packages
https://wiki.archlinux.org/index.php/GR … _partition
https://wiki.archlinux.org/index.php/Dm … cryptoboot
https://wiki.archlinux.org/index.php/Mk … ypted_root
https://wiki.archlinux.org/index.php/Dm … mkinitcpio
https://wiki.archlinux.org/index.php/LV … al_volumes

http://unix.stackexchange.com/questions … n-lvm-disk
For fixing the lvm warnings grub was making before.


Where I think the issue is:
Because grub is prompting and unlocking fine, I think the crypt tools are working fine. The initial ramdisk is loading and doesn't ask for a password before attempting to mount the, at the time, hidden rootfs. So maybe grub isn't passing along (or the kernel doesn't understand) the GRUB_CMDLINE_LINUX?

I've come back and tidied this up a lot and created the build guide below.
I'd appreciate any insight as to what I may have done wrong here.




BUILD INSTRUCTIONS

Device: HP Mini 2140
Device Notes: Doesn't support UEFI, can load grub from GPT disk.



Pre-installation

Download and boot the installation medium as explained in Category:Getting and installing Arch, then proceed with the rest of this guide.

Notes: Created Liveusb with the arch install image.

The installation process needs to retrieve packages from a remote repository, therefore a working internet connection is required.

Set the keyboard layout

The default keyboard layout is US.

Notes: Left on default

Connect to the Internet

Internet service via DHCP discovery is enabled on boot for supported wired devices; read more at Network configuration

Notes: I have the device cabled and it connected automatically.

Update the system clock

See systemd-timesyncd.


The systemd-timesyncd service is available with systemd >= 213. To start and enable it, simply run:

 # timedatectl set-ntp true
 # timedatectl status

Notes: Time is correct, but off by an hour due to daylight savings.

Partition, Format and Mount the disks

See Partitioning for details; some special partitions may be needed, see EFI System Partition and GRUB BIOS boot partition. If wanting to create any stacked block devices for LVM, disk encryption or RAID, do it now.

Notes: Set up partitions and encryption.

Target Disk Layout:

 +---------------------+----------------+---------------------------------+---------------------------------+
 |bios_grub partition: |Boot partition: |Volume 1:                        |Volume 2:                        |
 |                     |                |                                 |                                 |
 |                     |/boot           |swap                             |root                             |
 |                     |                |                                 |                                 |
 |                     |                |/dev/mapper/ryonez_Shard-swapvol |/dev/mapper/ryonez_Shard-rootvol |
 |/dev/sda1            |/dev/sda2       +---------------------------------+---------------------------------+
 |      unencrypted    |LUKS encrypted  |/dev/sda3 encrypted using LVM on LUKS                              |
 +---------------------+----------------+---------------------------------+---------------------------------+

 # gdisk /dev/sda
 o  # create new empty GUID partition table
 n  # partition 1 [enter], from beginning [enter], to [+1M], BIOS boot type [ef02]
 n  # partition 2 [enter], from beginning [enter], to [+200M], Linux filesystem type [enter]
 n  # partition 3 [enter], from beginning [enter], to [enter], Linux LVM type [8e00]
 p  # View and check partition layout.
 w  # Save changes to disk

Create LUKS container for /boot and the LVM for the system:

  
 # cryptsetup luksFormat /dev/sda2  
 # cryptsetup luksFormat /dev/sda3

Unlock containers:

 
 # cryptsetup open --type luks /dev/sda2 cryptboot
 # cryptsetup open --type luks /dev/sda3 lvm

Setup lvm:

 
 # pvcreate /dev/mapper/lvm  
 # vgcreate ryonez_Shard /dev/mapper/lvm
 # lvcreate -L 2G ryonez_Shard -n swapvol
 # lvcreate -L 150G ryonez_Shard -n rootvol 

Format Filesystems:

 
 # mkfs.ext2 /dev/mapper/cryptboot
 # mkfs.ext4 /dev/mapper/ryonez_Shard-rootvol
 # mkswap /dev/mapper/ryonez_Shard-swapvol 

Mount Filesystems:

 
 # mount /dev/mapper/ryonez_Shard-rootvol /mnt
 # mkdir /mnt/boot
 # mount /dev/mapper/cryptboot /mnt/boot
 # swapon /dev/mapper/ryonez_Shard-swapvol

Notes: To correct lvm warnings from grub (continues after arch-chroot):

 # mkdir /mnt/hostrun
 # mount --bind /run /mnt/hostrun

Select the mirrors

Edit /etc/pacman.d/mirrorlist and select a download mirror(s). Regional mirrors usually work best; however, other criteria may be necessary to discern, read more on Mirrors. This copy of the mirrorlist file will later be copied on the new system by 'pacstrap', so it is worth getting it right.

Notes: Moved the closest mirror to the top of the list.

Install the base packages

Use the pacstrap script to install the base group:

 
 # pacstrap /mnt base

Other packages or groups can be installed by appending their names to the above command (space separated), possibly including the boot loader.

Configure the system

Generate an fstab file (use -U or -L to define by UUID or labels):

 
 # genfstab -pU /mnt >> /mnt/etc/fstab

Change root into the new system. READ NOTE FIRST:

 
 # arch-chroot /mnt /bin/bash

Note: Get the timezone you need first from

 
 # timedatectl list-timezones

I was unable to get it using this while chrooted. Needed for setting the timezone below.

Note: To correct lvm warnings from grub (continued):

 
 # mkdir /run/lvm
 # mount --bind /hostrun/lvm /run/lvm

Set the hostname:

 
 # echo Shard > /etc/hostname

Set the time zone:

 
 # ln -s /usr/share/zoneinfo/Pacific/Auckland /etc/localtime

Uncomment the needed locales in /etc/locale.gen, then generate them with:

 
 # locale-gen

Notes: I selected 'en_NZ.UTF-8 UTF-8' and 'en_NZ ISO-8859-1'

Set locale preferences in /etc/locale.conf and possibly $HOME/.config/locale.conf:

 
 # echo LANG=en_NZ.UTF-8 > /etc/locale.conf

Notes: /etc/locale.conf shows 'LANG=enNZ.UTF-8'

Add console keymap and font preferences in /etc/vconsole.conf.

Notes: Skipped

Configure the network for the newly installed environment: see Network configuration and Wireless network configuration.

Notes: Skipped using cable for now

Configure /etc/mkinitcpio.conf if additional features are needed. Create a new initial RAM disk with:

Add the encrypt and lvm2 hooks to mkinitcpio.conf:

 
 # nano /etc/mkinitcpio.conf

Edit the 'HOOKS' line to :
HOOKS="base udev autodetect modconf keyboard encrypt lvm2 block filesystems fsck"

Create kernel + initial ramdisk:

 
 # mkinitcpio -p linux

Set the root password:

 
 # passwd

Notes: Skipped for now.

Install a boot loader

See Boot loaders for the available choices and configuration.

Using grub:
Install:

 
 # pacman -S grub

Edit /etc/default/grub

Edit 'GRUB_CMDLINE_LINUX' to 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid of system luks container>:ryonez_Shard"'
Add 'GRUB_ENABLE_CRYPTODISK=y'

Run:

 
 # grub-install --target=i386-pc /dev/sda
 # grub-mkconfig -o /boot/grub/grub.cfg

Reboot

Run (if you had to bind /run/lvm):

 # umount /run/lvm

Exit the chroot environment by typing exit or pressing Ctrl+D.

Optionally manually unmount all the partitions with umount -R /mnt: this allows noticing any "busy" partitions, and finding the cause with fuser.

Finally, restart the machine by typing reboot: any partitions still mounted will be automatically unmounted by systemd. Remember to remove the installation media and then log in to the new system with the root account.

Last edited by Ryonez (2016-02-22 09:23:02)


#2 2016-02-20 23:17:49

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: (Solved) Encrypted Grub not Loading Encrypted Rootfs

Ryonez wrote:

Edit /etc/default/grub

Edit 'GRUB_CMDLINE_LINUX'to 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid of system luks container>:ryonez_Shard"'

<uuid of system luks container> must be the UUID of your sda3.
Post the output of blkid after you either booted it or mounted the root manually _and_ also the kernel line (from /boot/grub/grub.cfg) generated by grub-mkconfig.


#3 2016-02-21 10:01:44

Ryonez
Member
Registered: 2016-02-18
Posts: 4

Re: (Solved) Encrypted Grub not Loading Encrypted Rootfs

Hi Strike0.

To save some time and provide more info, I'll provide the full files.

Here is the output from blkid after I've chrooted onto the system.

/dev/sda1: PARTLABEL="BIOS boot partition" PARTUUID="5f4c9fe0-023a-4d77-9473-0995a6fb7e03"
/dev/sda2: UUID="c066ecb8-a531-40fc-9e38-b70864d8c44f" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="e2d846cb-0efd-4779-8ead-3cba9ba1bd09"
/dev/sda3: UUID="8c3e3042-9e95-471b-bef5-97c4c61ccf89" TYPE="crypto_LUKS" PARTLABEL="Linux LVM" PARTUUID="89650694-6dfe-4e09-ba1c-719b443ba720"
/dev/sdb1: LABEL="ARCH_201602" UUID="B032-BC64" TYPE="vfat" PARTUUID="0233eb86-01"
/dev/loop0: TYPE="squashfs"
/dev/mapper/lvm: UUID="eg0T5v-po3g-QAYl-CmDh-GagD-yr96-UsQYKI" TYPE="LVM2_member"
/dev/mapper/ryonez_Shard-swapvol: UUID="70021203-631c-48d9-873e-89a7abcd0710" TYPE="swap"
/dev/mapper/ryonez_Shard-rootvol: UUID="28fb8b81-0ee9-43c6-a653-9c76ada4634f" TYPE="ext4"
/dev/mapper/cryptboot: UUID="a6ac87c1-672f-4a09-8deb-fa03b93d176e" TYPE="ext2"

This is /etc/default/grub:

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter 
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper 
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

#GRUB_SAVEDEFAULT="true"

GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=UUID=8c3e3042-9e95-471b-bef5-97c4c61ccf89:ryonez_Shard"

and last, /boot/grub/grub.cfg:

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt 
insmod cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha256 lvm 
insmod ext2
cryptomount -u 8c3e30429e95471bbef597c4c61ccf89 
set root='lvmid/o7yZH9-2BQu-WGMR-tOP6-sYFB-Bl5s-KKGKb5/ASIwj8-tNgb-Alxn-KsNg-7fx5-K4AQ-kyuAwq'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='lvmid/o7yZH9-2BQu-WGMR-tOP6-sYFB-Bl5s-KKGKb5/ASIwj8-tNgb-Alxn-KsNg-7fx5-K4AQ-kyuAwq'  28fb8b81-0ee9-43c6-a653-9c76ada4634f
else
  search --no-floppy --fs-uuid --set=root 28fb8b81-0ee9-43c6-a653-9c76ada4634f
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-28fb8b81-0ee9-43c6-a653-9c76ada4634f' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_gpt 
	insmod cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha256 
	insmod ext2
	cryptomount -u c066ecb8a53140fc9e38b70864d8c44f 
	set root='cryptouuid/c066ecb8a53140fc9e38b70864d8c44f'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/c066ecb8a53140fc9e38b70864d8c44f'  a6ac87c1-672f-4a09-8deb-fa03b93d176e
	else
	  search --no-floppy --fs-uuid --set=root a6ac87c1-672f-4a09-8deb-fa03b93d176e
	fi
	echo	'Loading Linux linux ...'
	linux	/vmlinuz-linux root=UUID=28fb8b81-0ee9-43c6-a653-9c76ada4634f rw cryptdevice=UUID=8c3e3042-9e95-471b-bef5-97c4c61ccf89:ryonez_Shard quiet
	echo	'Loading initial ramdisk ...'
	initrd	 /initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-28fb8b81-0ee9-43c6-a653-9c76ada4634f' {
	menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-28fb8b81-0ee9-43c6-a653-9c76ada4634f' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt 
		insmod cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha256 
		insmod ext2
		cryptomount -u c066ecb8a53140fc9e38b70864d8c44f 
		set root='cryptouuid/c066ecb8a53140fc9e38b70864d8c44f'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/c066ecb8a53140fc9e38b70864d8c44f'  a6ac87c1-672f-4a09-8deb-fa03b93d176e
		else
		  search --no-floppy --fs-uuid --set=root a6ac87c1-672f-4a09-8deb-fa03b93d176e
		fi
		echo	'Loading Linux linux ...'
		linux	/vmlinuz-linux root=UUID=28fb8b81-0ee9-43c6-a653-9c76ada4634f rw cryptdevice=UUID=8c3e3042-9e95-471b-bef5-97c4c61ccf89:ryonez_Shard quiet
		echo	'Loading initial ramdisk ...'
		initrd	 /initramfs-linux.img
	}
	menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-28fb8b81-0ee9-43c6-a653-9c76ada4634f' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt 
		insmod cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha256 
		insmod ext2
		cryptomount -u c066ecb8a53140fc9e38b70864d8c44f 
		set root='cryptouuid/c066ecb8a53140fc9e38b70864d8c44f'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/c066ecb8a53140fc9e38b70864d8c44f'  a6ac87c1-672f-4a09-8deb-fa03b93d176e
		else
		  search --no-floppy --fs-uuid --set=root a6ac87c1-672f-4a09-8deb-fa03b93d176e
		fi
		echo	'Loading Linux linux ...'
		linux	/vmlinuz-linux root=UUID=28fb8b81-0ee9-43c6-a653-9c76ada4634f rw cryptdevice=UUID=8c3e3042-9e95-471b-bef5-97c4c61ccf89:ryonez_Shard quiet
		echo	'Loading initial ramdisk ...'
		initrd	 /initramfs-linux-fallback.img
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

### BEGIN /etc/grub.d/60_memtest86+ ###
### END /etc/grub.d/60_memtest86+ ###


#4 2016-02-21 20:40:55

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: (Solved) Encrypted Grub not Loading Encrypted Rootfs

Hi Ryonez, thanks - seeing the full files is better anyway. Unfortunately I don't spot anything wrong in them yet.
Couple of things I am unsure about:
1. your cryptdevice=UUID=1234:ryonez_Shard uses "ryonez_Shard" as mapper name, which is the same as the volumegroup name. Maybe that is confusing something. Before booting the kernel, try using another dmname, e.g. ":Shardroot" for the cryptdevice.
2. If (1) does not help (still no password prompt), reboot right away and try these kernel parameters: root=/dev/mapper/ryonez_Shard-rootvol cryptdevice=/dev/sda3:Shard
3. The lvm article says the lvm2 hook should go _after_ "block". I don't think this matters, but have not looked into it further.

Hope it helps or someone else spots an error.
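The three things Strike0 lists (the cryptdevice UUID must be the LUKS container's, the mapper name should not collide with the volume group name, and the hook order in mkinitcpio.conf) can be checked mechanically before rebooting. The script below is an added example and is not part of this thread or of any Arch tool; it runs the checks over constructed copies of the lines posted above (the HOOKS line, the GRUB_CMDLINE_LINUX line, the blkid UUID of /dev/sda3 and the volume group name). On a real system you would substitute the live values from /etc/mkinitcpio.conf, /etc/default/grub, blkid and vgs. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: consistency checks for an LVM-on-LUKS
# boot configuration. All inputs are constructed copies of lines posted in
# the thread; replace them with live values on a real system.

LUKS_ROOT_UUID="8c3e3042-9e95-471b-bef5-97c4c61ccf89"   # blkid UUID of /dev/sda3 (constructed copy)
VG_NAME="ryonez_Shard"                                   # volume group name (constructed copy)
HOOKS_LINE='HOOKS="base udev autodetect modconf keyboard encrypt lvm2 block filesystems fsck"'
CMDLINE_LINE='GRUB_CMDLINE_LINUX="cryptdevice=UUID=8c3e3042-9e95-471b-bef5-97c4c61ccf89:ryonez_Shard"'

# hook_index HOOKS_LINE NAME: print the 1-based position of NAME, 0 if absent.
hook_index() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS="\(.*\)"$/\1/p')
    i=0
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_hooks HOOKS_LINE: print "ok" or the first ordering problem found.
# keyboard must precede encrypt (the passphrase has to be typed), encrypt
# must precede lvm2 (the PV lives inside the LUKS container), and lvm2 must
# precede filesystems (the root LV has to exist before it can be mounted).
check_hooks() {
    k=$(hook_index "$1" keyboard); e=$(hook_index "$1" encrypt)
    l=$(hook_index "$1" lvm2);     f=$(hook_index "$1" filesystems)
    if [ "$e" -eq 0 ]; then echo "missing encrypt hook"; return 1; fi
    if [ "$l" -eq 0 ]; then echo "missing lvm2 hook"; return 1; fi
    if [ "$k" -eq 0 ] || [ "$k" -gt "$e" ]; then echo "keyboard must precede encrypt"; return 1; fi
    if [ "$e" -gt "$l" ]; then echo "encrypt must precede lvm2"; return 1; fi
    if [ "$f" -eq 0 ] || [ "$l" -gt "$f" ]; then echo "lvm2 must precede filesystems"; return 1; fi
    echo ok
}

# cryptdevice_field CMDLINE_LINE N: field 1 is the UUID, field 2 the mapper
# name, taken from the cryptdevice=UUID=<uuid>:<name> kernel parameter.
cryptdevice_field() {
    printf '%s\n' "$1" | sed -n 's/.*cryptdevice=UUID=\([^:" ]*\):\([^ "]*\).*/\1 \2/p' | cut -d' ' -f"$2"
}

# check_cmdline CMDLINE_LINE LUKS_UUID VG_NAME: print "ok" or the problem.
check_cmdline() {
    u=$(cryptdevice_field "$1" 1); n=$(cryptdevice_field "$1" 2)
    if [ -z "$u" ] || [ -z "$n" ]; then echo "no usable cryptdevice=UUID=<uuid>:<name> parameter"; return 1; fi
    if [ "$u" != "$2" ]; then echo "cryptdevice UUID $u is not the LUKS container $2"; return 1; fi
    if [ "$n" = "$3" ]; then echo "mapper name $n is also the volume group name"; return 1; fi
    echo ok
}

# Demo run over the thread's own lines.
echo "hooks:   $(check_hooks "$HOOKS_LINE")"
echo "cmdline: $(check_cmdline "$CMDLINE_LINE" "$LUKS_ROOT_UUID" "$VG_NAME")"
```

Run against the lines from this thread, the hook check passes and the cmdline check reports the mapper name / volume group collision from point 1; renaming the mapper (for example ":cryptlvm") makes it pass.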


#5 2016-02-22 08:44:18

Ryonez
Member
Registered: 2016-02-18
Posts: 4

Re: (Solved) Encrypted Grub not Loading Encrypted Rootfs

Hi Strike0.

Thank you very much. I'm not sure if it was 1 or 3 that did it, but it does boot.

There is an issue with mounting the boot device, however I know what's happened there. Not sure if that is what is causing the system to drop to maintenance, but I'm able to move forward now.

Thank you so much!

I'm not sure if I can do this, but I'm happy for this to be marked as solved.


#6 2016-02-22 09:20:43

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,845

Re: (Solved) Encrypted Grub not Loading Encrypted Rootfs

Please do so by editing your first post and amending the topic title, thanks. :)


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.


#7 2016-02-22 09:23:23

Ryonez
Member
Registered: 2016-02-18
Posts: 4

Re: (Solved) Encrypted Grub not Loading Encrypted Rootfs

Cheers, have done so!
