As stated in the heading, what I am trying to do is create a USB device with grub that contains an encrypted partition containing the key file and header of the system. The encrypted partition is to use a key file as well. I actually plan on figuring out how to do this using a section of data on the storage HDD of the system, but for initially figuring out this system I am using a key file on the plaintext partition of the grub USB. The system is seated on a hardware-controlled RAID0. The /boot directory is not encrypted in this situation.
I am trying to achieve this through mkinitcpio hooks. I don't want to inject the key files or headers into the kernel as it negates the purpose of encrypting them away on a separate partition.
I have followed the instructions here https://wiki.archlinux.org/index.php/Dm … der_on_USB with no success.
The issue I am currently having is getting dropped into an emergency shell. See
https://mega.nz/#!RcdQCYRa!kYtvG-UTyvjm … v7-xhzp_ec
Because I can't get the system to see the device I cannot test the other arguments in the hook, although that doesn't mean the rest of my script isn't bad. I have spent a long time testing a lot of different hooks and I think I am missing something conceptually. I would love some help.
System Configuration
[root@archiso /]# lsblk -o NAME,SIZE,FSTYPE,TYPE,MOUNTPOINT,UUID
NAME SIZE FSTYPE TYPE MOUNTPOINT UUID
loop0 541.5M squash loop
sda 1.8T disk
`-sda1 1.8T ext4 part 917d90d3-a73e-4a9f-ac07-5d31e2ead086
sdb 232.9G linux_ disk e087de6b-d1c0-f3e2-5004-e9a05ae79b73
`-md127 465.5G raid0
`-cryptrootlm
465.5G LVM2_m crypt MXl8cE-BwqO-r6qM-vYn5-Rtph-921w-GFDywb
|-laughing--man-swap
| 16G swap lvm [SWAP] 120debc0-b275-47be-8026-4446f6cb9e43
|-laughing--man-var
| 300G ext4 lvm /var fe4b11d0-afca-480a-a6cb-0cf918a64e6a
`-laughing--man-root
149.5G btrfs lvm /snapshots ae403958-c279-4b38-a333-f17594bdc8c2
sdc 232.9G linux_ disk e087de6b-d1c0-f3e2-5004-e9a05ae79b73
`-md127 465.5G raid0
`-cryptrootlm
465.5G LVM2_m crypt MXl8cE-BwqO-r6qM-vYn5-Rtph-921w-GFDywb
|-laughing--man-swap
| 16G swap lvm [SWAP] 120debc0-b275-47be-8026-4446f6cb9e43
|-laughing--man-var
| 300G ext4 lvm /var fe4b11d0-afca-480a-a6cb-0cf918a64e6a
`-laughing--man-root
149.5G btrfs lvm /snapshots ae403958-c279-4b38-a333-f17594bdc8c2
sdd 7.5G disk
`-sdd1 7.5G iso966 part 2020-01-01-05-20-18-00
sde 14.5G disk
|-sde1 1M part
|-sde2 300M vfat part /boot/efi C61D-FC9C
|-sde3 4G ext4 part /boot ff92b20f-e9ff-492e-8026-a9983c108487
|-sde4 1G crypto part ba4a64bb-1970-446d-8978-d6a0676d2185
| `-Enc-Kf-H-D-Stor
| 1022M ext4 crypt 97187a52-7773-4110-8ac0-a27eb84f170d
|-sde5 6.4G part
`-sde6 2.8G vfat part 3781-3F52
Hook
/etc/initcpio/hooks/customencrypthook
#!/usr/bin/ash
run_hook() {
    # load dm-crypt and loop so the key store and key file image can be used
    modprobe -a -q dm-crypt >/dev/null 2>&1
    modprobe loop
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
    # mount the plaintext /boot partition on the USB stick to reach keystor.img
    mkdir -p /mnt
    mount /dev/disk/by-uuid/ff92b20f-e9ff-492e-8026-a9983c108487 /mnt
    # open the encrypted key-file/header partition on the USB stick
    cryptsetup --key-file=/mnt/keystor.img /dev/disk/by-uuid/ba4a64bb-1970-446d-8978-d6a0676d2185 open --type luks Enc-Kf-H-D-Stor
    umount /mnt
    mount /dev/mapper/Enc-Kf-H-D-Stor /mnt
    # open the root device on the RAID0 with the detached header and key file
    cryptsetup --header /mnt/laughing-man/headers/l-m-root-header.img --key-file=/mnt/laughing-man/key-files/l-m-root-key.img --keyfile-size=4096 open --type luks /dev/disk/by-id/md-uuid-e087de6b:d1c0f3e2:5004e9a0:5ae79b73 cryptrootlm
    # close the key store again before handing over to the rest of the initramfs
    cryptsetup close Enc-Kf-H-D-Stor
    umount /mnt
}
mkinitcpio config
/etc/mkinitcpio.conf
MODULES=(loop dm_mod raid456 ext4 usbcore sd_mod ehci_hcd uhci_hcd usb_storage dm-crypt)
...
BINARIES=(mdmon)
...
HOOKS=(base udev autodetect modconf block mdadm keymap customencrypthook lvm2 btrfs filesystems keyboard fsck)
Grub config
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-id/md-uuid-e087de6b:d1c0f3e2:5004e9a0:5ae79b73:root"
GRUB_ENABLE_CRYPTODISK=y
BTRFS Subvolumes
findmnt -nt btrfs
/ /dev/mapper/laughing--man-root[/@root] btrfs rw,noatime,compress
|-/home /dev/mapper/laughing--man-root[/@home] btrfs rw,noatime,compress
`-/snapshots /dev/mapper/laughing--man-root[/@snapshots] btrfs rw,noatime,compress
your cryptsetup command is in the wrong order, use 'open /dev/...' instead of '/dev/... open'
this should be the cause of your 'cryptsetup: Unknown action' error
but before that, your mount is already failing. try UUID= instead of /dev/disk/by-uuid. If it's a USB stick, it might also take time to be detected (yes, even if you booted off of it, that was the bootloader - linux has to detect it on its own first)
so you might have to sleep and wait for it to appear
that's assuming the necessary modules for usb etc. are loaded. You can check /proc/partitions, /dev/disk/*, lsmod, dmesg, etc. on the rescue shell
your cryptsetup command is in the wrong order, use 'open /dev/...' instead of '/dev/... open'
You were right, this solved the 'cryptsetup: Unknown action' error.
but before that, your mount is already failing. try UUID= instead of /dev/disk/by-uuid. If it's a USB stick, it might also take time to be detected (yes, even if you booted off of it, that was the bootloader - linux has to detect it on its own first)
so you might have to sleep and wait for it to appear
This was the other issue. I put 'sleep 5' statements between all of the commands and it solved the issue. In the process of narrowing down those wait periods now. I had to put /dev/disk/by-id/'uuid' as this is on a hardware-controlled RAID and the UUID wasn't being picked up properly, and the id had ':' in it, hence the ''. That took me an embarrassingly long amount of time to figure out -_-
Thank you frostschutz for your help. It's all working now.
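A reworked version of the hook that applies frostschutz's advice and the fix the poster arrived at, as an added example that is not the thread's own code: it polls for the USB stick instead of fixed sleeps, mounts by UUID=, puts the cryptsetup action before the device, and closes the key store on every exit path. The UUIDs, md by-id path and file paths are the ones from the poster's output; the 30-second timeout and the wait_for_device helper are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's hook. mkinitcpio sources hooks with ash,
# so only POSIX sh constructs are used here.

# Poll until the device node exists or $2 seconds (default 10) have passed.
# Returns 0 when found, 1 on timeout; replaces fixed 'sleep 5' calls.
wait_for_device() {
    dev=$1; timeout=${2:-10}; elapsed=0
    while [ ! -e "$dev" ]; do
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

run_hook() {
    modprobe -a -q dm-crypt loop >/dev/null 2>&1
    # The bootloader found the stick, but the kernel still has to detect it
    # and udev has to create the by-uuid links; 30 s timeout is an assumption.
    wait_for_device /dev/disk/by-uuid/ff92b20f-e9ff-492e-8026-a9983c108487 30 || {
        echo "customencrypthook: USB /boot partition not detected"; return 1; }
    mkdir -p /mnt
    mount UUID=ff92b20f-e9ff-492e-8026-a9983c108487 /mnt || return 1

    # Action ('open') comes before the device and the mapping name.
    cryptsetup --key-file=/mnt/keystor.img open --type luks \
        /dev/disk/by-uuid/ba4a64bb-1970-446d-8978-d6a0676d2185 Enc-Kf-H-D-Stor || {
        umount /mnt; return 1; }
    umount /mnt
    mount /dev/mapper/Enc-Kf-H-D-Stor /mnt || {
        cryptsetup close Enc-Kf-H-D-Stor; return 1; }

    # Root device: the md by-id path the poster found works on the hardware RAID.
    md="/dev/disk/by-id/md-uuid-e087de6b:d1c0f3e2:5004e9a0:5ae79b73"
    wait_for_device "$md" 30 && cryptsetup \
        --header /mnt/laughing-man/headers/l-m-root-header.img \
        --key-file=/mnt/laughing-man/key-files/l-m-root-key.img --keyfile-size=4096 \
        open --type luks "$md" cryptrootlm
    rc=$?
    # Always close the key store so header and key file are not left mounted.
    umount /mnt
    cryptsetup close Enc-Kf-H-D-Stor
    return $rc
}
```

If the emergency shell still appears, checking /proc/partitions and dmesg there (as frostschutz suggests) tells you whether the timeout was too short or the USB modules were never loaded.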