#1 2020-02-23 21:14:19

PhiloEpisteme
Member
Registered: 2019-11-08
Posts: 4

LVM on LUKS with Grub failure to prompt for passphrase

Hi folks,

I apologize if this is a repost. I have seen several related threads but have not yet been able to decipher the discussions to resolve my problem.

I am attempting to install Arch on an nvme drive where the boot partition is not encrypted but the root, home, and swap partitions are encrypted. I have attempted to follow these instructions as well as other related encryption setup instruction wiki pages.

My system consists of two partitions, /dev/nvme0n1p1 and /dev/nvme0n1p2. The former is the boot partition and the latter is the encrypted lvm partition with a volgroup created as volgroup0 and three logical volumes, lv_root, lv_home, and lv_swap.

Grub was installed with

grub-install --target=i386-pc /dev/nvme0n1

/etc/mkinitcpio.conf

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=(dm_mod)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base systemd autodetect keyboard modconf block encrypt lvm2 filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

/etc/fstab

# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/volgroup0-lv_root
UUID=b5bc4073-ce97-4770-90bc-01871ae1ecbd	/         	ext4      	rw,relatime	0 1

# /dev/nvme0n1p1
UUID=4faa8998-b63a-4235-852f-ce383d28d071	/boot     	ext4      	rw,relatime	0 2

# /dev/mapper/volgroup0-lv_home
UUID=e2f00f39-65aa-4a08-9bfd-625dcd7ee837	/home     	ext4      	rw,relatime	0 2

# /dev/mapper/volgroup0-lv_swap
UUID=890e467a-2394-49e5-9cde-15f36fbbfe8d	none      	swap      	defaults  	0 0

/etc/crypttab

# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

/etc/default/grub

# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=bb41a1fa-869e-4030-a54e-b5d3a44f92b2:cryptlvm root=/dev/volgroup0/lv_root"
GRUB_ENABLE_CRYPTODISK=y

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
#GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT="true"

/boot/grub/grub.cfg

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod lvm
insmod ext2
set root='lvmid/m5h54U-CDjB-m0Xf-FPoM-xTXW-SmTg-UmdBLf/mP1UyG-3iPL-Wa57-tBEt-p6i6-jtAT-dbbCBj'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='lvmid/m5h54U-CDjB-m0Xf-FPoM-xTXW-SmTg-UmdBLf/mP1UyG-3iPL-Wa57-tBEt-p6i6-jtAT-dbbCBj'  b5bc4073-ce97-4770-90bc-01871ae1ecbd
else
  search --no-floppy --fs-uuid --set=root b5bc4073-ce97-4770-90bc-01871ae1ecbd
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-b5bc4073-ce97-4770-90bc-01871ae1ecbd' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_msdos
	insmod ext2
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root  4faa8998-b63a-4235-852f-ce383d28d071
	else
	  search --no-floppy --fs-uuid --set=root 4faa8998-b63a-4235-852f-ce383d28d071
	fi
	echo	'Loading Linux linux ...'
	linux	/vmlinuz-linux root=/dev/mapper/volgroup0-lv_root rw cryptdevice=UUID=bb41a1fa-869e-4030-a54e-b5d3a44f92b2:cryptlvm root=/dev/volgroup0/lv_root loglevel=3 quiet
	echo	'Loading initial ramdisk ...'
	initrd	/intel-ucode.img /initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-b5bc4073-ce97-4770-90bc-01871ae1ecbd' {
	menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-b5bc4073-ce97-4770-90bc-01871ae1ecbd' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_msdos
		insmod ext2
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root  4faa8998-b63a-4235-852f-ce383d28d071
		else
		  search --no-floppy --fs-uuid --set=root 4faa8998-b63a-4235-852f-ce383d28d071
		fi
		echo	'Loading Linux linux ...'
		linux	/vmlinuz-linux root=/dev/mapper/volgroup0-lv_root rw cryptdevice=UUID=bb41a1fa-869e-4030-a54e-b5d3a44f92b2:cryptlvm root=/dev/volgroup0/lv_root loglevel=3 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/intel-ucode.img /initramfs-linux.img
	}
	menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-b5bc4073-ce97-4770-90bc-01871ae1ecbd' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_msdos
		insmod ext2
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root  4faa8998-b63a-4235-852f-ce383d28d071
		else
		  search --no-floppy --fs-uuid --set=root 4faa8998-b63a-4235-852f-ce383d28d071
		fi
		echo	'Loading Linux linux ...'
		linux	/vmlinuz-linux root=/dev/mapper/volgroup0-lv_root rw cryptdevice=UUID=bb41a1fa-869e-4030-a54e-b5d3a44f92b2:cryptlvm root=/dev/volgroup0/lv_root loglevel=3 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initramfs-linux-fallback.img
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

When installing mkinitcpio with mkinitcpio -p linux

==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 5.5.2-arch2-2
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [autodetect]
  -> Running build hook: [keyboard]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [encrypt]
  -> Running build hook: [lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 5.5.2-arch2-2
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [keyboard]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: aic94xx
==> WARNING: Possibly missing firmware for module: wd719x
  -> Running build hook: [encrypt]
  -> Running build hook: [lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful

When installing grub config with grub-mkconfig -o /boot/grub/grub.cfg

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux
Found initrd image: /boot/intel-ucode.img /boot/initramfs-linux.img
Found fallback initrd image(s) in /boot: initramfs-linux-fallback.img
done

My lsblk for the relevant drives is as follows

$ lsblk -o name,uuid
nvme0n1                                                                  
├─nvme0n1p1                       4faa8998-b63a-4235-852f-ce383d28d071   
└─nvme0n1p2                       bb41a1fa-869e-4030-a54e-b5d3a44f92b2   
  └─luks                          P1NnCC-HHkG-cFCf-HucT-I1ld-32f5-Y0e5bO 
    ├─volgroup0-lv_root           b5bc4073-ce97-4770-90bc-01871ae1ecbd   
    ├─volgroup0-lv_swap           890e467a-2394-49e5-9cde-15f36fbbfe8d   
    └─volgroup0-lv_home           e2f00f39-65aa-4a08-9bfd-625dcd7ee837   

When I attempt to boot from this new disk I am able to select Arch from the boot screen. After a short period of time I am shown the following screen; no passphrase prompt appears.

A start job is running for /dev/volgroup0/lv_root (1s/1m 30s)

I am able to drop into a shell, manually unlock my device, and then exit the shell for normal boot after that. Why am I not being prompted for the passphrase to begin with though? I have clearly missed some install step but I have so far been unsuccessful at identifying where I have erred. Any specific advice or recommendations would be greatly appreciated.

#2 2020-02-23 21:23:19

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: LVM on LUKS with Grub failure to prompt for passphrase

Why am I not being prompted for the passphrase to begin with though?

mkinitcpio has two different modes of operation.

one is without systemd, and regular hooks like encrypt, mdadm, lvm2, ...

the other is with systemd. once you use the systemd hooks, most of the regular hooks simply stop working. instead you get systemd variants of hooks like sd-encrypt, sd-lvm2, ...

if you want to use systemd in initcpio, note that the sd-hooks also use different kernel parameters; read mkinitcpio -H hookname for any hook you use

#3 2020-02-23 22:54:12

PhiloEpisteme
Member
Registered: 2019-11-08
Posts: 4

Re: LVM on LUKS with Grub failure to prompt for passphrase

Ah, you're right. That was an oversight. I had, in the past, tried with both sets of hooks. I have changed them as follows

HOOKS=(base udev resume autodetect keyboard modconf block encrypt lvm2 filesystems fsck)

And reinstalled both mkinitcpio and grub configs. The reboot worked fine. I think in the past my grub config files were not correct. This corrected my issue though, thank you.

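The mismatch diagnosed in this thread (the systemd hook combined with encrypt and a cryptdevice= parameter), written as a check script. This is an added example, not part of either poster's messages: check_luks_boot is a hypothetical helper name, it looks only at the encrypt/sd-encrypt pair, and the HOOKS and command-line strings are the ones quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check that the mkinitcpio encryption
# hook and the kernel parameters belong to the same initramfs mode.
# check_luks_boot is a hypothetical helper; it covers encrypt/sd-encrypt only.

# usage: check_luks_boot "<HOOKS entries>" "<kernel command line>"
# Prints findings, returns 0 if consistent and 1 otherwise.
check_luks_boot() {
  local hooks=" $1 " cmdline=" $2 " mode=busybox want=encrypt other=sd-encrypt rc=0

  # The 'systemd' hook switches the initramfs to systemd init.
  case "$hooks" in *" systemd "*) mode=systemd want=sd-encrypt other=encrypt ;; esac
  echo "init=$mode"

  case "$hooks" in *" $other "*)
    echo "MISMATCH hook: '$other' does not unlock under $mode init, use '$want'"; rc=1 ;;
  esac
  case "$hooks" in *" $want "*) ;; *)
    echo "MISSING hook: '$want'"; rc=1 ;;
  esac

  if [ "$mode" = systemd ]; then
    # sd-encrypt takes rd.luks.* (or /etc/crypttab.initramfs), not cryptdevice=.
    case "$cmdline" in *" cryptdevice="*)
      echo "MISMATCH param: cryptdevice= is ignored by sd-encrypt"; rc=1 ;;
    esac
    case "$cmdline" in *" rd.luks."*) ;; *)
      echo "NOTE: no rd.luks.* parameter, /etc/crypttab.initramfs must name the device" ;;
    esac
  else
    case "$cmdline" in *" rd.luks."*)
      echo "MISMATCH param: rd.luks.* is ignored by encrypt"; rc=1 ;;
    esac
    case "$cmdline" in *" cryptdevice="*) ;; *)
      echo "MISSING param: cryptdevice= (encrypt never prompts without it)"; rc=1 ;;
    esac
  fi
  return "$rc"
}

# Values quoted in the thread: the first post's config, then the fix from post #3.
CMDLINE="cryptdevice=UUID=bb41a1fa-869e-4030-a54e-b5d3a44f92b2:cryptlvm root=/dev/volgroup0/lv_root"
check_luks_boot "base systemd autodetect keyboard modconf block encrypt lvm2 filesystems fsck" "$CMDLINE" || true
check_luks_boot "base udev resume autodetect keyboard modconf block encrypt lvm2 filesystems fsck" "$CMDLINE"
```

The first call reports the hook and parameter mismatches for the original configuration; the second prints only init=busybox for the corrected HOOKS line.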
