I have a working LVM on LUKS installation with an encrypted /boot directory. I'm testing a new installation in VirtualBox which is mostly identical, except LVM is removed (for simplicity) and replaced with plain GPT partitions.
But GRUB isn't prompting me for a password; it's giving this error:
Welcome to GRUB!
error: no such device: e6ef6948-b5cc-4fbc-b191-fd3c60bd85b1 ##This is the correct root partition
error: unknown filesystem.
Entering rescue mode...
lsblk
NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
loop0             7:0    0 629.6M  1 loop  /run/archiso/sfs/airootfs
sda               8:0    0   200G  0 disk
├─sda1            8:1    0   256M  0 part
└─sda2            8:2    0 199.8G  0 part
  └─obelisk     254:0    0 199.8G  0 crypt
    ├─obelisk1  254:1    0    24G  0 part
    └─obelisk2  254:2    0 175.8G  0 part
sr0              11:0    1   748M  0 rom   /run/archiso/bootmnt
blkid
/dev/sda1: SEC_TYPE="msdos" LABEL_FATBOOT="ESP" LABEL="ESP" UUID="AAFE-C5DA" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="Obelisk ESP" PARTUUID="a7f4844e-3890-9a46-94fd-bd5f039757b3"
/dev/sda2: UUID="86b40927-7d9e-4da2-ac37-be7e6dfa4c69" TYPE="crypto_LUKS" PARTLABEL="Obelisk LUKS" PARTUUID="dcae5b4e-a7b5-674c-b3f4-b5df141408e8"
/dev/sr0: BLOCK_SIZE="2048" UUID="2020-06-19-14-32-27-00" LABEL="ACRORAT_ARCH_LINUX" TYPE="iso9660" PTUUID="6f1ff73b" PTTYPE="dos"
/dev/loop0: TYPE="squashfs"
/dev/mapper/obelisk1: LABEL="Obelisk Swap" UUID="116d3016-026a-41ad-ba05-faa2f2eee1ec" TYPE="swap" PARTLABEL="Obelisk Swap" PARTUUID="879b442a-f0ea-3f45-9e06-9516d12147e4"
/dev/mapper/obelisk2: LABEL="Obelisk Root" UUID="e6ef6948-b5cc-4fbc-b191-fd3c60bd85b1" UUID_SUB="00e85d7b-c266-413f-aec4-42048bad5fe2" BLOCK_SIZE="4096" TYPE="btrfs" PARTLABEL="Obelisk Root" PARTUUID="9966976b-5e8d-dc46-921c-b1573f56545f"
/dev/mapper/obelisk: PTUUID="55907d12-15e6-de46-ab22-65ee0a04ed9b" PTTYPE="gpt"
/etc/fstab
/dev/mapper/obelisk2 / btrfs rw,noatime,ssd,subvol=/@ 0 0
/dev/mapper/obelisk2 /run/btrfs btrfs rw,noatime,ssd,subvol=/ 0 0
/dev/mapper/obelisk1 none swap defaults 0 0
/dev/sda1 /boot/ESP vfat rw,noatime,utf8 0 2
/etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:obelisk root=/dev/mapper/obelisk2 cryptkey=rootfs:/root/obelisk.keyfile"
GRUB_PRELOAD_MODULES="cryptodisk luks part_gpt part_msdos"
GRUB_ENABLE_CRYPTODISK=y
/etc/mkinitcpio.conf
MODULES=(btrfs)
FILES=(/root/obelisk.keyfile)
HOOKS=(base udev autodetect keyboard block encrypt filesystems)
I did these steps during installation (via a custom script):
arch-chroot /mnt mkinitcpio -p linux
arch-chroot /mnt grub-install --target=x86_64-efi --efi-directory=/boot/ESP --bootloader-id=GRUB
arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
Last edited by anacron (2020-06-21 02:30:27)
Offline
Try this.
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=86b40927-7d9e-4da2-ac37-be7e6dfa4c69:obelisk root=/dev/mapper/obelisk cryptkey=rootfs:/root/obelisk.keyfile"
Offline
Hi, thanks for your reply. It was getting lonely.
I tried your suggestion, which involved changing cryptdevice to the corresponding filesystem UUID, and removing the partition number "2" from "root=/dev/mapper/obelisk2", but unfortunately I got the same "no such device" error.
I also tried it with both cryptdevice and root set to UUIDs:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=86b40927-7d9e-4da2-ac37-be7e6dfa4c69:obelisk root=UUID=e6ef6948-b5cc-4fbc-b191-fd3c60bd85b1 cryptkey=rootfs:/root/obelisk.keyfile"
But the problem remains the same.
Offline
I just confirmed in a VM that my configuration works when using LVM. I use a script to install from scratch each time I test it out, rather than modifying the previous installation. The exact same installation with these small changes makes everything work:
1. Make the swap and root partitions on logical volumes instead of GPT partitions.
2. Add "lvm2" to the mkinitcpio hooks array.
3. Add "lvm" to the GRUB preload modules array (probably unnecessary).
And GRUB prompts for a password on boot.
I'm beginning to think it's just not designed to work without LVM. So much for my "simplifying" things without LVM.
Offline
GPT on LUKS (or anything other than a disk) is not really a standard or common setup. The GPT partitions will not be automatically mapped, so a custom udev rule or similar will be needed. And as can be seen from your first post, such a setup may not be supported by GRUB.
If you're interested, there's a wiki discussion about a similar scenario (GPT on plain dm-crypt): Talk:Dm-crypt/Encrypting an entire system#Can we rename "Plain dm-crypt" to "LVM on plain dm-crypt".
Offline
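A check for the layout discussed in this thread, as an added example that is not part of any post: it parses `blkid` output and the kernel command line and reports when `root=` points at a partition nested inside the dm-crypt mapping, the case the last reply says is not mapped automatically. The function names are hypothetical; the sample input is taken from the first post, trimmed to the fields used.

```python
import re
import shlex

# Sample input: blkid lines and GRUB_CMDLINE_LINUX from the first post, trimmed.
BLKID = '''\
/dev/sda1: UUID="AAFE-C5DA" TYPE="vfat"
/dev/sda2: UUID="86b40927-7d9e-4da2-ac37-be7e6dfa4c69" TYPE="crypto_LUKS"
/dev/mapper/obelisk1: UUID="116d3016-026a-41ad-ba05-faa2f2eee1ec" TYPE="swap"
/dev/mapper/obelisk2: UUID="e6ef6948-b5cc-4fbc-b191-fd3c60bd85b1" TYPE="btrfs"
/dev/mapper/obelisk: PTUUID="55907d12-15e6-de46-ab22-65ee0a04ed9b" PTTYPE="gpt"
'''
CMDLINE = "cryptdevice=/dev/sda2:obelisk root=/dev/mapper/obelisk2 cryptkey=rootfs:/root/obelisk.keyfile"

def parse_blkid(text):
    """Return {device: {KEY: value}} from default `blkid` output."""
    devices = {}
    for line in text.splitlines():
        dev, sep, rest = line.partition(": ")
        if sep:
            devices[dev] = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return devices

def resolve(spec, devices):
    """Map a /dev path or a UUID=... spec to a known device name, else None."""
    if spec.startswith("UUID="):
        wanted = spec[5:]
        return next((d for d, t in devices.items() if t.get("UUID") == wanted), None)
    return spec if spec in devices else None

def check_layout(blkid_text, cmdline):
    """Return a list of findings about cryptdevice= and root= (empty if none)."""
    devices = parse_blkid(blkid_text)
    args = dict(a.split("=", 1) for a in shlex.split(cmdline) if "=" in a)
    crypt_spec, mapname = (args.get("cryptdevice", ":").split(":") + [""])[:2]
    findings = []
    luks = resolve(crypt_spec, devices)
    if luks is None or devices[luks].get("TYPE") != "crypto_LUKS":
        findings.append(f"cryptdevice {crypt_spec!r} is not a LUKS container")
    root = resolve(args.get("root", ""), devices)
    if root is None:
        findings.append("root= does not match any device")
    elif "TYPE" not in devices[root]:
        findings.append(f"{root} carries no filesystem")
    mapper = f"/dev/mapper/{mapname}"
    # Per the last reply: partitions nested in a dm-crypt mapping are not mapped automatically.
    if devices.get(mapper, {}).get("PTTYPE") and root and re.fullmatch(re.escape(mapper) + r"p?\d+", root):
        findings.append(f"{root} is a {devices[mapper]['PTTYPE']} partition inside {mapper}: "
                        "needs explicit partition mapping")
    return findings
```

On the thread's configuration `check_layout(BLKID, CMDLINE)` returns a single finding for `/dev/mapper/obelisk2`; an LVM-on-LUKS layout, where the mapping holds a physical volume rather than a partition table, returns none.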