You are not logged in.
Hi Arch community!
Each year for the past 3 years I've tried setting up Arch using UEFI/GRUB2 with LUKS2 disk encryption on different laptops. It's basically become a tradition at this point.
Every time I've been thwarted with errors I seemingly couldn't solve within a couple of days so every time I've decided to use the good old MBR/GRUB and be done with it.
This time I've decided would be different but again I reached a wall I couldn't climb, which is why I would like you smart people's help.
Unfortunately I cannot remember the errors I got the previous years but this time it's: `error: disk lvmid/x/y not found` when booting the system as it puts me in the grub rescue shell.
I also went deep into the "GRUB2 is not compatible with LUKS2" issue and found the bug: https://savannah.gnu.org/bugs/?55093 and this gentleman's post: https://askubuntu.com/a/1259424
I followed it by adding the `--pbkdf pbkdf2` parameter on the `cryptsetup` binary. (cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --pbkdf pbkdf2 luksFormat /dev/nvme0n1p2) This gives me the same error as above however.
I was going to try using LUKS1 next but the error being the same got me questioning if I'm really encountering the "GRUB2+LUKS2" incompatibility or if I'm doing something completely wrong on the UEFI side of things.
After 3 years of using Arch I have the installation process noted down in a separate file which I use step by step alongside the Arch installation page but it's quite long so I'm going to try and post the most relevant commands.
The filesystem layout looks something like this (except sdc became nvme0n1) (https://wiki.archlinux.org/title/Dm-cry … VM_on_LUKS):
/dev/sdc (DISK)
/dev/sdc1 (BOOT) [1GB EFI SYSTEM]
/dev/sdc2 (ENCRYPTED LVM PARTITION) [1TB LINUX FILESYSTEM]
cryptroot
lvm pv
lvm vg vg0
lvm lv
swap [32GB SWAP]
root [300GB EXT4]
home [6??GB EXT4]
```
# I mount the volumes
$ mount /dev/vg0/root /mnt
$ mount /dev/nvme0n1p1 /mnt/efi
$ mount /dev/vg0/home /mnt/home
# pacstrap and arch-chroot happens
# I move keyboard to the front, add keymap, encrypt and lvm to the HOOKS param. I do this because I used to use AZERTY and want my keyboard to be loaded when the disk encryption prompt appears. I use QWERTY now though so this may not be necessary.
$ vim /etc/mkinitcpio.conf
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
$ mkinitcpio -p linux
$ pacman -S grub efibootmgr
# I temporarily add the volume path, later when it boots I switch it to a /dev/disk/by-uuid path.
$ vim /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p2:cryptroot"
# This is the part I'm very unsure about. With MBR I put everything under /boot. Now config is devided between /boot and /efi.
$ grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=arch-linux-grub
$ grub-mkconfig -o /boot/grub/grub.cfg
```
That's basically it. After that I unmount and close cryptsetup.
I can provide additional info of course, either from the grub rescue shell or from the thumb drive.
I eagerly await your valuable insights (even if not related to the error)!!
Knoebst
Last edited by knoebst (2021-06-17 21:25:08)
Offline
After looking at this post https://tonisagrista.com/blog/2020/arch-encryption/, I think my problem may be that the /boot folder is in the encrypted (second) partition and unable to be accessed by grub? Or should the initramfs under the first partition be able to deal with this? Are 3 partitions necessary for this kind of setup involving UEFI?
Last edited by knoebst (2021-06-17 17:39:18)
Offline
Regarding GRUB support for LUKS2,
Support for LUKS2 has just been added with GRUB 2.06. Check /var/log/pacman.log to be certain, if GRUB verison is 2.04, update it.
Regarding /boot,
I am just guessing, this may or may not work:
Boot the usb drive, mount the EFI system partition to /mnt/efi and the root volume to /mnt.
Copy every file and folder on /mnt/boot to /mnt/efi. So kernel, initrd and necessary files for GRUB will be accessible. Do not copy the folder. Copy the contents.
Unmount EFI system partition. Remount it at /mnt/boot.
Arch-chroot to /mnt.
Reinstall grub with
grub-install --target=x86_64-efi --efi-directory=/boot/ --boot-directory=/boot/ --bootloader-id=arch-linux-grubRegenerate the grub.cfg with
grub-mkconfig -o /boot/grub/grub.cfgModify the /etc/fstab, the efi system partition should be mounted at /boot, not /efi.
Exit chroot.
With these, the EFI system partition will serve as both /boot and /efi.
I am repeating, I am not sure. This may or may not work or cause more trouble.
One more thing, you probably need to modify the initrd. Required things may not be available by default. Check https://wiki.archlinux.org/title/Mkinitcpio.
Offline
After looking at this post https://tonisagrista.com/blog/2020/arch-encryption/, I think my problem may be that the /boot folder is in the encrypted (second) partition and unable to be accessed by grub?
grub can access LUKS encrypted volume, LUKS2 support is still incomplete as has already been covered.
Or should the initramfs under the first partition be able to deal with this? Are 3 partitions necessary for this kind of setup involving UEFI?
If the initramfs and kernel are on the ESP then grub does not need to decrypt anything. It loads the unencyprted kernel which loads the ramdisk also unencrypted and early userspace will perform the decryption.
Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB) is the layout where grub performs decryption and the kernel and ramdisk would be in an encrypted volume.
For GPT/EFI the minimum number of partitions is two the ESP and the root filesystem, which may be in an encrypted container. What moves between the two setups is if the ESP is mounted to /boot which will decide if the kernel and ramdisk are encrypted or not.
Last edited by loqs (2021-06-17 20:41:05)
Offline
@loqs Thanks for the insight! It's very helpful.
@Mr Victory Thanks for the troubleshooting steps!
Grub's version is indeed 2.06
$ pacman -Q grub
grub 2:2.06-1
I tried your suggestions and it solves the issue of the lvmid not being found.
The loading sequence goes past grub but now fails in the filesystem loading step. Strangely enough I don't get a prompt asking to decrypt the encrypted partition. I think I'm in initrd?
Starting version xxx arch
ERROR: device /dev/mapper/vg0-root not found. Skipping fsck.
...
[rootfs ]#
I will double check the grub config and if that doesn't solve it I'll try an install from scratch tomorrow with /boot as both the boot and efi directory, since I noticed that copying the files over results in different permissions due to my users umask (not sure if this is an issue anyway but don't have any other leads).
I'll update the thread as I find solutions to my problems.
Thanks again all!
Last edited by knoebst (2021-06-17 21:09:56)
Offline
I immediately found '/dev/nvme0v1p2' in my /etc/default/grub and fixed it to '/dev/nvme0n1p2'.
I did an 'mkinitcpio -P', rebooted, was then able to enter my password and login to arch! Great success!
summary for clean install:
* I THINK I can just use default luks2 with grub2 since grub is 2.06-1 and supports it.
* grub-install both efi and boot in /boot and dont be fancy with /efi
* dont mess up default grub config and use uuid instead
Thank you all! I'll mark this as SOLVED
Last edited by knoebst (2021-06-17 21:22:32)
Offline
From the rescue prompt check the contents of /dev/mapper to see if the LUKS volume was opened.
Edit:
A grub-install both efi and boot in /boot will place the kernel and initrd on the ESP and grub will not need to decrypt anything.
Last edited by loqs (2021-06-17 21:25:24)
Offline
> A grub-install both efi and boot in /boot will place the kernel and initrd on the ESP and grub will not need to decrypt anything.
This is fine right? I dont really care about the boot as long as my home data is encrypted and OS cannot be accessed without a password. Is there some config I can leave out? Or something I'm doing that doesn't make sense?
Last edited by knoebst (2021-06-17 21:34:15)
Offline
> A grub-install both efi and boot in /boot will place the kernel and initrd on the ESP and grub will not need to decrypt anything.
This is fine right? I dont really care about the boot as long as my home data is encrypted and OS cannot be accessed without a password. Is there some config I can leave out? Or something I'm doing that doesn't make sense?
Yes, it is fine. Just in post #6 you wrote.
* I THINK I can just use default luks2 with grub2 since grub is 2.06-1 and supports it.
Which is partially correct (cryptsetup default options are LUKS2 with argon2 which grub2 does not yet support in any release) but not relevant for the setup you are planning. So I just wanted to clarify.
Offline
Ah I see so I'll still have to use the pbkdf2 encryption method, yes I forgot, thanks!
Offline
Ah I see so I'll still have to use the pbkdf2 encryption method, yes I forgot, thanks!
No
> A grub-install both efi and boot in /boot will place the kernel and initrd on the ESP and grub will not need to decrypt anything.
This is fine right? I dont really care about the boot as long as my home data is encrypted and OS cannot be accessed without a password. Is there some config I can leave out? Or something I'm doing that doesn't make sense?
All bootloaders supporting EFI can load the kernel from an unencrypted FAT ESP.
Offline