#1 2022-05-23 16:50:48

kev717
Member
Registered: 2011-06-08
Posts: 67
Website

[solved] LUKS-encrypted root partition setup

I've attempted to follow the arch wiki as well as possible, however I am not able to boot a system with a LUKS-encrypted root partition. 

I've created an encrypted disk using `cryptsetup -y -v luksFormat /dev/sda2`, followed by `cryptsetup open [...]` and `mkfs[...]`

Afterwards, I complete the arch linux installation with a separate (NOT ENCRYPTED) /dev/sda1 boot partition.  I install Grub and modify /etc/default/grub to include

GRUB_CMDLINE_LINUX="console=ttyS0 cryptdevice=UUID=[...]:root"

GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt part_msdos"

GRUB_ENABLE_CRYPTODISK=y

(note, I've ALSO REMOVED the 'quiet' option from the kernel line) and I've modified the mkinitcpio.conf to include

HOOKS=(base systemd autodetect  sd-vconsole modconf block sd-encrypt lvm2 filesystems keyboard fsck shutdown)

I would like to see a password prompt to unlock the root partition on boot, but instead I get:

```
[  OK  ] Started Dispatch Password ...ts to Console Directory Watch.
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Reached target Local File Systems.
[  OK  ] Reached target Path Units.
[  OK  ] Reached target Slice Units.
[  OK  ] Reached target Swaps.
[  OK  ] Reached target Timer Units.
[  OK  ] Listening on Journal Audit Socket.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket.
[  OK  ] Listening on udev Control Socket.
[  OK  ] Listening on udev Kernel Socket.
[  OK  ] Reached target Socket Units.
         Starting Create List of Static Device Nodes...
         Starting Journal Service...
         Starting Load Kernel Modules...
         Starting Coldplug All udev Devices...
[  OK  ] Finished Create List of Static Device Nodes.
[  OK  ] Finished Load Kernel Modules.
         Starting Create Static Device Nodes in /dev...
[  OK  ] Finished Create Static Device Nodes in /dev.
         Starting Rule-based Managefor Device Events and Files...
[  OK  ] Started Rule-based Manager for Device Events and Files.
[  OK  ] Started Journal Service.
[  OK  ] Finished Coldplug All udev Devices.
[  OK  ] Reached target System Initialization.
[  OK  ] Reached target Basic System.
[     *] A start job is running for /dev/dis[...] (28s / 1min 30s)
```

There are posts online about creating a file /etc/crypttab, however the man page for the crypttab file says not to include the root partition in there. 

How do I get a luks-encrypted root then?

Last edited by kev717 (2022-05-23 18:26:53)


If I code something, it's probably at https://github.com/kellcodes

Do **NOT** expect a response from me.

Offline

#2 2022-05-23 18:09:44

jonno2002
Member
Registered: 2016-11-21
Posts: 684

Re: [solved] LUKS-encrypted root partition setup

lots of mistakes there:

1.

GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt part_msdos"

doesn't need to be changed so revert to:

GRUB_PRELOAD_MODULES="part_gpt part_msdos"

2.

GRUB_ENABLE_CRYPTODISK=Y

is not required as the boot partition is not encrypted so comment that line out

3.

HOOKS=(base systemd autodetect  sd-vconsole modconf block sd-encrypt lvm2 filesystems keyboard fsck shutdown)

should be:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

you are using grub not systemd-boot

Offline

#3 2022-05-23 18:19:08

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [solved] LUKS-encrypted root partition setup

jonno2002 wrote:
HOOKS=(base systemd autodetect  sd-vconsole modconf block sd-encrypt lvm2 filesystems keyboard fsck shutdown)

should be:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

you are using grub not systemd-boot

Incorrect. The systemd hooks have nothing to do with which bootloader you are using.


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#4 2022-05-23 18:25:39

kev717
Member
Registered: 2011-06-08
Posts: 67
Website

Re: [solved] LUKS-encrypted root partition setup

jonno2002 wrote:

lots of mistakes there:

Yeah, after it didn't work following the arch wiki it was a matter of adding random stuff to see if that would fix it.

According to the arch wiki, the mkinitcpio *should* look like

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

Although while I was setting everything back to original I've discovered that the UUID of the luks volume differs from the UUID of the partition contained within the luks volume.  Modifying the UUID seems to have worked.  I guess I should have double-checked that first.

Thanks all

Last edited by kev717 (2022-05-23 18:26:33)


If I code something, it's probably at https://github.com/kellcodes

Do **NOT** expect a response from me.

Offline

#5 2022-05-23 18:26:55

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: [solved] LUKS-encrypted root partition setup

You were using sd-encrypt, but the kernel parameters you used are for a non-systemd initramfs.

For sd-encrypt you'll have to use either /etc/crypttab.initramfs or rd.luks.name
https://wiki.archlinux.org/title/Dm-cry … crypt_hook
Otherwise follow the changes jonno2002 suggested to switch to the non-systemd version.

Last edited by progandy (2022-05-23 18:27:36)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
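
The two problems found in this thread (a kernel parameter that does not match the encryption hook, and a UUID that belongs to the filesystem rather than the LUKS container) can be checked before rebooting. The following is an added example, not code from any poster or from the Arch wiki: `check_luks_boot`, its finding names and the sample UUIDs are hypothetical, and it covers only the kernel-parameter route, not /etc/crypttab.initramfs.

```shell
#!/usr/bin/env bash
# Offline consistency check for an encrypted-root boot setup (added example).
# On a real system the three arguments would come from /etc/mkinitcpio.conf,
# /proc/cmdline and `blkid`; the sample data below is constructed.
check_luks_boot() {
    local hooks="$1" cmdline="$2" blkid_out="$3"
    local hook="" style="" uuid="" word line findings=""

    # Which encryption hook does the initramfs use?
    hooks=${hooks#"HOOKS=("}; hooks=${hooks%")"}
    for word in $hooks; do
        case "$word" in encrypt|sd-encrypt) hook="$word" ;; esac
    done

    # Which parameter style names the LUKS container on the kernel line?
    for word in $cmdline; do
        case "$word" in
            cryptdevice=UUID=*) style="encrypt"
                uuid="${word#cryptdevice=UUID=}"; uuid="${uuid%%:*}" ;;
            rd.luks.name=*) style="sd-encrypt"
                uuid="${word#rd.luks.name=}"; uuid="${uuid%%=*}" ;;
        esac
    done

    [ -n "$hook" ] || findings="$findings no-encrypt-hook"
    [ -n "$style" ] || findings="$findings no-luks-parameter"
    # cryptdevice= is read by the encrypt hook, rd.luks.name= by sd-encrypt.
    if [ -n "$hook" ] && [ -n "$style" ] && [ "$hook" != "$style" ]; then
        findings="$findings hook-parameter-mismatch"
    fi
    # The UUID must be the LUKS container's (TYPE="crypto_LUKS"), not the
    # UUID of the filesystem inside the opened mapping.
    if [ -n "$uuid" ]; then
        line=$(printf '%s\n' "$blkid_out" | grep -F " UUID=\"$uuid\"" || true)
        case "$line" in
            "") findings="$findings uuid-not-found" ;;
            *'TYPE="crypto_LUKS"'*) ;;
            *) findings="$findings uuid-is-not-luks-container" ;;
        esac
    fi
    findings="${findings# }"
    printf '%s\n' "${findings:-ok}"
}

# Constructed blkid output: sda2 is the container, /dev/mapper/root the fs.
SAMPLE_BLKID='/dev/sda2: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS"
/dev/mapper/root: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="ext4"'
check_luks_boot 'HOOKS=(base udev block encrypt filesystems)' \
    'cryptdevice=UUID=11111111-2222-3333-4444-555555555555:root' "$SAMPLE_BLKID"
```

The function prints `ok` or a space-separated list of findings, so it can gate a reboot in an install script.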
