Hi,
I'm creating my installation script with full disk encryption using GRUB. After running the script successfully in a virtual machine, I can't boot into the new system.
Could you take a look at the script and identify any mistakes I've made? Thank you!
Screenshot with the error message (link to imgur.com)
(almost all variables are left empty for privacy reasons)
#!/bin/bash
# Installation settings (almost all values left empty on purpose)
console_font=""
drive="/dev/vda"
efi_part="${drive}1"
root_part="${drive}2"
luks_label=""
luks_password=""
hostname=""
username=""
user_password=""

setfont $console_font
timedatectl set-ntp true

# Partitioning: 512 MiB EFI system partition, the rest for the encrypted root
parted --script ${drive} \
    mklabel gpt \
    mkpart EFI fat32 0% 513MiB \
    set 1 esp on \
    mkpart ROOT btrfs 513MiB 100%

# Encrypted root: LUKS2 with PBKDF2 (GRUB has no Argon2 support), passphrase fed on stdin
echo "${luks_password}" | cryptsetup -q --type luks2 --pbkdf pbkdf2 --key-size 512 --hash sha512 --use-urandom --key-file - luksFormat ${root_part}
echo "${luks_password}" | cryptsetup --key-file - luksOpen ${root_part} ${luks_label}

# Btrfs with separate subvolumes for /, /home and snapshots
mkfs.btrfs -L ROOT /dev/mapper/${luks_label}
mount /dev/mapper/${luks_label} /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
umount /mnt
mount -o noatime,compress=zstd,subvol=@ /dev/mapper/${luks_label} /mnt
mkdir /mnt/{boot,efi,home,.snapshots}
mount -o noatime,compress=zstd,subvol=@home /dev/mapper/${luks_label} /mnt/home
mount -o noatime,compress=zstd,subvol=@snapshots /dev/mapper/${luks_label} /mnt/.snapshots
mkfs.fat -F 32 -n EFI ${efi_part}
mount ${efi_part} /mnt/efi

# Mirrors, keyring and base system (linux-lts kernel, GRUB with grub-btrfs snapshot entries)
reflector --latest 5 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
sed -i "/ParallelDownloads/s/^#//g" /etc/pacman.conf
pacman -Sy archlinux-keyring --noconfirm
pacstrap -K /mnt base linux-lts cryptsetup grub efibootmgr grub-btrfs btrfs-progs snapper networkmanager terminus-font neovim
genfstab -U /mnt > /mnt/etc/fstab

# Time zone, clock, locale, console font and hostname inside the new system
arch-chroot /mnt ln -sf /usr/share/zoneinfo/$(curl https://ipapi.co/timezone) /etc/localtime
arch-chroot /mnt hwclock --systohc
arch-chroot /mnt sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
arch-chroot /mnt locale-gen
echo "LANG=en_US.UTF-8" > /mnt/etc/locale.conf
echo "FONT=${console_font}" > /mnt/etc/vconsole.conf
echo "${hostname}" > /mnt/etc/hostname

# Initramfs: systemd-based hooks; sd-encrypt unlocks the root from the rd.luks.* kernel parameters
sed -i "s/MODULES=(.*)/MODULES=(btrfs)/" /mnt/etc/mkinitcpio.conf
sed -i "s/BINARIES=(.*)/BINARIES=(\/usr\/bin\/btrfs)/" /mnt/etc/mkinitcpio.conf
sed -i "s/HOOKS=(.*)/HOOKS=(base systemd autodetect modconf sd-vconsole block sd-encrypt btrfs filesystems keyboard fsck)/" /mnt/etc/mkinitcpio.conf
arch-chroot /mnt mkinitcpio -P

# User account
arch-chroot /mnt useradd -m -G wheel -s /bin/bash ${username}
echo "${username}:${user_password}" | arch-chroot /mnt chpasswd

# GRUB: enable cryptodisk so core.img can unlock the encrypted /boot, then install to the ESP
ROOT_UUID=$(blkid -o value -s UUID ${root_part})
sed -i "/GRUB_ENABLE_CRYPTODISK=y/s/^#//" /mnt/etc/default/grub
sed -i "s|GRUB_CMDLINE_LINUX_DEFAULT=\".*\"|GRUB_CMDLINE_LINUX_DEFAULT=\"rd.luks.name=${ROOT_UUID}=${luks_label} rd.luks.options=discard root=/dev/mapper/${luks_label} rootflags=subvol=/@ rw\"|" /mnt/etc/default/grub
arch-chroot /mnt grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
Last edited by tooooomy (2024-06-16 14:54:16)
From man cryptsetup.8:
Note that if --key-file=- is used for reading the key from stdin,
trailing newlines are not stripped from the input.
Try echo -n ${luks_password} | cryptsetup ...
From man cryptsetup.8:
Try echo -n ${luks_password} | cryptsetup ...
Sadly, did not help, still getting the same boot error.
I tried to manually close and open the LUKS container just in case, and it seems to work as expected. Maybe the GRUB config is messed up?
Last edited by tooooomy (2024-06-05 12:00:08)
Does the error appear after a while or immediately?
Immediately
Then something is wrong with your grub configuration. luks2 is a lot of headache with grub... Can you consider using luks1?
What does lsmod output in the rescue shell?
I thought of not encrypting /boot at all but using Secure Boot instead as there's apparently nothing confidential to hide in /boot. Would that be rational?
I'm currently away from my system.
It is more than rational: you can avoid storing the encryption key in the CPIO image or re-entering the passphrase when booting Linux. There are some caveats, though, but they're well described in the corresponding archwiki page.
Thank you, you're the only person who responded so far
Then I'll label the topic solved. Have a fantastic day!
Edit: The issue was caused by LUKS2. GRUB v2.12 refuses to boot even after specifying PBKDF2. Let's wait for the next major release.
Last edited by tooooomy (2024-06-16 14:55:17)
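As an added pre-flight check (my example, not the poster's script or anything from the GRUB project): two POSIX sh functions that read `cryptsetup luksDump` output and `/etc/default/grub` text and report whether GRUB's cryptodisk can be expected to unlock the root, so the header format is ruled in or out before rebooting. The sample header text below is constructed and abbreviated.

```shell
#!/bin/sh
# Pre-flight checks for a GRUB + LUKS root before rebooting into the new system.
# Both functions read text on stdin so they can be fed real command output
# (`cryptsetup luksDump /dev/vda2`, `cat /mnt/etc/default/grub`) or the samples below.
# Return codes: 0 = expected to unlock, 1 = known-unsupported by GRUB,
# 2 = LUKS2 with PBKDF2 only, which GRUB can parse but which this thread found not to boot.
grub_luks_check() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | sed -n 's/^Version:[[:space:]]*//p')
    case "$version" in
        1)  echo "LUKS1: supported by GRUB cryptodisk"; return 0 ;;
        2)  # Every keyslot's PBKDF matters: a single Argon2 slot is enough to fail.
            pbkdfs=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*PBKDF:[[:space:]]*//p' \
                     | sort -u | tr '\n' ' ')
            case "$pbkdfs" in
                *argon2*) echo "LUKS2 with Argon2 keyslot(s): GRUB cannot unlock this"; return 1 ;;
                *pbkdf2*) echo "LUKS2 with PBKDF2 only: header readable by GRUB, verify your build boots it"; return 2 ;;
                *)        echo "LUKS2 with unrecognised PBKDF '$pbkdfs'"; return 1 ;;
            esac ;;
        *)  echo "Not a luksDump header"; return 1 ;;
    esac
}

# GRUB only builds cryptodisk/luks into core.img when this line is uncommented.
grub_cryptodisk_enabled() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y'
}

# Constructed, abbreviated luksDump output (not captured from a real device).
SAMPLE_LUKS2_ARGON='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id'
SAMPLE_LUKS2_PBKDF2=$(printf '%s\n' "$SAMPLE_LUKS2_ARGON" | sed 's/argon2id/pbkdf2/')
SAMPLE_LUKS1='LUKS header information for /dev/vda2
Version:        1
Cipher name:    aes'

for sample in "$SAMPLE_LUKS1" "$SAMPLE_LUKS2_PBKDF2" "$SAMPLE_LUKS2_ARGON"; do
    printf '%s\n' "$sample" | grub_luks_check || echo "  -> rc=$?"
done
# The poster's sed only strips a leading '#'; this is what a still-commented line looks like.
printf '#GRUB_ENABLE_CRYPTODISK=y\n' | grub_cryptodisk_enabled \
    || echo "GRUB_ENABLE_CRYPTODISK is still commented out in /etc/default/grub"
```

On a real system, feed it with `cryptsetup luksDump "$root_part" | grub_luks_check` and `grub_cryptodisk_enabled < /mnt/etc/default/grub` before the first reboot.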