#1 2024-06-02 12:19:46

tooooomy
Member
Registered: 2024-05-26
Posts: 7

[SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

Hi,

I'm creating my installation script with full disk encryption using GRUB. After running the script successfully in a virtual machine, I can't boot into the new system.

Could you take a look at the script and identify any mistakes I've made? Thank you!

Click here to see the screenshot with the error message (imgur.com)

(almost all variables are left empty for privacy reasons)

#!/bin/bash

console_font=""
drive="/dev/vda"
efi_part="${drive}1"
root_part="${drive}2"
luks_label=""
luks_password=""
hostname=""
username=""
user_password=""

setfont $console_font

timedatectl set-ntp true

parted --script ${drive} \
       mklabel gpt \
       mkpart EFI fat32 0% 513MiB \
       set 1 esp on \
       mkpart ROOT btrfs 513MiB 100%

echo ${luks_password} | cryptsetup -q --type luks2 --pbkdf pbkdf2 --key-size 512 --hash sha512 --use-urandom --key-file - luksFormat ${root_part}
echo ${luks_password} | cryptsetup --key-file - luksOpen ${root_part} ${luks_label}

mkfs.btrfs -L ROOT /dev/mapper/${luks_label}
mount /dev/mapper/${luks_label} /mnt

btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots

umount /mnt
mount -o noatime,compress=zstd,subvol=@ /dev/mapper/${luks_label} /mnt
mkdir /mnt/{boot,efi,home,.snapshots}
mount -o noatime,compress=zstd,subvol=@home /dev/mapper/${luks_label} /mnt/home
mount -o noatime,compress=zstd,subvol=@snapshots /dev/mapper/${luks_label} /mnt/.snapshots

mkfs.fat -F 32 -n EFI ${efi_part}
mount ${efi_part} /mnt/efi

reflector --latest 5 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
sed -i "/ParallelDownloads/s/^#//g" /etc/pacman.conf

pacman -Sy archlinux-keyring --noconfirm
pacstrap -K /mnt base linux-lts cryptsetup grub efibootmgr grub-btrfs btrfs-progs snapper networkmanager terminus-font neovim

genfstab -U /mnt > /mnt/etc/fstab

arch-chroot /mnt ln -sf /usr/share/zoneinfo/$(curl https://ipapi.co/timezone) /etc/localtime
arch-chroot /mnt hwclock --systohc

arch-chroot /mnt sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
arch-chroot /mnt locale-gen
echo "LANG=en_US.UTF-8" > /mnt/etc/locale.conf
echo "FONT=${console_font}" > /mnt/etc/vconsole.conf

echo "${hostname}" > /mnt/etc/hostname

sed -i "s/MODULES=(.*)/MODULES=(btrfs)/" /mnt/etc/mkinitcpio.conf
sed -i "s/BINARIES=(.*)/BINARIES=(\/usr\/bin\/btrfs)/" /mnt/etc/mkinitcpio.conf
sed -i "s/HOOKS=(.*)/HOOKS=(base systemd autodetect modconf sd-vconsole block sd-encrypt btrfs filesystems keyboard fsck)/" /mnt/etc/mkinitcpio.conf
arch-chroot /mnt mkinitcpio -P

arch-chroot /mnt useradd -m -G wheel -s /bin/bash ${username}
echo "${username}:${user_password}" | arch-chroot /mnt chpasswd

ROOT_UUID=$(blkid -o value -s UUID ${root_part})
sed -i "/GRUB_ENABLE_CRYPTODISK=y/s/^#//" /mnt/etc/default/grub
sed -i "s|GRUB_CMDLINE_LINUX_DEFAULT=\".*\"|GRUB_CMDLINE_LINUX_DEFAULT=\"rd.luks.name=${ROOT_UUID}=${luks_label} rd.luks.options=discard root=/dev/mapper/${luks_label} rootflags=subvol=/@ rw\"|" /mnt/etc/default/grub
arch-chroot /mnt grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

Last edited by tooooomy (2024-06-16 14:54:16)

Offline

#2 2024-06-04 00:00:31

yataro
Member
Registered: 2024-03-09
Posts: 76

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

From man cryptsetup.8:

Note that if --key-file=- is used for reading the key from stdin,
       trailing newlines are not stripped from the input.

Try echo -n ${luks_password} | cryptsetup ...

Offline
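The man page note quoted in the post above, shown at the byte level. This is an added example, not part of the thread or of the original script; the function names and the sample passphrase are made up for the illustration, and cryptsetup itself is not invoked.

```bash
#!/bin/bash
# Added illustration: shows the bytes a program reading its key from stdin
# (as with --key-file=-) receives. No cryptsetup call is made.

# Hex of everything on stdin, e.g. "61620a" for "ab\n".
key_bytes_hex() { od -An -v -tx1 | tr -d ' \n'; }

# The script's form: echo appends a newline (0x0a) to the passphrase.
via_echo() { echo "$1" | key_bytes_hex; }

# printf '%s' emits the passphrase bytes only. It does not treat the
# passphrase as an option or interpret backslashes, which echo may do
# depending on the shell.
via_printf() { printf '%s' "$1" | key_bytes_hex; }

# True when the key stream's last byte is a newline.
ends_with_newline() {
    case "$1" in
        *0a) return 0 ;;
        *)   return 1 ;;
    esac
}

# Relate a piped key to the same passphrase typed at a prompt, where the
# terminating Enter is not part of the passphrase.
describe_key_stream() {
    if ends_with_newline "$1"; then
        echo "newline is part of the key: a typed passphrase will not match"
    else
        echo "key is the passphrase bytes only, as when typed at a prompt"
    fi
}

sample_pw='correct horse'   # constructed sample, not from the thread
for feed in via_echo via_printf; do
    hex=$("$feed" "$sample_pw")
    printf '%-10s %s\n    -> %s\n' "$feed" "$hex" "$(describe_key_stream "$hex")"
done
```

A container formatted with the first form and opened with the same form still unlocks, because both sides include the newline; the mismatch only shows up when the passphrase is later typed interactively.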

#3 2024-06-05 11:50:27

tooooomy
Member
Registered: 2024-05-26
Posts: 7

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

yataro wrote:

From man cryptsetup.8:
Try echo -n ${luks_password} | cryptsetup ...

Sadly, it did not help; I'm still getting the same boot error.

I tried to manually close and open the LUKS container just in case, and it seems to work as expected. Maybe the GRUB config is messed up?

Last edited by tooooomy (2024-06-05 12:00:08)

Offline

#4 2024-06-05 16:05:07

yataro
Member
Registered: 2024-03-09
Posts: 76

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

Does the error appear after a while or immediately?

Offline

#5 2024-06-05 16:08:31

tooooomy
Member
Registered: 2024-05-26
Posts: 7

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

Immediately

Offline

#6 2024-06-05 16:13:33

yataro
Member
Registered: 2024-03-09
Posts: 76

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

Then something is wrong with your grub configuration. luks2 is a lot of headache with grub... Can you consider using luks1?
What does lsmod output in the rescue shell?

Offline

#7 2024-06-05 16:21:52

tooooomy
Member
Registered: 2024-05-26
Posts: 7

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

I thought of not encrypting /boot at all but using Secure Boot instead as there's apparently nothing confidential to hide in /boot. Would that be rational?

I'm currently away from my system.

Offline

#8 2024-06-05 16:29:28

yataro
Member
Registered: 2024-03-09
Posts: 76

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

It is more than rational: you can avoid storing the encryption key in the CPIO image or re-entering the passphrase when booting Linux. There are some caveats, though, but they're well described in the corresponding ArchWiki page.

Offline

#9 2024-06-05 16:36:08

tooooomy
Member
Registered: 2024-05-26
Posts: 7

Re: [SOLVED] GRUB Full Disk Encryption: Invalid passphrase, disk not found

Thank you, you're the only person who responded so far :)
Then I'll label the topic solved. Have a fantastic day!


Edit: The issue was caused by LUKS2. GRUB v2.12 refuses to boot even after specifying PBKDF2. Let's wait for the next major release.

Last edited by tooooomy (2024-06-16 14:55:17)

Offline
