Hello! I am having issues with configuring GRUB to read from a USB that contains a keyfile.
For context, I have followed the Arch dm-crypt Encrypted /boot Partition guide through step 8.5, with no issue. When not using the GRUB image that attempts to look for a keyfile on the USB, Arch boots perfectly fine after being prompted once for the LUKS2 password.
I've opted to use a btrfs file system for my root and home partitions within the LUKS2 partition, while my USB is formatted with an exfat filesystem. I have an EFI system, and my efi partition is separate from the LUKS partition. I'm also using a systemd based initramfs instead of busybox based.
I've ensured that all 3 of my LUKS2 keys use PBKDF2, as opposed to Argon2id, since GRUB2 doesn't support Argon2id. (1st key is the password, 2nd key is made from step 8.5, and 3rd key is the USB key.)
Within /etc/default/grub, I have GRUB_ENABLE_CRYPTODISK=y uncommented, and GRUB_DISABLE_LINUX_UUID=true commented out.
Here is what I have inside my grub-pre.cfg file, which is located within /boot/grub/grub-pre.cfg:
set crypto_uuid=[UUID of /dev/nvme0n1p2]
set key_disk=[UUID of usb drive]
cryptomount -u $crypto_uuid -k ($key_disk)/Desktop/cryptlvm-usb.key
set root=[UUID of MyVolGroup-root]
set prefix=($root)/boot/grub
insmod normal
normal
I'm in the arch install live environment. Within arch-chroot /mnt, I make the grub image with:
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi part_gpt part_msdos luks2 cryptodisk gcry_rijndael gcry_sha512 lvm ext2 exfat fat ntfs
Then I install with:
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
When I exit chroot and reboot, I'm presented with the grub rescue screen, and the following errors:
error: disk '[UUID of usb]' not found.
error: disk '[UUID of MyVolGroup-root]' not found.
Unknown command 'normal'.
error: disk '[UUID of MyVolGroup-root]' not found.
Entering rescue mode...
What I believe is happening is that the USB isn't found, which leads to not being able to cryptomount, leading to not finding the MyVolGroup-root UUID, which leads to not setting root and prefix correctly.
Within rescue mode, typing in 'ls' shows all drives attached, including the USB, which is hd0,gpt1. Typing in 'ls (hd0,gpt1)/' shows all folders on the drive, which tells me GRUB recognizes the USB, just not by UUID.
Here are things I've tried which had no effect:
Replaced the luks2 grub module in the image creation with luks
Replaced the gcry_sha512 grub module in the image creation with gcry_sha256
Changed the file system type of the USB, then recopying the key over to the USB
Added 'UUID=' in front of the UUIDs in the grub-pre.cfg file (key_disk=UUID=[UUID of usb disk]), then re-making the image and reinstalling to /efi/EFI/GRUB/grubx64.efi
Added quotation marks around the UUIDs in grub-pre.cfg, then re-making and reinstalling GRUB
Regenerating the usb key file and adding the new file to the list of LUKS2 keys
The only thing I've tried which had any effect was replacing the UUIDs in grub-pre.cfg with the corresponding GRUB style hdX,gptY entries. This leads to a different grub rescue error: 'No such cryptodisk found'
I am at my wits end. Any help would be much appreciated! Thank you!
When I exit chroot and reboot, I'm presented with the grub rescue screen, and the following errors:
Is the entire /boot on that usb key or only the keyfile?
If you want to boot from a usb key I'd suggest to install grub there and boot from the usb key, not to boot grub from some internal drive and then have it collect its stuff from an external drive.
Although
Within rescue mode, typing in 'ls' shows all drives attached, including the USB, which is hd0,gpt1. Typing in 'ls (hd0,gpt1)/' shows all folders on the drive, which tells me GRUB recognizes the USB, just not by UUID.
So… what if you address the partitions by that syntax instead of the UUID?
Also https://askubuntu.com/questions/228031/ … ub2-prompt
I make the grub image with:
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi part_gpt part_msdos luks2 cryptodisk gcry_rijndael gcry_sha512 lvm ext2 exfat fat ntfs
I think you might need the btrfs module as well.
Para todos todo, para nosotros nada
Is the entire /boot on that usb key or only the keyfile?
/boot is on the same LVM as root and swap space; it's in the same LVM partition as root. Since my machine is UEFI, I have an /efi partition completely separate from the LUKS2. It follows an identical disk layout to this chart, save for the disk being on an NVMe drive, not a SATA drive.
So... what if you address the partitions by that syntax instead of the UUID?
I'm assuming you mean within grub-pre.cfg? In that case, it leads to a 'No such cryptodisk found' error on reboot. I would also prefer referencing by UUID if possible, as it would prevent trying to read from the wrong USB if multiple thumb drives are plugged in at boot time.
I would think it's possible, since this step in the wiki states to use UUIDs, and not the hdX,gptY GRUB syntax.
I think you might need the btrfs module as well
I added this, good catch! But it still gives the original grub error of "disk [UUID of USB] not found..."
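Added example (not from the thread or the wiki page it follows): a grub-pre.cfg that keeps the original poster's preference for selecting the USB by UUID, but resolves that UUID into a device name before using it. A bare UUID string is not a GRUB device, so ($key_disk) with key_disk set to a UUID asks GRUB for a disk literally named by that string, which is the "disk '[UUID]' not found" error above; the same applies to set root=[UUID]. GRUB's search command turns a filesystem UUID into the (hdX,gptY) name it understands, so the right thumb drive is still picked even with several plugged in. The UUIDs, the keyfile path and the -k keyfile option (used here exactly as in the original post) are assumptions; the search, search_fs_uuid, test and echo modules, plus btrfs, must be in the grub-mkimage module list for this to run.

```grub
# grub-pre.cfg, added example. Embedded into the image with: grub-mkimage ... -c /boot/grub/grub-pre.cfg
# All UUIDs below are placeholders (assumed); substitute the values printed by blkid.

set crypto_uuid=0123456789abcdef0123456789abcdef   # LUKS2 UUID of /dev/nvme0n1p2, dashes removed (accepted by old and new GRUB)
set key_fs_uuid=1234-ABCD                           # filesystem UUID of the exFAT partition on the USB stick
set rootfs_uuid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee # btrfs UUID of /dev/MyVolGroup/root (blkid on the LV)

# Resolve the USB by UUID: on success key_disk holds a real device name such as hd0,gpt1
search --no-floppy --fs-uuid --set=key_disk $key_fs_uuid

if [ -z "$key_disk" ]; then
    # USB absent or wrong stick: fall back to the passphrase keyslot instead of failing into rescue mode
    echo "USB key disk $key_fs_uuid not found, asking for the LUKS passphrase"
    cryptomount -u $crypto_uuid
else
    cryptomount -u $crypto_uuid -k ($key_disk)/Desktop/cryptlvm-usb.key
fi

# The LV and its btrfs filesystem only become visible after cryptomount succeeded,
# so root is resolved here, again by UUID rather than by a hard-coded device name.
search --no-floppy --fs-uuid --set=root $rootfs_uuid
set prefix=($root)/boot/grub
insmod normal
normal
```

To build an image for this file, append search search_fs_uuid test echo btrfs to the module list of the grub-mkimage command already shown in the thread (and spell the cipher module gcry_rijndael). Two checks worth doing from the rescue shell before rebuilding: ls (hd0,gpt1)/ must list the keyfile, and cryptomount -u takes a UUID, not a device, which is why writing -u (hdX,gptY) produced "No such cryptodisk found"; the device form is cryptomount (hdX,gptY) with no -u. Because the USB keyfile lives in its own LUKS2 keyslot, a lost stick is revoked with cryptsetup luksKillSlot on that slot without touching the passphrase slot.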
Having the same issue. I'm wondering if anyone found a solution.