
#1 2012-12-22 22:30:27

ineb
Member
Registered: 2011-07-25
Posts: 7

trouble with luks non root partition

hello,

today i struggled with creating an encrypted archlinux installation.

what i want is to encrypt my root and all other partitions with luks.

basically i used the guide on the archwiki ( https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS ),
but i am always failing at the same point.

my setup is a bit more complex, but to describe my problem i want to use a simple testcase

/dev/sda with 2 partitions
  /dev/sda1    as /boot
  /dev/sda2    as crypto_LUKS

/dev/sdb with 1 partition
  /dev/sdb1    as crypto_LUKS

/dev/sda2 should be / and /dev/sdb1 e.g. /home

i am using passphrases for both partitions.

i edited the HOOKS line in mkinitcpio.conf and added "encrypt" before "filesystems",
and i also edited the crypttab to something like this:

sdb1_crypt /dev/sdb1 none luks

my fstab entry for /home looks like

/dev/mapper/sdb1_crypt /home ext4 rw,relatime,data=ordered 0 1

so far so good, when i am booting i am prompted for passphrases 2 times. first time to encrypt and mount the root-partition, which works fine.
second time for the /home partition, but then the boot process gets stuck and systemd times out

[ OK ] Found device /dev/mapper/sdb1_crypt
[ OK ] Started Cryptography Setup for sdb1_crypt
[ OK ] Reached target Encryptet Volumes
[ TIME ] Timed out waiting for device dev-mapper/sdb1_crypt
[ DEPEND ] Dependency failed for /home
[ DEPEND ] Dependency failed for Local File Systems

i am thrown to emergency shell then.
/dev/mapper/sdb1_crypt exists, but when i am trying to mount it with

mount /dev/mapper/sdb1_crypt /mnt

it says

mount: special device /dev/mapper/sdb1_crypt does not exist

cryptsetup says that /dev/mapper/sdb1_crypt is inactive.

anyway i can luksOpen it manually with

cryptsetup luksOpen /dev/sdb1 foo

enter passphrase again and now i am able to mount /dev/mapper/foo


what am i missing here?

thanks for helping !
ineb

Offline

#2 2012-12-23 02:03:24

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: trouble with luks non root partition

I believe that the standard hook cannot cope with multiple encrypted disks.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#3 2012-12-23 08:22:23

yuanzhi
Member
Registered: 2012-12-19
Posts: 15

Re: trouble with luks non root partition

Maybe you can try changing /dev/sdb1 to a persistent symlink in /etc/crypttab.

Offline

#4 2012-12-23 11:05:06

ineb
Member
Registered: 2011-07-25
Posts: 7

Re: trouble with luks non root partition

cfr wrote:

I believe that the standard hook cannot cope with multiple encrypted disks.

yes, that's right. therefore i made the crypttab entry. the devices listed there don't need the encrypt hook (only the root filesystem really does).

@yuanzhi
i already tried that via UUID. with a wrong device there it wouldn't ask me for a 2nd passphrase anyway.

Last edited by ineb (2012-12-23 11:06:00)

Offline

#5 2012-12-23 11:25:23

yuanzhi
Member
Registered: 2012-12-19
Posts: 15

Re: trouble with luks non root partition

ineb wrote:

i already tried that via UUID. with a wrong device there it wouldn't ask me for a 2nd passphrase anyway.

Have you tried a persistent symlink by id?

Offline

#6 2012-12-23 12:09:51

jjacky
Member
Registered: 2011-11-09
Posts: 347
Website

Re: trouble with luks non root partition

The setup you're describing should work, so there must be something else. Have you tried looking at the journal, to see if you can maybe find more info about what's (not) happening? (maybe with a higher loglevel if needed) What's the status of the systemd-cryptsetup@sdb1_crypt.service (not sure that would be its exact name) when you boot?

Offline

#7 2012-12-23 23:31:17

ineb
Member
Registered: 2011-07-25
Posts: 7

Re: trouble with luks non root partition

unfortunately i needed a working linux installation with luks (and lvm) asap, so i skipped arch this time and went to ubuntu.
i'll rebuild my setup in a vm tomorrow and look into it

Offline

#8 2012-12-25 02:35:57

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: trouble with luks non root partition

I just wrote this. It does not cover the LVM part. However, you do not need to do anything for that.

Just add this between "keymap encrypt" and "filesystems" in the HOOKS= array

lvm2

Also, because you have more than one partition that is encrypted and needs to be decrypted at boot, you may need to have this in the /etc/default/grub instead of what I put in the post I linked to.

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root cryptdevice=/dev/sdb1:home"

The `grub-mkconfig -o /boot/grub/grub.cfg` command WILL find all your LVM2 lv's with no problem and configure grub.cfg correctly. You just need to edit /etc/default/grub and use that command to rebuild the grub.cfg

Other than that this post should solve your problems.

https://bbs.archlinux.org/viewtopic.php … 2#p1209702

Last edited by hunterthomson (2012-12-25 02:40:23)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline
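
A naming check for the files discussed in this thread, as an added example that is not part of any post: it verifies that every /dev/mapper/<name> in fstab is created by a crypttab entry or a cryptdevice=device:name kernel parameter, and flags crypttab sources given as kernel names such as /dev/sdb1. The function names and inline sample data are constructed for illustration; it checks names only, not whether the initramfs hook opens every listed device.

```python
import re

# Constructed sample data, built from the lines quoted in this thread.
FSTAB = "/dev/mapper/sdb1_crypt /home ext4 rw,relatime,data=ordered 0 1\n"
CRYPTTAB = "sdb1_crypt /dev/sdb1 none luks\n"
CMDLINE = 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root cryptdevice=/dev/sdb1:home"'

def rows(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def crypttab_entries(text):
    """Return {mapping_name: source_device} for /etc/crypttab content."""
    return {f[0]: f[1] for f in rows(text) if len(f) >= 2}

def cmdline_mappings(cmdline):
    """Return {mapping_name: device} for every cryptdevice=device:name[:options]."""
    found = re.findall(r'cryptdevice=([^\s":]+):([^\s":]+)', cmdline)
    return {name: device for device, name in found}

def check(fstab, crypttab, cmdline):
    """Return findings: mapper names nothing opens, and unstable source names."""
    tab = crypttab_entries(crypttab)
    known = set(tab) | set(cmdline_mappings(cmdline))
    findings = []
    for f in rows(fstab):
        if len(f) >= 2 and f[0].startswith("/dev/mapper/"):
            name = f[0][len("/dev/mapper/"):]
            if name not in known:
                findings.append(f"{f[1]}: nothing opens /dev/mapper/{name}")
    for name, src in tab.items():
        # Kernel names (sdX, hdX, vdX) can change between boots.
        if re.fullmatch(r"/dev/(sd|hd|vd)[a-z]+\d*", src):
            findings.append(f"{name}: source {src} is not a persistent name")
    return findings

if __name__ == "__main__":
    # crypttab from post #1, then the kernel command line from post #8.
    for label, args in (("crypttab", (FSTAB, CRYPTTAB, "")),
                        ("cmdline", (FSTAB, "", CMDLINE))):
        for finding in check(*args):
            print(f"[{label}] {finding}")
```

With the command line from post #8 the mappings are named root and home, so an fstab line that still points at /dev/mapper/sdb1_crypt is reported.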

#9 2013-01-23 15:54:33

ineb
Member
Registered: 2011-07-25
Posts: 7

Re: trouble with luks non root partition

hello,

sorry for my very late answer. i was heavily into exams.

anyway i managed to successfully create the setup described in my first post.

thank you, hunterthomson - multiple cryptdevice entries in /etc/default/grub led to success.

/etc/crypttab isn't needed at all.

but i still have one question:

when using keyfiles for encryption one needs to add to GRUB_CMDLINE_LINUX an entry like

cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile

how is the behaviour on multiple cryptdevice entries? do i need to add a cryptkey line after each cryptkey file, or is one key used for all cryptdevices or what?

unfortunately i am unable to test this right now

thanks in advance
ineb

Last edited by ineb (2013-01-23 15:55:38)

Offline
