I am trying to get full disk encryption working (no lvm) in VirtualBox with dm-crypt with LUKS. The wiki article seems to be referencing files that no longer exist because of the move from initscripts to systemd. It also references the old install script, and me being new to the scene here, I have no idea what the new files are. Examples are:
/arch/setup
/etc/rc.conf
/boot/grub/menu.lst (although I found a similar file at /etc/default/grub after grub-bios is installed)
The script I made to kind of automate my installation is at https://gist.github.com/4364427
After the first reboot (after properly umounting /mnt/boot and /mnt) it boots into a shell that I can't do anything in.
Last edited by zakioka (2012-12-23 21:28:36)
Offline
The solution was to rerun
mkinitcpio -p linux
After the configuration was made to /etc/mkinitcpio.conf.
Now I get errors http://imgur.com/a/1PDKi, but the system boots, asks for my password (using a wrong password gives expected result) and will allow me to do stuff.
However the system now complains that it is read only. /etc/fstab contains no edits.
This was resolved by booting into the disk, using the cryptsetup tool to open then mount, then edit /etc/fstab properly.
Last edited by zakioka (2012-12-23 18:38:17)
Offline
Please mark your thread as [Solved]. If you feel as though you have learned enough from this venture to be able to better the wiki page, you should go ahead and edit it. Namely, any references to the old install method and rc.conf should be updated to reflect the current status of the system. The wiki only gets better if the community actively maintains it. Welcome to the community!
Offline
Maybe in the future when I have more time and more experience. At this time I do not feel confident in instructing people to properly encrypt their drives. If no one has anything to say about the errors and warnings in post #2, then I guess that is all.
Offline
Hum, I should probably go and fix the Arch Wiki. I seem to have a good understanding of how to do this now.... However, I don't have time. I am studying for my CCNP... well the CCNP ROUTE exam.. I have OSPF and EIGRP all down solid. I am working on BGP now.. which is a little hard to debug... After that I need to hammer out IPv6 and I think I should be good to go.
Back on track...
You can simply boot into the Arch install CD/USB create 2 partitions..
/dev/sda1
/dev/sda2
Then encrypt /dev/sda2
cryptsetup -h sha512 -c aes-xts-plain64 -y -s 512 luksFormat --align-payload=8192 /dev/sda2
Now mount it
cryptsetup luksOpen /dev/sda2 root
Create your filesystems
mkfs.ext4 -b 4096 /dev/sda1
mkfs.ext4 -b 4096 /dev/mapper/root
Now mount /dev/mapper/root to /mnt
mount /dev/mapper/root /mnt
Create the /boot directory
And Mount /dev/sda1 to it
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Now follow the Arch Beginners' Guide.....
You need to edit /mnt/etc/mkinitcpio.conf
Add this to the MODULES= array
ext4
Add these right before "filesystems" in the HOOKS= array
keymap encrypt
NOW, rebuild the initramfs
mkinitcpio -p linux
Install grub-bios as you normally would.....
THEN, you need to edit this /mnt/etc/default/grub
You just need to add this one part to make LUKS/dm-crypt work
/mnt/etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"
NOW, rebuild the GRUB2 grub.cfg file
grub-mkconfig -o /boot/grub/grub.cfg
Reboot into your new install. It will ask you for your password and it will all work as you would expect.
Last edited by hunterthomson (2012-12-25 09:36:19)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
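The failures reported in this thread (an initramfs built before the HOOKS edit, a grub.cfg without cryptdevice=, an fstab with no root entry) can all be checked from the install medium before rebooting. The script below is an added example, not part of any post in the thread; its function names and the script name are hypothetical, and it assumes the installed tree is mounted at the path passed as its argument.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the dm-crypt/LUKS install steps above.
# Run from the install medium as:  sh check.sh /mnt   (script name is arbitrary)

# hooks_ok FILE: true if the active HOOKS= line has "encrypt" before "filesystems".
hooks_ok() {
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=//p' "$1" | tail -n 1 | tr -d '"()'"'")
    seen=no
    for h in $hooks; do
        case $h in
            encrypt) seen=yes ;;
            filesystems) [ "$seen" = yes ] && return 0 || return 1 ;;
        esac
    done
    return 1
}

# cryptdevice_of FILE: print DEVICE:NAME from the first uncommented
# cryptdevice= parameter in FILE (/etc/default/grub or grub.cfg); fail if none.
cryptdevice_of() {
    val=$(grep -v '^[[:space:]]*#' "$1" | grep -o 'cryptdevice=[^" ]*' | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "${val#cryptdevice=}"
}

# fstab_has_root FILE: true if an uncommented entry has mount point "/".
fstab_has_root() {
    awk '$1 !~ /^#/ && $2 == "/" { found = 1 } END { exit !found }' "$1"
}

# initramfs_fresh CONF IMG: true if IMG was written after CONF was last edited,
# i.e. mkinitcpio was rerun after the HOOKS change.
initramfs_fresh() { [ "$2" -nt "$1" ]; }

# check_install ROOT: run every check against the tree mounted at ROOT.
check_install() {
    r=$1 rc=0
    hooks_ok "$r/etc/mkinitcpio.conf" ||
        { echo "mkinitcpio.conf: 'encrypt' missing or after 'filesystems'"; rc=1; }
    initramfs_fresh "$r/etc/mkinitcpio.conf" "$r/boot/initramfs-linux.img" ||
        { echo "initramfs older than mkinitcpio.conf: rerun mkinitcpio -p linux"; rc=1; }
    want=$(cryptdevice_of "$r/etc/default/grub") ||
        { echo "/etc/default/grub: no cryptdevice= parameter"; rc=1; }
    [ "$want" = "$(cryptdevice_of "$r/boot/grub/grub.cfg")" ] ||
        { echo "grub.cfg does not carry cryptdevice=$want: rerun grub-mkconfig"; rc=1; }
    fstab_has_root "$r/etc/fstab" || { echo "fstab: no entry for /"; rc=1; }
    return "$rc"
}

[ "$#" -eq 0 ] || check_install "$1"
```

A non-zero exit status means at least one check failed; each failure prints the step that needs to be redone inside the chroot.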
Shouldn't "/dev/sdb2" be "/dev/sda2" in the first command?
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
Shouldn't "/dev/sdb2" be "/dev/sda2" in the first command?
Ah yes, thanks.
Offline
@zakioka: It's great of hunterthomson to spoonfeed instructions for you, but I do wonder which wiki pages/sections you referenced / attempted to follow when those errors occurred. Maybe it would have worked right away, if you used the genfstab script.
Offline
@zakioka: It's great of hunterthomson to spoonfeed instructions for you, but I do wonder which wiki pages/sections you referenced / attempted to follow when those errors occurred. Maybe it would have worked right away, if you used the genfstab script.
Nope, it still would not have worked. GRUB never found the partition to decrypt.
The problem was not fstab it was this...
/mnt/etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"
NOW, rebuild the GRUB2 grub.cfg file
grub-mkconfig -o /boot/grub/grub.cfg
Really, I was not spoon feeding him. The Arch Wiki is out of date. That is why there are so many threads about LUKS/dm-crypt. What would be really cool is if you could go and update the Wiki for us. I don't have the time to do it right.
Section one: could basically be my post above
Section two (recommended): LVM on LUKS/dm-crypt
Section three: Put GRUB and /boot in USB
Section four: Put GRUB and /boot on CD-R
Last edited by hunterthomson (2012-12-27 03:07:46)
Offline
@hunterthomson:
First, I was referring to the OP's problem/question about the wrong fstab and second please take your time to re-read the wiki again before posting. What you reference as "section one" - any outdated bit in there you say?
That section then leads over to the grub bit. How is that different to your grub stuff up there? And how is it outdated?
The LVM stuff in the wiki is outdated yes, partly at least. But the OP is not asking for that.
You are competent about encryption, please do join us in editing it when you find the time! Please leave any suggestions you have (e.g. regarding your ideas about Grub on CD-R) on the wiki talk page. That's the place to do that. If you see outdated bits and don't have the time to fix them, leave comments about them there also. That way all interested wiki contributors who watch the page can pick them up and/or discuss when time permits.
If you see grave outdated bits (grave as they might give others problems), you can also mark them as outdated by the wiki template. But as the above posts show a discussion on the talk page may be more useful at some time.
Offline
Has anyone here tried to install a fully encrypted system with multiple HDD drives? All the posts I've read are about encrypting multiple partitions, not multiple HDDs.
Offline
Hijack attack .. have a try with other search terms: http://lmgtfy.com/?q=cryptsetup+AND+rai … hlinux.org
Offline