
#1 2014-06-10 23:20:51

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

encrypt netbook completely

Ahoy there!

I'd like to encrypt my netbook completely - as the topic already mentioned...
The following is what I want:
Format my disk (sda) and build a big encrypted container on it.
Within this container there shall be logical volumes for:
/root
/swap
/home
The boot partition shall be installed separately on my USB (sdb).
Correct me if I'm wrong, but I think that's called LVM on LUKS - with a separate boot partition.

I found this instruction:
https://wiki.archlinux.org/index.php/Dm … VM_on_LUKS

I tried that in a VM.
The installation went fine, no failures.

After I installed everything I rebooted.
The machine started up and.....

booting...

...nothing more...

Where's my failure?

I think the mistake I made (obviously) must be somewhere on my USB.

So here's all I did with it:

With gdisk I created a 500MB partition with type 8300.
mkfs.ext2 /dev/sdb1
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot
parted /dev/sdb set 1 bios_grub on

After that I installed grub

grub-mkconfig -o /boot/grub/grub.cfg

and last but not least

grub-install /dev/sdb


#2 2014-06-11 04:18:15

R3D
Member
Registered: 2014-01-12
Posts: 14

Re: encrypt netbook completely

Are these the only commands you ran?
You should really read through https://wiki.archlinux.org/index.php/be … ion_scheme
If you have a BIOS motherboard you need to create a BIOS boot partition, not a Linux partition.
And are you mounting your hard drive on /mnt before creating the boot directory and mounting the flash drive?


"Do not attribute to malice that which can be explained through incompetence"


#3 2014-06-11 11:32:46

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

Re: encrypt netbook completely

R3D wrote:

If you have a BIOS motherboard you need to create a BIOS boot partition, not a Linux partition.

Oops... I tried it again, making a BIOS partition... same problem -.-"

R3D wrote:

Are these the only commands you ran?

No, here's my COMPLETE installation process:

Creating a BIOS partition on sdb, 500MB, type ef02
Creating an encrypted container on sda, max size, type 8E00
cryptsetup luksFormat /dev/sda1
cryptsetup open --type luks /dev/sda1 lvm
pvcreate /dev/mapper/lvm
vgcreate Main /dev/mapper/lvm
lvcreate -L 8G Main -n rootvol
lvcreate -L 3G Main -n homevol
lvcreate -L 1G Main -n swapvol
mkfs.ext4 /dev/mapper/Main-rootvol
mkfs.ext4 /dev/mapper/Main-homevol
mkswap /dev/mapper/Main-swapvol
mount /dev/Main/rootvol /mnt
mkdir /mnt/home
mount /dev/Main/homevol /mnt/home
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot
swapon /dev/mapper/Main-swapvol

Then I edited /etc/pacman.d/mirrorlist for my needs.
I installed the base system with pacstrap /mnt base base-devel

Created the fstab:

genfstab -p /mnt > /mnt/etc/fstab

Then:

arch-chroot /mnt/

Set the computer name, language settings, keyboard settings, local time, edited locale.gen (all that standard procedure)

After that I edited /etc/mkinitcpio.conf
and added encrypt and lvm2 in the HOOKS line

mkinitcpio -p linux

Setting the root password, installing grub

cryptdevice=/dev/sda:Main root=/dev/mapper/Main-rootvol
grub-mkconfig -o /boot/grub/grub.cfg

After that the installation of grub onto the USB

grub-install /dev/sdb

Here's the point where I exit chroot and umount the drives.
I rebooted and here we are back again at the good old

booting...

and nothing more

[EDIT]
Meanwhile I also tried something different.
I didn't type

cryptdevice=/dev/sda:Main root=/dev/mapper/Main-rootvol

but I changed the line GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub to:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda1:main"

Nothing helps. I feel like I tried 100 things now (at least).
...I'm going to become insane...

Last edited by qwwyzq (2014-06-11 15:51:12)


#4 2014-06-12 03:56:56

R3D
Member
Registered: 2014-01-12
Posts: 14

Re: encrypt netbook completely

Try specifying --target=i386-pc in grub-install. Otherwise it defaults to x86_64-efi, and you don't have a UEFI motherboard... I hope. Do you? Please verify this; if so you shouldn't be using a BIOS boot partition but an EFI 'ef00' type partition.


"Do not attribute to malice that which can be explained through incompetence"


#5 2014-06-12 04:05:23

R3D
Member
Registered: 2014-01-12
Posts: 14

Re: encrypt netbook completely

Also run grub-install before grub-mkconfig.


"Do not attribute to malice that which can be explained through incompetence"


#6 2014-06-13 21:13:37

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

Re: encrypt netbook completely

R3D wrote:

Try specifying --target=i386-pc in grub-install. Otherwise it defaults to x86_64-efi, and you don't have a UEFI motherboard... I hope. Do you? Please verify this; if so you shouldn't be using a BIOS boot partition but an EFI 'ef00' type partition.

Nope, no UEFI!
It did the target thing on its own all the time. This time I also put it there; still doesn't work.

R3D wrote:

Also run grub-install before grub-mkconfig.

Did that, too. It's not working.


#7 2014-06-14 16:34:06

albinhere
Member
Registered: 2014-06-13
Posts: 7

Re: encrypt netbook completely

I didn't see where you created a boot partition on /dev/sdb in your install process.

If you are using GPT, using gdisk:

gdisk /dev/sdb
o        #to create a new GPT boot sector
n        #create a new partition - BIOS boot - sdb1
+1M      #size for the BIOS boot
ef02     #BIOS boot partition
n        #create another new partition for boot - sdb2
+256M    #256MB or whatever size you choose
w        #write the partition table to /dev/sdb
Y        #confirm and write

Then, create your encrypted partition (LVM/LUKS) on /dev/sda.  Now when you mount your volumes, mount the boot partition (now /dev/sdb2) to /mnt/boot.

I have LVM on LUKS but boot is on the same disk and not USB.

Edit: Changed sdb1 from "BIOS GRUB" to "BIOS boot".

Last edited by albinhere (2014-06-16 21:50:56)


#8 2014-06-16 19:41:30

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

Re: encrypt netbook completely

I wrote that in my second post.

qwwyzq wrote:

Creating a BIOS partition on sdb, 500MB, type ef02

albinhere wrote:

I have LVM on LUKS but boot is on the same disk and not USB.

Yeah, that's no problem. I've tried that too, works fine for me but with the USB stick it's really annoying to do that.
You should read this article, he explains how to pwn lvm on luks if the boot partition is on the same drive.

https://twopointfouristan.wordpress.com … ncryption/


albinhere wrote:

gdisk /dev/sdb
o        #to create a new GPT boot sector
n        #create a new partition - BIOS GRUB - sdb1
+1M      #size for the BIOS GRUB
ef02     #BIOS boot partition
n        #create another new partition for boot - sdb2
+256M    #256MB or whatever size you choose
w        #write the partition table to /dev/sdb
Y        #confirm and write

Why are there two BIOS GRUB partitions? What shell this be good for?

Last edited by qwwyzq (2014-06-16 20:03:36)


#9 2014-06-16 21:09:45

albinhere
Member
Registered: 2014-06-13
Posts: 7

Re: encrypt netbook completely

qwwyzq wrote:

I wrote that in my second post.

Yes, I did see that.  However, from your procedure outlined above, it was apparent that you were using BIOS and booting GPT.  As per the wiki, you will need a separate BIOS boot partition along with a separate /boot partition:

Arch Wiki wrote:

Note: To boot from a GPT partitioned disk on a BIOS based system using GRUB, you have to create, preferably at the disk's beginning, a BIOS boot partition.

Wiki:
https://wiki.archlinux.org/index.php/Pa … tion_Table

qwwyzq wrote:

Yeah, that's no problem. I've tried that too, works fine for me but with the USB-Stick it's realy annoying to do that.
You should read this article, he explains how to pwn lvm on luks if the boot-partition is on the same drive.

https://twopointfouristan.wordpress.com … ncryption/

Thanks, I will take a look.

qwwyzq wrote:

why there are two bios grub partition? What shell this be good for?

See my comment above.  This is for bash shell.

Edit: I now see what is confusing about my previous post.  The first partition on sdb should have been labeled "BIOS boot" and not "BIOS GRUB". My mistake smile

Last edited by albinhere (2014-06-16 21:48:26)


#10 2014-06-16 21:50:29

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

Re: encrypt netbook completely

Just to be clear here.
I start my installation with the following commands:

gdisk /dev/sdb
o, n , +250M, type=ef02 => /dev/sdb1
n, +500M, type=i leave it default!? => /dev/sdb2
w, Y

When I'm in the opened LUKS container I do all the stuff with /dev/sda and I type

mkfs.ext2 /dev/sdb2

?

after that

mkdir /mnt/home
mount /dev/sdb2 /mnt/home

and later

grub-install /dev/sdb

Last edited by qwwyzq (2014-06-16 21:51:19)


#11 2014-06-16 22:55:03

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: encrypt netbook completely

I just happened to recently record my notes for this (except with btrfs instead of lvm and without swap) here. I hope it helps! I didn't see any super obvious mistakes in your procedure but I'll try to look at it again when I'm not on my phone.

Scott

Edit: post the output of gdisk -l for sda and sdb

Last edited by firecat53 (2014-06-16 23:01:17)


#12 2014-06-16 23:10:45

albinhere
Member
Registered: 2014-06-13
Posts: 7

Re: encrypt netbook completely

The BIOS boot partition (sdb1) only needs to be 1MB.

The linux boot partition only needs about 100MB but if you use multiple kernels or boot images you'll need more room.  250MB should be a safe size.

Let's recap:
on sdb:
1.  Clear old partition data and create a new GPT
2.  Create a 1MB BIOS boot partition (sdb1)
3.  Create a 256MB linux boot partition (sdb2)

on sda:
4.  Create one new partition
5.  Create your Luks encrypted container
6.  Open your Luks encrypted container
7.  Create your physical volume
8.  Create your volume group
9.  Create your logical volumes for root, home, swap, etc...
10. Make your file system on your boot partition (sdb2).  I like to use ext2
11. Make your file systems on your logical volumes
12. If you use swap, "mkswap" on your swap logical volume

Mount your volumes
13. Mount logical volume root to /mnt
14. Make home directory in /mnt
15. Mount logical volume home to /mnt/home
16. "swapon" /dev/mapper/yourVolGroupSwapName
17. Make boot directory in /mnt
18. Mount boot partition (sdb2) to /mnt/boot

Now continue with the rest of the installation (edit mirrors, install the base system, etc.).  It probably won't matter too much but I like to use UUIDs instead of block labels so I edit my fstab and incorporate this info.  Don't forget to add encrypt and lvm2 hooks!


#13 2014-06-17 11:14:34

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

Re: encrypt netbook completely

I did the 25252525th installation... it failed again -.-"

I tried it with the two boot partitions like you said

albinhere wrote:

on sdb:
1.  Clear old partition data and create a new GPT
2.  Create a 1MB BIOS boot partition (sdb1)
3.  Create a 256MB linux boot partition (sdb2)

still the

Booting...

crap.

I'm going bananas. What am I missing?


#14 2014-06-17 14:24:57

albinhere
Member
Registered: 2014-06-13
Posts: 7

Re: encrypt netbook completely

So you were able to see the GRUB menu, and entered your Luks password? Or did it not even get that far?


#15 2014-06-17 14:34:31

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: encrypt netbook completely

Post the output of gdisk -l for sda and sdb. Did you check out the procedure in my post above?


#16 2014-06-17 18:47:36

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

Re: encrypt netbook completely

albinhere wrote:

So you were able to see the GRUB menu, and entered your Luks password? Or did it not even get that far?

Nope, I don't get that far.

firecat53 wrote:

Post the output of gdisk -l for sda and sdb. Did you check out the procedure in my post above?

Yep, I checked that out. I didn't see anything I could need. Or did I miss a thing there?

Here's the output:

/dev/sda

GPT fdisk (gdisk) version 0.8.10

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sda: 34672896 sectors, 16.5 GiB
Logical sector size: 512 bytes
Disk Identifier (GUID): AA7FF6B0-36CF-4751-9283-64A8B05F00BD
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 34672862
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size        Code  Name
   1              2048        34672862  16.5 GiB    8E00  Linux LVM

/dev/sdb

GPT fdisk (gdisk) version 0.8.10

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sdb: 15974400 sectors, 7.6 GiB
Logical sector size: 512 bytes
Disk Identifier (GUID): C9E7C4F9-BB8B-4AAA-BD27-252AB6D051E1
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 1594366
Partitions will be aligned on 2048-sector boundaries
Total free space is 14948285 sectors (7.1 GiB)

Number  Start (sector)    End (sector)  Size        Code  Name
   1              2048            4095  1024.0 KiB  EF02  BIOS boot partition
   2              4096         1028095  500.0 MiB   8300  Linux filesystem

[EDIT]
After I posted this text, I saved the session in the VM, made a copy and started the original one.
The VM showed the text I also had before and did that:

1 root@archiso ~ # [4348.156047] sd 5:0:0:0: [sdc] No Caching mode page found(
[4348.158463] sd 5:0:0:0: [sdc] Assuming drive cache: write through
[4348.212074] sd 5:0:0:0: [sdc] No Caching mode page found
[4348.213992] sd 5:0:0:0: [sdc] Assuming drive cache: write through
[4348.425626] sd 5:0:0:0: [sdc] No Caching mode page found
[4348.427097] sd 5:0:0:0: [sdc] Assuming drive cache: write through

WHY sdc? I don't have any other device on my computer - especially not activated in the VM.

And I couldn't open gdisk -l /dev/sdb anymore, because:

GPT fdisk (gdisk) version 0.8.10

Problem opening /dev/sdb for reading! Error is 2.
The specified file does not exist!

Maybe that's the problem all the time, that it can't find sdb anymore!?

Last edited by qwwyzq (2014-06-17 19:01:33)


#17 2014-06-17 19:41:51

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: encrypt netbook completely

It looks like you don't have the bootable flag set on your /boot partition on the flash drive. The filesystem should be 'ef00', not '8300'. You either set the filesystem with gdisk as 'ef00' or use parted to toggle the bootable flag.

Scott


#18 2014-06-17 20:05:25

ajbibb
Member
Registered: 2012-02-12
Posts: 142

Re: encrypt netbook completely

GPT is known to not work on some, supposedly rare, types of BIOS. Ran across it a year ago on a desktop with an Intel BIOS.  I recall on mine the machine put up a message saying searching for boot device, then it just sat there with the message blinking.

Have you ever booted the netbook from a GPT disk before?  If not you may want to try a traditional fdisk on the boot device (USB).  You can keep the GPT on the encrypted disk in the notebook. If it is this BIOS bug, once you get past the early boot stage GPT will work fine.


#19 2014-06-17 21:27:03

qwwyzq
Member
Registered: 2014-06-10
Posts: 8

Re: encrypt netbook completely

firecat53 wrote:

It looks like you don't have the bootable flag set on your /boot partition on the flash drive. The filesystem should be 'ef00', not '8300'. You either set the filesystem with gdisk as 'ef00' or use parted to toggle the bootable flag.

The filesystem 'ef00' is EFI and I have BIOS (or I think the VM has, kinda), does that matter?
I've tried to do

parted /dev/sdb set 2 bios_grub on

(just to remember: sdb1 = BIOS grub, type ef02 :: sdb2 = Linux filesystem, type 8300)

The terminal's answer was:

Information: You may need to update /etc/fstab

So I created the fstab with

genfstab -p -U /mnt > /mnt/etc/fstab

Still the same message.

ajbibb wrote:

GPT is known to not work on some, supposedly rare, types of BIOS. Ran across it a year ago on a desktop with an Intel BIOS.  I recall on mine the machine put up a message saying searching for boot device, then it just sat there with the message blinking.

Have you ever booted the netbook from a GPT disk before?  If not you may want to try a traditional fdisk on the boot device (USB).  You can keep the GPT on the encrypted disk in the notebook. If it is this BIOS bug, once you get past the early boot stage GPT will work fine.

I'm still trying to do all this in a VM, not on the netbook.
Therefore this hint is, in this case, unfortunately not helpful hmm


#20 2014-06-18 12:53:14

albinhere
Member
Registered: 2014-06-13
Posts: 7

Re: encrypt netbook completely

qwwyzq wrote:

I'm still trying to do all this in a VM, not on the netbook.
Therefore this hint is, in this case, unfortunately not helpful hmm

I thought you were done with your VM install.  You may encounter a whole set of different issues when you install on your netbook.  Then again, it may just work....I dunno.

In any case, you're still not getting to the grub menu.  Let's concentrate on that for a moment.  Did you make your USB boot partition bootable? You created grub under chroot, yes? Are you using UUIDs instead of labels? Did you add your encrypted device to GRUB kernel parameters:

"cryptdevice=/dev/disk/by-uuid/xxxxxxxxxx:Main root=/dev/mapper/Main-rootvol"
or
"cryptdevice=/dev/sda1:Main root=/dev/mapper/Main-rootvol"

Did you add the "encrypt" and "lvm2" hooks in mkinitcpio.conf and regenerate mkinitcpio?

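A small checker for the two things this thread keeps circling back to: the GPT layout that legacy-BIOS GRUB has to boot from (the gdisk -l output in post #16) and the cryptdevice=/root= kernel parameters (post #20). This is added example code, not from the thread, the Arch wiki or any poster; the partition rows are constructed from the tables posted above, the function names are my own, and it only knows /dev/sdX device names (by-uuid paths are accepted without a table lookup).

```python
import re

# Constructed sample input: the partition rows posted in the thread for sda and sdb.
GDISK_SDA = """\
Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048        34672862   16.5 GiB    8E00  Linux LVM
"""
GDISK_SDB = """\
Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048            4095   1024.0 KiB  EF02  BIOS boot partition
   2            4096         1028095   500.0 MiB   8300  Linux filesystem
"""
# One partition row: number, start, end, size (e.g. "16.5 GiB"), type code, name.
PART_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+\s*[KMGT]iB)\s+([0-9A-Fa-f]{4})\s*(.*?)\s*$")

def parse_gdisk(text):
    """Parse `gdisk -l` output into a list of partition dicts."""
    parts, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Number"):      # header row; partition rows follow it
            in_table = True
            continue
        m = PART_RE.match(line) if in_table else None
        if m:
            num, start, end, size, code, name = m.groups()
            parts.append({"number": int(num), "start": int(start), "end": int(end),
                          "size": size, "code": code.upper(), "name": name})
    return parts

def check_bios_gpt_boot_disk(parts):
    """Problems with a GPT disk that legacy-BIOS GRUB must boot from (the thread's sdb)."""
    problems = []
    if not any(p["code"] == "EF02" for p in parts):
        problems.append("no EF02 BIOS boot partition: GRUB has nowhere to embed core.img on GPT")
    if not any(p["code"] == "8300" for p in parts):
        problems.append("no Linux (8300) partition to hold /boot")
    return problems

def check_cryptdevice(cmdline, parts_by_disk):
    """Check cryptdevice=<dev>:<name> (encrypt hook) and root= on the kernel cmdline."""
    m = re.search(r"cryptdevice=(\S+?):(\w+)", cmdline)
    if not m:
        return ["cryptdevice= is missing from the kernel cmdline"]
    problems, dev = [], m.group(1)
    md = re.fullmatch(r"/dev/(sd[a-z])(\d*)", dev)     # by-uuid paths are not checked
    if md and not md.group(2):
        problems.append(f"cryptdevice names the whole disk {dev}; the LUKS container is on a partition")
    elif md and not any(p["number"] == int(md.group(2)) for p in parts_by_disk.get(md.group(1), [])):
        problems.append(f"{dev} is not in the partition table")
    if "root=" not in cmdline:
        problems.append("root= is missing: the initramfs cannot find the root LV")
    return problems
```

Run against the thread's tables, sdb passes the layout check while the first GRUB line from post #3 (cryptdevice=/dev/sda:Main) is flagged for naming the whole disk instead of /dev/sda1.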

#21 2014-06-18 14:45:31

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: encrypt netbook completely

Your first and only goal at this point is to get the grub menu from your flash drive on boot. You don't even need the VM for this...install grub on the flash drive and then make sure your netbook boots to the grub menu!

Scott

