
#1 2015-08-06 17:45:41

skeptic
Member
Registered: 2015-08-06
Posts: 2

[SOLVED]Full disk encryption (dm-crypt: LVM on LUKS) failing with grub

Hi
I've previously successfully set up an Arch system by following the beginner's guide (https://wiki.archlinux.org/index.php/Beginners%27_guide), but now I wanted to repeat the process with full disk encryption using LUKS and then inside the encrypted drive LVM. For that I followed https://wiki.archlinux.org/index.php/Dm … VM_on_LUKS.

I'm having a lot of trouble identifying what steps to take at which moment since the two wiki pages have to be combined in order to set everything up. Here's what I've tried:

  1. Boot Arch Linux installation from USB drive

  2. In parted: Create a boot and a crypt partition

    (parted) mklabel msdos
    (parted) mkpart primary ext4 1MiB 100MiB
    (parted) set 1 boot on
    (parted) mkpart primary ext4 100MiB 100%

    So now I have /dev/sda1 for boot and /dev/sda2 for the luks partition.

  3. Then I switched to the dm-crypt wiki tutorial to create the encrypted container. This is now pretty much copy/paste from the tutorial:

    Create a physical volume on top of the opened LUKS container:

    # pvcreate /dev/mapper/lvm

    Create the volume group named MyStorage, adding the previously created physical volume to it:

    # vgcreate MyStorage /dev/mapper/lvm

    Create all logical volumes on the volume group:

    # lvcreate -L 4G MyStorage -n swapvol
    # lvcreate -L 40G MyStorage -n rootvol
    # lvcreate -l +100%FREE MyStorage -n homevol

    Format filesystems on each logical volume:

    # mkfs.ext4 /dev/mapper/MyStorage-rootvol
    # mkfs.ext4 /dev/mapper/MyStorage-homevol
    # mkswap /dev/mapper/MyStorage-swapvol

    Mount filesystems:

    # mount /dev/MyStorage/rootvol /mnt
    # mkdir /mnt/home
    # mount /dev/MyStorage/homevol /mnt/home
    # swapon /dev/MyStorage/swapvol

    Then prepare the boot partition

    # mkfs.ext4 /dev/sda1
    # mkdir /mnt/boot
    # mount /dev/sdbY /mnt/boot

    Configuring /etc/mkinitcpio.conf by adding the hooks. Is doing this here in the booted installation correct? I have the feeling it should be done in the rootvolume's /etc, i.e. after doing arch-chroot

    HOOKS="... encrypt lvm2 ... filesystems ..."

    Lastly, configuring the boot loader by adding the following to /etc/default/grub

    cryptdevice=/dev/sda2:MyStorage root=/dev/mapper/MyStorage-rootvol

    so the top of the file now reads

    GRUB_DEFAULT=0
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTION="Arch"
    GRUB_CMDLINE_LINUX_DEFAULT="quiet"
    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:MyStorage root=/dev/mapper/MyStorage-rootvol"

    Again, I'm still in the installation file tree! I'm pretty sure this is the wrong place to be editing /etc/default/grub. And is this even the file I need to edit? The wiki is just saying "Edit the bootloader".

  4. Now I went back to the beginner's guide, selected a mirror, installed the base system, generated fstab

  5. Then the chroot part:

     # arch-chroot /mnt /bin/bash 

    Setting locale, console font and keymap. Also set up timezone, hostname and root password.

  6. then comes "Install and configure a bootloader" and I guess this is where I blew it

    # pacman -S grub os-prober
    # grub-install --recheck /dev/sda
    # grub-mkconfig -o /boot/grub/grub.cfg

    Here it fails! I get a ton of these, followed by a 'done':

    /run/lvm/lvmetad.socket: connect failed: No such file or directory
    WARNING: Failed to connect to lvmtad. Falling back to internal scanning.
    ...
    /run/lvm/lvmetad.socket: connect failed: No such file or directory
    WARNING: Failed to connect to lvmtad. Falling back to internal scanning.
    done

    First of all I'm confused as to what the difference between /boot and /mnt/boot is. Should I have mounted /mnt/boot here? And is it necessary to mount it in the installation (the outside-system) AND the newly installed system after doing arch-chroot?
    Needless to say when I reboot the system, Grub gives errors and goes into recovery mode...

I'm sorry for the long post, but I'm really confused about the order in which these things need to be done. I've been trying for the whole day now so I hope it's okay to ask.

Do I, after doing arch-chroot, have to open the encrypted luks partition with cryptsetup again? And also mount /mnt, /mnt/boot and /mnt/home?

Last edited by skeptic (2015-08-08 14:48:23)

Offline

#2 2015-08-07 10:54:30

Rethil
Member
Registered: 2014-08-21
Posts: 83

Re: [SOLVED]Full disk encryption (dm-crypt: LVM on LUKS) failing with grub

skeptic wrote:

Configuring /etc/mkinitcpio.conf by adding the hooks. Is doing this here in the booted installation correct? I have the feeling it should be done in the rootvolume's /etc, i.e. after doing arch-chroot

No, it's not. You need to edit your /mnt/etc/mkinitcpio.conf after base system installation with pacstrap.

skeptic wrote:

Lastly, configuring the boot loader by adding the following to /etc/default/grub

Same as above but for /mnt/etc/default/grub after grub install.

I would do it that way:

1. Boot Arch Linux installation
2. Prepare partitions with fdisk, one for boot, and one for lvm.
3. Create and mount LUKS container encrypted with dm-crypt (let's say for sda2)

# cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
# cryptsetup open --type luks /dev/sda2 crypt

4. Now for LVM

# pvcreate /dev/mapper/crypt
# vgcreate system /dev/mapper/crypt
# lvcreate -L 4G system -n swap
# lvcreate -L 40G system -n root
# lvcreate -l +100%FREE system -n home

5. Format (for boot on sda1)

# mkfs.ext4 /dev/sda1
# mkfs.ext4 /dev/mapper/system-root
# mkfs.ext4 /dev/mapper/system-home
# mkswap /dev/mapper/system-swap

6. Mount

# mount /dev/mapper/system-root /mnt
# mkdir /mnt/{home,boot}
# mount /dev/mapper/system-home /mnt/home
# mount /dev/sda1 /mnt/boot
# swapon /dev/mapper/system-swap

7. Install

# pacstrap -i /mnt base base-devel
# genfstab -U -p /mnt >> /mnt/etc/fstab
# arch-chroot /mnt

8. Do other things

9.

skeptic wrote:

Configuring /etc/mkinitcpio.conf by adding the hooks.

HOOKS="... encrypt lvm2 ... filesystems ..."

10. Install grub

# pacman -S grub os-prober
# grub-install --target=i386-pc --recheck --debug /dev/sda

11.

skeptic wrote:

Lastly, configuring the boot loader by adding the following to /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:crypt root=/dev/mapper/system-root"

12. Rebuild kernel img

# mkinitcpio -p linux

13. Create grub config

# grub-mkconfig -o /boot/grub/grub.cfg

14. Exit chroot

15. Umount

# umount -R /mnt

16. Boot your new Arch Linux.

Also ignore errors related to lvm in grub-mkconfig output.

skeptic wrote:

First of all I'm confused as to what the difference between /boot and /mnt/boot is.

Before arch-chroot /boot is a directory in your installation media. /mnt/boot is your self-made-and-mounted boot partition.

skeptic wrote:

Needless to say when I reboot the system, Grub gives errors and goes into recovery mode...

Because you edited the wrong files.

Last edited by Rethil (2015-08-07 13:25:51)

Offline
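
The file locations sorted out in this thread (the installed system's etc/mkinitcpio.conf and etc/default/grub under /mnt, and grub.cfg on the mounted boot partition) can be checked before rebooting. This is an added example, not part of any post in the thread; the function names are hypothetical, and the checks assume the hook order encrypt, lvm2, filesystems given in post #2.

```bash
# Added example (not from the thread): read-only check of an installed root,
# e.g. verify_root /mnt from the live system. Nothing is modified.

# Value of the last uncommented KEY=... line in FILE, quotes/parens removed.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d "\"'()"
}

# 1-based position of WORD in a space-separated LIST, 0 if absent.
hook_pos() {
    local i=0 w
    for w in $2; do
        i=$((i + 1))
        if [ "$w" = "$1" ]; then echo "$i"; return; fi
    done
    echo 0
}

# HOOKS in the target's mkinitcpio.conf: encrypt, then lvm2, then filesystems.
check_hooks() {
    local hooks e l f
    hooks=$(conf_value HOOKS "$1/etc/mkinitcpio.conf")
    e=$(hook_pos encrypt "$hooks"); l=$(hook_pos lvm2 "$hooks")
    f=$(hook_pos filesystems "$hooks")
    [ "$e" -gt 0 ] && [ "$l" -gt "$e" ] && [ "$f" -gt "$l" ]
}

# The target's /etc/default/grub passes cryptdevice=<dev>:<name> and root=.
check_grub_default() {
    local f="$1/etc/default/grub" cmd
    cmd="$(conf_value GRUB_CMDLINE_LINUX "$f") $(conf_value GRUB_CMDLINE_LINUX_DEFAULT "$f")"
    echo "$cmd" | grep -Eq '(^| )cryptdevice=[^ :]+:[^ ]+' &&
        echo "$cmd" | grep -Eq '(^| )root=[^ ]+'
}

# grub.cfg on the mounted boot partition was generated with those parameters.
check_grub_cfg() {
    grep -Eq '^[[:space:]]*linux[[:space:]].*cryptdevice=' "$1/boot/grub/grub.cfg" 2>/dev/null
}

# Run all checks against ROOT; the return status is the number that failed.
verify_root() {
    local fails=0 c
    for c in check_hooks check_grub_default check_grub_cfg; do
        if "$c" "$1"; then echo "ok   $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

if [ "$#" -gt 0 ]; then verify_root "$1"; fi
```

A FAIL on check_grub_cfg while check_grub_default passes means grub.cfg was generated before the edit or into a /boot that was not the mounted boot partition.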

#3 2015-08-08 14:49:39

skeptic
Member
Registered: 2015-08-06
Posts: 2

Re: [SOLVED]Full disk encryption (dm-crypt: LVM on LUKS) failing with grub

Thank you very much. It's working now and I think I understood everything and know why it's working :)

Offline

#4 2015-08-09 16:29:11

MisterChoc
Member
Registered: 2013-02-17
Posts: 74

Re: [SOLVED]Full disk encryption (dm-crypt: LVM on LUKS) failing with grub

Exactly what I did a month ago and now I can't boot anymore : ( see https://bbs.archlinux.org/viewtopic.php?id=200853

Offline
