
#1 2015-11-30 08:36:45

Viatorus
Member
Registered: 2015-11-30
Posts: 4

[SOLVED] Unlock root/home after grub | full encryt, efi, lvm on luks

Hey community,

I am trying to install Arch Linux with boot partition encryption as posted here:
https://wiki.archlinux.org/index.php/Dm … .28GRUB.29

I have got:

+---------------+----------------+----------------+----------------+----------------+
|ESP partition: |Boot partition: |Volume 1:       |Volume 2:       |Volume 3:       |
|               |                |                |                |                |
|/boot/efi      |/boot           |root            |swap            |home            |
|               |                |                |                |                |
|               |                |/dev/store/root |/dev/store/swap |/dev/store/home |
|/dev/sda1      |/dev/sda2       +----------------+----------------+----------------+
|unencrypted    |LUKS encrypted  |/dev/sda3 encrypted using LVM on LUKS             |
+---------------+----------------+--------------------------------------------------+

And:

lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                       8:0    0   200G  0 disk
├─sda1                    8:1    0   512M  0 part  /boot/efi
├─sda2                    8:2    0   200M  0 part
│ └─boot                254:0    0   198M  0 crypt /boot
└─sda3                    8:3    0   100G  0 part
  └─lvm                 254:1    0   100G  0 crypt
    ├─MyStorage-swapvol 254:2    0     8G  0 lvm   [SWAP]
    ├─MyStorage-rootvol 254:3    0    15G  0 lvm   /
    └─MyStorage-homevol 254:4    0    77G  0 lvm   /home

Create mkinitcpio with encrypt and lvm2...

Install grub with:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck

and configure GRUB's config with:

cryptdevice=/dev/sda3:MyStorage root=/dev/mapper/MyStorage-rootvol

before:

 grub-mkconfig -o /boot/grub/grub.cfg 

Okay. After reboot I have to type the password for grub, then for MyStorage /dev/sda3 and then again for /boot /dev/sda2...

With this line in /etc/crypttab (+ register luksAddKey for sda2):

cryptboot  /dev/sda2      /etc/mypass        luks

I don't have to unlock /boot /dev/sda2 again.

I want to do the same with /dev/sda3 but if I add (+ register luksAddKey for sda3):

MyStorage  /dev/sda3      /etc/mypass        luks

It doesn't work. It still asks me after grub has finished:

A password is required to access the MyStorage volume: Enter passphrase for /dev/sda3:

Does anyone have any idea what I am missing? Thank you in advance!

Last edited by Viatorus (2015-12-06 17:55:56)

Offline

#2 2015-12-02 19:12:09

Viatorus
Member
Registered: 2015-11-30
Posts: 4

Re: [SOLVED] Unlock root/home after grub | full encryt, efi, lvm on luks

Anyone have an idea? What could be the solution?

Offline

#3 2015-12-02 20:46:19

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,608
Website

Re: [SOLVED] Unlock root/home after grub | full encryt, efi, lvm on luks

Viatorus, please don't bump your thread.

https://wiki.archlinux.org/index.php/Fo … te#Bumping

I'm not sure what you're trying to accomplish here. It seems like you're trying to decrypt your storage partition without a password by adding it to the crypttab which is contained within the encrypted storage partition. That doesn't even make sense.



Online

#4 2015-12-03 06:05:11

hydracone
Member
Registered: 2015-06-25
Posts: 24

Re: [SOLVED] Unlock root/home after grub | full encryt, efi, lvm on luks

What you're trying to do is not possible. Your key file is encrypted inside the partition you want to decrypt, so it won't be available for decryption. You'll have to place the key file in an external 'unencrypted' storage like a USB flash drive, to avoid entering the password of your LVM partition during bootup.

Last edited by hydracone (2015-12-03 06:06:12)

Offline

#5 2015-12-05 07:05:46

Viatorus
Member
Registered: 2015-11-30
Posts: 4

Re: [SOLVED] Unlock root/home after grub | full encryt, efi, lvm on luks

You are right. Thank you.

I have: unencrypted /boot/efi, encrypted /boot, encrypted /root, home etc., and I would like to do the following: after entering the passphrase for grub, the /root partition should be decrypted automatically.

Inside /etc/mkinitcpio.conf I can add my keyfile (+ mkinitcpio rebuild):

FILES="/etc/keyfile"

And inside /etc/default/grub I can add the option (+ grub-config rebuild):

cryptkey=device:fstype:path

So what are the device, fstype and path for my FILE /etc/keyfile inside the kernel image? When I investigate the web for this problem, I only see examples using USB...

Thank you in advance!

Offline

#6 2015-12-05 11:04:03

hydracone
Member
Registered: 2015-06-25
Posts: 24

Re: [SOLVED] Unlock root/home after grub | full encryt, efi, lvm on luks

Do you want to place the keyfile inside the initramfs? If so, then you'll have to change the cryptkey parameter (https://wiki.archlinux.org/index.php/Dm … n#cryptkey) :

cryptkey=rootfs:/etc/keyfile

Rebuild your initramfs with the key file in it.

Then, rebuild your grub config. That should do it.

Offline
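
A check for the setup this answer arrives at, as an added example that is not part of the original posts: it verifies that the keyfile is listed in FILES, that the GRUB command line carries cryptkey=rootfs:<path>, and that neither the keyfile nor the initramfs image that embeds it is accessible to group or others. The function names, the sample tree and the owner-only permission target are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit a keyfile-in-initramfs setup.

# 0 if the FILES line of mkinitcpio.conf ($1) lists the keyfile ($2).
files_has_key() {
    grep -E '^FILES=' "$1" | sed 's/^FILES=//' | tr "()\"'" '    ' |
        tr ' ' '\n' | grep -Fxq -- "$2"
}

# 0 if the GRUB kernel command line in $1 carries cryptkey=rootfs:<$2>.
cmdline_has_key() {
    grep -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$1" | tr "\"'" '  ' |
        tr ' ' '\n' | grep -Fxq -- "cryptkey=rootfs:$2"
}

# 0 if $1 exists with no group/other permission bits (GNU/busybox stat).
owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 0|?00|??00) return 0 ;; *) return 1 ;; esac
}

# $1=keyfile path as seen at boot  $2=mkinitcpio.conf  $3=/etc/default/grub
# $4=initramfs image  $5=prefix of the on-disk tree (empty on a live system)
audit_embedded_key() {
    rc=0
    files_has_key "$2" "$1" || { echo "FAIL: $1 not in FILES ($2)"; rc=1; }
    cmdline_has_key "$3" "$1" || { echo "FAIL: no cryptkey=rootfs:$1 in $3"; rc=1; }
    owner_only "$5$1" || { echo "FAIL: $5$1 missing or group/world-accessible"; rc=1; }
    owner_only "$4" || { echo "FAIL: $4 embeds the key, group/world-accessible"; rc=1; }
    return "$rc"
}

# Constructed sample tree with the thread's settings (not real system files).
make_sample() {  # $1 = empty directory to populate
    mkdir -p "$1/etc/default" "$1/boot"
    echo 'FILES="/etc/keyfile"' > "$1/etc/mkinitcpio.conf"
    echo 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:MyStorage cryptkey=rootfs:/etc/keyfile"' \
        > "$1/etc/default/grub"
    head -c 64 /dev/urandom > "$1/etc/keyfile"
    : > "$1/boot/initramfs-linux.img"
    chmod 600 "$1/etc/keyfile"; chmod 644 "$1/boot/initramfs-linux.img"
}

d=$(mktemp -d); make_sample "$d"
audit_embedded_key /etc/keyfile "$d/etc/mkinitcpio.conf" "$d/etc/default/grub" \
    "$d/boot/initramfs-linux.img" "$d" || echo "=> tighten the image, e.g. chmod 600"
```

The sample run reports only the world-readable initramfs image; on a live system, pass the real paths and an empty prefix as the fifth argument.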

#7 2015-12-06 17:54:04

Viatorus
Member
Registered: 2015-11-30
Posts: 4

Re: [SOLVED] Unlock root/home after grub | full encryt, efi, lvm on luks

Thank you! It worked!

Offline
