
#1 2016-06-25 03:14:03

ArchWorshiper
Member
Registered: 2016-06-25
Posts: 7

[SOLVED]Installing Arch with full disk encryption, won't boot

I've been using Arch as my main OS for about a year, and I've decided to re-install with full disk encryption. I followed the instructions in the wiki, but after rebooting and removing the installation flash drive, Arch does not appear as an option in the boot menu.

For the encryption I went with LVM on LUKS. My laptop has UEFI so I created a FAT32 boot partition in addition to the LUKS container, and then set up my system partitions as logical volumes. I edited the grub config file to mount the encrypted root partition, and followed all the other instructions from the wiki. But when I tried booting from the SSD there's just no option for Arch in the boot menu.

I'm not sure what I missed. I'm a little confused about the UEFI stuff, but I think I followed the instructions right. I made the boot partition FAT32 and set the boot flag to on. Is there something else I'm supposed to do for that part? Or maybe something else I'm missing?

Last edited by ArchWorshiper (2016-06-27 02:28:12)

Offline

#2 2016-06-25 15:03:01

Fred7109
Member
Registered: 2015-05-17
Posts: 134

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

I am certainly not an expert, but I followed this guide - and of course also the wiki - last weekend where I did a reinstall with full disk encryption on my Arch machine. So my best advice would be to look through the link, and of course the wiki one more time, to see if there is something you missed.

Offline

#3 2016-06-25 17:20:23

ArchWorshiper
Member
Registered: 2016-06-25
Posts: 7

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Thanks, I'll try using that tutorial. I noticed that it uses msdos instead of GPT for the partition table. The wiki recommends GPT and it seems like the more modern option. Are there any disadvantages to using msdos? Or should I be OK substituting GPT for msdos if using that tutorial?

Also, will msdos even work if I have a UEFI motherboard? The "Partitioning" section of the wiki says the following:

"It is recommended to use always GPT for UEFI boot as some UEFI firmwares do not allow UEFI-MBR boot." So if I use that tutorial should I change my laptop's boot mode to legacy? I'd like to get my encrypted Arch system running on the more modern systems, but at this point I'll go with anything that just works.

Last edited by ArchWorshiper (2016-06-25 17:21:17)

Offline

#4 2016-06-25 18:45:22

Fred7109
Member
Registered: 2015-05-17
Posts: 134

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

I would also recommend using GPT, especially when using UEFI, which I also use myself - on my primary workstation. However, the only limitations between the two formats are that MBR works with disks up to two terabytes, and that MBR only supports up to four primary partitions. Furthermore, the partitioning and boot data is stored in one place when using MBR, and across the disk when using GPT. So GPT is more robust and can better recover the data if some data is corrupted - plus GPT uses cyclic redundancy check (CRC) values in order to check that the data is intact, where it then will attempt to recover the data if it is corrupt.

So you could substitute GPT with MBR when using the tutorial, and then use legacy instead of UEFI - so you don't take any chances. That was what I did when I made my last reinstall. However, my last reinstall was not a reinstall of my primary workstation with important data, because if it had been, I would have used GPT.

When I installed my primary workstation with full disk encryption, where I used GPT, I didn't use UEFI - so I hope some others from the forum can help you with the UEFI stuff then.

Last edited by Fred7109 (2016-06-25 18:47:24)

Offline

#5 2016-06-25 18:52:39

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [SOLVED]Installing Arch with full disk encryption, won't boot


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#6 2016-06-26 02:10:18

Rethil
Member
Registered: 2014-08-21
Posts: 83

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Let's say your disk is listed as sda and you single boot Arch on it.

If you're using EFI (as you mentioned, you do), create a GPT table, I would say, with fdisk. Now create 2 partitions with the same tool. Set the type of sda1 as EFI partition, and the type of sda2 as Linux LVM.
OK, we are ready to make some magic.

1. Create file system on EFI partition (FAT16 or FAT32).

mkfs.fat -F 32 /dev/sda1

2. Create LUKS container on sda2.

cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2

3. Open LUKS container.

cryptsetup open --type luks /dev/sda2 lvm

4. Create LVM physical volume on our LUKS container.

pvcreate /dev/mapper/lvm

5. Create volume group with our physical volume.

vgcreate system /dev/mapper/lvm

6. Create LVM volumes for your system, let's say root, boot, home and swap.

lvcreate -L 8G system -n swap_vol
lvcreate -L 256M system -n boot_vol
lvcreate -L 20G system -n root_vol
lvcreate -l 100%FREE system -n home_vol

7. Create file systems on those volumes, let's say ext4 for root and boot, and xfs for home.

mkswap /dev/mapper/system-swap_vol
mkfs.ext4 /dev/mapper/system-boot_vol
mkfs.ext4 /dev/mapper/system-root_vol
mkfs.xfs -m crc=0,finobt=0 /dev/mapper/system-home_vol

8. Mount them.

mount /dev/mapper/system-root_vol /mnt
mkdir -p /mnt/{boot,home}
mount /dev/mapper/system-boot_vol /mnt/boot
mkdir /mnt/boot/EFI
mount /dev/sda1 /mnt/boot/EFI
mount /dev/mapper/system-home_vol /mnt/home
swapon /dev/mapper/system-swap_vol

9. Install base system.
10. Chroot to it.
11. Do what you usually do.
12. Edit /etc/mkinitcpio.conf

HOOKS="... encrypt lvm2 ... filesystems ..."

13. Create an initial ramdisk.
14. Install GRUB

grub-install --target=x86_64-efi --efi-directory=/boot/EFI --bootloader-id=grub

15. Edit /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:lvm root=/dev/mapper/system-root_vol"
GRUB_ENABLE_CRYPTODISK=y

16. Generate GRUB config.

grub-mkconfig -o /boot/grub/grub.cfg

17. Do what you usually do.
18. Enjoy

BONUS:
With a setup similar to this one you will be asked for the password 2 times. To prevent that, you could make a LUKS key and store it inside the initial ramdisk; as the initial ramdisk is stored inside the encrypted volume, it should be safe.
19. Create random key.

dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin

20. Edit /etc/mkinitcpio.conf

FILES=/crypto_keyfile.bin

21. Regenerate initial ramdisk.
22. ???
23. PROFIT

STATEMENT: You should follow Arch Wiki, what I've posted is not a guide, but an example.

Last edited by Rethil (2016-06-26 10:42:06)

Offline

#7 2016-06-26 05:48:23

ArchWorshiper
Member
Registered: 2016-06-25
Posts: 7

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Thanks for all your replies. Slithery, that link worked for getting arch to show up on my laptop's boot menu. I just had to re-name the grubx64.efi file to bootx64.efi and move it to another directory. But now when I boot into Arch, I get the following error message:

ERROR: device '/dev/mapper/MyVol-root' not found. Skipping fsck.
ERROR: Unable to find root device '/dev/mapper/MyVol-root'.

Then it sends me to a recovery shell and I'm stuck there.

I set up the luks container and logical volumes as described in the wiki, and added the parameters to the config files. The problem seems to be that it's not decrypting the luks container, because it doesn't even ask for my decryption password. It just goes straight to the error message about not finding the logical root partition.

Last edited by ArchWorshiper (2016-06-26 06:48:56)

Offline

#8 2016-06-26 10:36:09

Rethil
Member
Registered: 2014-08-21
Posts: 83

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Did you make the needed changes to the grub and mkinitcpio confs in the same fashion as in my prev post?
Do you store the kernel and initrd at the ESP?

Post your /etc/default/grub, /etc/mkinitcpio.conf and /etc/fstab.

Last edited by Rethil (2016-06-26 10:37:57)

Offline

#9 2016-06-26 18:19:47

ArchWorshiper
Member
Registered: 2016-06-25
Posts: 7

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Rethil wrote:

Did you make the needed changes to the grub and mkinitcpio confs in the same fashion as in my prev post?
Do you store the kernel and initrd at the ESP?

Post your /etc/default/grub, /etc/mkinitcpio.conf and /etc/fstab.

Yes I edited the grub and mkinitcpio config files as detailed in beginner's guide. It would be very time consuming to copy all 3 of those files here by hand. I added 'encrypt' and 'lvm2' to the hooks in mkinitcpio, and 'cryptdevice' and 'root' entries to the grub file. Grub now shows up in the boot menu, but when I boot into it I get the error messages from my previous post. For some reason it's not decrypting the root directory, so that it can't find the lvm root device. I've gone through every step 3 times and I have no idea what's causing this. I guess I'll just start over and try using systemd instead of grub.

Last edited by ArchWorshiper (2016-06-26 18:20:13)

Offline

#10 2016-06-26 18:26:47

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

ArchWorshiper wrote:

It would be very time consuming to copy all 3 of those files here by hand.


https://wiki.archlinux.org/index.php/Li … in_clients


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#11 2016-06-26 20:36:15

ArchWorshiper
Member
Registered: 2016-06-25
Posts: 7

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Wow pastebin is awesome, thanks for the link jasonwryan.

Here are the 3 files:

mkinitcpio.conf:

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES="piix ide_disk reiserfs"
MODULES=""

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=""

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=""

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS="base"
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS="base udev autodetect block filesystems"
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS="base udev block filesystems"
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS="base udev block mdadm encrypt filesystems"
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS="base udev block lvm2 filesystems"
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS="base encrypt lvm2 udev autodetect modconf block filesystems keyboard fsck"

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=""

fstab:

# /dev/mapper/MyVol-root
UUID=701d88ee-4168-456d-80b8-e021c380c7b7	/         	ext4      	rw,relatime,data=ordered	0 1

# /dev/mapper/MyVol-home
UUID=12acc986-6fcd-4969-834a-6b9c62f3e8b5	/home     	ext4      	rw,relatime,data=ordered	0 2

# /dev/sda1
UUID=0A2D-F960      	/boot     	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro	0 2

grub:

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="cryptdevice=UUID=4e95841e-9308-4d7a-8a81-44b6b6271803:lvm root=/dev/mapper/MyVol-root quiet"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter 
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper 
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

#GRUB_SAVEDEFAULT="true"

Last edited by ArchWorshiper (2016-06-26 20:41:51)

Offline

#12 2016-06-26 20:45:47

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Reread the mkinitcpio section again: your hooks are incorrectly ordered...



Offline

#13 2016-06-26 23:09:49

ArchWorshiper
Member
Registered: 2016-06-25
Posts: 7

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

jasonwryan wrote:

Reread the mkinitcpio section again: your hooks are incorrectly ordered...

The dm-crypt page from the wiki has the following note:

The order of both hooks no longer matters with the current implementation of lvm2.

I looked at the wiki page for mkinitcpio but there's nothing there about the order of the hooks. Where should I move the 'encrypt' and 'lvm2' hooks?

Last edited by ArchWorshiper (2016-06-26 23:10:11)

Offline

#14 2016-06-26 23:22:12

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED]Installing Arch with full disk encryption, won't boot



Offline

#15 2016-06-27 02:25:37

ArchWorshiper
Member
Registered: 2016-06-25
Posts: 7

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

That did it! I moved the 'encrypt' hook to after 'udev' and it's now working. I might have spent the rest of my life trying to figure out what the issue was and never caught that, so words cannot begin to express my thanks for all of your help and advice!

Arch rules!!

Offline
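
Added example, not part of any post in this thread: a small shell lint for the fix reported in #15. It flags an `encrypt` hook placed before `udev`, and (an assumption taken from the HOOKS template in #6) `encrypt` or `lvm2` placed after `filesystems`; the function names and the `FIXED` ordering are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the thread: lint the HOOKS order in mkinitcpio.conf.

# Print the hook list from the last uncommented HOOKS= line of file $1.
# Accepts the quoted form used in this thread and the HOOKS=(...) array form.
get_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=["(]\{0,1\}\([^")]*\).*/\1/p' "$1" | tail -n 1
}

# Print the 1-based position of hook $1 among the remaining arguments (0 = absent).
hook_pos() {
    want=$1; shift; i=0
    for h in "$@"; do
        i=$((i + 1))
        if [ "$h" = "$want" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_order "<hook list>": print each ordering problem, return 1 if any was found.
check_order() {
    # Word splitting of $1 into one argument per hook is intended here.
    set -- $1
    udev=$(hook_pos udev "$@"); enc=$(hook_pos encrypt "$@")
    lvm=$(hook_pos lvm2 "$@");  fs=$(hook_pos filesystems "$@")
    rc=0
    if [ "$enc" -eq 0 ]; then echo "encrypt hook is missing"; rc=1
    elif [ "$enc" -lt "$udev" ] || [ "$udev" -eq 0 ]; then
        # Without udev there are no device nodes yet, so no passphrase prompt appears.
        echo "encrypt must come after udev"; rc=1
    fi
    if [ "$lvm" -eq 0 ]; then echo "lvm2 hook is missing"; rc=1; fi
    if [ "$fs" -eq 0 ]; then echo "filesystems hook is missing"; rc=1; fi
    for p in "$enc" "$lvm"; do
        if [ "$p" -gt "$fs" ] && [ "$fs" -gt 0 ]; then
            echo "encrypt and lvm2 must come before filesystems"; rc=1; break
        fi
    done
    return "$rc"
}

# The HOOKS line posted in #11, and a constructed ordering that passes the lint.
BROKEN='base encrypt lvm2 udev autodetect modconf block filesystems keyboard fsck'
FIXED='base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck'

# Lint a real file when a path is given, e.g.: sh lint_hooks.sh /etc/mkinitcpio.conf
if [ -n "${1:-}" ]; then check_order "$(get_hooks "$1")"; fi
```

A clean lint only covers hook order; the initial ramdisk still has to be regenerated after editing the file, as in steps 13 and 21 of post #6.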

#16 2016-06-27 02:28:30

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED]Installing Arch with full disk encryption, won't boot

Cool. Please remember to mark your thread as [Solved] by editing your first post and prepending it to the title.



Offline
