Hi everybody,
I'm trying to set up an entirely encrypted headless system using LUKS.
I have 2 SATA HDDs of 500 GB for the system and a 512 MB SDCARD to store the LUKS key file.
I mainly followed these sources (to name a few):
Blog article covering the topic
Arch Linux Wiki article on entire system encryption
Arch Linux Wiki article about keyfile on external media
To roughly summarize what I've done: I securely wiped the disks, created the grub bios boot, boot, swap and system partitions on the first disk.
Then I used cryptsetup to encrypt below sda3, sda4 and sdc with the keyfile stored on the sdcard. I opened the dm volumes, formatted sda3 and sdc with btrfs in RAID1 and sda4 with ext2 and mounted everything in place. Then I created some BTRFS subvolumes, mounted them and installed the system. At the end I installed grub to sda. Afterwards I created additional encrypt hooks, edited /etc/mkinitcpio.conf and /etc/default/grub and used mkinitcpio and grub-mkconfig to generate boot files.
Now when booting grub asks for one passphrase for hd0,gpt4 (UUID matches below sda4). Afterwards no more prompts are shown (for the other 2 encrypt hooks) and ...
starting version 232
Scanning for Btrfs filesystems
ERROR: device '/dev/mapper/crypt_syspool1' not found. Skipping fsck.
mount: special device /dev/mapper/crypt_syspool1 does not exist
You are now being dropped into an emergeny shell.
sh: can't access tty; job control turned off
Disks/Partitions
NAME FSTYPE LABEL UUID
sda
├─sda1
├─sda2 ext2 crypt_swap 26704f4e-6e1b-4fd7-be6c-23f76b3eb57e
├─sda3 crypto_LUKS 99c394e0-fd11-445b-bf66-0f793fa95b28
│ └─crypt_syspool1 btrfs crypt_system 205580f0-4e2b-4676-acdb-d740bbf20df8
└─sda4 crypto_LUKS 149e37fc-60e0-4dfb-8358-0dfea778b235
└─crypt_boot ext2 crypt_boot 909a1263-1a5b-41f6-8207-2c055b442544
[...]
sdc crypto_LUKS 44f99e33-8c87-4ab7-bc61-2c5419f99ddc
└─crypt_syspool2 btrfs crypt_system 205580f0-4e2b-4676-acdb-d740bbf20df8
[...]
mmcblk0
└─mmcblk0p1 ext2 61a162f8-3d24-4ee7-becf-088dd97fb6e9
/etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=909a1263-1a5b-41f6-8207-2c055b442544:crypt_boot cryptdevice2=UUID=205580f0-4e2b-4676-acdb-d740bbf20df8:crypt_syspool1 cryptdevice3=UUID=205580f0-4e2b-4676-acdb-d740bbf20df8:crypt_syspool2 root=/dev/mapper/crypt_syspool1 rootflags=subvol=@ cryptkey=/dev/disk/by-uuid/61a162f8-3d24-4ee7-becf-088dd97fb6e9:ext2:/sculpture-2209152_640.jpg cryptkey2=/dev/disk/by-uuid/61a162f8-3d24-4ee7-becf-088dd97fb6e9:ext2:/sculpture-2209152_640.jpg cryptkey3=/dev/disk/by-uuid/61a162f8-3d24-4ee7-becf-088dd97fb6e9:ext2:/sculpture-2209152_640.jpg quiet rw"
GRUB_CMDLINE_LINUX=""
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
GRUB_TERMINAL_INPUT=console
GRUB_GFXMODE=auto
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_DISABLE_RECOVERY=true
GRUB_ENABLE_CRYPTODISK=y
GRUB_BTRFS_SUBMENUNAME="Snapshots"
GRUB_BTRFS_DISPLAY_PATH_SNAPSHOT="false"
GRUB_BTRFS_LIMIT="100"
GRUB_BTRFS_SUBVOLUME_SORT="descending"
GRUB_BTRFS_SHOW_SNAPSHOTS_FOUND="true"
GRUB_BTRFS_SHOW_TOTAL_SNAPSHOTS_FOUND="true"
/etc/mkinitcpio.conf
MODULES="nls_cp437 ext2"
BINARIES="/usr/bin/btrfs"
FILES=""
HOOKS="base udev autodetect keyboard keymap consolefont modconf block encrypt encrypt2 encrypt3 filesystems fsck btrfs"
Additional Encrypt Hooks
As described in the blog entry linked above I created additional mkinitcpio hooks.
In /lib/initcpio/hooks I copied "encrypt" to "encrypt2" and "encrypt3". Same in /lib/initcpio/install.
Then I edited /lib/initcpio/hooks/encrypt2 and /lib/initcpio/hooks/encrypt3 and replaced 'cryptkey' with 'cryptkey2/3', 'cryptdevice' with 'cryptdevice2/3' and removed the line "mkdir /ckey".
Example /lib/initcpio/hooks/encrypt2
#!/usr/bin/ash

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

    # Get keyfile if specified
    ckeyfile="/crypto_keyfile.bin"
    if [ -n "$cryptkey2" ]; then
        IFS=: read ckdev ckarg1 ckarg2 <<EOF
$cryptkey2
EOF
        if [ "$ckdev" = "rootfs" ]; then
            ckeyfile=$ckarg1
        elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
            case ${ckarg1} in
                *[!0-9]*)
                    # Use a file on the device
                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                    mount -r -t "$ckarg1" "$resolved" /ckey
                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
                    umount /ckey
                    ;;
                *)
                    # Read raw data from the block device
                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
                    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
                    ;;
            esac
        fi
        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
    fi

    if [ -n "${cryptdevice2}" ]; then
        DEPRECATED_CRYPT=0
        IFS=: read cryptdev cryptname cryptoptions <<EOF
$cryptdevice2
EOF
    else
        DEPRECATED_CRYPT=1
        cryptdev="${root}"
        cryptname="root"
    fi

    warn_deprecated() {
        echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
        echo "Use 'cryptdevice2=${root}:root root=/dev/mapper/root' instead."
    }

    for cryptopt in ${cryptoptions//,/ }; do
        case ${cryptopt} in
            allow-discards)
                cryptargs="${cryptargs} --allow-discards"
                ;;
            *)
                echo "Encryption option '${cryptopt}' not known, ignoring." >&2
                ;;
        esac
[...]
I hope somebody can push me in the right direction.
Regs, Dennis
Last edited by slaecker (2017-05-02 17:33:01)
Just to make sure all the basics are covered: the initramfs was regenerated after updating the HOOKS in mkinitcpio.conf?
mkinitcpio -p linux
Yes, that's what I meant with
[...] and used mkinitcpio and grub-mkconfig [...]
Sorry for not being specific enough.
No, my bad, I glanced over it. Some troubleshooting ideas:
- removing the quiet argument may increase verbosity and output useful information
- swapping cryptdevice and cryptdevice2 to check if it still complains about the same missing volume
- removing the cryptkeys to check if you get prompted for passwords
EDIT: just noticed the cryptdevice entries are using the UUID of the filesystem instead of the LUKS partition - I'd start by changing that.
Last edited by p0x8 (2017-05-01 21:39:55)
Thanks p0x8, you are totally right, looks like I got lost in UUIDs. I replaced those with the ones of the LUKS "partitions" (sda3...) and boot worked like a charm.
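As an added illustration (not code from the thread or from Arch), a small POSIX sh check that catches the mistake p0x8 spotted: it parses the cryptdevice= arguments from a kernel command line and confirms each UUID belongs to a crypto_LUKS line in lsblk output rather than to the filesystem opened inside the container. The lsblk sample is constructed from the listing above; on a real system you would feed it `lsblk -rno NAME,FSTYPE,UUID`.

```shell
#!/bin/sh
# Constructed sample modelled on the thread's lsblk listing (NAME FSTYPE UUID,
# tree glyphs and the LABEL column dropped).
LSBLK_SAMPLE='sda3 crypto_LUKS 99c394e0-fd11-445b-bf66-0f793fa95b28
crypt_syspool1 btrfs 205580f0-4e2b-4676-acdb-d740bbf20df8
sda4 crypto_LUKS 149e37fc-60e0-4dfb-8358-0dfea778b235
crypt_boot ext2 909a1263-1a5b-41f6-8207-2c055b442544
sdc crypto_LUKS 44f99e33-8c87-4ab7-bc61-2c5419f99ddc
crypt_syspool2 btrfs 205580f0-4e2b-4676-acdb-d740bbf20df8'

# fstype_of <uuid>: print the FSTYPE of the device carrying <uuid>, or nothing.
fstype_of() {
    printf '%s\n' "$LSBLK_SAMPLE" | awk -v u="$1" '$3 == u { print $2; exit }'
}

# check_cryptdevices "<cmdline>": for every cryptdevice*=UUID=<uuid>:<name>
# argument, require the UUID to be a LUKS container (crypto_LUKS). The encrypt
# hook resolves this UUID before the mapping exists, so the UUID of the btrfs
# or ext2 filesystem inside it can never be found. Returns 0 only if all pass.
check_cryptdevices() {
    rc=0
    for arg in $1; do
        case "$arg" in
            cryptdevice*=UUID=*) ;;
            *) continue ;;
        esac
        spec=${arg#*=UUID=}            # <uuid>:<name>[:options]
        uuid=${spec%%:*}
        name=${spec#*:}; name=${name%%:*}
        fs=$(fstype_of "$uuid")
        if [ "$fs" = "crypto_LUKS" ]; then
            echo "ok   $name: $uuid is a LUKS container"
        else
            echo "BAD  $name: $uuid is '${fs:-unknown}', not crypto_LUKS"
            rc=1
        fi
    done
    return $rc
}

# The failing fragment from the thread's original GRUB_CMDLINE_LINUX_DEFAULT.
CMDLINE='cryptdevice=UUID=909a1263-1a5b-41f6-8207-2c055b442544:crypt_boot cryptdevice2=UUID=205580f0-4e2b-4676-acdb-d740bbf20df8:crypt_syspool1'
check_cryptdevices "$CMDLINE" || echo "fix: use the UUID shown on the crypto_LUKS line of lsblk"
```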