
#1 2017-10-14 05:41:12

Z32O
Member
From: BerlinBerlin
Registered: 2017-05-24
Posts: 8

[SOLVED] dm-crypt+luks+systemd: Options in /boot/loader/entries/*.conf

Hi everyone,

I'm currently occupied with the installation of Arch Linux with full disk encryption using dm-crypt + luks, which uses UEFI and systemd-boot to boot.
I have created two partitions, sda1 for /boot, unencrypted, and sda2, encrypted with luks, and the encrypted container within, mapped in /dev/mapper as cryptroot. I'm using a passphrase to unlock the crypto device. This is the framework:

sda
  |__sda1                       vfat                       /boot
  |__sda2                       crypto_LUKS
          |__cryptroot         ext4                      /


Now I'll post my setting files:

fstab:

# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# UUID=11a43200-0ac2-872e-00c1-ej4e5c015e11
/dev/mapper/cryptroot       /                 ext4            rw,relatime,data=ordered        0 1

# UUID=B8D8-22F9
/dev/sda1                          /boot          vfat             rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro    0 2

mkinitcpio.conf:

HOOKS="base systemd autodetect keyboard sd-encrypt modconf block filesystems fsck"

loader.conf:

timeout 10
default arch

arch.conf (/boot/loader/entries/*.conf):

title Arch Linux Encrypted
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options luks.uuid=998c11ac-6520-61m9-bf10-79u19eh87b7 luks.name=cryptroot root=UUID=11a43200-0ac2-872e-00c1-ej4e5c015e11 rw

Now, the only thing I have changed from the instructions in the official guide, which allowed me to boot into my system by entering the passphrase to unlock the crypto device without any error, is:

options luks.uuid=998c11ac-6520-61m9-bf10-79u19eh87b7 luks.name=cryptroot root=UUID=11a43200-0ac2-872e-00c1-ej4e5c015e11 rw

According to the official guide (https://wiki.archlinux.org/index.php/Dm … crypt_hook) and (http://jlk.fjfi.cvut.cz/arch/manpages/m … enerator.8) the luks.name parameter would be used in this way:

luks.name

luks.name=UUID=name

Specify the name of the mapped device after the LUKS partition is open. For example, specifying UUID=cryptroot causes the unlocked device to be located at /dev/mapper/cryptroot. If this is not specified the mapped device will be located at /dev/mapper/luks-UUID where UUID is the UUID of the LUKS partition. 

but, with my setup, which I took from an old Arch board post (https://bbs.archlinux.org/viewtopic.php?id=223206) by the user tnek, I'm able to boot without errors, but the mapper device name will be "luks-998c11ac-6520-61m9-bf10-79u19eh87b7" and not cryptroot, as I wish. Although the official guide says clearly: "specifying UUID=cryptroot causes the unlocked device to be located at /dev/mapper/cryptroot.", it is not true, at least in my case, because if I change my kernel hook to:

options luks.uuid=998c11ac-6520-61m9-bf10-79u19eh87b7 luks.name=11a43200-0ac2-872e-00c1-ej4e5c015e11=cryptroot root=UUID=11a43200-0ac2-872e-00c1-ej4e5c015e11 rw

or even in:

options luks.uuid=998c11ac-6520-61m9-bf10-79u19eh87b7 luks.name=11a43200-0ac2-872e-00c1-ej4e5c015e11=cryptroot luks.options=rw

In the first case I'm able to boot into the system, but it asks for the passphrase to unlock the crypto device twice (???) and with a lot of warnings, whereas in the second case I'm unable to boot, and the system switches to an emergency shell.

My consideration about it is that the official guide needs clarification; there is a lot of good information in it, but sometimes with a terrible path.

...considering what I have shown, how can I set the crypto device name in /dev/mapper to be cryptroot and not luks-UUID?


Thanks

Last edited by Z32O (2017-10-17 19:25:41)


"The character tied to your origin, fragmented into single units, is the product of every single step, and of an equal distribution to become perfection. In one whole, everything and nothing."


#2 2017-10-14 09:16:35

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [SOLVED] dm-crypt+luks+systemd: Options in /boot/loader/entries/*.conf

Your HOOKS are in the wrong order, sd-encrypt needs to be after block and before filesystems. As it is you're trying to decrypt before the system knows what block devices exist.

Last edited by Slithery (2017-10-14 09:16:52)


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles


#3 2017-10-14 10:29:59

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: [SOLVED] dm-crypt+luks+systemd: Options in /boot/loader/entries/*.conf

@Z32O have you tried

options luks.name=998c11ac-6520-61m9-bf10-79u19eh87b7=cryptroot root=UUID=11a43200-0ac2-872e-00c1-ej4e5c015e11 rw

or

options luks.uuid=998c11ac-6520-61m9-bf10-79u19eh87b7 luks.name=998c11ac-6520-61m9-bf10-79u19eh87b7=cryptroot root=UUID=11a43200-0ac2-872e-00c1-ej4e5c015e11 rw

or
Use /etc/crypttab.initramfs

@slithery have you tried that? Both block and sd-encrypt are install-only with no run-time hook; the systemd-cryptsetup-generator's start condition is ordered by systemd.


#4 2017-10-14 14:40:38

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [SOLVED] dm-crypt+luks+systemd: Options in /boot/loader/entries/*.conf

loqs wrote:

@slithery have you tried that? Both block and sd-encrypt are install-only with no run-time hook; the systemd-cryptsetup-generator's start condition is ordered by systemd.

Cheers for the correction, I've only ever used encryption with the non-systemd hooks where order is important.



#5 2017-10-15 02:20:22

Z32O
Member
From: BerlinBerlin
Registered: 2017-05-24
Posts: 8

Re: [SOLVED] dm-crypt+luks+systemd: Options in /boot/loader/entries/*.conf

slithery wrote:

Your HOOKS are in the wrong order, sd-encrypt needs to be after block and before filesystems. As it is you're trying to decrypt before the system knows what block devices exist.

Thank you very much for your tips and for the explanation; I have now moved it.


loqs wrote:

@Z32O have you tried

options luks.uuid=998c11ac-6520-61m9-bf10-79u19eh87b7 luks.name=998c11ac-6520-61m9-bf10-79u19eh87b7=cryptroot root=UUID=11a43200-0ac2-872e-00c1-ej4e5c015e11 rw

Thanks, man, this configuration worked perfectly, and now my crypto device name is "cryptroot".

The correct sequence for the *.conf file in /boot/loader/entries/ is:

options luks.uuid=<sda2 UUID> luks.name=<sda2 UUID>=cryptroot root=UUID=<crypto device UUID> rw

Where <sda2 UUID> is the UUID of the device to be decrypted, and <crypto device UUID> is the UUID of the already decrypted device. (Do not include the <> brackets)



How can I improve the "Using sd-encrypt hook" section within the Arch Wiki?

Last edited by Z32O (2017-10-15 02:21:24)


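As an added example (not from the thread or any of its posters), a small POSIX sh checker for the rule Z32O arrives at in post #5: luks.uuid and the UUID half of luks.name must both be the LUKS partition's UUID, and root=UUID must be the UUID of the filesystem inside the container. The function names and messages are my own, the UUIDs used in the test are the ones quoted in the thread taken as constructed sample values, and no real block device is read.

```shell
#!/bin/sh
# Added example. Checks the "options" line of a systemd-boot entry against
# the layout that worked in post #5: luks.uuid and the UUID half of
# luks.name must both be the LUKS partition's UUID, and root=UUID must be
# the filesystem inside the container (a different UUID).
# Prints "ok <mapper name>" and returns 0 when the line is consistent;
# otherwise prints the first problem found and returns 1.
check_entry_options() {
    luks_uuid='' name_uuid='' name='' root_uuid=''
    for tok in $1; do
        case $tok in
            luks.uuid=*) luks_uuid=${tok#luks.uuid=} ;;
            luks.name=*)
                v=${tok#luks.name=}
                case $v in
                    *=*) name_uuid=${v%%=*} name=${v#*=} ;;
                    *) echo "luks.name=$v lacks the UUID= prefix: device would be /dev/mapper/luks-<UUID>"
                       return 1 ;;
                esac ;;
            root=UUID=*) root_uuid=${tok#root=UUID=} ;;
        esac
    done
    [ -n "$name_uuid" ] || { echo "no luks.name=<UUID>=<name> given"; return 1; }
    # A missing luks.uuid is taken as implied by luks.name (loqs's first variant).
    [ -n "$luks_uuid" ] || luks_uuid=$name_uuid
    if [ "$name_uuid" != "$luks_uuid" ]; then
        echo "luks.name UUID $name_uuid differs from luks.uuid $luks_uuid"
        return 1
    fi
    [ -n "$root_uuid" ] || { echo "no root=UUID=<filesystem UUID> given"; return 1; }
    if [ "$root_uuid" = "$luks_uuid" ]; then
        echo "root=UUID is the LUKS container, not the filesystem inside it"
        return 1
    fi
    echo "ok $name"
}

# Builds the line from post #5 given the LUKS partition UUID ($1), the
# wanted /dev/mapper name ($2) and the UUID of the decrypted filesystem ($3).
make_entry_options() {
    printf 'options luks.uuid=%s luks.name=%s=%s root=UUID=%s rw\n' "$1" "$1" "$2" "$3"
}
```

The three lines Z32O tried in post #1 are each rejected by check_entry_options, while the line from post #5 passes.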