#1 2017-12-20 19:39:18

auguzanellato
Member
Registered: 2016-05-26
Posts: 7

[SOLVED] Full disk encryption keyfile position

Hi guys.
I’m trying to install Arch on a fully encrypted disk. I am following step by step the guide related to Btrfs: https://wiki.archlinux.org/index.php/Dm … _with_swap
I am now at the “create keyfile” (https://wiki.archlinux.org/index.php/Dm … _initramfs) phase, but I am not sure about one thing: where do I have to place the “crypto_keyfile.bin”?
I am now not in “arch-chroot mode”, so I am still on the live USB. So I guess that the “crypto_keyfile.bin” has to be placed somewhere like /mnt OR /mnt/boot OR /mnt/boot/efi.
Can you help me out?
Thanks

Last edited by auguzanellato (2017-12-21 17:24:37)


Dell XPS 15 9560 Late 2017: Intel Core i7 7700HQ, 32 GB RAM DDR4, 1 TB NVMe SSD, Nvidia GTX1050, 4K IPS glossy display

Offline

#2 2017-12-21 09:36:25

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 671

Re: [SOLVED] Full disk encryption keyfile position

The keyfile needs to be somewhere on the encrypted device.

auguzanellato wrote:

/mnt

Yes, although not very pretty.

auguzanellato wrote:

/mnt/boot

Yes. The initramfs with the embedded keyfile will be right next to it too.

auguzanellato wrote:

/mnt/boot/efi

NO! The EFI system partition is not and cannot be encrypted; storing the keyfile on it would defeat the whole point of encryption (unless the ESP is on a separate removable drive that is protected by other means).

Offline
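
Added example, not part of any post in this thread: a shell check for the rule in reply #2, reporting whether a candidate keyfile path sits on the opened encrypted device or on an unencrypted filesystem such as the ESP. The helper names, the device names in the constructed mount table, and the heuristic that a `/dev/mapper/` source is the opened LUKS container are all assumptions.

```shell
#!/bin/sh
# keyfile_location PATH [MOUNTS_FILE]
# Finds the filesystem that holds PATH (longest matching mount point in a
# /proc/mounts-style table) and prints "encrypted", "unencrypted" or "unknown".
# Assumption: a source under /dev/mapper/ is the opened LUKS container.
keyfile_location() {
    path=$1
    mounts=${2:-/proc/self/mounts}
    awk -v p="$path" '
        {
            mp = $2
            # Match "/" or a whole-component prefix, so /mnt/boot does not match /mnt/bootx.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # ">=" lets a later mount on the same mount point shadow an earlier one.
                if (length(mp) >= best) { best = length(mp); dev = $1 }
            }
        }
        END {
            if (best == 0)                     print "unknown"
            else if (dev ~ /^\/dev\/mapper\//) print "encrypted"
            else                               print "unencrypted"
        }' "$mounts"
}

# Constructed mount table for the live-USB layout discussed in the thread
# (device names are hypothetical; /mnt/boot is part of the encrypted root).
sample_mounts() {
    cat <<'EOF'
airootfs / overlay rw 0 0
/dev/mapper/cryptroot /mnt btrfs rw 0 0
/dev/nvme0n1p1 /mnt/boot/efi vfat rw 0 0
EOF
}

# Demo: classify the three candidate locations from the first post.
tmp=$(mktemp)
sample_mounts > "$tmp"
for f in /mnt/crypto_keyfile.bin /mnt/boot/crypto_keyfile.bin \
         /mnt/boot/efi/crypto_keyfile.bin; do
    printf '%s -> %s\n' "$f" "$(keyfile_location "$f" "$tmp")"
done
rm -f "$tmp"
```

Called without a second argument, the function reads the live system's mount table instead of the constructed one.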

#3 2017-12-21 10:47:52

deepInTheKernel
Member
Registered: 2017-12-21
Posts: 4

Re: [SOLVED] Full disk encryption keyfile position

nl6720 wrote:

The keyfile needs to be somewhere on the encrypted device.

auguzanellato wrote:

/mnt

Yes, although not very pretty.

auguzanellato wrote:

/mnt/boot

Yes. The initramfs with the embedded keyfile will be right next to it too.

auguzanellato wrote:

/mnt/boot/efi

NO! The EFI system partition is not and cannot be encrypted; storing the keyfile on it would defeat the whole point of encryption (unless the ESP is on a separate removable drive that is protected by other means).

I am replying as I am the one who wanted to open this thread; @augustozanellato just opened this thread for me. Yesterday I just wasn't able to (I had some problems with the security question, as I didn’t set the daylight saving option).

First things first: thanks for the fast reply.
So... I AM in “arch-chroot”: I generated the keyfile, added it as a LUKS key, “Include the key in mkinitcpio's FILES array”, added the “encrypt” hook to mkinitcpio.conf and (half) installed Grub. Now, I am having problems with Grub. So, I ran grub-install to /boot/efi, and it created the .efi file (in /boot/efi/EFI/grub/). I also generated the configuration file to /boot/efi/EFI/grub/grub.cfg. After leaving the chroot, unmounting the partitions and launching “reboot”, I changed the boot order to start Grub. After starting, it asks for the password to unlock the encrypted partition (I think that is normal right now). After typing that, Grub starts in “minimal Bash-like”. I now don’t really know what to do...
Any ideas?
Thanks

Offline

#4 2017-12-21 11:04:39

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 671

Re: [SOLVED] Full disk encryption keyfile position

deepInTheKernel wrote:

(half) installed Grub. Now, I am having problems with Grub.

What does half installed mean? Post your grub.cfg.

Offline

#5 2017-12-21 11:24:09

deepInTheKernel
Member
Registered: 2017-12-21
Posts: 4

Re: [SOLVED] Full disk encryption keyfile position

It now starts. I just regenerated all files present on /boot.

P.S. grub.cfg has to be placed at /boot/grub/grub.cfg

Last edited by deepInTheKernel (2017-12-21 11:58:47)

Offline

#6 2017-12-21 11:50:52

lo1
Member
Registered: 2017-09-25
Posts: 584

Re: [SOLVED] Full disk encryption keyfile position

https://wiki.archlinux.org/index.php/Co … ow_to_post

Open a new thread because this deals with an issue that @nl6720 helped you solve. Asking for support for more than one issue in a single thread is discouraged and usually leads to confusion.

If you want, you can link to your previous thread for completeness.

Choose an appropriate title for the new thread and describe the issue carefully, post *any* useful log/config files.

Hint: you will surely need to post

cat /etc/mkinitcpio.conf
cat /etc/fstab

Offline

#7 2017-12-21 11:55:45

deepInTheKernel
Member
Registered: 2017-12-21
Posts: 4

Re: [SOLVED] Full disk encryption keyfile position

Ok. Thanks everybody for the help.

Last edited by deepInTheKernel (2017-12-21 11:57:07)

Offline

#8 2017-12-21 12:04:31

lo1
Member
Registered: 2017-09-25
Posts: 584

Re: [SOLVED] Full disk encryption keyfile position

You're welcome.
Also, please mark this thread as [SOLVED].

Offline
