I'm trying to set up an encrypted drive on a USB with the /boot partition, GRUB, and the detached LUKS header on another USB (/dev/sdb1 and /dev/sdc1 respectively in my example). Everything is being installed on MBR.
Following the instructions from the dm-crypt/Specialties page on the wiki, my install process right now is:
set up /dev/sdb1 and /dev/sdc1 partitions as type Linux (83)
wipe both disks with urandom
create header image:
# dd if=/dev/zero of=header.img bs=16M count=1
cryptsetup:
# cryptsetup -y -v --use-random --hash sha512 --key-size 512 --cipher aes-xts-plain64 --type luks2 --header header.img luksFormat /dev/sdb1
setup password for encrypted drive
# cryptsetup open --header=header.img /dev/sdb1 croot
enter password to open /dev/mapper/croot
format and mount:
# mkfs.ext4 /dev/mapper/croot
# mkfs.ext4 /dev/sdc1
# mount /dev/mapper/croot /mnt
# mkdir /mnt/boot
# mount /dev/sdc1 /mnt/boot
# cp header.img /mnt/boot
# rm header.img
install arch:
# pacstrap /mnt base grub
# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
identify encrypted disk by-id:
# ls /dev/disk/by-id
set crypttab:
# nano /etc/crypttab.initramfs
---
croot /dev/disk/by-id/(/dev/sdb1 id) none header=/boot/header.img
setup mkinitcpio:
# nano /etc/mkinitcpio.conf
---
FILES=(/boot/header.img)
...
HOOKS=(base systemd block keyboard autodetect modconf sd-encrypt filesystems fsck)
# mkinitcpio -p linux
install grub:
# grub-install --target=i386-pc /dev/sdc
# grub-mkconfig -o /boot/grub/grub.cfg
Then I exit chroot, unmount everything, close /dev/mapper/croot, and reboot into the /dev/sdc USB. It drops me into GRUB, I press enter to boot "Arch linux," it displays a start job for /dev/mapper/croot, then changes to show that it's starting a job for /dev/disk/by-uuid/(the uuid for /dev/mapper/croot), then times out after 1.5 minutes and drops me into the emergency shell, where my keyboard doesn't even work to call systemctl reboot, so I do a hard reboot. I'm not sure what point I'm messing up with it, and the arch wiki page is ambiguous about the disk setup. It says at one point that the setup follows dm-crypt plain, then at another says "Continue LUKS on LVM setup", but that link points to the full disk encryption/dm-crypt plain section.
I also tried adding the crypttab entry to crypttab directly instead of creating the crypttab.initramfs file, then regenerating the initramfs and grub.cfg, but the same thing happened.
Any help would be greatly appreciated.
Edit: SOLVED
---
Used /dev/sdc1 instead of /dev/disk/by-id/(/dev/sdc1 id) in crypttab.
Last edited by nashtonash (2019-02-12 23:57:29)
Does it work if you give the static name /dev/sdb1 instead of /dev/disk/by...? Does it drop you to a shell? What do /proc/partitions and /dev/disk/... look like then?
The by-paths can be a bit flimsy; perhaps try by-partuuid instead (or directly PARTUUID=, even though the manpage states only paths or UUID= are allowed; it could work, haven't tried it).
Regarding the keyboard not working, try adding keyboard modules to your mkinitcpio... which ones depends on your hardware; check lsmod for what's loaded.
Last edited by frostschutz (2019-02-12 23:38:51)
frostschutz, I could try that, since my plan after I work out the kinks is to install it on a permanent drive anyway. Would I need to genfstab with -L instead of -U in that case?
I was referring to your crypttab.
In fstab you only want UUID. That would be great for your encrypted drive also, except you chose to go with external header and entire device encryption, so it has no UUID.
You could cheat and give it UUID anyway ( https://wiki.archlinux.org/index.php/Dm … _and_LABEL ) but if you went with full device encryption for esoteric/deniability reasons then it probably won't be an option for you.
It would also require you to re-encrypt or restart from scratch.
Last edited by frostschutz (2019-02-12 23:56:12)
Got it working perfectly, thank you for the help! Do you know if there's a reason that the /by-id numbers don't work with it?
Last edited by nashtonash (2019-02-12 23:58:31)
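The thread turns on three things that only show up at boot: a by-id path the initramfs never resolved, a detached header that has to be baked into the initramfs through FILES=(), and frostschutz's suggestion to name the device by PARTUUID instead. The sh script below, added for this page and not code from the posts or from the Arch project, checks a crypttab.initramfs entry against mkinitcpio.conf before the initramfs is rebuilt, so these mismatches are caught at the desk rather than in the emergency shell. The by-id string, the PARTUUID, the device names and the two sample file pairs are constructed; the script never touches a block device or runs cryptsetup.

```shell
#!/bin/sh
# Added example for this thread (not code from the posts or from Arch):
# check a crypttab.initramfs entry against mkinitcpio.conf before rebuilding
# the initramfs. Device names, paths and the sample files below are
# constructed; nothing here touches a real block device or runs cryptsetup.

# check_crypt_config CRYPTTAB MKINITCPIO_CONF
# Prints one line per finding ("PROBLEM: ..." or "NOTE: ...") and returns the
# number of PROBLEM lines, so a return value of 0 means the two files agree.
check_crypt_config() {
    crypttab=$1
    mkconf=$2
    problems=0

    # Extract the contents of FILES=( ... ) and HOOKS=( ... ).
    files=$(sed -n 's/^FILES=(\(.*\)).*/\1/p' "$mkconf")
    hooks=$(sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$mkconf")

    # crypttab.initramfs is only honoured by the sd-encrypt hook, which needs
    # the systemd hook before it; with udev+encrypt the file is ignored.
    case " $hooks " in
        *" systemd "*" sd-encrypt "*) ;;
        *)  echo "PROBLEM: HOOKS=($hooks) lacks 'systemd' followed by 'sd-encrypt', so crypttab.initramfs is never read"
            problems=$((problems + 1)) ;;
    esac

    while read -r name dev keyfile opts; do
        # Skip blank lines and comments.
        case "$name" in ''|\#*) continue ;; esac

        # How the data device is named decides whether the initramfs can find it.
        case "$dev" in
            '') echo "PROBLEM: $name: device field is missing"
                problems=$((problems + 1)) ;;
            UUID=*|/dev/disk/by-uuid/*)
                echo "NOTE: $name: a UUID normally comes from the LUKS header; with header= the data device carries none of its own" ;;
            /dev/disk/by-id/*|/dev/disk/by-path/*)
                echo "NOTE: $name: $dev relies on a udev symlink appearing inside the initramfs; if it never does, systemd waits for the device until the job times out" ;;
            PARTUUID=*|PARTLABEL=*|/dev/disk/by-partuuid/*|/dev/disk/by-partlabel/*)
                echo "NOTE: $name: $dev is taken from the partition table, so it works without any LUKS UUID" ;;
            /dev/*)
                echo "NOTE: $name: $dev is a kernel name and may change when sticks are plugged in a different order" ;;
            *)  echo "NOTE: $name: device field '$dev' is not classified by this check" ;;
        esac

        # header= points at a file inside the initramfs: it must be in FILES=(),
        # otherwise the open fails before the real root is reachable.
        header=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^header=//p')
        if [ -n "$header" ]; then
            case " $files " in
                *" $header "*) echo "NOTE: $name: header $header is present in FILES" ;;
                *)  echo "PROBLEM: $name: header=$header but FILES=($files) does not include it"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done < "$crypttab"

    return "$problems"
}

# Write two constructed crypttab/mkinitcpio pairs to a scratch directory and
# print its path. The "good" pair mirrors the setup from the thread; the "bad"
# pair has the header missing from FILES and the udev+encrypt hook set.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# <name> <device> <keyfile> <options>' \
        'croot /dev/disk/by-id/usb-EXAMPLE_STICK-0:0-part1 none header=/boot/header.img' \
        > "$dir/crypttab.good"
    printf '%s\n' 'MODULES=()' 'FILES=(/boot/header.img)' \
        'HOOKS=(base systemd block keyboard autodetect modconf sd-encrypt filesystems fsck)' \
        > "$dir/mkinitcpio.good"
    printf '%s\n' 'croot PARTUUID=0000aaaa-01 none header=/boot/header.img' \
        > "$dir/crypttab.bad"
    printf '%s\n' 'FILES=()' \
        'HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)' \
        > "$dir/mkinitcpio.bad"
    printf '%s\n' "$dir"
}

# Stand-alone run: report on both pairs.
samples=$(make_samples)
for variant in good bad; do
    echo "== $variant =="
    check_crypt_config "$samples/crypttab.$variant" "$samples/mkinitcpio.$variant" \
        || echo "-> $? problem(s) to fix before running mkinitcpio -p linux"
done
rm -rf "$samples"
```

Run it on the real files with `check_crypt_config /etc/crypttab.initramfs /etc/mkinitcpio.conf` from inside the chroot. The check deliberately reports by-id and plain /dev/sdX names as notes rather than errors, since both can work; only a missing header entry or the wrong hook set is treated as a hard problem.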