
#1 2019-02-12 22:31:11

nashtonash
Member
Registered: 2018-08-07
Posts: 3

[SOLVED] dm-crypt with luks2 and detached header on USB times out

I'm trying to set up an encrypted drive on a USB with the /boot partition, GRUB, and the detached LUKS header on another USB (/dev/sdb1 and /dev/sdc1 respectively in my example). Everything is being installed on MBTs.

Following the instructions from the dm-crypt/Specialties page on the wiki, my install process right now is:

set up /dev/sdb1 and /dev/sdc1 partitions as type Linux (83)
wipe both disks with urandom

create header image:

# dd if=/dev/zero of=header.img bs=16M count=1

cryptsetup:

# cryptsetup -y -v --use-random --hash sha512 --key-size 512 --cipher aes-xts-plain64 --type luks2 --header header.img luksFormat /dev/sdb1

set up password for encrypted drive

# cryptsetup open --header=header.img /dev/sdb1 croot

enter password to open /dev/mapper/croot

format and mount:

# mkfs.ext4 /dev/mapper/croot
# mkfs.ext4 /dev/sdc1
# mount /dev/mapper/croot /mnt
# mkdir /mnt/boot
# mount /dev/sdc1 /mnt/boot
# cp header.img /mnt/boot
# rm header.img

install arch:

# pacstrap /mnt base grub
# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt

identify encrypted disk by-id:

# ls /dev/disk/by-id

set crypttab:

# nano /etc/crypttab.initramfs
---
croot /dev/disk/by-id/(/dev/sdb1 id) none header=/boot/header.img

set up mkinitcpio:

# nano /etc/mkinitcpio.conf
---
FILES=(/boot/header.img)
...
HOOKS=(base systemd block keyboard autodetect modconf sd-encrypt filesystems fsck)

# mkinitcpio -p linux

install grub:

# grub-install --target=i386-pc /dev/sdc
# grub-mkconfig -o /boot/grub/grub.cfg

Then I exit chroot, unmount everything, close /dev/mapper/croot, and reboot into the /dev/sdc USB. It drops me into GRUB, I press enter to boot "Arch linux," it displays a start job for /dev/mapper/croot, then changes to show that it's starting a job for /dev/disk/by-uuid/(the uuid for /dev/mapper/croot), then times out after 1.5 minutes and drops me into the emergency shell, where my keyboard doesn't even work to call systemctl reboot, so I do a hard reboot. I'm not sure what point I'm messing up with it, and the Arch wiki page is ambiguous about the disk setup. It says at one point that the setup follows dm-crypt plain, then at another says "Continue LUKS on LVM setup", but that link points to the full disk encryption/dm-crypt plain section.

I also tried adding the crypttab entry to crypttab directly instead of creating the crypttab.initramfs file, then regenerating the initramfs and grub.cfg, but the same thing happened.

Any help would be greatly appreciated.

Edit: SOLVED
---
Used /dev/sdc1 instead of /dev/disk/by-id/(/dev/sdc1 id) in crypttab

Last edited by nashtonash (2019-02-12 23:57:29)
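
An added example, not part of the original post: a POSIX shell lint for the setup described above. It parses one crypttab.initramfs line, reports how the device is named, and checks that the header= file is listed in FILES and that sd-encrypt (the systemd-based hook that reads crypttab.initramfs) is in HOOKS. The function names, the sample by-id name and the sample config are constructed for illustration.

```sh
# Added example: lint one crypttab.initramfs entry against mkinitcpio.conf.
# Function names are illustrative, not part of cryptsetup or mkinitcpio.

# Classify the device field (2nd column of a crypttab line).
device_kind() {
    case "$1" in
        UUID=*|PARTUUID=*) echo tag ;;
        /dev/disk/by-*/*)  echo udev-symlink ;;
        /dev/*)            echo kernel-name ;;
        *)                 echo unknown ;;
    esac
}

# Print the header= value from the comma-separated options (4th column).
header_option() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^header=//p'
}

# Print the words of a NAME=(...) line in mkinitcpio.conf, one per line.
conf_array() {  # $1 = variable name, $2 = config file
    sed -n "s/^$1=(\(.*\))[[:space:]]*\$/\1/p" "$2" | tr -s ' \t' '\n\n'
}

lint_entry() {  # $1 = crypttab line, $2 = mkinitcpio.conf path
    conf=$2
    set -- $1   # split into: name, device, key file, options
    echo "device=$(device_kind "$2")"
    hdr=$(header_option "${4:-}")
    if [ -z "$hdr" ]; then
        echo "header=not-detached"
    elif conf_array FILES "$conf" | grep -qxF -- "$hdr"; then
        echo "header=in-initramfs"
    else
        echo "header=missing-from-FILES"
    fi
    # Without sd-encrypt in HOOKS the entry is never acted on at boot.
    conf_array HOOKS "$conf" | grep -qxF sd-encrypt \
        && echo "hook=sd-encrypt" || echo "hook=sd-encrypt-missing"
}

demo() {  # constructed sample config and entries
    sample=$(mktemp)
    printf '%s\n' 'FILES=(/boot/header.img)' \
        'HOOKS=(base systemd block keyboard autodetect modconf sd-encrypt filesystems fsck)' >"$sample"
    lint_entry 'croot /dev/sdb1 none header=/boot/header.img' "$sample"
    lint_entry 'croot /dev/disk/by-id/usb-CONSTRUCTED-part1 none header=/header.img' "$sample"
    rm -f "$sample"
}

demo
```

The lint only checks that the three pieces of configuration agree with each other; it does not tell you whether a given /dev/disk/by-* symlink exists inside the initramfs at boot.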


#2 2019-02-12 23:37:49

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: [SOLVED] dm-crypt with luks2 and detached header on USB times out

Does it work if you give the static name /dev/sdb1 instead of /dev/disk/by...? Does it drop you to a shell? What do /proc/partitions and /dev/disk/... look like then?

The by-paths can be a bit flimsy; perhaps try by-partuuid instead (or directly PARTUUID=; even though the manpage states only paths or UUID= are allowed, it could work, haven't tried it).

Regarding the keyboard not working, try adding keyboard modules to your mkinitcpio... which ones depends on your hardware; check lsmod for what's loaded.

Last edited by frostschutz (2019-02-12 23:38:51)


#3 2019-02-12 23:44:08

nashtonash
Member
Registered: 2018-08-07
Posts: 3

Re: [SOLVED] dm-crypt with luks2 and detached header on USB times out

frostschutz, I could try that, since my plan after I work out the kinks is to install it on a permanent drive anyway. Would I need to genfstab with -L instead of -U in that case?


#4 2019-02-12 23:53:06

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: [SOLVED] dm-crypt with luks2 and detached header on USB times out

I was referring to your crypttab.

In fstab you only want UUID. That would be great for your encrypted drive also, except you chose to go with external header and entire device encryption, so it has no UUID.

You could cheat and give it UUID anyway ( https://wiki.archlinux.org/index.php/Dm … _and_LABEL ) but if you went with full device encryption for esoteric/deniability reasons then it probably won't be an option for you.

It would also require you to re-encrypt or restart from scratch.

Last edited by frostschutz (2019-02-12 23:56:12)


#5 2019-02-12 23:56:04

nashtonash
Member
Registered: 2018-08-07
Posts: 3

Re: [SOLVED] dm-crypt with luks2 and detached header on USB times out

Got it working perfectly, thank you for the help! Do you know if there's a reason that the /by-id numbers don't work with it?

Last edited by nashtonash (2019-02-12 23:58:31)
