I am using LVM on LUKS on a fully encrypted SSD and everything works fine. Since my SSD ran out of free space, I'd like to repeat the whole setup with my new drive but I run into problems I didn't have before: Grub complains
grub error: disk 'lvmid/<UUID>' not found. Entering rescue mode...
AFAIK the only difference in the setup is /boot/grub/grub.cfg, which misses some modules compared to my running system.
Here's my setup (Dell Latitude E5550 with legacy BIOS):
parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary 2048s 100%
cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sda1
cryptsetup luksOpen /dev/sda1 lvm
pvcreate /dev/mapper/lvm
vgcreate vg /dev/mapper/lvm
lvcreate -L 6G vg -n swap
lvcreate -L 20G vg -n root
lvcreate -l +100%FREE vg -n home
mkswap -L swap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home
mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home
pacstrap -i /mnt base base-devel
genfstab -U /mnt > /mnt/etc/fstab
arch-chroot /mnt /bin/bash
I added hooks to mkinitcpio.conf:
HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)
and ran
mkinitcpio -p linux
I installed grub (pacman -S grub) and added this to /etc/default/grub:
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_PRELOAD_MODULES="part_gpt part_msdos cryptodisk luks"
and ran
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda
I need to set the boot flag for the drive to avoid "Invalid partition table!" at boot
parted /dev/sda set 1 boot on
Now for the keyfile:
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
then adding "FILES=(/crypto_keyfile.bin)" to /etc/mkinitcpio.conf and then
mkinitcpio -p linux
chmod 000 /crypto_keyfile.bin
chmod -R g-rxw,o-rwx /boot
Rebooting leads to grub in rescue mode with the above message. Since this setup works smoothly on my old drive on the same machine, I cannot figure out why it fails now.
Then I noticed that some modules are not loaded in grub.cfg. These insmod lines
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod lvm
insmod ext2
are present in my working setup, but aren't added automatically in my new one. The same lines are missing in the menuentry sections in grub.cfg. Why didn't the new system add these to grub.cfg? I certainly didn't add anything manually in my working setup and don't have any special files or configs in /etc/grub.d/.
All UUIDs seem to be at the right places in grub.cfg, but why aren't all needed modules appearing automatically in grub.cfg (same as they apparently did in my working setup)? What am I missing here?
I searched the forum and the web but came up empty. Trying to pass the UUID directly at GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm" didn't work (also this line works in my running setup as is so I expect this to work).
Any help is appreciated. Thanks!
[Edit: Removed some typos.]
[Edit: Marked as SOLVED.]
Last edited by fromminttoarch (2019-05-25 19:14:46)
if grub.cfg resides on encrypted lvm, I think you have to add lvm to your preload modules too https://wiki.archlinux.org/index.php/GRUB#LVM then re-run grub install step
there might be other things missing... anyway these modules have to go into the core.img of grub (early grub, preload) or grub can't even reach its own boot partition
Last edited by frostschutz (2019-05-24 18:14:18)
Thanks frostschutz for your quick reply. I tried adding lvm to the preload modules but the problem persisted.
Pointing me to the wiki brought me on the right track, though. It turns out that since my last successful install a couple of years back the default for cryptsetup LUKS format action changed to LUKS2 since Cryptsetup 2.1.0. This causes grub to behave differently from what I expected. Starting from scratch and adding "--type luks1" to the cryptsetup encryption command solves the issues: grub.cfg automatically contains all needed kernel modules and grub boots as expected asking for the passphrase.
I should've thought of that, sorry. :-)
Yes, grub and luks2 are not compatible, so at least for the /boot partition, if it must be encrypted at all, you have to stick to luks1. You can then use luks2 for everything else (anything that grub does not need and will be handled from the already loaded kernel + initrd).
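To see which header format a partition actually carries before installing GRUB on it, the sketch below reads the LUKS magic and version field directly and, for LUKS1, the cipher, mode and hash fields that match the gcry_* modules in the working grub.cfg. It is an added example, not part of the thread: the function names are hypothetical, the field offsets follow the LUKS1 on-disk specification, and make_sample builds a constructed header for offline testing.

```shell
#!/bin/sh
# Added example: offsets per the LUKS1 on-disk spec; LUKS2 keeps the same
# magic and version position. Function names are illustrative only.

# Print N bytes at OFFSET of FILE as lowercase hex, no separators.
hex_at() {  # hex_at FILE OFFSET N
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Print the NUL-padded string stored in an N-byte field at OFFSET.
str_at() {  # str_at FILE OFFSET N
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Echo 1 or 2 for a LUKS header, "unknown" for another version, "none" without magic.
luks_version() {
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ] || { echo none; return 0; }
    case "$(hex_at "$1" 6 2)" in    # 16-bit big-endian version field
        0001) echo 1 ;;
        0002) echo 2 ;;
        *)    echo unknown ;;
    esac
}

# One-line summary; cipher, mode and hash are fixed 32-byte fields only in LUKS1.
luks_summary() {
    v=$(luks_version "$1")
    if [ "$v" = 1 ]; then
        echo "LUKS1 cipher=$(str_at "$1" 8 32) mode=$(str_at "$1" 40 32) hash=$(str_at "$1" 72 32)"
    elif [ "$v" = 2 ]; then
        echo "LUKS2 (parameters are stored in JSON metadata; see cryptsetup luksDump)"
    else
        echo "no usable LUKS header ($v)"
    fi
}

# Constructed sample header for offline testing, using the thread's cipher
# settings; for VERSION=2 only the magic and version bytes are meaningful.
field() { printf '%s' "$1"; dd if=/dev/zero bs=1 count=$((32 - ${#1})) 2>/dev/null; }
make_sample() {  # make_sample FILE VERSION(1|2)
    { printf 'LUKS\272\276\000'; printf "\\00$2"
      field twofish; field xts-plain64; field sha512; } > "$1"
}

# Stand-alone use (reading a real partition such as /dev/sda1 needs root).
if [ $# -gt 0 ]; then luks_summary "$1"; fi
```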