#1 2020-10-02 22:10:59

ljshap
Member
From: Ossining, NY
Registered: 2008-01-23
Posts: 160

[SOLVED] Booting encrypted root using LVM over Luks

I am trying to install Arch on an 8-year-old netbook that does not have a UEFI-enabled BIOS. The hard drive is formatted using GPT. I have installed both LVM and LUKS on other machines but not on the root partition. I am using this machine as a test run before attempting to redo a more useful computer.

I was successful in installing a usable O/S including Openbox, except that after rebooting I get the following message:

   ERROR: Device /dev/mapper/aDrive-root Not Found. 

I can boot into the O/S by using the Arch install disk and arch-chroot but that is not a practical solution.

The following is an edited version of the output from lsblk:

NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT  Comments
sda                  8:0    0  298G  0 disk
├─sda1               8:1    0  100M  0 part              Unformatted BIOS Boot Partition EF02
├─sda2               8:2    0  250M  0 part  /boot       Unenc. ext4 partition mounted at /boot
├─sda3               8:3    0  200G  0 part              Encrypted luks1 partition
│ └─cryptlvm       254:0    0  200G  0 crypt             Volume Group -> aDrive
│   ├─aDrive-swap  254:1    0    2G  0 lvm               Logical Volume for swap
│   └─aDrive-root  254:2    0   35G  0 lvm   /           Logical Volume for root
└─sda4               8:4    0   97G  0 part              Unformatted sda storage

I have gone through the wikis and other relevant posts to the point where I am suffering from a significant case of information overload resulting in a mental block.

Most of my efforts have been in trying to configure mkinitcpio and GRUB.

The hooks section of the mkinitcpio.conf is:

HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 filesystems  fsck)

Relevant parts of /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=dev/sda3:cryptlvm"   # This is only one of many different attempts and might be the problem.

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

After making changes I run both:
   mkinitcpio -P
   grub-mkconfig -o /boot/grub/grub.cfg

At this point I'm not concerned about having to enter the encryption key twice. 


Any pointers would be greatly appreciated!

Thanks

Last edited by ljshap (2020-10-03 02:31:15)


Live Free or Die !

#2 2020-10-03 01:49:48

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: [SOLVED] Booting encrypted root using LVM over Luks

cryptdevice is wrong, device name has to start with /

it's better to use the UUID=xyz of sda3 instead as it might end up sdb3 or sdc3 instead (depending on drive detection order)

same with the root disk, better to use the rootfs UUID as it might be /dev/mapper/x-y or /dev/x/y or /dev/dm-123

device names are not half as reliable as UUIDs

your sda1 bios grub partition is too large, 1M is plenty, but no harm (other than wasted space) in giving more

At this point I'm not concerned about having to enter the encryption key twice.

???

it should be only once, considering you have a single luks container and unencrypted boot

with unencrypted boot you don't need to enable cryptodisk in grub

Last edited by frostschutz (2020-10-03 01:51:54)

#3 2020-10-03 02:28:11

ljshap
Member
From: Ossining, NY
Registered: 2008-01-23
Posts: 160

Re: [SOLVED] Booting encrypted root using LVM over Luks

frostschutz wrote:

cryptdevice is wrong, device name has to start with /

it's better to use the UUID=xyz of sda3 instead as it might end up sdb3 or sdc3 instead (depending on drive detection order)


Dang: You beat me to it, I was in the process of marking this thread solved when I saw your post.

I took a long break but decided to give it another look when I noticed the typo. It worked after changing the grub file to:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:cryptlvm"   # This is only one of many different attempts and might be the problem. 

I called it a typo because it was such a careless mistake I usually wouldn't have made using Dos 1.   In my defense I tried a lot of different things most of which did involve UUID numbers, so I was pretty punchy and frustrated.  I purposely installed Openbox to make it easier to copy and post those freight train length numbers.


I think my problem was misunderstanding the following line in the Arch Wiki:

cryptdevice=UUID=device-UUID:cryptroot root=/dev/mapper/cryptroot 

Now that that hurdle is passed I will try again using the UUID.

The next step is trying to boot additional distros as backup in the encrypted partition and possibly FreeBSD in the unencrypted partition.

You were right about only having to enter the passphrase once.

Thanks a lot for your reply, but I wish I had beaten you. :)

Larry


Live Free or Die !

#4 2020-10-05 12:42:59

ljshap
Member
From: Ossining, NY
Registered: 2008-01-23
Posts: 160

Re: [SOLVED] Booting encrypted root using LVM over Luks

frostschutz wrote:

cryptdevice is wrong, device name has to start with /

it's better to use the UUID=xyz of sda3 instead as it might end up sdb3 or sdc3 instead (depending on drive detection order)

same with the root disk, better to use the rootfs UUID as it might be /dev/mapper/x-y or /dev/x/y or /dev/dm-123

I was able to use the UUID of /dev/sda3 with the following line:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=50cd9c4b-d2c1-45cf-81b5-dc54948a86f8:cryptlvm"

The blkid command is more useful in matching UUIDs with partitions and logical volumes than lsblk is, so maybe I kept using the wrong UUID.

I was only joking when I said I wanted to beat you to the solution (which I did), but I really did appreciate your help.

Thanks Again
Larry


Live Free or Die !
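
Added example, not part of the thread and not written by either poster: a small lint for the cryptdevice= kernel parameter that separates the three forms seen above (dev/sda3, /dev/sda3, UUID=...). The function names, the verdict words and the assumed device:dmname[:options] layout are this example's own; it checks syntax only, not that the device or UUID actually exists.

```shell
#!/bin/sh
# Added example (not from the thread): lint the cryptdevice= kernel parameter.
# Assumed format: cryptdevice=<device>:<dmname>[:<options>], no ':' in <device>.

# Print the kernel parameters set in a GRUB defaults file (default path assumed).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX\(_DEFAULT\)\{0,1\}="\([^"]*\)".*/\2/p' \
        "${1:-/etc/default/grub}" | tr '\n' ' '
}

# Print the value of the first cryptdevice= word in a command line string.
get_cryptdevice() (
    set -f                      # no globbing while word-splitting $1
    for word in $1; do
        case $word in
            cryptdevice=*) printf '%s\n' "${word#cryptdevice=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Classify a command line. Prints one verdict word; returns 0 only for "persistent".
check_cryptdevice() (
    value=$(get_cryptdevice "$1") || { echo missing; exit 1; }
    case $value in *:*) ;; *) echo malformed; exit 1 ;; esac
    device=${value%%:*}         # text before the first ':'
    rest=${value#*:}
    dmname=${rest%%:*}          # mapper name, e.g. cryptlvm
    [ -n "$device" ] && [ -n "$dmname" ] || { echo malformed; exit 1; }
    case $device in
        UUID=?*|PARTUUID=?*|LABEL=?*|PARTLABEL=?*|/dev/disk/by-*/?*)
            echo persistent; exit 0 ;;
        /dev/?*)
            echo kernel-name; exit 2 ;;   # boots, but sdX order can change
        *)
            echo not-absolute; exit 1 ;;  # e.g. dev/sda3 from the first post
    esac
)

# Sample inputs taken from the thread.
for line in "cryptdevice=dev/sda3:cryptlvm" "cryptdevice=/dev/sda3:cryptlvm" \
            "cryptdevice=UUID=50cd9c4b-d2c1-45cf-81b5-dc54948a86f8:cryptlvm"; do
    printf '%-14s %s\n' "$(check_cryptdevice "$line")" "$line"
done
```

On an installed system, check_cryptdevice "$(grub_cmdline)" can be run after editing /etc/default/grub and before grub-mkconfig, so a bad value is caught without a failed boot.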
