Hello, I'm trying to install Arch Linux on an encrypted partition. I created one with cryptsetup and opened it, then I created 2 partitions on /dev/mapper/cryptoroot as I'm planning to use hibernation (so here goes swap) and btrfs. I have to use partprobe to populate the partition map in the kernel with:
partprobe /dev/mapper/cryptoroot
After that everything worked pretty great, Arch was installed, the initramfs was generated. But when I'm trying to boot, the encrypt hook isn't calling partprobe on the unlocked container, which renders my system unbootable until I added a partprobe command into the hook on the very last line of the run_hook() function and rebuilt the initramfs. After that the system booted and everything is working great:
/dev/mapper/cryptoroot2 on /.snapshots type btrfs (rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=260,subvol=/@snapshots)
/dev/mapper/cryptoroot2 on /data type btrfs (rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=261,subvol=/@data)
/dev/mapper/cryptoroot2 on /var/lib/docker type btrfs (rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@var_lib_docker)
/dev/mapper/cryptoroot2 on /home type btrfs (rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home)
/dev/mapper/cryptoroot2 on /var/log type btrfs (rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=258,subvol=/@var_log)
(and cryptoroot1 is my swap).
I know that LVM should (probably) be the very proper way, but I'm using btrfs and do not actually want LVM as another layer on my disk. Also I want swap with an exact size, and I do not want to play with a swapfile on btrfs, I prefer to use it as a separate partition. How to properly handle such a situation without modifying the encrypt hook?
Last edited by PoZiTPoH (2021-01-03 17:27:54)
A partition table on anything other than directly on a disk is very uncommon and typically requires some effort to get it to work. There have been some discussions about GPT to plain dm-crypt: https://wiki.archlinux.org/index.php/Ta … m-crypt%22 and https://lists.archlinux.org/pipermail/a … 45968.html .
Since you want a simple solution that doesn't involve modifying the encrypt hook, I suggest:
Create two separate partitions on the disk, e.g. /dev/sda1 and /dev/sda2.
Create an encrypted container (LUKS or plain dm-crypt) on each of them and open it, e.g. /dev/mapper/cryptoroot and /dev/mapper/cryptswap.
Format /dev/mapper/cryptoroot with mkfs.btrfs and /dev/mapper/cryptswap with mkswap.
Configure mkinitcpio for a systemd-based initramfs and use the sd-encrypt (instead of encrypt) hook. sd-encrypt supports unlocking multiple devices and if any of them are encrypted with the same passphrase you will only need to input it once during boot.
PoZiTPoH wrote:I prefer to use it as a separate partition. How to properly handle such a situation without modifying the encrypt hook?
You should add a new hook that runs directly after the encrypt hook.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
A partition table on anything other than directly on a disk is very uncommon and typically requires some effort to get it to work.
The only effort is to run partprobe on the unlocked container. That's it.
While sd-encrypt looks good, I prefer a much simpler solution that doesn't require switching to a systemd-based initramfs and reformatting my drive, so it looks like the only solution is to make a custom hook which will call partprobe on the unlocked device if there is a gpt/mbr table.
Here we go, custom hook if someone else needs it: https://aur.archlinux.org/packages/mkin … partprobe/
Thanks for suggestions!
PoZiTPoH wrote:also I do not want to play with a swapfile on btrfs, I prefer to use it as a separate partition.
Nowadays it's not playing, it's the proper way. This way you don't need to plain-dm the swap partition.
Last edited by equalizer876 (2021-01-03 19:19:28)
PoZiTPoH wrote:also I do not want to play with a swapfile on btrfs, I prefer to use it as a separate partition.
Nowadays it's not playing, it's the proper way. This way you don't need to plain-dm the swap partition.
Why would I ever need to use plain-dm for swap if I can place it on a normal LUKS partition together with other things (like I'm doing now)? With my configuration I enter the password only once and still have swap and root encrypted. My problem wasn't about encryption at all, and I solved it with a custom mkinitcpio hook which does partprobe after container unlocking.
And who said that using a swapfile is the proper way to do swap? Can you show some proof please?
PoZiTPoH wrote:Why would I ever need to use plain-dm for swap if I can place it on a normal LUKS partition together with other things (like I'm doing now)? With my configuration I enter the password only once and still have swap and root encrypted. My problem wasn't about encryption at all, and I solved it with a custom mkinitcpio hook which does partprobe after container unlocking.
Did you create a physical volume (LVM) inside the LUKS container? Otherwise how could you put 2 filesystems inside 1 LUKS container?
PoZiTPoH wrote:And who said that using a swapfile is the proper way to do swap? Can you show some proof please?
https://git.kernel.org/pub/scm/linux/ke … fdb210a2a7
Last edited by equalizer876 (2021-01-03 21:14:57)
equalizer876 wrote:Did you create a physical volume (LVM) inside the LUKS container? Otherwise how could you put 2 filesystems inside 1 partition?
Easily: fdisk /dev/mapper/cryptoroot and create as many as you want (and the partition table allows). No LVM here.
Well, they can, I'm glad for them. But it still looks windows-ish IMO; we lived with swap on a separate partition for years, why switch at all? There are no benefits except the ability to easily change the swap size, but why would anyone need to change the swap size that often?
Last edited by PoZiTPoH (2021-01-03 21:17:05)
I don't know if it is a long term approach. Arch wiki didn't mention such an installation, did it?
I don't know if it is a long term approach. Arch wiki didn't mention such an installation, did it?
Using swap as a partition? Well... https://wiki.archlinux.org/index.php/In … _the_disks .
A good approach is one that worked (eventually); mine works.
I don't know if it is a long term approach.
Why not? It uses standard kernel functionality. It is just necessary to tell the kernel that a block device appeared that should be scanned for partitions.
Arch wiki didn't mention such an installation, did it?
The arch wiki is community driven and such a setup is uncommon. Here is one discussion about a similar idea (with plain dm-crypt instead of LUKS)
https://wiki.archlinux.org/index.php/Ta … m-crypt%22
and a thread on the dm-crypt mailing list: https://www.saout.de/pipermail/dm-crypt … 05654.html
Last edited by progandy (2021-01-03 22:03:13)
DEVICES=$(ls /dev/dm-*)
You shouldn't parse the output of ls.
add_binary "awk"
busybox's awk works just fine.
add_binary "partprobe"
You may want to check if you can make do with busybox's partprobe.
The hook was done in an "always success" way, so I see no problem in using ls even if it fails. Anyway, thanks for pointing it out, I will fix it when I have time.
busybox's awk works just fine.
Thanks, will fix that, I was unsure when writing it.
You may want to check if you can make do with busybox's partprobe.
It will fail:
# /usr/lib/initcpio/busybox partprobe /dev/dm-0
partprobe: /dev/dm-0: Invalid argument
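To make the design discussed in this thread concrete (a runtime hook placed right after encrypt that runs partprobe on an unlocked container only when it carries an mbr/gpt table, enumerating devices without parsing ls, and relying on util-linux partprobe because the busybox one rejects dm devices), here is an added example hook. It is not the AUR package's code and not part of the original posts. The hook name "partprobe-dm" and its path /etc/initcpio/hooks/partprobe-dm are assumptions; the matching install file would call add_binary "partprobe" and add_runscript, and HOOKS in /etc/mkinitcpio.conf would list partprobe-dm directly after encrypt. Partition-table detection reads the raw on-disk signatures with dd and od, which busybox provides inside the initramfs.

```shell
# Added example of a mkinitcpio runtime hook (assumed file:
# /etc/initcpio/hooks/partprobe-dm, listed right after "encrypt" in HOOKS).
# Not the AUR package's code. The file is sourced by the initramfs shell,
# so it only defines functions; run_hook is the entry point mkinitcpio calls.

# Return the hex dump of COUNT bytes starting at OFFSET of a device or image
# file, as one lowercase string without separators.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the partition-table type found on the device: "gpt", "mbr" or "none".
# Exit status is 0 when a table was found and 1 otherwise.
pttype_of() {
    # GPT header lives at LBA 1 (byte 512) and starts with the ASCII
    # signature "EFI PART" (hex 45 46 49 20 50 41 52 54).
    if [ "$(hex_at "$1" 512 8)" = "4546492050415254" ]; then
        echo gpt
        return 0
    fi
    # MBR boot signature: bytes 0x55 0xAA at offsets 510-511.
    if [ "$(hex_at "$1" 510 2)" = "55aa" ]; then
        echo mbr
        return 0
    fi
    echo none
    return 1
}

# Ask the kernel to (re)scan the partitions of one device. As noted in the
# thread, busybox's partprobe fails with "Invalid argument" on dm devices, so
# this expects the util-linux partprobe added to the image with add_binary.
probe_partitions() {
    partprobe "$1"
}

# Runtime entry point: iterate the device-mapper nodes the encrypt hook has
# just created, using a shell glob instead of parsing ls output.
run_hook() {
    for dev in /dev/mapper/*; do
        # Skip non-block nodes (the "control" node is a character device) and
        # the literal pattern left over when the glob matches nothing.
        [ -b "$dev" ] || continue
        case "$(pttype_of "$dev")" in
            gpt|mbr) probe_partitions "$dev" ;;
        esac
    done
}
```

With this in place, a container that was opened by encrypt and holds a partition table (as /dev/mapper/cryptoroot does in the original setup) gets its cryptorootN children populated before the filesystems hook mounts root, while containers that directly hold a filesystem are left untouched; a detected table that partprobe cannot apply is still reported by partprobe's own exit status on the console.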