I have Windows on one partition. Installation was prepared for Arch, so I currently have
nvme0n1p1 500MB Efi
nvme0n1p2 Windows partition
nvme0n1p3 Free space for Arch
I want btrfs and systemd-boot
I read dm-crypt and I hope that I got it right.
Should entry for systemd boot look like this?
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=/dev/nvme0n1p3 rw rootflags=subvol=@ cryptdevice=device:dmname
For example
cryptdevice=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:cryptroot
Can I change
root=/dev/nvme0n1p3
to
root=UUID
Am I correct that above is right for encrypt hook and for sd-encrypt hook entry should look like this:
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=/dev/nvme0n1p3 rw rootflags=subvol=@ rd.luks.uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
And rd.luks is UUID only?
Last edited by 860lacov (2021-07-26 22:08:13)
Offline
The only way you will learn anything is to try it and see.
Offline
Please consider using Persistent block device naming for the root option. The root option also needs to be for the root file-system / the decrypted mapping of LUKS volume not the LUKS volume itself while rd.luks.uuid must be for the LUKS volume itself.
Offline
Ok
I decided to try in virtualbox
My partitions are mounted like this:
mount -o ssd,noatime,space_cache,subvol=@ /dev/mapper/archcrypt /mnt
mount /dev/sda1 /mnt/efi
This didn't work because bootloader couldn't find
initrd /amd-ucode.img
and
initrd /initramfs-linux.img
So I tried with mounting EFI partition as /boot
bootctl list is showing Arch linux entry so it seems ok
My loader.conf looks like this:
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=/dev/mapper/archcrypt cryptdevice=UUID=uuid of sda2:archcrypt rootflags=subvol=@ rw
After restart I get:
:: running eraly hook [udev]
Starting version 249.1-1-arch
:: running hook [udev]
:: Triggering uevents...
:: running hook [keymap]
:: Loading keymap...done/
Loading console font...done.
:: running hook [encrypt]
A password is required to access the volume:
Command requires device and mapped name as arguments. <---and this line is being repeated all the time
In mkinitcpio.conf I tried
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
and
HOOKS=(base udev systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
I stayed with encrypt because I don't understand the wiki part about rd.luks.uuid= but I assume that I should put here UUID that I get when I do blkid. There is UUID of /dev/mapper/archcrypt.
rd.luks.uuid should be in loader.conf instead of root= AND instead cryptdevice=?
Or it replaces just root or just cryptdevice?
And there is a crypttab in Arch wiki.
Is that something that I need to do or this is another paragraph and in my scenario it is not important?
Last edited by 860lacov (2021-07-23 21:49:24)
Offline
As it is a test setup in a virtual machine why are you redacting the UUID?
My first thought is there is something wrong with the cryptdevice options, but if you are changing the string it is not possible to check.
Is the rest of the output posted actual file contents or have you transcribed it?
Offline
As it is a test setup in a virtual machine why are you redacting the UUID?
My first thought is there is something wrong with the cryptdevice options, but if you are changing the string it is not possible to check.
Is the rest of the output posted actual file contents or have you transcribed it?
Do you mean why I don't post the whole UUID?
Because I write everything by myself.
I didn't do ssh connection with vm so I need to transcribe everything.
This is how it looks copied from ssh session:
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=6d93eeb4-b541-44e1-9e14-d5c38453f8a5 root=/dev/mapper/archcrypt rootflags=subvol=@ rw
Last edited by 860lacov (2021-07-23 22:02:48)
Offline
See the tip box from pastebin so you can post the contents of files and the outputs of commands directly to a pastebin.
Post the contents of the loader for systemd-boot, mkinitcpio.conf and the output of the following after mounting the system's file systems to /mnt but before chrooting in
# parted -l
# blkid
When you changed from
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
to
HOOKS=(base udev systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
Did the error change? It should have, as sd-encrypt does not support cryptdevice.
Edit:
options cryptdevice=UUID=6d93eeb4-b541-44e1-9e14-d5c38453f8a5 root=/dev/mapper/archcrypt rootflags=subvol=@ rw
Command requires device and mapped name as arguments. <---and this line is being repeated all the time
Compare the cryptdevice option with what you previously posted
options root=/dev/mapper/archcrypt cryptdevice=UUID=uuid of sda2:archcrypt rootflags=subvol=@ rw
Last edited by loqs (2021-07-23 22:13:56)
Offline
See the tip box from pastebin so you can post the contents of files and the outputs of commands directly to a pastebin.
Post the contents of the loader for systemd-boot, mkinitcpio.conf and the output of the following after mounting the system's file systems to /mnt but before chrooting in
# parted -l
# blkid
When you changed from
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
to
HOOKS=(base udev systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
Did the error change? It should have, as sd-encrypt does not support cryptdevice.
I'm sorry, but I can't answer to the question about an error. I tried many times and changed many settings. I don't remember how it looked, but for sure there was something else.
Ok.
I think that I've found the problem.
It was:
options cryptdevice=UUID=6d93eeb4-b541-44e1-9e14-d5c38453f8a5 root=/dev/mapper/archcrypt rootflags=subvol=@ rw
and should be:
options cryptdevice=UUID=6d93eeb4-b541-44e1-9e14-d5c38453f8a5:archcrypt root=/dev/mapper/archcrypt rootflags=subvol=@ rw
Thank you for your patience, but maybe you could help me with things strictly connected with this subject
1. Do I have to mount EFI partition in /boot for systemd bootloader?
2. Can I change root=/dev/mapper/archcrypt to root=UUID=uuid of archcrypt?
3. If I would like to use sd-encrypt then I should remove root= and cryptdevice= and just use:
rd.luks.uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
4. For the point number 3 do I have to configure crypttab?
I started to use systemd bootloader recently. I wanted to use sd-encrypt not because I need this, but I thought that it is the better (more clean) way when I use systemd instead of grub
Last edited by 860lacov (2021-07-23 22:25:41)
Offline
1. Do I have to mount EFI partition in /boot for systemd bootloader?
No not strictly required. However you have to be aware of the consequences of not doing so. Covering this is really outside the scope of the topic as it is independent of using encryption.
2. Can I change root=/dev/mapper/archcrypt to root=UUID=uuid of archcrypt?
Yes
3. If I would like to use sd-encrypt then I should remove root= and cryptdevice= and just use:
rd.luks.uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
sd-encrypt replaces the cryptdevice option with rd.luks.uuid. The root option is unchanged. Note rd.luks.uuid is the UUID of the LUKS container not the UUID of the filesystem you pass to the root option.
4. For the point number 3 do I have to configure crypttab?
Only if you want to decrypt other than the root filesystem.
Offline
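The rules from the posts above (the encrypt hook takes cryptdevice=DEVICE:DMNAME, sd-encrypt takes rd.luks.uuid= instead, and root= must name the decrypted filesystem rather than the LUKS container) can be checked before rebooting. This is an added example, not part of the original thread; check_options is a hypothetical helper that only inspects cryptdevice=, rd.luks.uuid= and root=.

```shell
#!/bin/sh
# Added example: lint the "options" line of a systemd-boot entry for an
# encrypted root. Usage: check_options HOOK "OPTIONS" (HOOK: encrypt|sd-encrypt)
# Prints one finding per line; exit status 0 means nothing was found.
check_options() (
    hook=$1 cryptdevice='' luks='' root='' bad=0
    note() { echo "$*"; bad=1; }
    set -f    # no globbing while the line is split into words
    for w in $2; do
        case $w in
            cryptdevice=*)  cryptdevice=${w#cryptdevice=} ;;
            rd.luks.uuid=*) luks=${w#rd.luks.uuid=} ;;
            root=*)         root=${w#root=} ;;
        esac
    done
    [ -n "$root" ] || note "root= is missing"
    case $hook in
    encrypt)
        [ -z "$luks" ] || note "rd.luks.uuid= is only read by sd-encrypt"
        case $cryptdevice in
            '') note "encrypt needs cryptdevice=DEVICE:DMNAME" ;;
            *:?*)
                dev=${cryptdevice%%:*}                    # part before the first colon
                name=${cryptdevice#*:}; name=${name%%:*}  # mapping name
                [ "$root" != "$dev" ] ||
                    note "root= is the LUKS container, not the decrypted mapping"
                case $root in
                    /dev/mapper/*) [ "$root" = "/dev/mapper/$name" ] ||
                        note "root= does not match mapping name '$name'" ;;
                esac ;;
            *) note "cryptdevice= has no :DMNAME (device and mapped name required)" ;;
        esac ;;
    sd-encrypt)
        [ -z "$cryptdevice" ] || note "sd-encrypt does not support cryptdevice="
        [ -n "$luks" ] || note "sd-encrypt needs rd.luks.uuid=<LUKS container UUID>"
        [ -z "$luks" ] || [ "$root" != "UUID=$luks" ] ||
            note "root= is the LUKS container UUID, not the filesystem UUID" ;;
    *) note "unknown hook '$hook'" ;;
    esac
    exit "$bad"
)

# The first two lines are from the thread; the last two are constructed from its blkid output.
VM_BROKEN='cryptdevice=UUID=6d93eeb4-b541-44e1-9e14-d5c38453f8a5 root=/dev/mapper/archcrypt rootflags=subvol=@ rw'
VM_FIXED='cryptdevice=UUID=6d93eeb4-b541-44e1-9e14-d5c38453f8a5:archcrypt root=/dev/mapper/archcrypt rootflags=subvol=@ rw'
ROOT_IS_LUKS='cryptdevice=UUID=503d4d44-d8e2-4fb3-8f4d-e8fa00385c4a:cryptroot root=UUID=503d4d44-d8e2-4fb3-8f4d-e8fa00385c4a rootflags=subvol=@ rw'
SD_ENCRYPT='rd.luks.uuid=503d4d44-d8e2-4fb3-8f4d-e8fa00385c4a root=UUID=e10849c4-110f-4a7b-9879-db2fd6481a25 rootflags=subvol=@ rw'

check_options encrypt "$VM_BROKEN" || echo "-> VM_BROKEN: fix the entry"
check_options encrypt "$ROOT_IS_LUKS" || echo "-> ROOT_IS_LUKS: fix the entry"
check_options encrypt "$VM_FIXED" && echo "-> VM_FIXED: consistent"
check_options sd-encrypt "$SD_ENCRYPT" && echo "-> SD_ENCRYPT: consistent"
```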
Ok.
I tried to install Arch with encryption on real hardware.
I checked everything I could to avoid mistakes made in Virtualbox.
During boot after
:: running hook [encrypt]
I get two lines with information:
Waiting 10 seconds for device /dev/disk/by-uuid/xxxxxxx-xxxx-xxx ...
Waiting 10 seconds for device /dev/mapper/cryptroot ...
And then
ERROR: device '/dev/mapper/cryptroot' not found. Skipping fsck.
:: mounting '/dev/mapper/cryptroot' on real root
mount: /new_root: no filesystem type specified.
You are now being dropped into an emergency shell.
Offline
Which hooks is this with? Was the encrypted root unlocked? What entries are in /dev/mapper?
Offline
It's with encrypt hook
Like in wiki:
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
root was unlocked
In /dev/mapper I have control and cryptroot (in vm it was archcrypt but during real install I made a change)
I tried with UUID and PARTUUID
Last edited by 860lacov (2021-07-24 21:05:37)
Offline
I need the outputs I requested in #7 as they are for the actual system. Redact the UUIDs if you insist but use a text editor to replace the exact string. You are aware you can change them later to new values? Also not sure what risk there is in sharing them.
Offline
I need the outputs I requested in #7 as they are for the actual system. Redact the UUIDs if you insist but use a text editor to replace the exact string. You are aware you can change them later to new values? Also not sure what risk there is in sharing them.
I didn't provide UUIDs because they are long, and I typed everything by hand.
If I would like to how can I change the UUID?
parted:
Disk /dev/nvme0n1: 1024GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number  Start   End     Size   File system  Name                  Flags
 1      1049kB  525MB   524MB  fat32        EFI system partition  boot, esp
 2      525MB   702GB   702GB  ntfs         Basic data partition  msftdata
 3      702GB   1024GB  322GB               Linux filesystem
blkid:
/dev/nvme0n1p3: UUID="503d4d44-d8e2-4fb3-8f4d-e8fa00385c4a" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="1692dd9b-87c0-4f40-892e-d1a56e841b65"
/dev/nvme0n1p1: UUID="FA78-3A23" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="a935fa0f-6fd7-4305-aead-a8b084555d9f"
/dev/nvme0n1p2: LABEL="Windows" BLOCK_SIZE="512" UUID="3A20783D2077FE67" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="294250bb-0c1d-472e-8f88-e1fed8c51abd"
/dev/loop0: TYPE="squashfs"
/dev/mapper/cryptroot: LABEL="arch" UUID="e10849c4-110f-4a7b-9879-db2fd6481a25" UUID_SUB="c3b67c1a-b021-4da5-96ac-a648135c67e2" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/sda2: SEC_TYPE="msdos" LABEL_FATBOOT="ARCHISO_EFI" LABEL="ARCHISO_EFI" UUID="8319-ECE0" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="fa745e56-02"
/dev/sda1: BLOCK_SIZE="2048" UUID="2021-07-01-13-49-18-00" LABEL="ARCH_202107" TYPE="iso9660" PARTUUID="fa745e56-01"
/dev/sdb1: LABEL="Samsung USB" BLOCK_SIZE="512" UUID="DA34402B34400D47" TYPE="ntfs" PARTUUID="1bde7e5b-01"
Last edited by 860lacov (2021-07-24 21:22:49)
Offline
From the start of post #7 As well as containing the list of outputs I wanted it also contained
See the tip box from pastebin so you can post the contents of files and the outputs of commands directly to a pastebin.
Post the contents of the loader for systemd-boot, mkinitcpio.conf and the output of the following after mounting the system's file systems to /mnt but before chrooting in
# parted -l
# blkid
Which avoids you having to type everything out with the risk of introducing transcription errors.
See man 8 cryptsetup the luksUUID option to set the UUID for the luks container, see man 8 btrfstune to set the UUID for a btrfs file-system, see man 1 uuidgen to generate a UUID.
To change PARTUUIDs I would suggest gdisk -> expert menu then either c option to change the PARTUUID or f option to change all PARTUUIDS and the disk's UUID.
Last edited by loqs (2021-07-24 21:39:14)
Offline
From the start of post #7 As well as containing the list of outputs I wanted it also contained
loqs wrote:See the tip box from pastebin so you can post the contents of files and the outputs of commands directly to a pastebin.
Post the contents of the loader for systemd-boot, mkinitcpio.conf and the output of the following after mounting the system's file systems to /mnt but before chrooting in
# parted -l
# blkid
Which avoids you having to type everything out with the risk of introducing transcription errors.
See man 8 cryptsetup the luksUUID option to set the UUID for the luks container, see man 8 btrfstune to set the UUID for a btrfs file-system, see man 1 uuidgen to generate a UUID.
To change PARTUUIDs I would suggest gdisk -> expert menu then either c option to change the PARTUUID or f option to change all PARTUUIDS and the disk's UUID.
If I understand correctly your post is only for changing UUID right?
Next time I'll try to learn pastebin. I checked the link the first time you posted it but I don't understand how it works.
Output from parted and blkid is correct.
I saved it to pendrive and opened in a second PC.
Are you able to help me with this.
I checked everything many times.
I tried to do everything like in VM but without mistakes of course.
My options line looks like this:
options cryptdevice=UUID=503d4d44-d8e2-4fb3-8f4d-e8fa00385c4a:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@ rw
Last edited by 860lacov (2021-07-24 22:07:41)
Offline
If I understand correctly your post is only for changing UUID right?
No. It also repeated the information request which contained four items. You posted only two, missing are the contents of the loader for systemd-boot, mkinitcpio.conf.
Edit:
I didn't provide UUIDs because they are long, and I typed everything by hand.
Output from parted and blkid is correct.
I saved it to pendrive and opened in a second PC.
You copied the files to a second PC then typed it out by hand?
Last edited by loqs (2021-07-24 22:32:03)
Offline
mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=()
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=()
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
#HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
entry arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=503d4d44-d8e2-4fb3-8f4d-e8fa00385c4a:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@ rw
loader.conf
default arch.conf
timeout 5
console-mode max
editor yes
blkid
/dev/nvme0n1p3: UUID="503d4d44-d8e2-4fb3-8f4d-e8fa00385c4a" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="1692dd9b-87c0-4f40-892e-d1a56e841b65"
/dev/nvme0n1p1: UUID="FA78-3A23" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="a935fa0f-6fd7-4305-aead-a8b084555d9f"
/dev/nvme0n1p2: LABEL="Windows" BLOCK_SIZE="512" UUID="3A20783D2077FE67" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="294250bb-0c1d-472e-8f88-e1fed8c51abd"
/dev/loop0: TYPE="squashfs"
/dev/mapper/cryptroot: LABEL="arch" UUID="e10849c4-110f-4a7b-9879-db2fd6481a25" UUID_SUB="c3b67c1a-b021-4da5-96ac-a648135c67e2" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/sda2: SEC_TYPE="msdos" LABEL_FATBOOT="ARCHISO_EFI" LABEL="ARCHISO_EFI" UUID="8319-ECE0" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="fa745e56-02"
/dev/sda1: BLOCK_SIZE="2048" UUID="2021-07-01-13-49-18-00" LABEL="ARCH_202107" TYPE="iso9660" PARTUUID="fa745e56-01"
/dev/sdb1: LABEL="Samsung USB" BLOCK_SIZE="512" UUID="DA34402B34400D47" TYPE="ntfs" PARTUUID="1bde7e5b-01"
parted -l
Disk /dev/nvme0n1: 1024GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number  Start   End     Size   File system  Name                  Flags
 1      1049kB  525MB   524MB  fat32        EFI system partition  boot, esp
 2      525MB   702GB   702GB  ntfs         Basic data partition  msftdata
 3      702GB   1024GB  322GB               Linux filesystem
Offline
Not seeing anything wrong with the configuration.
When you are dropped to the rescue shell can you mount the root file-system with:
mount /dev/mapper/cryptroot /new_root
Offline
Not seeing anything wrong with the configuration.
When you are dropped to the rescue shell can you mount the root file-system with:
mount /dev/mapper/cryptroot /new_root
mount: /new_root: no filesystem type specified
and in /dev/mapper there is only control file
Offline
What changed since post #12 where /dev/mapper/cryptroot was created? Are you still being prompted to unlock the encrypted volume?
Offline
What changed since post #12 where /dev/mapper/cryptroot was created? Are you still being prompted to unlock the encrypted volume?
I didn't understand your question fully.
cryptroot is there when I unlock it from live CD
During "this" fight I booted many times from usb to check config files.
Offline
Does /dev/nvme0 exist from the rescue prompt? If not is the system using an Intel CPU?
Offline
Does /dev/nvme0 exist from the rescue prompt? If not is the system using an Intel CPU?
There is no nvme0 (or any other nvme)
This is 11th gen intel 1165G
Offline