
#1 2021-10-03 19:18:42

Gaen

[SOLVED] Pendrive | GRUB | LVM on LUKS | ERROR: device not found

Hi!

I want to create a bootable encrypted pendrive using LVM on LUKS for both BIOS and UEFI systems.
Currently testing the whole installation process inside VirtualBox with snapshots.

Summarized installation:

==============================================
ARCH ISO - PREPARATION
==============================================

	# Live-ISO prep: console keymap and font, then confirm the interface is up
	# and reachable before refreshing the mirror list with reflector.
	loadkeys ...
	setfont ...
	ip link
	ping -c 5 archlinux.org
	reflector ...

==============================================
PARTITIONING
==============================================

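	# Confirm the target before partitioning: everything below assumes the
	# pendrive shows up as /dev/sda (VirtualBox here; re-check on real hardware).
	# The original notes used "//", which is not a shell comment and would be
	# executed as a command; "#" is used instead.
	lsblk
	# name of the usb device is "sda"
	
	# -o wipes the existing table and starts a fresh GPT, then: a 10M BIOS boot
	# partition (EF02, where GRUB's legacy core image goes), a 550M EFI system
	# partition (EF00), and the remainder typed Linux LUKS (8309) for the
	# encrypted container.
	sgdisk -o -n 1:0:+10M -t 1:EF02 -n 2:0:+550M -t 2:EF00 -n 3:0:0 -t 3:8309 /dev/sda
	# 10M BIOS partition, a 550M EFI partition, 100%FREE Linux LUKS partition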
	
	lsblk /dev/sda
		
		NAME   			MAJ:MIN	RM  SIZE 	RO	TYPE MOUNTPOINT
		sda      		x:xxx  	x  	[xx]G 	0 	disk
			├─sda1   	x:xxx  	x   	10M  	0 	part			BIOS/MBR	| EF02
			├─sda2   	x:xxx  	x  	550M 	0 	part			EFI		| EF00
			└─sda3   	x:xxx  	x 	[xx]G 	0 	part			Linux LUKS	| 8309

	# The ESP has to be FAT for UEFI firmware to read it.
	mkfs.fat -F32 /dev/sda2
	
	# LUKS container on the data partition. --type luks1 is presumably chosen
	# because GRUB's cryptodisk support (GRUB_ENABLE_CRYPTODISK=y later on) must
	# unlock this container to reach /boot -- confirm against the GRUB version
	# in use before considering luks2. -S 1 stores the passphrase in key slot 1,
	# -s 512 selects a 512-bit key, -h sha512 the PBKDF hash, and -i 5000 a
	# 5 s iteration time for the passphrase slot.
	cryptsetup luksFormat --type luks1 --use-random -S 1 -s 512 -h sha512 -i 5000 /dev/sda3
	# The mapped name "cryptLVM" is what cryptdevice=...:cryptLVM refers to later.
	cryptsetup open /dev/sda3 cryptLVM
	
	# LVM on top of the opened container: one PV, one VG "vg", two LVs.
	pvcreate /dev/mapper/cryptLVM
	
	vgcreate vg /dev/mapper/cryptLVM
	
	# root takes half of the VG; home takes whatever is left after root is
	# carved out, so the order of these two lines matters.
	lvcreate -l 50%FREE vg -n root
	lvcreate -l 100%FREE vg -n home
	
	mkfs.ext4 /dev/vg/root
	mkfs.ext4 /dev/vg/home
	
	mount /dev/vg/root /mnt
	
	mkdir /mnt/home
	mount /dev/vg/home /mnt/home

	# Only the ESP is mounted from an unencrypted partition; /boot itself stays
	# on the encrypted root LV, so kernels, initramfs images and grub.cfg never
	# sit on plaintext storage.
	mkdir -p /mnt/boot/efi
	mount /dev/sda2 /mnt/boot/efi
	
==============================================
INSTALL BASE PACKAGE SET
==============================================

	# Base system plus what this layout needs to boot: lvm2 for the VG, grub and
	# efibootmgr for both firmware types, both microcode packages because the
	# stick must boot on unknown Intel or AMD hosts, iwd for wireless.
	pacstrap /mnt base base-devel linux linux-firmware linux-headers lvm2 intel-ucode amd-ucode vim git grub efibootmgr iwd acpi terminus-font bdf-unifont
	
==============================================
GENERATE FILE SYSTEM TABLE
==============================================

	# -U records filesystems by UUID rather than /dev/sdX name, which a pendrive
	# that moves between hosts needs.
	genfstab -U /mnt > /mnt/etc/fstab
	
==============================================
MOUNT OPTIONS
==============================================

	vim /mnt/etc/fstab
		> Change "relatime" option to "noatime"

==============================================
CHANGE ROOT & CHECK PARTITIONS
==============================================

	arch-chroot /mnt
	
	# Sanity check from inside the chroot: the crypt and lvm layers should now
	# appear under sda3, as in the tree below.
	lsblk /dev/sda
		
		NAME   						MAJ:MIN	RM  SIZE 	RO	TYPE 	MOUNTPOINT
		sda      					x:xxx  	x  	[xx]G 	0 	disk
			├─sda1   				x:xxx  	x   	10M  	0 	part
			├─sda2   				x:xxx  	x  	550M 	0 	part	/mnt/boot/efi
			└─sda3   				x:xxx  	x 	[xx]G 	0 	part
				└─cryptLVM			x:xxx	x	[xx]G	0	crypt
					├─vg-root		x:xxx	x	[xx]G	0	lvm	/mnt
					└─vg-home		x:xxx	x	[xx]G	0	lvm	/mnt/home

==============================================
SET LOCALE & FONT
==============================================

	# Timezone link and hardware clock, then locale and console settings.
	ln -sf ...
	hwclock --systohc
	
	vim /etc/locale.gen
	
	locale-gen
	
	vim /etc/locale.conf
	
	# The keymap and font set here are presumably what the keymap/consolefont
	# initramfs hooks use for the passphrase prompt -- confirm after the first
	# boot that the expected layout is active at the prompt.
	vim /etc/vconsole.conf
	
==============================================
HOSTNAME
==============================================

	# Hostname, plus matching entries in /etc/hosts.
	echo "..." > /etc/hostname
	vim /etc/hosts

==============================================
NETWORK
==============================================

	# Masking 80-net-setup-link.rules turns off predictable interface naming so
	# the .network files below can match classic names on whatever host the
	# stick is plugged into -- presumably the reason for doing it on a
	# portable build.
	ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules
	vim /etc/systemd/network/20-ethernet.network
	
	systemctl enable systemd-networkd.service
	systemctl enable systemd-resolved.service
	systemctl enable iwd.service
	
	# Wireless config is cloned from the wired one and then edited.
	cp /etc/systemd/network/20-ethernet.network /etc/systemd/network/20-wlan.network
	vim /etc/systemd/network/20-wlan.network
	
	systemctl enable systemd-timesyncd.service
	
==============================================
USER
==============================================

	# root password, then an unprivileged user with a home directory (-m) in
	# the wheel group (-G); sudo rights for wheel are granted through visudo,
	# which validates the file before saving.
	passwd
	useradd -mG wheel ...
	passwd ...
	
	EDITOR=vim visudo
		%wheel ALL=(ALL) ALL

==============================================
JOURNAL CONFIGURATION
==============================================

	# Volatile journal: nothing is written to the encrypted root and the size
	# caps keep it small in RAM. Trade-off: no logs survive a reboot, so there
	# is nothing to look at afterwards if a session goes wrong.
	mkdir -p /etc/systemd/journald.conf.d
	vim /etc/systemd/journald.conf.d/10-volatile.conf
		[Journal]
		Storage=volatile
		SystemMaxUse=16M
		RuntimeMaxUse=32M

==============================================
INITRAMFS
==============================================

	# Hook order matters: keyboard/keymap/consolefont come before encrypt so
	# the passphrase prompt presumably uses the configured layout, encrypt comes
	# before lvm2 so the container is open when the VG is scanned, and lvm2
	# before filesystems so /dev/vg/root exists when it is mounted.
	vim /etc/mkinitcpio.conf
		HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)
		
	mkinitcpio -p linux
	
==============================================
BOOTLOADER
==============================================
	
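	# cryptdevice= needs the UUID of the LUKS container itself, i.e. the raw
	# sda3 partition, not of the LVM PV that appears once it is opened. Ask
	# blkid for that single tag directly rather than scraping its text output:
	# the regex version matched lines by device name and depended on GNU sed's
	# \s, which is exactly how the wrong device got picked once.
	blkid -s UUID -o value /dev/sda3 > uuid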
	
	vim uuid
		yy
		:tabe /etc/default/grub
		p
			GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxxxx-xxxxxx-xxxxx-xxxxxx:cryptLVM root=/dev/vg/root"
			GRUB_ENABLE_CRYPTODISK=y
		
	rm uuid
	
	# Legacy-BIOS GRUB into the EF02 partition; its files go to /boot on the
	# encrypted root, which is what GRUB_ENABLE_CRYPTODISK=y above is for.
	grub-install --target=i386-pc --boot-directory=/boot /dev/sda
	# --removable installs to the fallback EFI/BOOT path on the ESP so the stick
	# boots on any UEFI host without needing a firmware boot entry.
	grub-install --target=x86_64-efi --efi-directory=/boot/efi --boot-directory=/boot --removable --recheck
	grub-mkconfig -o /boot/grub/grub.cfg
	
==============================================
EMBED A KEYFILE IN INITRAMFS
==============================================

	# Second unlock: GRUB already prompts for the passphrase to read /boot; the
	# keyfile lets the initramfs encrypt hook open sda3 again without a second
	# prompt (the stick still asks for the passphrase once at boot).
	mkdir /root/secrets
	chmod 700 /root/secrets
	# 64 random bytes is a 512-bit key; unlike a passphrase it gains nothing
	# from a slow PBKDF, which is the only reason -i 1 is acceptable below.
	head -c 64 /dev/urandom > /root/secrets/crypto_keyfile.bin
	chmod 600 /root/secrets/crypto_keyfile.bin
	cryptsetup -v luksAddKey -i 1 /dev/sda3 /root/secrets/crypto_keyfile.bin
	
	# FILES= copies the keyfile into every initramfs built from now on. That
	# image is therefore a LUKS key: it must only ever live on the encrypted
	# root (/boot is not on the ESP in this layout) and must not be readable
	# by other local users.
	vim /etc/mkinitcpio.conf
		FILES=(/root/secrets/crypto_keyfile.bin)
		
	mkinitcpio -p linux
	
	# cryptkey=rootfs:<path> tells the encrypt hook to read the key from inside
	# the initramfs rather than from a device.
	vim /etc/default/grub
		GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxxxx-xxxxxx-xxxxx-xxxxxx:cryptLVM root=/dev/vg/root cryptkey=rootfs:/root/secrets/crypto_keyfile.bin"
		
	grub-mkconfig -o /boot/grub/grub.cfg
	
	# Lock the images down against unprivileged local users after boot.
	# NOTE(review): re-check these modes after any later mkinitcpio run, and if
	# the keyfile slot is ever removed, rebuild the initramfs so the old key is
	# not left embedded in /boot.
	chmod 700 /boot
	chmod 600 /boot/initramfs-linux*
	

Edit:
I screwed up the whole thing by using the wrong UUID, and the boot partition was not right either.

blkid | sed -n '/cryptLVM/s/.*UUID=\"\([^\"]*\)\".*/\1/p' > uuid		<< Wrong UUID = "device not found" (this matches the opened mapper device, i.e. the LVM PV inside the container, not the LUKS header on sda3 that cryptdevice= needs)
	
blkid | sed -n '/sda3/s/.*\sUUID=\"\([^\"]*\)\".*/\1/p' > uuid			<< Correct one!

"Tip: /boot is not required to be kept in a separate partition; it may also stay under the system's root / directory tree." 
- Arch Wiki

After fixing all of this, the pendrive works as intended; asks for the passphrase on both BIOS and UEFI systems.

Last edited by Gaen (2021-10-12 13:00:49)

