
#1 2022-01-24 00:10:17

nick_0189
Member
Registered: 2020-12-21
Posts: 45

[SOLVED] GRUB Boot LUKS Partition Using Detached Header

Hello Arch Forums,

Is there a way to configure grub to use a detached header file when booting from a LUKS encrypted partition? I know they are required to correctly open the partition, but I can't figure out how I would go about specifying to grub that I want it to use the file when opening the partition.

My goal is sort of to have a hard drive whose contents from start to end are statistically indistinguishable from random data and to have a bootloader separate from it installed to a USB drive capable of booting an operating system hidden in said random data. I'm trying this because I thought it would be fun and neat to know how to do.

Here, I found a person who used the following configuration in /etc/default/grub to supposedly do something similar to what I am attempting, but I can't find any documentation that verifies where he got his parameters from:

GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="enc_drives=/dev/sda enc_type=key enc_options=--header=/etc/header"

His sources aren't specific enough to point me to the place where he found those options. Is there a place I can look to find documentation about those options?

Is this only supposed to be done by just using plain dm-crypt and not LUKS because it doesn't use header files as described here?

Or has anyone had any experience with this program (AUR) or something similar? It appears to be some kind of grub fork with patches adding functionality for keyfiles and detached headers but hasn't seen an update in a while from what I can see.

Thanks in advance,
Nick

Last edited by nick_0189 (2022-02-05 03:16:31)


#2 2022-01-24 00:33:23

frostschutz
Member
Registered: 2013-11-15
Posts: 1,417

Re: [SOLVED] GRUB Boot LUKS Partition Using Detached Header

I don't think grub can do it by itself. (I'm not familiar with the patched grub.)

The solution in your link puts the /boot partition on the USB stick too, so the external header is not used by grub but by the initramfs, so it's a matter of using this within the encrypt (or sd-encrypt) hooks or writing your own initcpio hook.

Last edited by frostschutz (2022-01-24 00:34:17)


#3 2022-01-24 15:46:52

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] GRUB Boot LUKS Partition Using Detached Header

nick_0189 wrote:

His sources aren't specific enough to point me to the place where he found those options. Is there a place I can look to find documentation about those options?

The boot options are for a bliss-initramfs from Gentoo.


#4 2022-01-24 21:07:04

nick_0189
Member
Registered: 2020-12-21
Posts: 45

Re: [SOLVED] GRUB Boot LUKS Partition Using Detached Header

Strike0, I noticed that. I'm assuming that means the kernel parameters in GRUB_CMDLINE_LINUX are specific to the type of initramfs one uses, and the initramfs generator that Arch comes with (mkinitcpio) doesn't have great support for detached headers by default, meaning that if I use detached headers I would need to use another type of initramfs generator such as Dracut or Booster? Thanks for pointing that out. I thought the parameters used in GRUB_CMDLINE_LINUX were specific to grub. It never occurred to me they were related to mkinitcpio specifically.

frostschutz, I didn't know you could edit the hooks for mkinitcpio and make new ones. Thank you for enlightening me. They're written in bash in /lib/mkinitcpio/hooks, so they look quite simple to modify. At first glance, it looks like it would be possible to edit the encrypt hook to add syntax for a header file on a separate partition. That is what it looks like this person tried to do, and a similar procedure is mentioned on the Arch Wiki and in this AUR package. All I have to do is figure out how their scripts work (and the associated syntax required) and either use theirs or make my own.

Otherwise, it looks like I can just use `--type plain` with cryptsetup to not use the header altogether since the default encrypt hook with mkinitcpio appears to be able to decrypt plain dm-crypt devices with the same syntax as LUKS devices.

I'm going to try to write a custom encrypt hook then report back here with the results.

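Added example, not code from this thread, from the AUR encrypt-dh package, or from mkinitcpio's own encrypt hook: the runtime half of a custom initcpio hook of the kind discussed above, written in POSIX sh because mkinitcpio runs hooks under busybox ash. It accepts the cryptdevice=, cryptkey= and cryptheader= parameters that appear later in the thread and turns them into a cryptsetup open call with --header. The parsing lives in its own functions so it can be checked outside an initramfs. Assumptions of this example: the "rootfs:<path>" prefix means the file was embedded in the image via FILES=(...) in mkinitcpio.conf, and the function names parse_file_spec, parse_cryptdevice, build_open_cmd and run_hook are this example's own.

```shell
#!/bin/sh
# Added example, not the AUR encrypt-dh hook and not mkinitcpio's encrypt hook:
# the runtime half of a custom initcpio hook (/etc/initcpio/hooks/<name>) that
# understands the parameters used in this thread:
#   cryptdevice=/dev/sda:cryptroot
#   cryptkey=rootfs:/boot/crypto_keyfile.bin
#   cryptheader=rootfs:/boot/crypto_header
# Assumption: "rootfs:<path>" means the file was copied into the initramfs via
# FILES=(...) in mkinitcpio.conf, so it is readable at <path> inside the image.

# Turn "rootfs:/boot/crypto_header" into "/boot/crypto_header".
# Anything else (a device:path form) is rejected rather than guessed at.
parse_file_spec() {
    case $1 in
        rootfs:/*) printf '%s\n' "${1#rootfs:}" ;;
        *) printf 'unsupported file spec: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Turn "device:name[:options]" into "device name". Fails if either is missing.
parse_cryptdevice() {
    cd_dev=${1%%:*}
    cd_rest=${1#*:}
    cd_name=${cd_rest%%:*}
    [ "$cd_dev" != "$1" ] && [ -n "$cd_dev" ] && [ -n "$cd_name" ] || return 1
    printf '%s %s\n' "$cd_dev" "$cd_name"
}

# Build the cryptsetup invocation for a LUKS volume with a detached header.
# Echoes the command instead of running it so it can be checked in isolation.
build_open_cmd() {
    bo_pair=$(parse_cryptdevice "$1") || return 1
    bo_dev=${bo_pair%% *}
    bo_name=${bo_pair#* }
    bo_hdr=$(parse_file_spec "$3") || return 1
    bo_cmd="cryptsetup open --type luks --header $bo_hdr"
    if [ -n "$2" ]; then
        bo_key=$(parse_file_spec "$2") || return 1
        bo_cmd="$bo_cmd --key-file $bo_key"
    fi
    printf '%s %s %s\n' "$bo_cmd" "$bo_dev" "$bo_name"
}

# Entry point mkinitcpio calls at boot. Its init has already exported every
# key=value kernel parameter as a shell variable of the same name.
run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    [ -n "$cryptdevice" ] || return 0
    rh_hdr=$(parse_file_spec "$cryptheader") || return 1
    if [ ! -r "$rh_hdr" ]; then
        echo "ERROR: header $rh_hdr is not in the initramfs (check FILES= in mkinitcpio.conf)"
        return 1
    fi
    rh_cmd=$(build_open_cmd "$cryptdevice" "$cryptkey" "$cryptheader") || return 1
    # Without a keyfile cryptsetup prompts for the passphrase on the console.
    $rh_cmd || { echo "ERROR: could not open $cryptdevice"; return 1; }
}
```

The install half of the hook (the file under /etc/initcpio/install/) would still have to add the dm-crypt module and the cryptsetup binary to the image; the point here is only that the header check happens before cryptsetup is called, so a missing FILES= entry fails with a clear message instead of a passphrase prompt that can never succeed.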

#5 2022-01-25 08:11:23

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] GRUB Boot LUKS Partition Using Detached Header

The GRUB_CMDLINE_LINUX is indeed not relevant for Grub in any way. You would pass the same commands to any other supported boot loader. If you look at the generated grub.cfg file, you will see references to its config (e.g. Grub modules to load) before.


#6 2022-02-05 03:15:51

nick_0189
Member
Registered: 2020-12-21
Posts: 45

Re: [SOLVED] GRUB Boot LUKS Partition Using Detached Header

Success!

I was able to boot into the system from only the USB successfully. I ended up using the encrypt hook from the AUR because I would have been uselessly reinventing the wheel otherwise.

Here's a short summary of what I did in case anyone else is trying to do the same thing:

  • Formatted a USB Drive with a new GPT, 512MiB EFI System Partition (type to ESP), and 1GiB Boot partition

  • Formatted the ESP as FAT32 and encrypted the boot partition as LUKS1

  • Unlocked and mounted the boot partition to /mnt/boot

  • Encrypted the hard drive (/dev/sda) with a detached header named "crypto_header" in the boot partition

  • Unlocked the hard drive using its header and mounted it to /mnt/root

  • Mounted the Boot partition at /mnt/root/boot

  • Generated the fstab file

  • Installed base system to /mnt/root with the packages "linux base neovim man-db"

  • Chrooted into the base system

  • Installed grub, efibootmgr, cryptroot, cryptsetup, git, base-devel

  • Made a non-root user in the "wheel" group and with a home directory

  • Used `EDITOR=nvim visudo` to allow users in the wheel group to run commands with sudo

  • Switched to the non-root user with su

  • Used git to download this AUR package and installed it

  • Exited the non-root user's shell

  • Created a keyfile named "crypto_keyfile.bin" in the boot partition and added it as a key for /dev/sda

  • Added the absolute paths of the keyfile and header in /boot to the FILES variable in /etc/mkinitcpio.conf

  • Added the encrypt-dh hook between the block and filesystem hooks in the HOOKS variable in /etc/mkinitcpio.conf

  • Regenerated the initramfs

  • Added "cryptdevice=/dev/sda:cryptroot root=/dev/mapper/cryptroot cryptkey=rootfs:/boot/crypto_keyfile.bin cryptheader=rootfs:/boot/crypto_header" to the GRUB_CMDLINE_LINUX variable in /etc/default/grub (you can't use UUIDs here because /dev/sda doesn't have a UUID) and uncommented "GRUB_ENABLE_CRYPTODISK=y"

  • Generated another keyfile for the boot partition this time in root and added as a key for the boot partition

  • Added the boot partition with its keyfile to crypttab

  • Rebooted, input password for the boot partition, waited for login prompt

Of course, I skipped a few important things like setting permissions on the keyfiles and doing basic configuration to the base system such as configuring the locales and setting a root password, but that gets it to boot to a login prompt. I hope I didn't forget anything.

Thanks! Marking as solved...

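Added example reconstructed from the step list in the post above; these are not nick_0189's own commands and nothing here comes from the AUR encrypt-dh package. The script generates the /etc/default/grub and /etc/mkinitcpio.conf lines from a few variables, inserts encrypt-dh between block and filesystems, checks that ordering, checks the keyfile permissions the post says it skipped, and lists the cryptsetup commands for the detached-header root disk. It defaults to a dry run that prints instead of executing. The file names, mapper name and hook name are taken from the post; the helper names (run, grub_cmdline, mkinitcpio_files, insert_hook, check_hook_order, check_keyfile_perms, plan_root_volume), the keyfile size and the use of stat for the mode check are this example's own choices.

```shell
#!/bin/sh
# Added example reconstructed from the step list in this post; not nick_0189's
# own commands and not part of the AUR encrypt-dh package. File names, mapper
# name and hook name are the ones the post uses; everything else is assumed.
# DRY_RUN=1 (default) prints each privileged command instead of running it.

DRY_RUN=${DRY_RUN:-1}
HDR=/boot/crypto_header         # path inside the installed system (and image)
KEY=/boot/crypto_keyfile.bin
NAME=cryptroot
HOOK=encrypt-dh

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# /etc/default/grub: the device is given as /dev/sda literally because a
# headerless whole-disk LUKS container has no UUID to refer to.
# GRUB_ENABLE_CRYPTODISK=y is still needed separately so GRUB can unlock /boot.
grub_cmdline() {
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=%s:%s root=/dev/mapper/%s cryptkey=rootfs:%s cryptheader=rootfs:%s"\n' \
        "$1" "$NAME" "$NAME" "$KEY" "$HDR"
}

# /etc/mkinitcpio.conf: both files are copied into the initramfs image, which
# is why /boot must itself be encrypted (LUKS1, the format GRUB can open).
mkinitcpio_files() { printf 'FILES=(%s %s)\n' "$HDR" "$KEY"; }

# Insert the hook directly after "block" in an existing HOOKS=(...) line.
insert_hook() {
    ih_inner=${1#HOOKS=(}; ih_inner=${ih_inner%)}; ih_out=""
    for h in $ih_inner; do
        ih_out="$ih_out $h"
        if [ "$h" = block ]; then ih_out="$ih_out $HOOK"; fi
    done
    printf 'HOOKS=(%s)\n' "${ih_out# }"
}

# Return 0 only if block comes before the hook and the hook before filesystems.
check_hook_order() {
    co_inner=${1#HOOKS=(}; co_inner=${co_inner%)}
    co_i=0; co_b=0; co_h=0; co_f=0
    for h in $co_inner; do
        co_i=$((co_i + 1))
        case $h in
            block) co_b=$co_i ;;
            "$HOOK") co_h=$co_i ;;
            filesystems) co_f=$co_i ;;
        esac
    done
    [ "$co_b" -gt 0 ] && [ "$co_h" -gt "$co_b" ] && [ "$co_f" -gt "$co_h" ]
}

# The permission step the post skipped: a keyfile readable by anyone but root
# defeats the purpose. Accept mode 600 or 400 only (GNU stat, BSD fallback).
check_keyfile_perms() {
    kp_mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case $kp_mode in 600|400) return 0 ;; *) return 1 ;; esac
}

# cryptsetup side for the root disk, with the header and keyfile placed on the
# (already unlocked and mounted) boot partition. cryptsetup creates the --header
# file for luksFormat when it does not exist yet.
plan_root_volume() {
    pr_dev=$1; pr_mnt=${2:-/mnt/boot}
    run cryptsetup luksFormat --header "$pr_mnt/crypto_header" "$pr_dev"
    run cryptsetup open --header "$pr_mnt/crypto_header" "$pr_dev" "$NAME"
    run dd if=/dev/urandom of="$pr_mnt/crypto_keyfile.bin" bs=512 count=8
    run chmod 600 "$pr_mnt/crypto_keyfile.bin"
    run cryptsetup luksAddKey --header "$pr_mnt/crypto_header" "$pr_dev" "$pr_mnt/crypto_keyfile.bin"
}

# Usage: sh this.sh /dev/sda   (prints the plan and the config lines)
if [ $# -gt 0 ]; then
    plan_root_volume "$1"
    grub_cmdline "$1"
    mkinitcpio_files
    insert_hook "HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)"
fi
```

Because FILES=() copies the keyfile into the initramfs image, the image under /boot holds a copy of the key as well; that is acceptable only because /boot here is an encrypted LUKS1 partition on the USB stick and GRUB unlocks it with a passphrase first. Running the permission check against both the keyfile and the generated image is a cheap way to catch a /boot that was left unencrypted or world-readable.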

#7 2022-06-06 02:06:52

grayower
Member
Registered: 2022-06-06
Posts: 1

Re: [SOLVED] GRUB Boot LUKS Partition Using Detached Header

nick_0189, please tell me more about how you did it.
I repeated your steps above and I have no boot.
What do you have on your 512MB partition?
Could you please show me your device list and configuration files?

