
#1 2022-08-01 06:26:55

leomeinel
Member
Registered: 2022-08-01
Posts: 33

[SOLVED] Encrypted RAID1 btrfs install booting to EFI Shell

Hello everyone,

Today I tried installing Arch on an encrypted btrfs RAID1. I have installed Arch lots of times before and am currently running Artix on my home PC. I will switch to a laptop soon and tried the install on a qemu/virt-manager VM first (of course with 2 VirtIO disks and EFI).
-> The EDIT TO MATCH in the following code means edit the line concerned to match what is written down. The other input is just tty of the installer.
This was my setup process that results in the system booting to EFI Shell:

loadkeys de-latin1
ls /sys/firmware/efi/efivars
timedatectl set-ntp true
lsblk
gdisk /dev/vda
-> n, ENTER, ENTER, +1G, ef00,
   n, ENTER, ENTER, ENTER, ENTER, w
gdisk /dev/vdb
-> n, ENTER, ENTER, +1G, ef00,
   n, ENTER, ENTER, ENTER, ENTER, w
mkfs.fat -F32 /dev/vda1
mkfs.fat -F32 /dev/vdb1
cryptsetup -y -v -c aes-xts-plain64 -h sha512 -s 512 --type luks2 luksFormat /dev/vda2
cryptsetup -y -v -c aes-xts-plain64 -h sha512 -s 512 --type luks2 luksFormat /dev/vdb2
cryptsetup luksOpen /dev/vda2 vda2_crypt
cryptsetup luksOpen /dev/vdb2 vdb2_crypt
mkfs.btrfs -m raid1 -d single /dev/mapper/vda2_crypt /dev/mapper/vdb2_crypt
mount /dev/mapper/vda2_crypt /mnt
cd /mnt
btrfs subvolume create @
btrfs subvolume create @tmp
btrfs subvolume create @.snapshots
btrfs subvolume create @var
btrfs subvolume create @home
cd
btrfs subvolume list /mnt
umount /mnt
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=256 /dev/mapper/vda2_crypt /mnt
mkdir -p /mnt/boot
mkdir -p /mnt/tmp
mkdir -p /mnt/.snapshots
mkdir -p /mnt/var
mkdir -p /mnt/home
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=257 /dev/mapper/vda2_crypt /mnt/tmp
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=258 /dev/mapper/vda2_crypt /mnt/.snapshots
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=259 /dev/mapper/vda2_crypt /mnt/var
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=260 /dev/mapper/vda2_crypt /mnt/home
mount /dev/vda1 /mnt/boot
pacman -Sy archlinux-keyring
pacstrap /mnt base base-devel linux linux-firmware vim btrfs-progs intel-ucode nvidia
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
pacman -Syu
pacman -S plasma-desktop plasma-wayland-session egl-wayland kgpg dolphin gwenview kalendar kmail kmix kompare ksystemlog okular print-manager spectacle sweeper sddm sddm-kcm plasma-nm neofetch htop mpv libreoffice-still rxvt-unicode chromium zram-generator virt-manager qemu-desktop libvirt edk2-ovmf dnsmasq iptables-nft pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber git rustup grub grub-btrfs efibootmgr linux-headers mtools inetutils bluez bluez-utils cups hplip alsa-utils openssh rsync reflector acpi acpi_call tlp qemu-arch-extra bridge-utils openbsd-netcat sof-firmware nss-mdns acpid ntfs-3g nvidia-utils nvidia-settings
groupadd sudo
visudo
-> EDIT TO MATCH:
   %sudo ALL=(ALL:ALL) ALL
useradd -m -G sudo systux
useradd -m -G libvirt virt
useradd -m leo
passwd root
passwd systux
passwd virt
passwd leo
su systux
cd /home/systux
mkdir ./git
cd git
git clone https://aur.archlinux.org/paru.git
cd paru
rustup default stable
makepkg -si
paru -S waterfox-g4-bin
exit
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
hwclock --systohc
vim /etc/locale.gen
-> EDIT TO MATCH:
   en_US.UTF-8 UTF-8
   de_DE.UTF-8 UTF-8
   fr_FR.UTF-8 UTF-8
locale-gen
vim /etc/locale.conf
-> EDIT TO MATCH:
   LANG=en_US.UTF-8
vim /etc/vconsole.conf
-> EDIT TO MATCH:
   KEYMAP=de-latin1
vim /etc/hostname
-> EDIT TO MATCH:
   tux-stellaris-15
vim /etc/hosts
-> EDIT TO MATCH:
   127.0.0.1  localhost
   127.0.1.1  tux-stellaris-15.meinel.dev	tux-stellaris-15
   ::1  localhost ip6-localhost ip6-loopback
   ff02::1         ip6-allnodes
   ff02::2         ip6-allrouters
vim /etc/systemd/zram-generator.conf
-> EDIT TO MATCH:
   [zram0]
   zram-size = ram / 2
   compression-algorithm = zstd
   fs-type = swap
systemctl enable NetworkManager
systemctl enable bluetooth
systemctl enable cups
systemctl enable avahi-daemon
systemctl enable tlp
systemctl enable reflector.timer
systemctl enable fstrim.timer
systemctl enable libvirtd
systemctl enable acpid
systemctl enable nftables
systemctl enable sddm
vim /etc/mkinitcpio.conf
-> EDIT TO MATCH:
   MODULES=(btrfs)
   HOOKS=(base udev autodetect modconf block btrfs encrypt filesystems keyboard fsck)
mkinitcpio -p linux
vim /etc/default/grub
-> EDIT TO MATCH:
   GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=...:vda2_crypt root=/dev/mapper/vda2_crypt cryptdevice=UUID=...:vdb2_crypt root=/dev/mapper/vdb2_crypt video=2560x1440"
=>echo "UUID of both system partitions(not encrypted)" >> /etc/default/grub
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
exit
=>TAKE OUT USB
reboot

If I edit grub.cfg like this it results in the same (Only one cryptdevice) (The UUID after UUID= is the UUID of /dev/vda2 - https://bbs.archlinux.org/viewtopic.php?id=188182):

vim /etc/default/grub
-> EDIT TO MATCH:
   GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=...:vda2_crypt root=/dev/mapper/vda2_crypt"
grub-mkconfig -o /boot/grub/grub.cfg

I would be very happy if someone could give me some input on this, because I tried more or less the same on Debian 11 for a long time and hoped it'd work better on Arch because the installer isn't that weird. Thanks in advance for any feedback!

Last edited by leomeinel (2022-08-02 03:32:59)


#2 2022-08-02 03:31:47

leomeinel
Member
Registered: 2022-08-01
Posts: 33

Re: [SOLVED] Encrypted RAID1 btrfs install booting to EFI Shell

Hello,
I am still kind of interested in why this wouldn't work with a native btrfs RAID, but I found a good solution to my problem using mdadm.
New install procedure:

loadkeys de-latin1
ls /sys/firmware/efi/efivars
timedatectl set-ntp true
lsblk
gdisk /dev/vda
-> n, ENTER, ENTER, +1G, ef00,
   n, ENTER, ENTER, ENTER, fd00, w
gdisk /dev/vdb
-> n, ENTER, ENTER, +1G, ef00,
   n, ENTER, ENTER, ENTER, fd00, w
mkfs.fat -n BOOT -F32 /dev/vda1
mkfs.fat -n BOOT -F32 /dev/vdb1
mdadm --create --verbose --level=1 --metadata=1.2 --raid-devices=2 /dev/md/md0 /dev/vda2 /dev/vdb2
cat /proc/mdstat
cryptsetup open --type plain -d /dev/urandom /dev/md/md0 to_be_wiped
dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=1M status=progress
cryptsetup close to_be_wiped
cryptsetup -y -v -h sha512 -s 512 luksFormat /dev/md/md0
cryptsetup luksOpen /dev/md/md0 md0_crypt
mkfs.btrfs -L MDCRYPT /dev/mapper/md0_crypt
mount /dev/mapper/md0_crypt /mnt
cd /mnt
btrfs subvolume create @
btrfs subvolume create @tmp
btrfs subvolume create @.snapshots
btrfs subvolume create @var
btrfs subvolume create @home
cd
btrfs subvolume list /mnt
umount /mnt
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=256 /dev/mapper/md0_crypt /mnt
mkdir -p /mnt/boot
mkdir -p /mnt/tmp
mkdir -p /mnt/.snapshots
mkdir -p /mnt/var
mkdir -p /mnt/home
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=257 /dev/mapper/md0_crypt /mnt/tmp
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=258 /dev/mapper/md0_crypt /mnt/.snapshots
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=259 /dev/mapper/md0_crypt /mnt/var
mount -o noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvolid=260 /dev/mapper/md0_crypt /mnt/home
mount /dev/vda1 /mnt/boot
pacman -Sy archlinux-keyring
pacstrap /mnt base base-devel linux linux-firmware linux-headers vim btrfs-progs intel-ucode nvidia
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
pacman -Syu
pacman -S plasma-desktop plasma-wayland-session kgpg dolphin gwenview kalendar kmail kmix kompare ksystemlog okular print-manager spectacle sweeper sddm sddm-kcm plasma-nm neofetch htop mpv libreoffice-still rxvt-unicode chromium zram-generator virt-manager qemu-desktop libvirt edk2-ovmf dnsmasq iptables-nft pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber git rustup grub grub-btrfs efibootmgr mtools inetutils bluez bluez-utils cups hplip alsa-utils openssh rsync reflector acpi acpi_call tlp qemu-arch-extra bridge-utils openbsd-netcat sof-firmware nss-mdns acpid ntfs-3g nvidia-settings
groupadd sudo
visudo
-> EDIT TO MATCH:
   %sudo ALL=(ALL:ALL) ALL
useradd -m -G sudo systux
useradd -m -G libvirt virt
useradd -m leo
passwd root
passwd systux
passwd virt
passwd leo
su systux
cd /home/systux
mkdir ./git
cd git
git clone https://aur.archlinux.org/paru.git
cd paru
rustup default stable
makepkg -si
paru -S waterfox-g4-bin
exit
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
timedatectl set-ntp true
hwclock --systohc
vim /etc/locale.gen
-> EDIT TO MATCH:
   en_US.UTF-8 UTF-8
   de_DE.UTF-8 UTF-8
   fr_FR.UTF-8 UTF-8
vim /etc/locale.conf
-> EDIT TO MATCH:
   LANG=en_US.UTF-8
locale-gen
vim /etc/xdg/reflector/reflector.conf
-> EDIT TO MATCH:
   --save /etc/pacman.d/mirrorlist
   --country France,Germany
   --protocol https
   --latest 5
   --sort age
vim /etc/vconsole.conf
-> EDIT TO MATCH:
   KEYMAP=de-latin1
vim /etc/hostname
-> EDIT TO MATCH:
   tux-stellaris-15
vim /etc/hosts
-> EDIT TO MATCH:
   127.0.0.1  localhost
   127.0.1.1  tux-stellaris-15.meinel.dev	tux-stellaris-15
   ::1  ip6-localhost ip6-loopback
   ff02::1  ip6-allnodes
   ff02::2  ip6-allrouters
vim /etc/systemd/zram-generator.conf
-> EDIT TO MATCH:
   [zram0]
   zram-size = ram / 2
   compression-algorithm = zstd
systemctl enable NetworkManager
systemctl enable bluetooth
systemctl enable cups
systemctl enable avahi-daemon
systemctl enable tlp
systemctl enable reflector
systemctl enable reflector.timer
systemctl enable fstrim.timer
systemctl enable libvirtd
systemctl enable acpid
systemctl enable nftables
systemctl enable sddm
vim /etc/mkinitcpio.conf
-> EDIT TO MATCH:
   MODULES=(btrfs)
   HOOKS=(base udev autodetect keyboard keymap consolefont modconf block mdadm_udev encrypt filesystems fsck)
mkinitcpio -p linux
blkid >> /etc/default/grub
vim /etc/default/grub
-> EDIT TO MATCH:
   GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=...:md0_crypt root=/dev/mapper/md0_crypt video=2560x1440"
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
cp -r /boot /boot.bak
umount /boot
mount /dev/vdb1 /boot
cp -r /boot.bak/* /boot/
umount /boot
mount /dev/vda1 /boot
mdadm --detail --scan >> /etc/mdadm.conf
mdadm --assemble --scan
exit
reboot

For anyone interested in trying this themselves, here is a repo with shell scripts. WARNING: This is neither safe nor well tested!

Last edited by leomeinel (2022-08-02 11:47:41)
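
The HOOKS and kernel command lines from both posts, run through a small lint, as an added example that is not part of the thread: mkinitcpio's `encrypt` hook handles a single `cryptdevice=` parameter, and the `keymap` hook has to run before it for the passphrase prompt to use the configured layout (here de-latin1). The function names and finding labels are made up for this example; the inputs are copied from the posts.

```shell
# Added example (not from the thread): lint HOOKS and the kernel command line for the encrypt hook.
# hook_index HOOK "HOOK LIST" -> 1-based position of HOOK, 0 if absent
hook_index() {
    i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$1" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# param_values NAME "CMDLINE" -> every value given as NAME=..., one per line
param_values() {
    for w in $2; do
        case $w in "$1="*) echo "${w#*=}" ;; esac
    done
}

count_words() { n=0; for v in $1; do n=$((n + 1)); done; echo "$n"; }

# lint_boot "HOOK LIST" "CMDLINE" -> space-separated findings, empty if clean
lint_boot() {
    out=""
    enc=$(hook_index encrypt "$1"); map=$(hook_index keymap "$1")
    crypts=$(param_values cryptdevice "$2"); roots=$(param_values root "$2")
    ncrypt=$(count_words "$crypts"); nroot=$(count_words "$roots")
    if [ "$enc" -eq 0 ]; then out="$out NO_ENCRYPT_HOOK"; fi
    # keymap has a runtime part: it must run before the passphrase prompt
    if [ "$enc" -gt 0 ] && { [ "$map" -eq 0 ] || [ "$map" -gt "$enc" ]; }; then
        out="$out KEYMAP_NOT_BEFORE_ENCRYPT"
    fi
    if [ "$ncrypt" -gt 1 ]; then out="$out MULTIPLE_CRYPTDEVICE"; fi
    if [ "$nroot" -gt 1 ]; then out="$out MULTIPLE_ROOT"; fi
    if [ "$ncrypt" -eq 1 ] && [ "$nroot" -eq 1 ]; then
        rest=${crypts#*:}; name=${rest%%:*}  # cryptdevice=device:dmname[:options]
        case $roots in
            /dev/mapper/*) [ "$roots" = "/dev/mapper/$name" ] || out="$out ROOT_NOT_MAPPED_NAME" ;;
        esac
    fi
    echo "${out# }"
}

# Inputs copied from the two posts ("..." is the UUID as elided there)
POST1_HOOKS="base udev autodetect modconf block btrfs encrypt filesystems keyboard fsck"
POST1_CMD="loglevel=3 quiet cryptdevice=UUID=...:vda2_crypt root=/dev/mapper/vda2_crypt cryptdevice=UUID=...:vdb2_crypt root=/dev/mapper/vdb2_crypt video=2560x1440"
POST2_HOOKS="base udev autodetect keyboard keymap consolefont modconf block mdadm_udev encrypt filesystems fsck"
POST2_CMD="loglevel=3 quiet cryptdevice=UUID=...:md0_crypt root=/dev/mapper/md0_crypt video=2560x1440"
echo "post #1: $(lint_boot "$POST1_HOOKS" "$POST1_CMD")"
echo "post #2: $(lint_boot "$POST2_HOOKS" "$POST2_CMD")"
```

The findings concern unlocking the root device in the initramfs; they do not explain the EFI Shell symptom, which occurs before the kernel is loaded.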
