#1 2022-10-24 03:17:52

ltsdw
Member
Registered: 2020-04-20
Posts: 76

[Solved] Unable to boot on a setup: LVM+SSD+HDD full disks encryption

I would love to post the output of the lsblk, but I can't even boot the system right now so bear with me.

Basically I have this setup:

- hdd with only one partition (sda1)
- this partition is encrypted with luks2 and with 3 logical volumes

- nvme with 3 partitions (nvme0n1p1 (for efi), nvme0n1p2 (for boot) and nvme0n1p3 (with 3 logical volumes for swap, root, home and 3 cache pools for sda1 and its 3 logical volumes))
- nvme0n1p2 encrypted with luks1 and nvme0n1p3 encrypted with luks2.

- one physical volume of both nvme0n1p3 (cryptroot) and sda1 (cryptstorage): pvcreate /dev/mapper/cryptroot /dev/mapper/cryptstorage
- one volume group of both nvme0n1p3 (cryptroot) and sda1 (cryptstorage): vgcreate vg /dev/mapper/cryptroot /dev/mapper/cryptstorage

- at sda1 there's 3 logical volumes.
- at nvme0n1p3 there's 3 logical volumes (swap, root, home), and 3 cache pools for the 3 logical volumes of sda1.

- I'm using the same password for the 3 encrypted partitions.

Then the basics:

- formatted everything
- genfstab (the fstab doesn't mount the logical volumes from sda1 (cryptstorage) yet, just want to setup stuff first and re-generate fstab)
- pacstrap
- install grub
- configured grub to decrypt boot
- configured mkinitcpio.conf and all hooks necessary
- kernel command line rd.luks.name=<uuid of the nvme0n1p3 here>=cryptroot root=/dev/vg/root, yes I'm using sd-encrypt
- etc, etc, etc normal arch install stuff.

Grub asks for password for decrypting the boot partition, as expected.
Then the password for decrypting the nvme0n1p3 partition is asked (also as expected), I enter the password and it times out saying something like:

[ TIME ] Timeout waiting for device
[DEPEND] Dependency failed for Initrd Root Device
[DEPEND] Dependency failed for Root Partition
[DEPEND] Dependency failed for Initrd Root File System
[DEPEND] Dependency failed for File System Check on /dev/vg/root

My guess is that it needs to unlock both (sda1 and nvme0n1p3), because, if I manually do something like:

cryptsetup open /dev/nvme0n1p3 cryptroot

It unlocks the partition, but it won't show any logical volume of nvme0n1p3 when doing lsblk.

Only when I unlock sda1 and nvme0n1p3 (or the inverse, nvme0n1p3 and sda1) do all the logical volumes appear and I can mount them.

I tried creating a file at /etc/crypttab with this in it:

cryptstorage /dev/sda1 none

But it's still timing out.

So what am I doing wrong or what should I try? Do I need to unlock both at boot?

EDIT:

Solution

At the wiki: dm-crypt/System configuration Using systemd-cryptsetup-generator

It says that you can use multiple rd.luks.name parameters to unlock multiple disks.

So simply:

rd.luks.name=<uuid of the partition>=somename rd.luks.name=<another uuid for the root partition>=someanothername root=path/to/lv/root

Or something like that will do the trick.

For my setup the password is asked once to unlock boot and once more for the root partition; as the sd-encrypt hook will try to use the password to unlock other partitions that have the same password, it will not ask for the password for cryptstorage.

It just doesn't ask for the password only once because the first time it is GRUB that is handling the password for decrypting the boot partition, not the sd-encrypt hook.

But I'm ok having to type it two times.

There's only one problem right now: ntfs partitions are failing to mount, so I'll have to figure this one out.

Thank you all peps. :)

Last edited by ltsdw (2022-10-24 15:32:39)
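
Added example, not part of the original post: a POSIX shell check for the failure described above, where the root volume group spans two LUKS containers but the kernel command line names only one. The function names and the UUIDs are constructed for illustration; on a real system the required UUIDs would come from `cryptsetup luksUUID <device>` and the command line from /proc/cmdline.

```shell
#!/bin/sh
# Constructed placeholder UUIDs standing in for nvme0n1p3 and sda1.
NVME_UUID=11111111-1111-1111-1111-111111111111
SDA_UUID=22222222-2222-2222-2222-222222222222

# Command line that only unlocks cryptroot (the timeout case) and the
# corrected one with a second rd.luks.name= for cryptstorage.
BROKEN="rd.luks.name=$NVME_UUID=cryptroot root=/dev/vg/root"
FIXED="rd.luks.name=$NVME_UUID=cryptroot rd.luks.name=$SDA_UUID=cryptstorage root=/dev/vg/root"

# Print every LUKS UUID a kernel command line asks systemd to unlock.
# Handles rd.luks.name=<UUID>=<name>, rd.luks.uuid=<UUID> and the luks.* forms.
cmdline_luks_uuids() {
    for arg in $1; do
        case "$arg" in
            rd.luks.name=*|luks.name=*)
                v=${arg#*luks.name=}          # leaves <UUID>=<name>
                printf '%s\n' "${v%%=*}" ;;   # keep only <UUID>
            rd.luks.uuid=*|luks.uuid=*)
                v=${arg#*luks.uuid=}
                printf '%s\n' "${v#luks-}" ;; # optional "luks-" prefix
        esac
    done
}

# Usage: missing_luks_uuids "<cmdline>" <required-uuid>...
# Prints each required UUID the command line does not unlock.
# Returns 0 when all are covered, 1 when at least one is missing.
missing_luks_uuids() {
    cmdline=$1; shift
    have=$(cmdline_luks_uuids "$cmdline")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qixF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Every container backing a PV of the root VG must be listed.
for c in "$BROKEN" "$FIXED"; do
    if m=$(missing_luks_uuids "$c" "$NVME_UUID" "$SDA_UUID"); then
        echo "ok: all PV containers unlocked in the initramfs"
    else
        echo "missing rd.luks.name= for: $m"
    fi
done
```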


#2 2022-10-24 03:35:41

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,178

Re: [Solved] Unable to boot on a setup: LVM+SSD+HDD full disks encryption

ltsdw wrote:

I would love to post the output of the lsblk, but I can't even boot the system right now so bear with me.

Boot the live medium, mount appropriately and arch-chroot. Then you can post the output of lsblk, fdisk -l, the journal etc.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2022-10-24 03:44:17

ltsdw
Member
Registered: 2020-04-20
Posts: 76

Re: [Solved] Unable to boot on a setup: LVM+SSD+HDD full disks encryption

cfr wrote:

Boot the live medium, mount appropriately and arch-chroot. Then you can post the output of lsblk, fdisk -l, the journal etc.

Right, I guess in that case I'll have to setup the DISPLAY envar and use startx to launch firefox or some other browser to post the output here, I'll do that tomorrow.

Last edited by ltsdw (2022-10-24 03:44:48)


#4 2022-10-24 03:52:54

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,178

Re: [Solved] Unable to boot on a setup: LVM+SSD+HDD full disks encryption

ltsdw wrote:
cfr wrote:

Boot the live medium, mount appropriately and arch-chroot. Then you can post the output of lsblk, fdisk -l, the journal etc.

Right, I guess in that case I'll have to setup the DISPLAY envar and use startx to launch firefox or some other browser to post the output here, I'll do that tomorrow.

No need. See https://wiki.archlinux.org/title/List_o … n_services.



#5 2022-10-24 05:19:48

lfitzgerald
Member
Registered: 2021-07-16
Posts: 175

Re: [Solved] Unable to boot on a setup: LVM+SSD+HDD full disks encryption

Do you have a single lvm pv spanning two separate drives? If this is a new install, maybe you can just make a separate pv on each drive and avoid this issue?

I have a very similar setup, except my root is on a single drive, and everything except that looks correct to me. You say:

ltsdw wrote:

My guess is that it needs to unlock both (sda1 and nvme0n1p3), because, if I manually do something like:

cryptsetup open /dev/nvme0n1p3 cryptroot

It unlocks the partition, but it won't show any logical volume of nvme0n1p3 when doing lsblk.

Only when I unlock sda1 and nvme0n1p3 (or the inverse, nvme0n1p3 and sda1) do all the logical volumes appear and I can mount them.

It sounds like both of 2 drives must be unlocked before your system is usable and able to process crypttab. Does sd-encrypt accept the rd.luks.name= parameter twice, once for your nvme0n1p3 and once for your sda1? If not, I would simply redo the partitioning so that nvme0n1p3 can boot into Arch by itself, even with sda1 disconnected. Then put sda1 in crypttab, and put the lvms of sda1 in fstab, so that they get unlocked and mounted by Arch after boot, not by grub during boot.

I'm assuming btw if you put rd.luks.name=<UUID of sda1> that won't work either, right?

Btw there's a way to make it so that you can write data to the USB drive you use for Arch liveiso. That way when you're booted into the live env, you can save outputs to the USB, and you can also put your own scripts on there for doing various things when in the live env (like a script to decrypt/mount all the drives you need).


#6 2022-10-24 15:10:07

ltsdw
Member
Registered: 2020-04-20
Posts: 76

Re: [Solved] Unable to boot on a setup: LVM+SSD+HDD full disks encryption

Ok, I'll use that in future, didn't know you could "pipe" the output of commands using curl (also didn't know ix.io, 0x0.st, etc).


#7 2022-10-24 15:15:36

ltsdw
Member
Registered: 2020-04-20
Posts: 76

Re: [Solved] Unable to boot on a setup: LVM+SSD+HDD full disks encryption

lfitzgerald wrote:

Do you have a single lvm pv spanning two separate drives? If this is a new install, maybe you can just make a separate pv on each drive and avoid this issue?

I have a very similar setup, except my root is on a single drive, and everything except that looks correct to me. You say:

ltsdw wrote:

My guess is that it needs to unlock both (sda1 and nvme0n1p3), because, if I manually do something like:

cryptsetup open /dev/nvme0n1p3 cryptroot

It unlocks the partition, but it won't show any logical volume of nvme0n1p3 when doing lsblk.

Only when I unlock sda1 and nvme0n1p3 (or the inverse, nvme0n1p3 and sda1) do all the logical volumes appear and I can mount them.

It sounds like both of 2 drives must be unlocked before your system is usable and able to process crypttab. Does sd-encrypt accept the rd.luks.name= parameter twice, once for your nvme0n1p3 and once for your sda1? If not, I would simply redo the partitioning so that nvme0n1p3 can boot into Arch by itself, even with sda1 disconnected. Then put sda1 in crypttab, and put the lvms of sda1 in fstab, so that they get unlocked and mounted by Arch after boot, not by grub during boot.

I'm assuming btw if you put rd.luks.name=<UUID of sda1> that won't work either, right?

Btw there's a way to make it so that you can write data to the USB drive you use for Arch liveiso. That way when you're booted into the live env, you can save outputs to the USB, and you can also put your own scripts on there for doing various things when in the live env (like a script to decrypt/mount all the drives you need).

Actually yes, it accepts more than one rd.luks.name parameter, that's why I chose sd-encrypt, because I read it was able to do that.

But I don't know where I saw that information, but then reading this section of the wiki dm-crypt/System_configuration Using systemd-cryptsetup-generator I saw the syntax, and confirmed that in fact you can have multiple rd.luks.name parameters.

Last edited by ltsdw (2022-10-24 15:16:07)
