
#1 2023-04-19 07:35:32

yogatester
Member
Registered: 2023-04-19
Posts: 2

install full encrypted disk with detached headers on usb

Hi to all! I'm a newbie in Arch Linux and I want to install an encrypted OS to an SSD with detached headers on another USB device.
I found a great manual: https://gmpreussner.com/reference/fully … n-yoga-920
But it doesn't work for me. At first I got errors with GRUB and errors about a wrong passphrase. I think it is related to the topic that in new GRUB versions the UUID of the cryptdevice must be without dashes (https://forum.manjaro.org/t/luks-error-after-latest-major-update-manjaro-kde/138705). I resolved it by installing an old version of GRUB.

But now I get an error from GRUB: "No such device: ee7..[other_part_of_Uid]
Unknown filesystem"

I think I have some misunderstanding of the scheme in the manual that I linked above.
It looks like GRUB tries to load a partition that is still not decrypted.
I need help, guys. I have been trying to solve this issue for 5 days already.

Here are all my configs.

sda is the installer USB
sdc is the flash drive with the LUKS headers etc.

lsblk:

NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0             7:0    0 687.9M  1 loop  /run/archiso/airootfs
sda               8:0    1  57.8G  0 disk 
├─sda1            8:1    1   794M  0 part 
└─sda2            8:2    1    15M  0 part 
sdc               8:16   1  29.3G  0 disk 
├─sdc1            8:17   1   100M  0 part  /mnt/boot/efi
├─sdc2            8:18   1   512M  0 part 
│ └─cryptboot   254:0    0   496M  0 crypt /mnt/boot
│                                          /mnt
└─sdc3            8:19   1  28.7G  0 part 
nvme0n1         259:0    0 476.9G  0 disk 
└─cryptroot     254:1    0 476.9G  0 crypt
  ├─System-swap 254:2    0     8G  0 lvm   [SWAP]
  └─System-root 254:3    0 468.9G  0 lvm   /mnt/.snapshots
                                           /mnt/home
                                           /mnt

blkid:

/dev/mapper/cryptroot: UUID="WqE..." TYPE="LVM2_member"
/dev/mapper/System-swap: UUID="a8f..." TYPE="swap"
/dev/loop0: TYPE="squashfs"
/dev/mapper/cryptboot: UUID="ee7..." BLOCK_SIZE="1024" TYPE="ext2"
/dev/sdc2: UUID="fb2..." TYPE="crypto_LUKS" PARTLABEL="Boot" PARTUUID="f9f..."
/dev/sdc3: UUID="A6B..." BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="Storage" PARTUUID="131..."
/dev/sdc1: UUID="610..." BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="ESP" PARTUUID="d4c..."
/dev/sda2: SEC_TYPE="msdos" LABEL_FATBOOT="ARCHISO_EFI" LABEL="ARCHISO_EFI" UUID="A61..." BLOCK_SIZE="512" TYPE="vfat" PARTUUID="a6d..."
/dev/sda1: BLOCK_SIZE="2048" UUID="2023-04-01-06-07-22-00" LABEL="ARCH_202304" TYPE="iso9660" PARTUUID="a6d.."
/dev/mapper/System-root: UUID="74f..." UUID_SUB="9f6..." BLOCK_SIZE="4096" TYPE="btrfs"

/etc/crypttab:

cryptboot UUID=fb2... none noauto,luks

/etc/fstab:

# /dev/mapper/cryptboot
UUID=ee7..    /             ext2          rw,relatime    0 1

# /dev/mapper/System-root
UUID=74f..    /             btrfs         rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache=v2,subvolid=256,subvol=/@    0 0

# /dev/mapper/cryptboot
UUID=ee7..    /boot         ext2          rw,relatime    0 2

# /dev/sda1
UUID=610...          /boot/efi     vfat          rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro    0 2

# /dev/mapper/System-root
UUID=74f..    /home         btrfs         rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache=v2,subvolid=257,subvol=/@home    0 0

# /dev/mapper/System-root
UUID=74f..    /.snapshots    btrfs         rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache=v2,subvolid=258,subvol=/@snapshots    0 0

# /dev/mapper/System-swap
UUID=a8f..    none          swap          defaults      0 0

/etc/default/grub:

# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-id/nvme-HFM512:cryptroot:allow-discards,header"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm lvm2"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=1024x768x32

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false

/boot/grub/grub.cfg:

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
insmod lvm
insmod lvm2
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod lvm
insmod btrfs
set root='lvmid/EtZrcs.../Dbm29L...'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='lvmid/EtZrcs.../Dbm29L...'  74f...
else
  search --no-floppy --fs-uuid --set=root 74f...
fi
    font="/@/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=1024x768x32
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=C
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-74f...' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod ext2
    search --no-floppy --fs-uuid --set=root ee7...
    echo    'Loading Linux linux ...'
    linux    /vmlinuz-linux root=/dev/mapper/System-root rw rootflags=subvol=@ cryptdevice=/dev/disk/by-id/nvme-HFM512:cryptroot:allow-discards,header loglevel=3 quiet
    echo    'Loading initial ramdisk ...'
    initrd    /intel-ucode.img /initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-74f...' {
    menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-74f...' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod ext2
        search --no-floppy --fs-uuid --set=root ee7...
        echo    'Loading Linux linux ...'
        linux    /vmlinuz-linux root=/dev/mapper/System-root rw rootflags=subvol=@ cryptdevice=/dev/disk/by-id/nvme-HFM512:cryptroot:allow-discards,header loglevel=3 quiet
        echo    'Loading initial ramdisk ...'
        initrd    /intel-ucode.img /initramfs-linux.img
    }
    menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-74f...' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod ext2
        search --no-floppy --fs-uuid --set=root ee7...
        echo    'Loading Linux linux ...'
        linux    /vmlinuz-linux root=/dev/mapper/System-root rw rootflags=subvol=@ cryptdevice=/dev/disk/by-id/nvme-HFM512:cryptroot:allow-discards,header loglevel=3 quiet
        echo    'Loading initial ramdisk ...'
        initrd    /intel-ucode.img /initramfs-linux-fallback.img
    }
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
    fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###

### BEGIN /etc/grub.d/60_memtest86+ ###
if [ "${grub_platform}" == "pc" ]; then
    menuentry "Memory Tester (memtest86+)" --class memtest86 --class gnu --class tool {
        search --fs-uuid --no-floppy --set=root  ee7...
        linux16 /memtest86+/memtest.bin
    }
fi
### END /etc/grub.d/60_memtest86+ ###

Last edited by yogatester (2023-04-19 09:16:32)


#2 2023-04-19 10:54:53

yogatester
Member
Registered: 2023-04-19
Posts: 2

Re: install full encrypted disk with detached headers on usb

I found a solution.
It was because cryptsetup by default encrypts the partition with LUKS2, but old GRUB works only with LUKS1.

I converted the boot partition to LUKS1:
sudo cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sdc1
sudo cryptsetup convert --type luks1 /dev/sdc1

But now there is another problem: after I enter the password for the USB and the SSD I get this error:

[TIME] Timed out for device /dev/disk/by-uuid/ee7...
[DEPEND] Dependency failed for /boot
[DEPEND] Dependency failed for Local File Systems
[DEPEND] Dependency failed for /boot/efi
[DEPEND] Dependency failed for File System Check on /dev/disk/by-uuid/ee7...

If you can advise me, I will be glad.

Last edited by yogatester (2023-04-20 01:42:12)

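The LUKS1-versus-LUKS2 distinction in the post above is visible in the first bytes of the header, whether that header sits on the partition or in a detached header file. The following checker is an added example for this thread, not cryptsetup's or GRUB's own code: it reads the fixed binary part of a LUKS header and reports the format version and UUID. The function names, and the sample headers built by make_luks1_header and make_luks2_header, are constructed here for illustration (the layouts follow the LUKS1 and LUKS2 on-disk formats; only the fixed prefix up to the UUID field is built). It looks only at the header version, not at the keyslot PBKDF, so it answers "is this LUKS1?" and nothing more.

```python
"""Report whether a LUKS header (on a partition or in a detached header file)
is LUKS1 or LUKS2, which is what decides whether an older GRUB can unlock it.
Added example for this thread; function names and sample headers are
constructed here and are not cryptsetup's API."""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic (LUKS1 and LUKS2)
LUKS2_MAGIC_SECONDARY = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic
UUID_OFFSET = 168                        # both layouts keep a NUL-padded 40-byte UUID here


def luks_version(header: bytes):
    """Return 1 or 2 for a LUKS1/LUKS2 header, or None if it is not a LUKS header."""
    if len(header) < 8 or header[:6] not in (LUKS_MAGIC, LUKS2_MAGIC_SECONDARY):
        return None
    (version,) = struct.unpack_from(">H", header, 6)  # big-endian uint16 at offset 6
    return version if version in (1, 2) else None


def luks_uuid(header: bytes):
    """Return the UUID string stored in the header, or None if unreadable."""
    if luks_version(header) is None or len(header) < UUID_OFFSET + 40:
        return None
    raw = header[UUID_OFFSET:UUID_OFFSET + 40].split(b"\0", 1)[0]
    return raw.decode("ascii", "replace") or None


def grub_can_unlock(header: bytes) -> bool:
    """The older GRUB used in this thread only opens LUKS1 volumes."""
    return luks_version(header) == 1


def inspect_header_file(path: str):
    """Read the fixed binary header from a block device or a detached header file."""
    with open(path, "rb") as fh:
        header = fh.read(4096)
    return {"version": luks_version(header), "uuid": luks_uuid(header),
            "grub_ok": grub_can_unlock(header)}


def _pad(value: bytes, size: int) -> bytes:
    return value.ljust(size, b"\0")


def make_luks1_header(uuid: str) -> bytes:
    """Constructed 208-byte LUKS1 phdr following the LUKS1 on-disk layout."""
    return b"".join([
        LUKS_MAGIC, struct.pack(">H", 1),
        _pad(b"aes", 32), _pad(b"xts-plain64", 32), _pad(b"sha256", 32),
        struct.pack(">II", 4096, 64),   # payload offset (sectors), key bytes
        b"\0" * 20, b"\0" * 32,         # master-key digest and its salt (zeroed)
        struct.pack(">I", 1000),        # digest iterations
        _pad(uuid.encode(), 40),
    ])


def make_luks2_header(uuid: str) -> bytes:
    """Constructed prefix of a LUKS2 binary header (the real one is 4096 bytes + JSON)."""
    return b"".join([
        LUKS_MAGIC, struct.pack(">H", 2),
        struct.pack(">QQ", 16384, 1),   # hdr_size, seqid
        b"\0" * 48,                     # label
        _pad(b"sha256", 32),            # checksum algorithm
        b"\0" * 64,                     # salt
        _pad(uuid.encode(), 40),
    ])


SAMPLE_UUID = "00000000-1111-2222-3333-444444444444"  # constructed, not a real volume
SAMPLE_LUKS1 = make_luks1_header(SAMPLE_UUID)
SAMPLE_LUKS2 = make_luks2_header(SAMPLE_UUID)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, inspect_header_file(path))
```

Run it as root against the boot partition or the detached header file (for example `python3 luks_check.py /dev/sdc2`); reading the header requires no passphrase, so this is a safe first check before reinstalling GRUB.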

#3 2023-04-19 22:34:22

jonno2002
Member
Registered: 2016-11-21
Posts: 684

Re: install full encrypted disk with detached headers on usb

You have 2 devices mounted to '/' in your fstab, and cryptboot mounted twice:

# /dev/mapper/cryptboot
UUID=ee7..    /             ext2          rw,relatime    0 1

# /dev/mapper/System-root
UUID=74f..    /             btrfs         rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache=v2,subvolid=256,subvol=/@    0 0

# /dev/mapper/cryptboot
UUID=ee7..    /boot         ext2          rw,relatime    0 2

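The two mistakes pointed out above (two entries for '/', and cryptboot listed at two mount points) are easy to catch mechanically before rebooting. The script below is an added example for this thread, not the poster's code: it parses an fstab, reports mount points that appear more than once, and reports sources that appear at more than one mount point unless every entry selects a distinct btrfs subvolume, which is why the three System-root entries are not flagged while the two cryptboot entries are. The sample fstab is constructed from the entries quoted in this thread; the function names are this example's own.

```python
"""Detect fstab entries that collide: one mount point listed twice, or one
device mounted in two places without distinct btrfs subvolumes.
Added example for this thread; the sample fstab is constructed from the
entries quoted above."""
from collections import defaultdict

SAMPLE_FSTAB = """
# /dev/mapper/cryptboot
UUID=ee7..    /             ext2          rw,relatime    0 1
# /dev/mapper/System-root
UUID=74f..    /             btrfs         rw,noatime,compress=lzo,subvolid=256,subvol=/@    0 0
# /dev/mapper/cryptboot
UUID=ee7..    /boot         ext2          rw,relatime    0 2
UUID=610...   /boot/efi     vfat          rw,relatime,fmask=0022,dmask=0022    0 2
UUID=74f..    /home         btrfs         rw,noatime,compress=lzo,subvolid=257,subvol=/@home    0 0
UUID=74f..    /.snapshots   btrfs         rw,noatime,compress=lzo,subvolid=258,subvol=/@snapshots    0 0
UUID=a8f..    none          swap          defaults      0 0
"""


def parse_fstab(text: str):
    """Yield (source, mountpoint, fstype, options) for each non-comment entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: fstab needs at least source, target, type, options
        yield fields[0], fields[1], fields[2], set(fields[3].split(","))


def find_duplicate_mountpoints(text: str):
    """Map each mount point listed more than once to its sources, in file order."""
    seen = defaultdict(list)
    for source, target, _fstype, _opts in parse_fstab(text):
        if target != "none":  # swap entries legitimately use 'none'
            seen[target].append(source)
    return {target: sources for target, sources in seen.items() if len(sources) > 1}


def _subvol_key(options):
    """The btrfs subvolume an entry selects, or None when it mounts the top level."""
    for prefix in ("subvol=", "subvolid="):
        for opt in options:
            if opt.startswith(prefix):
                return opt
    return None


def find_sources_mounted_twice(text: str):
    """Sources listed at more than one mount point whose entries do not select
    distinct btrfs subvolumes (the cryptboot case in this thread)."""
    by_source = defaultdict(list)
    for source, target, fstype, opts in parse_fstab(text):
        if fstype != "swap":
            key = _subvol_key(opts) if fstype == "btrfs" else None
            by_source[source].append((target, key))
    suspicious = {}
    for source, entries in by_source.items():
        if len(entries) < 2:
            continue
        keys = [key for _target, key in entries]
        # A distinct subvolume for every entry is fine; anything else is a duplicate.
        if None in keys or len(set(keys)) != len(keys):
            suspicious[source] = [target for target, _key in entries]
    return suspicious


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    print("duplicate mount points:", find_duplicate_mountpoints(text))
    print("sources mounted twice:", find_sources_mounted_twice(text))
```

Run with `python3 fstab_check.py /mnt/etc/fstab` from the installer; both checks are empty on a sane fstab, and the sample reproduces exactly the two findings quoted above.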
