
#1 2023-04-27 19:50:20

860lacov
Member
Registered: 2020-05-02
Posts: 497

How to properly change encrypt hook to sd-encrypt?

My current mkinitcpio.conf looks like this:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

According to:
mkinitcpio examples
If I'm correct, I should change it to:
HOOKS=(base systemd autodetect keyboard sd-vconsole block sd-encrypt filesystems fsck)
Keymap and console font are replaced by sd-vconsole if I'm correct.

Since I use Btrfs, fsck is probably not needed, but it can stay if it doesn't cause any issues.

Even though I have read the dm-crypt/System configuration I'm not sure if this is enough.
I think I should also change my loader entry, but I don't fully understand the:
Using systemd-cryptsetup-generator section of the wiki.
When I try to understand it, I get confused. I don't know if it is completely different from my current configuration or if it is similar.

My current configuration is:

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=63e06313-9d2d-4ecf-88a8-c63fd9c36f94:cryptroot:allow-discards root=/dev/mapper/cryptroot rootflags=subvol=@ rw


#2 2023-04-29 20:26:25

860lacov
Member
Registered: 2020-05-02
Posts: 497

Re: How to properly change encrypt hook to sd-encrypt?

Well, I was curious and decided to try.
I've changed

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

to

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)

After running mkinitcpio -P and rebooting my system, it hung on the message:

A start job is running for /dev/mapper/cryptroot

It appears that editing the mkinitcpio.conf file alone is not sufficient.

Could you help me with this?

Last edited by 860lacov (2023-04-29 21:09:42)


#3 2023-04-29 20:47:20

progandy
Member
Registered: 2012-05-17
Posts: 5,318

Re: How to properly change encrypt hook to sd-encrypt?

Hello, I think you switched your old and new hook lines in your post.
Your cryptdevice translates to the parameters rd.luks.name and rd.luks.options

rd.luks.name=63e06313-9d2d-4ecf-88a8-c63fd9c36f94=cryptroot rd.luks.options=discard

Another alternative is to create the /etc/crypttab.initrams file and configure your luks partition there.

Last edited by progandy (2023-04-29 20:53:48)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |


#4 2023-04-29 21:13:12

860lacov
Member
Registered: 2020-05-02
Posts: 497

Re: How to properly change encrypt hook to sd-encrypt?

progandy wrote:

Hello, I think you switched your old and new hook lines in your post.
Your cryptdevice translates to the parameters rd.luks.name and rd.luks.options

rd.luks.name=63e06313-9d2d-4ecf-88a8-c63fd9c36f94=cryptroot rd.luks.options=discard

Another alternative is to create the /etc/crypttab.initrams file and configure your luks partition there.

You are right about my mistake. (I didn't make it in my system)

So at the end my boot loader entry should look like this:

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=63e06313-9d2d-4ecf-88a8-c63fd9c36f94=cryptroot rd.luks.options=discard root=/dev/mapper/cryptroot rootflags=subvol=@ rw

I'm asking before testing because every mistake ends up with booting live cd and manual mounting of my subvolumes.
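A pre-reboot check for the mismatch behind the hang in post #2 (sd-encrypt in HOOKS while the boot entry still passes cryptdevice=), as an added example that is not part of the original posts. The function name and the idea of passing the HOOKS line, the options line and the crypttab path as arguments are assumptions made for illustration; the requirement that sd-encrypt be paired with the systemd hook is included as well.

```shell
#!/bin/sh
# check_unlock_config HOOKS_LINE OPTIONS_LINE [CRYPTTAB_PATH]
# Hypothetical helper: prints a verdict, returns 0 if hook and parameters agree.
check_unlock_config() {
    hooks=$1; options=$2; crypttab=${3:-/etc/crypttab.initramfs}
    hook=""; has_systemd=no; has_cryptdevice=no; has_rdluks=no

    # Keep only the words between "(" and ")" of the HOOKS=(...) line.
    list=${hooks#*\(}; list=${list%\)*}
    for h in $list; do
        case $h in
            systemd) has_systemd=yes ;;
            encrypt|sd-encrypt) hook=$h ;;
        esac
    done
    for p in $options; do
        case $p in
            cryptdevice=*) has_cryptdevice=yes ;;
            rd.luks.name=*|rd.luks.uuid=*) has_rdluks=yes ;;
        esac
    done

    case $hook in
        encrypt)
            # The encrypt hook reads cryptdevice= and ignores rd.luks.*.
            if [ "$has_cryptdevice" = yes ]; then echo "ok: encrypt + cryptdevice="; return 0; fi
            echo "mismatch: encrypt hook without cryptdevice="; return 1 ;;
        sd-encrypt)
            # sd-encrypt runs only in a systemd-based initramfs and ignores cryptdevice=.
            if [ "$has_systemd" = no ]; then echo "mismatch: sd-encrypt without systemd hook"; return 1; fi
            if [ "$has_rdluks" = yes ]; then echo "ok: sd-encrypt + rd.luks.*"; return 0; fi
            if [ -s "$crypttab" ]; then echo "ok: sd-encrypt + crypttab.initramfs"; return 0; fi
            echo "mismatch: sd-encrypt without rd.luks.* or crypttab.initramfs"; return 1 ;;
        *)  echo "no encrypt or sd-encrypt hook in HOOKS"; return 1 ;;
    esac
}

# Constructed call: the new HOOKS line from post #2 with the old options line from post #1.
check_unlock_config \
  'HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)' \
  'cryptdevice=UUID=63e06313-9d2d-4ecf-88a8-c63fd9c36f94:cryptroot:allow-discards root=/dev/mapper/cryptroot rootflags=subvol=@ rw' \
  /nonexistent/crypttab.initramfs || true
```
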


#5 2023-04-29 23:44:33

860lacov
Member
Registered: 2020-05-02
Posts: 497

Re: How to properly change encrypt hook to sd-encrypt?

progandy wrote:

Hello, I think you switched your old and new hook lines in your post.
Your cryptdevice translates to the parameters rd.luks.name and rd.luks.options

rd.luks.name=63e06313-9d2d-4ecf-88a8-c63fd9c36f94=cryptroot rd.luks.options=discard

Another alternative is to create the /etc/crypttab.initrams file and configure your luks partition there.


Ok I can confirm that

options rd.luks.name=63e06313-9d2d-4ecf-88a8-c63fd9c36f94=cryptroot rd.luks.options=discard root=/dev/mapper/cryptroot rootflags=subvol=@ rw

is working so thank you very much for the help.

p.s.1.
In Wiki there is an example:

rd.luks.options=timeout=10s,discard,password-echo=no,tries=1

What will happen if I don't add timeout and tries? Default is infinite?

p.s.2.
As for the /etc/crypttab.initrams
Not sure if I get it right.
I could add an entry:

cryptroot UUID=63e06313-9d2d-4ecf-88a8-c63fd9c36f94 none luks,discard

[I'm not sure if in crypttab.initrams options I should use luks or luks2 (my drive is encrypted with luks2)]

And change /boot/loader/entries/arch.conf to:

options root=/dev/mapper/cryptroot rootflags=subvol=@ rw

And it should work the same way?

Last edited by 860lacov (2023-04-29 23:47:42)


#6 2023-04-30 07:31:47

progandy
Member
Registered: 2012-05-17
Posts: 5,318

Re: How to properly change encrypt hook to sd-encrypt?

In the crypttab you do not have to mention luks at all. The filename is wrong, though, I missed the f in initramfs.

Yes, it should then work the same with those shorter boot loader options, you'll have to regenerate the initramfs, though (mkinitcpio). You can use lsinitcpio to check that the crypttab is part of the initramfs.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |


#7 2023-04-30 09:17:54

860lacov
Member
Registered: 2020-05-02
Posts: 497

Re: How to properly change encrypt hook to sd-encrypt?

progandy wrote:

In the crypttab you do not have to mention luks at all. The filename is wrong, though, I missed the f in initramfs.

Yes, it should then work the same with those shorter boot loader options, you'll have to regenerate the initramfs, though (mkinitcpio). You can use lsinitcpio to check that the crypttab is part of the initramfs.

In previous post you mentioned crypttab.initram
Now just crypttab.

Could you please clarify?


#8 2023-04-30 09:24:06

progandy
Member
Registered: 2012-05-17
Posts: 5,318

Re: How to properly change encrypt hook to sd-encrypt?

https://wiki.archlinux.org/title/Dm-cry … -generator

If the file /etc/crypttab.initramfs exists, it will be added to the initramfs as /etc/crypttab, there you can specify devices that need to be unlocked at the initramfs phase. See #crypttab for the syntax. If /etc/crypttab.initramfs does not exist, there will be no /etc/crypttab in the initramfs and the unlockable devices will need to be specified via kernel parameters listed below.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |
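The two conversions discussed in this thread (cryptdevice= to rd.luks.name/rd.luks.options from post #3, and the equivalent /etc/crypttab.initramfs entry from posts #5 to #8), as an added example that is not part of the original posts. The function names are hypothetical, only the cryptdevice=UUID=... form is handled, and the pass-through of no-read-workqueue and no-write-workqueue goes beyond the single allow-discards case shown in the thread.

```shell
#!/bin/sh
# Hypothetical helpers. parse_cryptdevice fills CD_UUID, CD_NAME and CD_OPTS from
# cryptdevice=UUID=<uuid>:<name>[:<options>] in the options line given as $1.
parse_cryptdevice() {
    CD_UUID=""; CD_NAME=""; CD_OPTS=""
    for p in $1; do
        case $p in
            cryptdevice=UUID=*:*) spec=${p#cryptdevice=UUID=} ;;
            cryptdevice=*) echo "only cryptdevice=UUID=<uuid>:<name> is handled" >&2; return 1 ;;
            *) continue ;;
        esac
        CD_UUID=${spec%%:*}; rest=${spec#*:}; CD_NAME=${rest%%:*}
        case $rest in *:*) raw=${rest#*:} ;; *) raw="" ;; esac
        old_ifs=$IFS; IFS=,
        for o in $raw; do
            case $o in
                allow-discards) o=discard ;;               # renamed in crypttab syntax
                no-read-workqueue|no-write-workqueue) ;;   # same name in both syntaxes
                *) IFS=$old_ifs; echo "unknown option: $o" >&2; return 1 ;;
            esac
            CD_OPTS=${CD_OPTS:+$CD_OPTS,}$o
        done
        IFS=$old_ifs
        return 0
    done
    echo "no cryptdevice= parameter found" >&2; return 1
}

# Rewrite an options line for sd-encrypt, leaving all other parameters in place.
to_sd_encrypt_options() {
    parse_cryptdevice "$1" || return 1
    out=""
    for p in $1; do
        case $p in
            cryptdevice=*)
                p="rd.luks.name=$CD_UUID=$CD_NAME"
                if [ -n "$CD_OPTS" ]; then p="$p rd.luks.options=$CD_OPTS"; fi ;;
        esac
        out=${out:+$out }$p
    done
    echo "$out"
}

# Print the matching /etc/crypttab.initramfs entry ("none" = prompt for the passphrase).
to_crypttab_line() {
    parse_cryptdevice "$1" || return 1
    echo "$CD_NAME UUID=$CD_UUID none${CD_OPTS:+ $CD_OPTS}"
}
```
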
