I encrypted my root partition on an NVMe drive with instructions I found here.
nvme0n1 259:0 0 119.2G 0 disk
├─nvme0n1p1 259:1 0 300M 0 part
└─nvme0n1p2 259:2 0 118.9G 0 part
This is what the (entire) drive that I encrypted looks like. I encrypted ext4 on nvme0n1p2 and haven't touched nvme0n1p1 which is a vfat and gets mounted on /efi.
nvme0n1p2 got encrypted good, but I am having trouble with configuring this encrypted partition. I was using systemd-boot to boot into my system before, and I am trying to use the same now as well. So from what I read (and understood) I have to change
1. mkinitcpio hooks
2. my kernel parameters and
3. fstab + crypttab
I have these hooks in mkinitcpio.conf:
HOOKS=(base udev encrypt fsck autodetect modconf kms keyboard keymap consolefont block filesystems)
I have also tried using sd-encrypt. I want to be prompted for a password to decrypt the root partition and boot normally into my system.
My kernel parameters:
options cryptdevice=UUID=f9f6727f-b459-4307-9371-5588177c4a06:luks:root=ee8fa627-41d1-4cc8-80a8-8dd3110891b2 none allow-discards rw
The UUID specified for cryptdevice I got from running
blkid -s UUID -o value /dev/nvme0n1p2
And
/dev/mapper/recrypt
Is my root, which I decrypted manually using
cryptsetup open /dev/nvme0n1p2 recrypt
My fstab:
# /dev/mapper/recrypt LABEL=Root
UUID=ee8fa627-41d1-4cc8-80a8-8dd3110891b2 / ext4 rw,relatime 0 1
# /dev/nvme0n1p1 LABEL=Boot
UUID=C8A0-8368 /efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
The UUID I got from using
genfstab -U /mnt
From the live iso.
It says here crypttab is specifically "mounting encrypted swap devices or secondary file systems" which I am not doing at the moment. So I haven't changed anything in cryptsetup.
With this config, when the system boots I get
ERROR: '' device not found. Skipping fsck.
And I am logged into emergency shell.
Last edited by nikinbaidarr (2024-02-29 19:42:10)
Offline
cryptdevice=UUID=f9f6727f-b459-4307-9371-5588177c4a06:luks:root=ee8fa627-41d1-4cc8-80a8-8dd3110891b2 none allow-discards
That should be two options cryptdevice and root as shown in Encrypting_an_entire_system#Configuring_the_boot_loader.
Offline
I tried
options cryptdevice=UUID=device-UUID:root root=/dev/mapper/root
But now I get this:
Waiting 10 seconds for device /dev/mapper/root ...
Waiting 10 seconds for device /dev/mapper/root ...
ERROR: device '/dev/mapper/root' not found. Skipping fsck.
...
And again back to emergency shell. I have no idea what I'm doing wrong here.
Although I would like to point out that I haven't enabled any systemd service specific to cryptsetup. I tried to search if there is any systemd service related to it but I couldn't.
Moreover, I am not using plymouth.
Last edited by nikinbaidarr (2024-02-29 16:34:49)
Offline
I tried
options cryptdevice=UUID=device-UUID:root root=/dev/mapper/root
Is `device-UUID` paraphrasing or what you literally tried?
Offline
No I actually used this:
cryptdevice=UUID=$(blkid -s UUID -o value /dev/nvme0n1p2):root:allow-discards root=/dev/mapper/root
Offline
Order of HOOKS matters, for example "encrypt ... keymap" causes keymap to not be loaded when it asks for your passphrase. It has to be "keymap ... encrypt".
Does cryptsetup work in the emergency shell? Does `cat /proc/cmdline` show the expected kernel parameters? Is there a /dev/disk/by-uuid/yourdeviceuuid? Does `cat /proc/partitions` show your drives at all?
Online
Order of HOOKS matters, for example "encrypt ... keymap" causes keymap to not be loaded when it asks for your passphrase. It has to be "keymap ... encrypt".
I tried that. In fact I put encrypt right at the end of HOOKS.
Does cryptsetup work in the emergency shell? Does `cat /proc/cmdline` show the expected kernel parameters? Is there a /dev/disk/by-uuid/yourdeviceuuid? Does `cat /proc/partitions` show your drives at all?
No it doesn't. Yes. Yes. Yes.
When I run
bootctl list
type:
title: Arch Linux (arch.conf) (default) (not reported/new)
...
I would've posted the full output but I'm typing on my phone. So I'd like to apologize for the clipped output.
Last edited by nikinbaidarr (2024-02-29 19:17:37)
Offline
You didn't forget to regenerate the initramfs after changing HOOKS? And you've made sure these end up on /efi and not in /boot?
Offline
You didn't forget to regenerate the initramfs after changing HOOKS? And you've made sure these end up on /efi and not in /boot?
Yes. And yes.
I ran
mkinitcpio -P
And after you suggested it I manually copied everything in
/boot to /efi/**/arch
But I still get the same error.
EDIT: cryptsetup is now working from the emergency shell. I'm not sure if copying the initramfs did this or changing the order of the HOOKS.
Last edited by nikinbaidarr (2024-02-29 19:21:01)
Offline
And you've made sure these end up on /efi and not in /boot?
I think this and replacing
$(blkid -s UUID -o value /dev/nvmep1n2)
with the actual UUID has solved the issue.
I want to thank everyone who commented. You guys make Arch more likeable. Thank you everyone!
Offline
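An added example, not part of any post in this thread: a POSIX shell check for the options-line mistakes discussed above (root= fused into cryptdevice=, a stray allow-discards, an unexpanded $(blkid ...), a mapper name that does not match root=). The function name check_options and its messages are made up for this example, and it assumes the encrypt-hook syntax cryptdevice=<device>:<dmname>[:<options>].

```shell
#!/bin/sh
# Added example (not from the thread): lint the "options" line of a
# systemd-boot entry that unlocks root with the mkinitcpio encrypt hook.
# Assumes the encrypt-hook syntax cryptdevice=<device>:<dmname>[:<options>].

UUID_RE='^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# check_options "<text after 'options'>": prints one finding per line and
# returns 0 when nothing was found. Runs in a subshell, so set -f stays local.
check_options() (
    set -f                      # do not glob-expand words of the line
    line=$1 crypt='' root='' bad=0
    note() { printf '%s\n' "$1"; bad=1; }

    case $line in
        *'$('*|*'`'*) note 'unexpanded shell substitution: paste the literal UUID' ;;
    esac
    for word in $line; do       # the kernel also splits parameters on spaces
        case $word in
            cryptdevice=*)  crypt=${word#cryptdevice=} ;;
            root=*)         root=${word#root=} ;;
            allow-discards) note 'allow-discards must be the third cryptdevice= field' ;;
        esac
    done
    if [ -z "$crypt" ]; then note 'cryptdevice= is missing'; fi
    if [ -z "$root" ];  then note 'root= is missing as a separate parameter'; fi
    case $crypt in
        *root=*) note 'root= is fused into cryptdevice=: separate them with a space' ;;
    esac

    dev=${crypt%%:*}            # field 1: the LUKS container
    rest=${crypt#*:}            # fields 2..: dmname[:options]
    name=${rest%%:*}
    case $dev in
        UUID=*) if ! printf '%s\n' "$dev" | grep -Eq "$UUID_RE"; then
                    note "cryptdevice UUID is not a literal UUID: $dev"
                fi ;;
    esac
    case $root in
        /dev/mapper/*) if [ "${root#/dev/mapper/}" != "$name" ]; then
                           note "root=$root does not match mapper name '$name'"
                       fi ;;
    esac
    [ "$bad" -eq 0 ]            # exit status of the function
)
```

Pass it the text that follows "options" in the loader entry; a zero exit status means none of these mistakes were found.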