You are not logged in.

#1 2024-03-30 16:43:12

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 180

LUKS - error: Invalid Passphrase

I'm trying to set manually a LUKS partition by using GRUB BIOS/Legacy according to https://wiki.archlinux.org/title/dm-cry … _partition

Partition table is msdos and grub bootloader is not deployed on a separated partition.

In a Live environment I run:

sudo -i
parted /dev/sda -- mklabel msdos
parted /dev/sda -- mkpart primary 1MB -8GB
parted /dev/sda -- set 1 boot on
parted /dev/sda -- mkpart primary linux-swap -8GB 100%

cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 crypted
mkfs.btrfs -L arch /dev/mapper/crypted

mkswap -L swap /dev/sda2
mount /dev/disk/by-label/arch /mnt
swapon /dev/sda2

(INSTALL ARCH)
pacman-key --init
pacman-key --populate
pacstrap /mnt base
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt

echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime
echo "archlinux" > /etc/hostname
pacman -S nano mkinitcpio linux-lts linux-lts-headers
echo "KEYMAP=us" > /etc/vconsole.conf
nano /etc/mkinitcpio.conf

Edit HOOKS as "HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)"

mkinitcpio -P
pacman -S grub
sed -i "s/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g" /etc/default/grub
(I removed "quiet" argument from /etc/default/grub)
grub-install --target=i386-pc --recheck --boot-directory=/boot /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

passwd
exit
umount -R /mnt
reboot

when I reboot, I land on "Enter passphrase for hd0,msdos1 (xxxxx):"

when I insert my passphrase ("testtest"), I get "error: Invalid passphrase.".

I also tried with an "ext4" filesystem but I get the same result. Why am I getting invalid passphrase error?

Last edited by D3vil0p3r (2024-03-31 12:39:11)

Offline

#2 2024-03-30 17:24:26

frostschutz
Member
Registered: 2013-11-15
Posts: 1,417

Re: LUKS - error: Invalid Passphrase

Grub can't handle LUKS2 / argon2id keys. If you must do this with Grub's cryptodisk, add a pbkdf2 key (`cryptsetup luksAddKey --pbkdf pbkdf2`). Alternatively use an unencrypted /boot or /efi partition for booting and encrypt everything after kernel/initramfs

You're using the "wrong" units with parted (MB instead of MiB, etc.). Technically you're telling it to start a partition on sector 1953. Due to default alignment this is silently corrected to 2048s so no particular harm done, but this thing can eventually bite you.

Last edited by frostschutz (2024-03-30 17:30:45)

Offline

#3 2024-03-30 17:48:18

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 180

Re: LUKS - error: Invalid Passphrase

Oh, ok. So in my GRUB Legacy scenario I need to create a separated boot partition to make it working without using pbkdf2 key. Do I need also to insert "rd.luks.name=device-UUID=crypted root=/dev/mapper/crypted" in kernel parameters? (not sure if I should keep "root" or replacing it by "crypted"). And, I should use "rd.luks.name" or only "luks.name"?

PS: Thank you for units, I will use 1MiB since more "optimal".

Last edited by D3vil0p3r (2024-03-30 17:51:51)

Offline

#4 2024-03-30 18:40:27

frostschutz
Member
Registered: 2013-11-15
Posts: 1,417

Re: LUKS - error: Invalid Passphrase

It's fine to use rd.* since you want this to happen in the initrd stage. It should work (provided you're using systemd sd-encrypt hooks, and device-UUID is the luks header UUID).

Offline

#5 2024-03-30 19:20:24

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 180

Re: LUKS - error: Invalid Passphrase

By running "lsblk -no name,uuid" I get:

sda
|-sda1      733f5e5e-e53e-48aa-b975-3176e685c199
|-sda2      2c29bffd-a015-4485-9571-72fb1c5102f8
`-sda3      7ab2a484-95a8-4ded-b483-b0bf086c7e41
  `-crypted 506a895e-2e87-4955-ba47-8c25029b994d

as UUID for luks.name should I use the one of sda3 or crypted?

Is the "rd.luks.name=device-UUID=crypted root=/dev/mapper/crypted" mandatory to make it working?

Last edited by D3vil0p3r (2024-03-30 19:23:29)

Offline

#6 2024-03-30 19:46:56

frostschutz
Member
Registered: 2013-11-15
Posts: 1,417

Re: LUKS - error: Invalid Passphrase

sda3 (the one of your luksheader, shown by cryptsetup luksDump or cryptsetup luksUUID)

Offline

#7 2024-03-31 12:39:01

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 180

Re: LUKS - error: Invalid Passphrase

A further question: lets guess I have a root partition sda3 where Arch Linux is installed, then a boot partition sda1 and, finally, a partition sda2 used only for storing data.

If I encrypt as LUKS all of them, as kernel parameter "rd.luks.name=device-UUID=crypted root=/dev/mapper/xxx" in "/etc/default/grub", I need to set ONLY the root partition or I need to set a dedicated "rd.luks.name" also for encrypted boot partition (sda1) and encrypted data partition (sda2)?

Offline

Board footer

Powered by FluxBB