You are not logged in.
Pages: 1
I'm trying to set manually a LUKS partition by using GRUB BIOS/Legacy according to https://wiki.archlinux.org/title/dm-cry … _partition
Partition table is msdos and grub bootloader is not deployed on a separated partition.
In a Live environment I run:
sudo -i
parted /dev/sda -- mklabel msdos
parted /dev/sda -- mkpart primary 1MB -8GB
parted /dev/sda -- set 1 boot on
parted /dev/sda -- mkpart primary linux-swap -8GB 100%
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 crypted
mkfs.btrfs -L arch /dev/mapper/crypted
mkswap -L swap /dev/sda2
mount /dev/disk/by-label/arch /mnt
swapon /dev/sda2
(INSTALL ARCH)
pacman-key --init
pacman-key --populate
pacstrap /mnt base
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime
echo "archlinux" > /etc/hostname
pacman -S nano mkinitcpio linux-lts linux-lts-headers
echo "KEYMAP=us" > /etc/vconsole.conf
nano /etc/mkinitcpio.conf
Edit HOOKS as "HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)"
mkinitcpio -P
pacman -S grub
sed -i "s/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g" /etc/default/grub
(I removed "quiet" argument from /etc/default/grub)
grub-install --target=i386-pc --recheck --boot-directory=/boot /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
passwd
exit
umount -R /mnt
reboot
when I reboot, I land on "Enter passphrase for hd0,msdos1 (xxxxx):"
when I insert my passphrase ("testtest"), I get "error: Invalid passphrase.".
I also tried with an "ext4" filesystem but I get the same result. Why am I getting invalid passphrase error?
Last edited by D3vil0p3r (2024-03-31 12:39:11)
Offline
Grub can't handle LUKS2 / argon2id keys. If you must do this with Grub's cryptodisk, add a pbkdf2 key (`cryptsetup luksAddKey --pbkdf pbkdf2`). Alternatively use an unencrypted /boot or /efi partition for booting and encrypt everything after kernel/initramfs
You're using the "wrong" units with parted (MB instead of MiB, etc.). Technically you're telling it to start a partition on sector 1953. Due to default alignment this is silently corrected to 2048s so no particular harm done, but this thing can eventually bite you.
Last edited by frostschutz (2024-03-30 17:30:45)
Online
Oh, ok. So in my GRUB Legacy scenario I need to create a separated boot partition to make it working without using pbkdf2 key. Do I need also to insert "rd.luks.name=device-UUID=crypted root=/dev/mapper/crypted" in kernel parameters? (not sure if I should keep "root" or replacing it by "crypted"). And, I should use "rd.luks.name" or only "luks.name"?
PS: Thank you for units, I will use 1MiB since more "optimal".
Last edited by D3vil0p3r (2024-03-30 17:51:51)
Offline
It's fine to use rd.* since you want this to happen in the initrd stage. It should work (provided you're using systemd sd-encrypt hooks, and device-UUID is the luks header UUID).
Online
By running "lsblk -no name,uuid" I get:
sda
|-sda1 733f5e5e-e53e-48aa-b975-3176e685c199
|-sda2 2c29bffd-a015-4485-9571-72fb1c5102f8
`-sda3 7ab2a484-95a8-4ded-b483-b0bf086c7e41
`-crypted 506a895e-2e87-4955-ba47-8c25029b994d
as UUID for luks.name should I use the one of sda3 or crypted?
Is the "rd.luks.name=device-UUID=crypted root=/dev/mapper/crypted" mandatory to make it working?
Last edited by D3vil0p3r (2024-03-30 19:23:29)
Offline
sda3 (the one of your luksheader, shown by cryptsetup luksDump or cryptsetup luksUUID)
Online
A further question: lets guess I have a root partition sda3 where Arch Linux is installed, then a boot partition sda1 and, finally, a partition sda2 used only for storing data.
If I encrypt as LUKS all of them, as kernel parameter "rd.luks.name=device-UUID=crypted root=/dev/mapper/xxx" in "/etc/default/grub", I need to set ONLY the root partition or I need to set a dedicated "rd.luks.name" also for encrypted boot partition (sda1) and encrypted data partition (sda2)?
Offline
Pages: 1