
#1 2024-06-09 21:21:18

6i5
Member
Registered: 2024-06-09
Posts: 14

Cannot install GRUB on encrypted disk

I am trying to install Arch Linux from scratch. I want to use two NVMe SSDs as essentially one with full disk encryption including boot. Therefore I opted to create one VG covering the entire space, then create multiple LVMs for each directory, then LUKS2-encrypt each. I would like all LUKS2 containers to share the same password so that I don't have to type it multiple times. Attached is my planned partitioning layout.

Below is everything I did up to this point. I am pretty sure grub-install followed by a grub-mkconfig should seal the deal, but the former fails. What did I do wrong here? Also open to criticism about the entire installation workflow as well as better partitioning schemes and potential missed steps.


1. Create Installation Medium
a) Download ISO

> curl https://geo.mirror.pkgbuild.com/iso/2024.06.01/archlinux-2024.06.01-x86_64.iso -o archlinux-2024.06.01-x86_64.iso
> curl https://geo.mirror.pkgbuild.com/iso/2024.06.01/archlinux-2024.06.01-x86_64.iso.sig -o archlinux-2024.06.01-x86_64.iso.sig

b) Verify Authenticity

> gpg --keyserver-options auto-key-retrieve --verify archlinux-2024.06.01-x86_64.iso.sig archlinux-2024.06.01-x86_64.iso
gpg: Signature made Sat 01 Jun 2024 09:09:43 AM GMT
gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: aka "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C

c) Copy ISO to USB

> sudo dd bs=4M if=archlinux-2024.06.01-x86_64.iso of=/dev/sda status=progress oflag=sync
1168146432 bytes (1.2 GB, 1.1 GiB) copied, ... s, ...MB/s 
278+1 records in
278+1 records out
1168146432 bytes (1.2 GB, 1.1 GiB) copied, ... s, ...MB/s

2. Boot
a) Disable Secure Boot on UEFI Settings
OK

b) Edit Boot Priority
OK

c) Plug In USB and Boot

:: running early hook [udev]
...
:: Copying rootfs image to RAM...
...
Arch Linux 6.9.3-arch1-1 (tty1)
...
root@archiso ~ #

3. Prepare Installation
a) Set Keyboard Layout

> localectl list-keymaps
31
ANSI-dvorak
...
windowkeys
> loadkeys us

b) Confirm x64

> cat /sys/firmware/efi/fw_platform_size
64

c) Internet (Using Ethernet)

> ip link
...
enp... state UP
...
> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=... time=...ms

d) Confirm Clock Sync

> timedatectl
...
System clock synchronized: yes
NTP service: active
...

4. Partition
a) Wipe SSDs

> cryptsetup open --type plain -d /dev/urandom --sector-size 4096 /dev/nvme0n1 to_be_wiped
> dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
> cryptsetup close to_be_wiped
> cryptsetup open --type plain -d /dev/urandom --sector-size 4096 /dev/nvme1n1 to_be_wiped
> dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
> cryptsetup close to_be_wiped

b) Create Partitions

> lsblk
NAME	MAJ:MIN	RM	SIZE	RO	TYPE	MOUNTPOINTS
loop0	  7:0	0	...		1	loop	/run/archiso/airootfs
nvme1n1	259:0	0	3.6T	0	disk
nvme0n1	259:1	0	3.6T	0	disk
> fdisk /dev/nvme0n1
Welcome to fdisk (util-linux 2.40.1).
...
Command (m for help):
> g
Created a new GPT disklabel (GUID: ...).
> n
Partition number (1-128, default 1):
> 1
First Sector (...):
> 2048
Last Sector (...):
> (Max value)
Created a new partition 1 of type 'Linux file system' and of size 1.9 TiB.
> w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
> fdisk /dev/nvme1n1
...
> lsblk
NAME		MAJ:MIN	RM	SIZE	RO	TYPE	MOUNTPOINTS
loop0		7:0		0	...		1	loop	/run/archiso/airootfs
nvme1n1		259:0	0	3.6T	0	disk
└─nvme1n1	259:4	0	3.6T	0	part
nvme0n1		259:1	0	3.6T	0	disk
└─nvme0n1	259:2	0	3.6T	0	part

c) Create Physical Volume

> pvs

> pvcreate /dev/nvme0n1p1
Physical volume "/dev/nvme0n1p1" successfully created.
> pvcreate /dev/nvme1n1p1
Physical volume "/dev/nvme1n1p1" successfully created.
> pvs
PV				VG	Fmt		Attr	PSize	PFree
/dev/nvme0n1p1		lvm2	---		<3.64t	<3.64t
/dev/nvme1n1p1		lvm2	---		<3.64t	<3.64t

d) Create Volume Group

> vgcreate vg001 /dev/nvme0n1p1
Volume group "vg001" successfully created
> vgextend vg001 /dev/nvme1n1p1
Volume group "vg001" successfully extended
> pvs
PV				VG		Fmt		Attr	PSize	PFree
/dev/nvme0n1p1	vg001	lvm2	a--		<3.64t	<3.64t
/dev/nvme1n1p1	vg001	lvm2	a--		<3.64t	<3.64t

e) Create Logical Volume

> lvcreate -L 1G -n cryptboot vg001
Logical volume "cryptboot" created.
> lvcreate -L 64G -n crypttmp vg001
Logical volume "crypttmp" created.
> lvcreate -L 64G -n cryptvar vg001
Logical volume "cryptvar" created.
> lvcreate -L 128G -n cryptroot vg001
Logical volume "cryptroot" created.
> lvcreate -l 100%FREE -n crypthome vg001
Logical volume "crypthome" created.
> lvs
LV			VG		Attr		LSize	Pool	Origin	Data%	Meta%	Move	Log	Cpy%Sync	Convert
cryptboot	vg001	-wi-a-----	1.00g
crypthome	vg001	-wi-a-----	7.02t
cryptroot	vg001	-wi-a-----	128.00g
crypttmp	vg001	-wi-a-----	64.00g
cryptvar	vg001	-wi-a-----	64.00g

f) Encrypt Root Partition

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/cryptroot

WARNING!
========
This will overwrite data on /dev/vg001/cryptroot irrevocably.

Are you sure? (Type 'yes' in capital letters):
> YES
Enter passphrase for /dev/vg001/cryptroot:
>
Verify passphrase:
>
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 ...s user ...s system ...% cpu ... total
> cryptsetup open /dev/vg001/cryptroot root
Enter passphrase for /dev/vg001/cryptroot:
>
cryptsetup open /dev/vg001/cryptroot root ...s user ...s system ...% cpu ... total
> mkfs.ext4 /dev/mapper/root
mke2fs 1.47.1 (20-May-2024)
Creating filesystem with ... 4k blocks and ... inodes
Filesystem UUID: ...
...
Writing superblocks and filesystem accounting information: done
> mount /dev/mapper/root /mnt

g) Encrypt Remaining Partitions

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/cryptboot
> cryptsetup open /dev/vg001/cryptboot boot
> mkfs.ext4 /dev/mapper/boot
> mount --mkdir /dev/mapper/boot /mnt/boot

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/crypttmp
> cryptsetup open /dev/vg001/crypttmp tmp
> mkfs.ext4 /dev/mapper/tmp
> mount --mkdir /dev/mapper/tmp /mnt/tmp

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/cryptvar
> cryptsetup open /dev/vg001/cryptvar var
> mkfs.ext4 /dev/mapper/var
> mount --mkdir /dev/mapper/var /mnt/var

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/crypthome
> cryptsetup open /dev/vg001/crypthome home
> mkfs.ext4 /dev/mapper/home
> mount --mkdir /dev/mapper/home /mnt/home

> lsblk -f
NAME				FSTYPE		FSVER	LABEL	UUID	FSAVAIL	FSUSE%	MOUNTPOINTS
loop0				squashfs	4.0							0	100%	/run/archiso/airootfs
nvme1n1
└─nvme1n1p1			LVM2_member	LVM2 001		...
  └─vg001-crypthome	crypto_LUKS	2				...
    └─home			ext4		1.0				...		6.5T	0%		/mnt/home
nvme0n1
└─nvme0n1p1			LVM2_member	LVM2 001		...
  ├─vg001-cryptboot	crypto_LUKS	2				...
  │ └─boot			ext4		1.0				...		907M	0%		/mnt/boot
  ├─vg001-crypttmp	crypto_LUKS	2				...
  │ └─tmp			ext4		1.0				...		59.5G	0%		/mnt/tmp
  ├─vg001-cryptvar	crypto_LUKS	2				...
  │ └─var			ext4		1.0				...		59.5G	0%		/mnt/var
  ├─vg001-cryptroot	crypto_LUKS	2				...
  │ └─root			ext4		1.0				...		119G	0%		/mnt
  └─vg001-crypthome	crypto_LUKS	2				...
    └─home			ext4		1.0				...		6.5T	0%		/mnt/home

h) Edit /etc/mkinitcpio.conf

> nano /etc/mkinitcpio.conf
> cat /etc/mkinitcpio.conf
...
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block lvm2 encrypt filesystems fsck)
...

i) Configure GRUB

> nano /etc/default/grub
> cat /etc/default/grub
...
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=(Insert UUID of vg001-cryptboot):cryptlvm ..."
...
GRUB_ENABLE_CRYPTODISK=y
...

5. Install System
a) Install Basic Tools

> pacstrap -K /mnt base linux linux-firmware amd-ucode grub efibootmgr
...
:: Retrieving packages...
...
==> Initcpio image generation successful
(13/13) Reloading system bus configuration...
Skipped: Running in chroot.
pacstrap -K /mnt base linux linux-firmware intel-ucode grub efibootmgr ...s user ...s system ...% cpu ... total

b) Generate fstab

> genfstab -U /mnt >> /mnt/etc/fstab
> cat /mnt/etc/fstab
...
# <file system> 	<dir> 	<type> 	<options> 	<dump> <pass>
# /dev/mapper/root
UUID=...			/		ext4	rw,relatime	0		1
# /dev/mapper/boot
UUID=...			/boot	ext4	rw,relatime	0		2
# /dev/mapper/tmp
UUID=...			/tmp	ext4	rw,relatime	0		2
# /dev/mapper/var
UUID=...			/var	ext4	rw,relatime	0		2
# /dev/mapper/home
UUID=...			/home	ext4	rw,relatime	0		2

c) Change Root

root@archiso ~ # arch-chroot /mnt
[root@archiso /] # 

d) Set Time

> ln -sf /usr/share/zoneinfo/UTC /etc/localtime
> hwclock --systohc

e) Set Locales

> pacman -Syu --needed nano
> nano /etc/locale.gen
> cat /etc/locale.gen
...
en_US.UTF-8 UTF-8
...

> locale-gen
Generating locales...
en_US.UTF-8... done
Generation complete.

> nano /etc/locale.conf
> cat /etc/locale.conf
LANG=en_US.UTF-8

> nano /etc/vconsole.conf
> cat /etc/vconsole.conf
KEYMAP=us

f) Network

> nano /etc/hostname
> cat /etc/hostname
davidsarchlinux
> pacman -Syu --needed networkmanager fail2ban iptables wireless-regdb
> nano /etc/conf.d/wireless-regdom
> cat /etc/conf.d/wireless-regdom
...
WIRELESS_REGDOM="US"
...
> iw reg set US
> systemctl enable NetworkManager

g) More Packages

> pacman -Syu --needed sudo base-devel gnome gnome-extra lightdm ...

h) Set User

> passwd
> useradd -m david
> passwd david
> visudo
sudo ALL=(ALL:ALL) ALL
> groupadd sudo
> usermod -aG sudo david

i) Install Grub

> grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --recheck
grub-install: error: /boot doesn't look like an EFI partition.

Last edited by 6i5 (2024-06-09 21:23:44)


#2 2024-06-09 22:02:55

kermit63
Member
Registered: 2018-07-04
Posts: 312

Re: Cannot install GRUB on encrypted disk

I see at least 3 mistakes just from a cursory look:

1. GRUB does not support luks2 argon2 encryption.
2. EFI partition cannot be inside LVM.
3. EFI partition cannot be ext4. The EFI partition and /boot are 2 separate entities, although there are use cases where they can be in the same partition.

There could be more errors, but I didn't really look very hard and the post is quite lengthy.


Never argue with an idiot, they will drag you down to their level and then beat you with experience.
It is better to light a candle than curse the darkness.
A journey of a thousand miles begins with a single step.
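A preflight check for the three problems this reply lists, as an added example (not code from either poster, nor from the Arch install guide): it takes the text that `lsblk -no TYPE,FSTYPE` and `cryptsetup luksDump` print and reports whether the ESP candidate is a FAT partition outside LVM and LUKS, and whether the container holding /boot uses a KDF that GRUB's cryptodisk can open. The sample luksDump texts, the `preflight` wrapper and its verdict messages are constructed for the demonstration so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Preflight for the three points in
# reply #2, run before grub-install. The functions take the text that
# `lsblk -no TYPE,FSTYPE <dev>` and `cryptsetup luksDump <dev>` print,
# so they can be exercised here on constructed sample text.

# efi_partition_ok TYPE FSTYPE
# The EFI System Partition must be a plain GPT partition (TYPE=part), so it
# cannot be an LVM logical volume (lvm) or a dm-crypt mapping (crypt), and it
# must carry a FAT filesystem (lsblk reports vfat). An ext4 volume fails,
# which is what grub-install's "doesn't look like an EFI partition" means.
efi_partition_ok() {
    type="$1"
    fstype="$2"
    if [ "$type" != "part" ]; then
        echo "ESP check: TYPE=$type, but the ESP must be a partition, not an LV or crypt mapping" >&2
        return 1
    fi
    case "$fstype" in
        vfat) return 0 ;;
        *)
            echo "ESP check: FSTYPE=$fstype, but the ESP must be FAT" >&2
            return 1
            ;;
    esac
}

# luks_grub_unlockable DUMP
# Reads `cryptsetup luksDump` text. As reply #2 states, GRUB cannot open
# LUKS2 keyslots that use argon2 (argon2i/argon2id); LUKS1, or LUKS2 whose
# keyslots all use pbkdf2, is what it can unlock. Returns 0 when every
# keyslot is usable by GRUB, 1 otherwise.
luks_grub_unlockable() {
    dump="$1"
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2; exit }')
    case "$version" in
        1) return 0 ;;
        2) ;;
        *)
            echo "LUKS check: could not read a LUKS version from the dump" >&2
            return 1
            ;;
    esac
    # Count keyslots whose PBKDF line says anything other than pbkdf2.
    bad=$(printf '%s\n' "$dump" | awk '/^[ \t]*PBKDF:/ { if ($2 != "pbkdf2") n++ } END { print n + 0 }')
    if [ "$bad" -gt 0 ]; then
        echo "LUKS check: $bad keyslot(s) use a non-pbkdf2 KDF; GRUB cannot unlock them" >&2
        return 1
    fi
    return 0
}

# preflight TYPE FSTYPE DUMP: run both checks; succeeds only if both pass.
preflight() {
    ok=0
    efi_partition_ok "$1" "$2" || ok=1
    luks_grub_unlockable "$3" || ok=1
    return $ok
}

# Constructed sample luksDump texts (trimmed; not from the poster's machine).
SAMPLE_ARGON2='LUKS header information
Version:       	2
Epoch:         	3
Keyslots:
  0: luks2
	Key:        512 bits
	Cipher:     aes-xts-plain64
	PBKDF:      argon2id
	Time cost:  7
	Memory:     1048576'

SAMPLE_PBKDF2='LUKS header information
Version:       	2
Keyslots:
  0: luks2
	Key:        512 bits
	Cipher:     aes-xts-plain64
	PBKDF:      pbkdf2
	Hash:       sha512
	Iterations: 2000000'

main() {
    # How the thread's layout looks to these checks: /boot is ext4 on a
    # LUKS mapping over an LV, and the container has an argon2id keyslot.
    if preflight crypt ext4 "$SAMPLE_ARGON2"; then
        echo "thread layout: no problems found"
    else
        echo "thread layout: fix the problems reported above before grub-install"
    fi
    # A layout that passes: a FAT partition for the ESP, and a LUKS2
    # container whose keyslot uses pbkdf2.
    if preflight part vfat "$SAMPLE_PBKDF2"; then
        echo "corrected layout: checks pass"
    fi
}

main
```

On the live installer the same functions take real tool output, for example `preflight $(lsblk -no TYPE,FSTYPE /dev/nvme0n1p1) "$(cryptsetup luksDump /dev/vg001/cryptboot)"`; the first expansion is deliberately unquoted so that lsblk's two columns arrive as two arguments.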

