
#1 2024-06-09 21:21:18

6i5
Member
Registered: 2024-06-09
Posts: 14

Cannot install GRUB on encrypted disk

I am trying to install Arch Linux from scratch. I want to use two NVMe SSDs as essentially one with full disk encryption including boot. Therefore I opted to create one VG covering the entire space, then create multiple LVMs for each directory, then LUKS2 encrypt each. I would like all LUKS2 containers to share the same password so that I don't have to type it multiple times. Attached is my planned partitioning layout.

Below is everything I did up to this point. I am pretty sure grub-install followed by a grub-mkconfig should seal the deal, but the former fails. What did I do wrong here? I am also open to criticism of the entire installation workflow, as well as better partitioning schemes and potentially missed steps.


1. Create Installation Medium
a) Download ISO

> curl https://geo.mirror.pkgbuild.com/iso/2024.06.01/archlinux-2024.06.01-x86_64.iso -o archlinux-2024.06.01-x86_64.iso
> curl https://geo.mirror.pkgbuild.com/iso/2024.06.01/archlinux-2024.06.01-x86_64.iso.sig -o archlinux-2024.06.01-x86_64.iso.sig

b) Verify Authenticity

> gpg --keyserver-options auto-key-retrieve --verify archlinux-2024.06.01-x86_64.iso.sig archlinux-2024.06.01-x86_64.iso
gpg: Signature made Sat 01 Jun 2024 09:09:43 AM GMT
gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: aka "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C

c) Copy ISO to USB

> sudo dd bs=4M if=archlinux-2024.06.01-x86_64.iso of=/dev/sda status=progress oflag=sync
1168146432 bytes (1.2 GB, 1.1 GiB) copied, ... s, ...MB/s 
278+1 records in
278+1 records out
1168146432 bytes (1.2 GB, 1.1 GiB) copied, ... s, ...MB/s

2. Boot
a) Disable Secure Boot on UEFI Settings
OK

b) Edit Boot Priority
OK

c) Plug In USB and Boot

:: running early hook [udev]
...
:: Copying rootfs image to RAM...
...
Arch Linux 6.9.3-arch1-1 (tty1)
...
root@archiso ~ #

3. Prepare Installation
a) Set Keyboard Layout

> localectl list-keymaps
31
ANSI-dvorak
...
windowkeys
> loadkeys us

b) Confirm x64

> cat /sys/firmware/efi/fw_platform_size
64

c) Internet (Using Ethernet)

> ip link
...
enp... state UP
...
> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=... time=...ms

d) Confirm Clock Sync

> timedatectl
...
System clock synchronized: yes
NTP service: active
...

4. Partition
a) Wipe SSDs

> cryptsetup open --type plain -d /dev/urandom --sector-size 4096 /dev/nvme0n1 to_be_wiped
> dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
> cryptsetup close to_be_wiped
> cryptsetup open --type plain -d /dev/urandom --sector-size 4096 /dev/nvme1n1 to_be_wiped
> dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
> cryptsetup close to_be_wiped

b) Create Partitions

> lsblk
NAME	MAJ:MIN	RM	SIZE	RO	TYPE	MOUNTPOINTS
loop0	  7:0	0	...		1	loop	/run/archiso/airootfs
nvme1n1	259:0	0	3.6T	0	disk
nvme0n1	259:1	0	3.6T	0	disk
> fdisk /dev/nvme0n1
Welcome to fdisk (util-linux 2.40.1).
...
Command (m for help):
> g
Created a new GPT disklabel (GUID: ...).
> n
Partition number (1-128, default 1):
> 1
First Sector (...):
> 2048
Last Sector (...):
> (Max value)
Created a new partition 1 of type 'Linux filesystem' and of size 1.9 TiB.
> w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
> fdisk /dev/nvme1n1
...
> lsblk
NAME		MAJ:MIN	RM	SIZE	RO	TYPE	MOUNTPOINTS
loop0		7:0		0	...		1	loop	/run/archiso/airootfs
nvme1n1		259:0	0	3.6T	0	disk
└─nvme1n1	259:4	0	3.6T	0	part
nvme0n1		259:1	0	3.6T	0	disk
└─nvme0n1	259:2	0	3.6T	0	part

c) Create Physical Volume

> pvs

> pvcreate /dev/nvme0n1p1
Physical volume "dev/nvme0n1p1" successfully created.
> pvcreate /dev/nvme1n1p1
Physical volume "dev/nvme1n1p1" successfully created.
> pvs
PV				VG	Fmt		Attr	PSize	PFree
/dev/nvme0n1p1		lvm2	---		<3.64t	<3.64t
/dev/nvme1n1p1		lvm2	---		<3.64t	<3.64t

d) Create Volume Group

> vgcreate vg001 /dev/nvme0n1p1
Volume group "vg001" successfully created
> vgextend vg001 /dev/nvme1n1p1
Volume group "vg001" successfully extended
> pvs
PV				VG		Fmt		Attr	PSize	PFree
/dev/nvme0n1p1	vg001	lvm2	a--		<3.64t	<3.64t
/dev/nvme1n1p1	vg001	lvm2	a--		<3.64t	<3.64t

e) Create Logical Volume

> lvcreate -L 1G -n cryptboot vg001
Logical volume "cryptboot" created.
> lvcreate -L 64G -n crypttmp vg001
Logical volume "crypttmp" created.
> lvcreate -L 64G -n cryptvar vg001
Logical volume "cryptvar" created.
> lvcreate -L 128G -n cryptroot vg001
Logical volume "cryptroot" created.
> lvcreate -l 100%FREE -n crypthome vg001
Logical volume "crypthome" created.
> lvs
LV			VG		Attr		LSize	Pool	Origin	Data%	Meta%	Move	Log	Cpy%Sync	Convert
cryptboot	vg001	-wi-a-----	1.00g
crypthome	vg001	-wi-a-----	7.02t
cryptroot	vg001	-wi-a-----	128.00g
crypttmp	vg001	-wi-a-----	64.00g
cryptvar	vg001	-wi-a-----	64.00g

f) Encrypt Root Partition

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/cryptroot

WARNING!
========
This will overwrite data on /dev/vg001/cryptroot irrevocably.

Are you sure? (Type 'yes' in capital letters):
> YES
Enter passphrase for /dev/vg001/cryptroot:
>
Verify passphrase:
>
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 ...s user ...s system ...% cpu ... total
> cryptsetup open /dev/vg001/cryptroot root
Enter passphrase for /dev/vg001/cryptroot:
>
cryptsetup open /dev/vg001/cryptroot root ...s user ...s system ...% cpu ... total
> mkfs.ext4 /dev/mapper/root
mke2fs 1.47.1 (20-May-2024)
Creating filesystem with ... 4k blocks and ... inodes
Filesystem UUID: ...
...
Writing superblocks and filesystem accounting information: done
> mount /dev/mapper/root /mnt

g) Encrypt Remaining Partitions

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/cryptboot
> cryptsetup open /dev/vg001/cryptboot boot
> mkfs.ext4 /dev/mapper/boot
> mount --mkdir /dev/mapper/boot /mnt/boot

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/crypttmp
> cryptsetup open /dev/vg001/crypttmp tmp
> mkfs.ext4 /dev/mapper/tmp
> mount --mkdir /dev/mapper/tmp /mnt/tmp

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/cryptvar
> cryptsetup open /dev/vg001/cryptvar var
> mkfs.ext4 /dev/mapper/var
> mount --mkdir /dev/mapper/var /mnt/var

> cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase /dev/vg001/crypthome
> cryptsetup open /dev/vg001/crypthome home
> mkfs.ext4 /dev/mapper/home
> mount --mkdir /dev/mapper/home /mnt/home

> lsblk -f
NAME				FSTYPE		FSVER	LABEL	UUID	FSAVAIL	FSUSE%	MOUNTPOINTS
loop0				squashfs	4.0							0	100%	/run/archiso/airootfs
nvme1n1
└─nvme1n1p1			LVM2_member	LVM2 001		...
  └─vg001-crypthome	crypto_LUKS	2				...
    └─home			ext4		1.0				...		6.5T	0%		/mnt/home
nvme0n1
└─nvme0n1p1			LVM2_member	LVM2 001		...
  ├─vg001-cryptboot	crypto_LUKS	2				...
  │ └─boot			ext4		1.0				...		907M	0%		/mnt/boot
  ├─vg001-crypttmp	crypto_LUKS	2				...
  │ └─tmp			ext4		1.0				...		59.5G	0%		/mnt/tmp
  ├─vg001-cryptvar	crypto_LUKS	2				...
  │ └─var			ext4		1.0				...		59.5G	0%		/mnt/var
  ├─vg001-cryptroot	crypto_LUKS	2				...
  │ └─root			ext4		1.0				...		119G	0%		/mnt
  └─vg001-crypthome	crypto_LUKS	2				...
    └─home			ext4		1.0				...		6.5T	0%		/mnt/home

h) Edit /etc/mkinitcpio.conf

> nano /etc/mkinitcpio.conf
> cat /etc/mkinitcpio.conf
...
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block lvm2 encrypt filesystems fsck)
...

i) Configure GRUB

> nano /etc/default/grub
> cat /etc/default/grub
...
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=(Insert UUID of vg001-cryptboot):cryptlvm ..."
...
GRUB_ENABLE_CRYPTODISK=y
...

5. Install System
a) Install Basic Tools

> pacstrap -K /mnt base linux linux-firmware amd-ucode grub efibootmgr
...
:: Retrieving packages...
...
==> Initcpio image generation successful
(13/13) Reloading system bus configuration...
Skipped: Running in chroot.
pacstrap -K /mnt base linux linux-firmware intel-ucode grub efibootmgr ...s user ...s system ...% cpu ... total

b) Generate fstab

> genfstab -U /mnt >> /mnt/etc/fstab
> cat /mnt/etc/fstab
...
# <file system> 	<dir> 	<type> 	<options> 	<dump> <pass>
# /dev/mapper/root
UUID=...			/		ext4	rw,relatime	0		1
# /dev/mapper/boot
UUID=...			/boot	ext4	rw,relatime	0		2
# /dev/mapper/tmp
UUID=...			/tmp	ext4	rw,relatime	0		2
# /dev/mapper/var
UUID=...			/var	ext4	rw,relatime	0		2
# /dev/mapper/home
UUID=...			/home	ext4	rw,relatime	0		2

c) Change Root

root@archiso ~ # arch-chroot /mnt
[root@archiso /] # 

d) Set Time

> ln -sf /usr/share/zoneinfo/UTC /etc/localtime
> hwclock --systohc

e) Set Locales

> pacman -Syu --needed nano
> nano /etc/locale.gen
> cat /etc/locale.gen
...
en_US.UTF-8 UTF-8
...

> locale-gen
Generating locales...
en_US.UTF-8... done
Generation complete.

> nano /etc/locale.conf
> cat /etc/locale.conf
LANG=en_US.UTF-8

> nano /etc/vconsole.conf
> cat /etc/vconsole.conf
KEYMAP=us

f) Network

> nano /etc/hostname
> cat /etc/hostname
davidsarchlinux
> pacman -Syu --needed networkmanager fail2ban iptables wireless-regdb
> nano /etc/conf.d/wireless-regdom
> cat /etc/conf.d/wireless-regdom
...
WIRELESS_REGDOM="US"
...
> iw reg set US
> systemctl enable NetworkManager

g) More Packages

> pacman -Syu --needed sudo base-devel gnome gnome-extra lightdm ...

h) Set User

> passwd
> useradd -m david
> passwd david
> visudo
sudo ALL=(ALL:ALL) ALL
> groupadd sudo
> usermod -aG sudo david

i) Install Grub

> grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --recheck
grub-install: error: /boot doesn't look like an EFI partition.

Last edited by 6i5 (2024-06-09 21:23:44)


#2 2024-06-09 22:02:55

kermit63
Member
Registered: 2018-07-04
Posts: 188

Re: Cannot install GRUB on encrypted disk

I see at least 3 mistakes just from a cursory look:

1. GRUB does not support luks2 argon2 encryption.
2. EFI partition cannot be inside LVM.
3. EFI partition cannot be ext4. The EFI partition and /boot are 2 separate entities, although there are use cases where they can be in the same partition.

There could be more errors, but I didn't really look very hard and the post is quite lengthy.

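The two checkable points in the reply above (the EFI System Partition must be a plain FAT partition outside LVM, and any LUKS2 container GRUB itself has to open must use pbkdf2 rather than argon2) can be turned into a preflight script to run in the chroot before grub-install. This is an added example, not code from the thread or from Arch; the lsblk and luksDump texts are constructed samples modelled on the posted layout, and the /boot/efi mount point, the function names and the vg001 device path in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for grub-install on a
# LUKS-on-LVM layout, derived from the two verifiable points in the reply:
#   (a) the EFI System Partition must be a plain FAT partition outside LVM,
#       which is what "/boot doesn't look like an EFI partition" is about;
#   (b) a LUKS2 container that GRUB itself has to unlock (an encrypted /boot)
#       must use the pbkdf2 KDF, since GRUB's cryptodisk has no argon2.
# Inputs are constructed strings so the script runs without block devices.
# On a live system feed it real output instead (paths are assumptions):
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | check_esp /boot/efi
#   cryptsetup luksDump /dev/vg001/cryptboot | check_kdf

# field LINE KEY: extract KEY="value" from one lsblk -P line (POSIX sed only).
# A space is prepended so " TYPE=" cannot match inside "FSTYPE=".
field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# check_esp ESPDIR: reads lsblk -P lines on stdin; succeeds only if a real
# partition (TYPE=part, so neither an LV nor a dm-crypt mapping) formatted
# vfat is mounted at ESPDIR.
check_esp() {
    espdir=$1
    found=1
    while IFS= read -r line; do
        [ "$(field "$line" MOUNTPOINT)" = "$espdir" ] || continue
        [ "$(field "$line" TYPE)" = part ] || continue
        [ "$(field "$line" FSTYPE)" = vfat ] || continue
        found=0
    done
    return $found
}

# check_kdf: reads cryptsetup luksDump output on stdin. LUKS1 headers are
# always PBKDF2 and pass; for LUKS2 every keyslot's "PBKDF:" line must say pbkdf2.
check_kdf() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q '^Version:[[:space:]]*1[[:space:]]*$'; then
        return 0
    fi
    total=$(printf '%s\n' "$dump" | grep -c 'PBKDF:' || true)
    ok=$(printf '%s\n' "$dump" | grep -c 'PBKDF:[[:space:]]*pbkdf2' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ok" ]
}

# preflight ESPDIR LSBLK_TEXT DUMP_TEXT: run both checks, report, return 0/1.
preflight() {
    rc=0
    if printf '%s\n' "$2" | check_esp "$1"; then
        echo "ok:   vfat partition outside LVM is mounted at $1"
    else
        echo "FAIL: no vfat TYPE=part mounted at $1 (create one with mkfs.fat -F 32 and mount it there)"
        rc=1
    fi
    if printf '%s\n' "$3" | check_kdf; then
        echo "ok:   every keyslot uses pbkdf2, GRUB can unlock this container"
    else
        echo "FAIL: a keyslot uses argon2; luksFormat with --pbkdf pbkdf2 or run cryptsetup luksConvertKey --pbkdf pbkdf2"
        rc=1
    fi
    return $rc
}

# Constructed sample: the poster's layout (no ESP; /boot is ext4 on a LUKS LV).
LSBLK_POSTED='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg001-cryptboot" TYPE="lvm" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="boot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/boot"'

# Constructed sample: a layout the checks accept (FAT32 ESP as its own partition).
LSBLK_FIXED='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg001-cryptboot" TYPE="lvm" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="boot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/boot"'

# Constructed, trimmed luksDump excerpts: the posted luksFormat used argon2id.
DUMP_ARGON='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        AF hash:    sha512'

DUMP_PBKDF2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000000'

echo "== layout as posted =="
preflight /boot "$LSBLK_POSTED" "$DUMP_ARGON" || true
echo "== corrected layout =="
preflight /boot/efi "$LSBLK_FIXED" "$DUMP_PBKDF2"
```

The ESP check deliberately demands TYPE=part: a vfat filesystem created inside a logical volume or on top of a dm-crypt mapping would still be rejected, because the firmware reads the ESP before any LVM or LUKS code runs. GRUB_ENABLE_CRYPTODISK only governs the encrypted /boot that GRUB opens after the firmware has loaded it from the unencrypted FAT ESP; the two filesystems stay separate.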
