Hello
I'm trying to create a system on two NVMe disks. I want the disks to be mirrored and I want to have disk encryption.
My idea is to have LVM on LUKS, where I use the LVM RAID feature to have the root partition mirrored onto both disks. There is a boot partition on both disks, where one partition is used to boot and then regularly copied to the other partition.
I have partitioned the disks into an EFI and a Linux filesystem
Disk /dev/nvme0n1: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
...
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 8390655 8388608 4G EFI System
/dev/nvme0n1p2 8390656 1953523711 1945133056 927.5G Linux filesystem
Disk /dev/nvme1n1: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
...
Device Start End Sectors Size Type
/dev/nvme1n1p1 2048 8390655 8388608 4G EFI System
/dev/nvme1n1p2 8390656 1953523711 1945133056 927.5G Linux filesystem
I have then created a LUKS encrypted container on /dev/nvme0n1p2 called cryptlvm0 and on /dev/nvme1n1p2 called cryptlvm1
I have created a physical volume on each LUKS container and combined them into a volume group called RootVolGroup.
In this volume group I have created two logical volumes, one for swap and one for the system root. Both are created with RAID1. Here is an example of how I created the root:
# lvcreate --type raid1 --mirrors 1 -l 100%FREE -n root RootVolGroup /dev/mapper/cryptlvm0 /dev/mapper/cryptlvm1
I have then installed essential packages onto the logical volume called root and I'm mounting /dev/nvme0n1p1 into /boot as my EFI partition.
I can chroot into the system and everything seems to work as I would expect.
Here is my fstab
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/RootVolGroup-root
UUID=e785a671-ea84-4438-b088-ccc967321c9a / ext4 rw,relatime 0 1
# /dev/nvme0n1p1
UUID=8B1B-8232 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/mapper/RootVolGroup-swap
UUID=c0cf5ef0-380c-4660-9bcd-0859b1051be0 none swap defaults 0 0
For booting I have added lvm2 and encrypt to mkinitcpio so I have the following hooks
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)
And I have installed grub and configured the following in /etc/default/grub. I'm not entirely sure if this is how the kernel understands that it should decrypt both LUKS containers before looking for the root device.
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=82af406f-2b88-476c-ae6d-87edd1378bbc:cryptlvm0 cryptdevice=UUID=3a0c16c5-e006-4123-ae47-2fbf1b0f4121:cryptlvm1 root=/dev/RootVolGroup/root"
I'm unable to boot into the system.
When I boot the system I get the grub menu and after that it asks for the password for cryptlvm1. After entering the password I'm dropped into a rootfs emergency shell with the message "ERROR: device '/dev/RootVolGroup/root' not found. Skipping fsck"
I have been looking in dmesg and found the following, which I think could be relevant:
Unknown kernel command line parameters "BOOT_IMAGE=/vmlinuz-linux-lts cryptdevice=UUID=3a0c16c5-e006-4123-ae47-2fbf1b0f4121:cryptlvm1", will be passed to user space.
cryptlvm1 is also mentioned in dmesg under "Run /init as init process". cryptlvm0 is never mentioned in dmesg.
It seems to me that it decrypts cryptlvm1 and then ignores cryptlvm0, which is a problem since they should both be decrypted for the volume group to be complete.
Any advice or suggestions would be much appreciated.
Last edited by PVDLW (2025-03-29 13:20:22)
Offline
"encrypt" hook opens a single device only
Offline
"encrypt" hook opens a single device only
Okay, I wasn't aware of that limitation and the existence of sd-encrypt. I will definitely look more into that.
Thanks.
Offline
I solved this by creating a copy of the encrypt hook called encrypt2 as suggested on the wiki: https://wiki.archlinux.org/title/Dm-cry … partitions
Offline
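The misconfiguration in this thread can be caught before rebooting. The check below is an added example, not code from the thread or from mkinitcpio; the function names are hypothetical, and it assumes, matching what the poster observed, that the last cryptdevice= parameter is the one the encrypt hook uses.

```shell
#!/bin/sh
# Added example, not from the thread: pre-reboot check for the failure above.

# Print the mapper name of each cryptdevice= parameter, in command-line order.
cryptdevice_names() (
    set -f                      # no globbing while word-splitting $1
    for word in $1; do
        case $word in
            cryptdevice=*)
                spec=${word#cryptdevice=}   # device:dmname[:options]
                rest=${spec#*:}
                printf '%s\n' "${rest%%:*}" ;;
        esac
    done
)

# Succeed if hook $2 appears in the space-separated HOOKS list $1.
has_hook() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# $1 = kernel command line, $2 = contents of HOOKS=( ... )
check_boot_config() {
    count=0 opened='' ignored=''
    for name in $(cryptdevice_names "$1"); do
        if [ -n "$opened" ]; then ignored="$ignored $opened"; fi
        opened=$name
        count=$((count + 1))
    done
    if has_hook "$2" encrypt && [ "$count" -gt 1 ]; then
        # Assumption: the last parameter wins, as observed in the thread.
        echo "FAIL: encrypt opens only $opened; never opened:$ignored"
        return 1
    fi
    echo "OK: $count cryptdevice= parameter(s)"
}

# Values posted in the thread.
THREAD_CMDLINE='loglevel=3 quiet cryptdevice=UUID=82af406f-2b88-476c-ae6d-87edd1378bbc:cryptlvm0 cryptdevice=UUID=3a0c16c5-e006-4123-ae47-2fbf1b0f4121:cryptlvm1 root=/dev/RootVolGroup/root'
THREAD_HOOKS='base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck'

check_boot_config "$THREAD_CMDLINE" "$THREAD_HOOKS" || true
```

A FAIL result means the volume group will be missing a physical volume at boot, which is the "device '/dev/RootVolGroup/root' not found" symptom reported above.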