Topic: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #15
Dear strajder, thank you a lot for such a detailed reply with pictures!

In the future, please don't necro 2 year old threads. Create a separate thread.

This is a sticky thread for support/feedback for this Wiki manual and I still support it - although I'm a bit late this time, so thank you a lot for your kind help ;)

I managed to follow your guide up until one point, where the Calamares installer will install the bootloader, then it crashes with bootloader installation error.

Seems I found the problem! In the newer Calamares version (Github: calamares/src/modules/bootloader/main.py), they surrounded the previously-standalone "prepare_bootloader(fw_type)" line in this way:

Code: [Select]
    try:
        prepare_bootloader(fw_type)
    except subprocess.CalledProcessError as e:
        libcalamares.utils.warning(str(e))
        libcalamares.utils.debug("stdout:" + str(e.stdout))
        libcalamares.utils.debug("stderr:" + str(e.stderr))
        return (_("Bootloader installation error"),
                _("The bootloader could not be installed. The installation command <pre>{!s}</pre> returned error code {!s}.")
                .format(e.cmd, e.returncode))

    return None

There should be at least one not-commented-out line between try and except, otherwise the code will break - so a previous solution doesn't work anymore. Now, need to either comment-out the whole try/except block, or simply replace the same
Code: [Select]
    prepare_bootloader(fw_type)
with
Code: [Select]
    return None
After doing this, the installation completed successfully with artix-xfce-openrc-20220123-x86_64.iso ;D . I already updated the Wiki with this fix, and will re-check the rest of the guide as soon as possible

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #16
Seems I found the problem! At the Calamares newer version (Github: calamares/src/modules/bootloader/main.py) , they surrounded the previously-standalone "prepare_bootloader(fw_type)" line in this way:
As I stated in my previous post in this thread, simply commenting out the appropriate line (as was indicated in the then-current version of the wiki article) in the then-fresh artix-lxqt-openrc-20220213-x86_64.iso works.

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #17
As I stated in my previous post in this thread, simply commenting out the appropriate line (as was indicated in the then-current version of the wiki article) in the then-fresh artix-lxqt-openrc-20220213-x86_64.iso works.

Strange, on artix-xfce-openrc-20220123-x86_64.iso I tried simply commenting out this line, but got the following error:
Code: [Select]
Installation Failed

Boost.Python error in job "bootloader".

Details:

<div><strong>&lt;class 'IndentationError'&gt;</strong></div><div>(&quot;expected an indented block
after 'try' statement on line 616&quot;, ('/usr/lib/calamares/modules/bootloader/main.py', 618, 5, '
    except subprocess.CalledProcessError as e:\n', 618, 11))</div>

But, if I replace it by return None or something else - i.e. libcalamares.utils.debug("Do nothing") - then the installation completes successfully
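The IndentationError quoted above is exactly what Python raises when the only statement in a `try:` block is commented out. The following is an added example (not code from the thread or from Calamares) that compiles a trimmed stand-in for the bootloader module's try/except with each candidate body: the unmodified call, the commented-out line from the old wiki fix, the `return None` replacement from Reply #15, and `pass`, which is also a valid no-op body. The `run()` wrapper and the shortened except clause are assumptions for the sake of the demonstration.

```python
# Added example (not from the thread or from Calamares itself): compile each
# way of neutralising the prepare_bootloader() call in the newer Calamares
# bootloader/main.py and see which ones Python accepts. The surrounding
# try/except is a trimmed stand-in for the module's real code.

TEMPLATE = (
    "def run(fw_type):\n"
    "    try:\n"
    "{body}\n"
    "    except subprocess.CalledProcessError as e:\n"
    "        return ('Bootloader installation error', str(e))\n"
    "    return None\n"
)

# The four candidate bodies for the try block, indented as they would be in main.py.
VARIANTS = {
    "original":      "        prepare_bootloader(fw_type)",    # unmodified call
    "commented_out": "        # prepare_bootloader(fw_type)",  # the old wiki fix
    "return_none":   "        return None",                     # the fix from Reply #15
    "pass":          "        pass",                            # also valid: a no-op body
}


def compile_error(variant):
    """Return None if the variant compiles, else the name of the exception raised.

    A comment-only line is not a statement, so the 'commented_out' variant leaves
    the try block empty and the parser reports IndentationError, which is the
    Boost.Python traceback quoted in Reply #17.
    """
    source = TEMPLATE.format(body=VARIANTS[variant])
    try:
        compile(source, "main.py", "exec")
    except SyntaxError as exc:  # IndentationError is a subclass of SyntaxError
        return type(exc).__name__
    return None


def report():
    """Map every variant to its compile result (None means it parses)."""
    return {name: compile_error(name) for name in VARIANTS}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:14s} -> {'compiles' if result is None else result}")
```

Running it shows that only the commented-out variant fails, which is why the wiki's earlier "just comment it out" instruction stopped working once the call was wrapped in try/except.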

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #18
Strange, on artix-xfce-openrc-20220123-x86_64.iso I tried simply commenting out this line, but got the following error:
Code: [Select]
Installation Failed
That is strange. I just tried that again with the indicated ISO and indeed, now it fails. The only explanation that comes to mind is that I must have used an older ISO anyway somehow. The other possibility is that I commented the entire try block, but then I would mention that. I did test the installation in QEMU by following that guide at the time.

In any case, Calamares now supports encryption from the UI directly, without the need for hacks like this one, as demonstrated in the screenshots.

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #19
In any case, Calamares now supports encryption from the UI directly, without the need for hacks like this one, as demonstrated in the screenshots.

Indeed; I'm only using this manual approach because I would like a stronger (although slower) encryption than Calamares default. Hopefully they'd implement the custom encryption option (i.e. Github: calamares/issues/1452) one day...

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #20
After going through 1 , 2 , 3 , 4 , 5 threads, I just did a huge update to the InstallationWithFullDiskEncryption manual !  8) Everyone is welcome to try it and share your feedback ;)

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #21
@qmastery thanks a lot!
I created/mounted my partitions, the LUKS container, the LVM volumes inside, then launched the installer.
But I couldn't get Artix installed, not being aware of the little bugs in Calamares :D
I followed your manual, went around the bugs, and finally it works :)


Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #22
Consider changing the
Code: [Select]
cryptsetup luksFormat
command to use a hashing algorithm other than whirlpool as whirlpool was moved to openssl's legacy provider.

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #23
The info on cryptsetup is dangerously outdated. I'd suggest just using default values (for hashes and the like) and maybe consider using LUKS2.

As of yesterday, encrypting one's system with the suggested values will result in a borked boot because of the missing support of the whirlpool hashing algorithm.

I haven't found any info on usage of openssl-1.0 and openssl-1.1 for encrypted boot. Does anyone know why it isn't using 3.x?

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #24
Consider changing the "cryptsetup luksFormat" command to use a hashing algorithm other than whirlpool as whirlpool was moved to openssl's legacy provider.
Huge thanks to @Dudemanguy ! He has replaced whirlpool with sha512 and by that he has fixed this manual for almost 2 months until I had the time to fix it further... Now, after some extra tweaks, it is working for whirlpool too, but I decided to continue using sha512 there until the further investigation on what gives the stronger encryption. The strongest encryption is my ultimate goal, and I believe that the settings used in this manual should be as secure as possible (and let's leave it up to a user to decide how much security to sacrifice for how much extra performance) - so I have also restored the key-size back to 512
The info on cryptsetup is dangerously outdated. I'd suggest just using default values (for hashes and the like).
The default cryptsetup values may give more performance, but that comes with a significant security sacrifice. Also, a great part of this manual is a workaround for using custom encryption values, because Calamares doesn't allow their customization, and that is a major issue for many. But if you are fine with these default values, maybe you may simply use the Calamares default encryption and install Artix much faster this way. LUKS2 is still relatively new and security holes like this are happening to it from time to time, so using LUKS1 may be better for security and also compatibility reasons
As of yesterday encrypting ones system with the suggested values will result in a borked boot because of the missing support of the whirlpool hashing algorithm.
Actually it was bad for sha512 hashing algorithm too, it's just maybe it broke less and still allowed to boot. During the today's tests (in a VM by the fresh installs), I got
Code: [Select]
==> ERROR: binary dependency `libcrypto.so.3' not found for `cryptsetup'
==> ERROR: file not found: `/usr/lib/ossl-modules/legacy.so'
while installing the cryptsetup - regardless of whether whirlpool or sha512 have been used for that root partition! - and some extra tweaks were required to fix it for everyone
I haven't found any info on usage of openssl-1.0 and openssl-1.1 for encrypted boot. Does anyone know why it isn't using 3.x?
At the time of writing this manual and until very recently, Artix used openssl-1.1 - you could verify it by looking at any "...-20220713-x86_64.iso" - so the manual also used 1.1. After the today's fixes, it uses both 1.1 and 3.x to allow the maximum customization of the encryption and i.e. make it possible to use whirlpool, although the instruction uses sha512 now
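Two header properties come up repeatedly in this thread as boot-breakers: a whirlpool hash (now in OpenSSL 3's legacy provider, hence the missing `legacy.so` error quoted above) and a LUKS2 header on a volume GRUB has to unlock. The following is an added example (not from the thread, the wiki, or cryptsetup) that parses the text `cryptsetup luksDump <device>` prints and flags both conditions before you rebuild the initramfs or install GRUB. Both dumps inside it are constructed samples rather than output captured from a real disk, and the `grub_compat_warnings` wording summarises the reports in this thread only.

```python
import re

# Added example (not from the thread or from cryptsetup): parse the text that
# `cryptsetup luksDump <device>` prints and flag the two header properties this
# thread found to break a GRUB-unlocked boot. Both dumps below are constructed
# samples, not captured from a real disk.

SAMPLE_LUKS1_WHIRLPOOL = (
    "LUKS header information for /dev/sda2\n"
    "\n"
    "Version:       \t1\n"
    "Cipher name:   \taes\n"
    "Cipher mode:   \txts-plain64\n"
    "Hash spec:     \twhirlpool\n"
    "Payload offset:\t4096\n"
    "MK bits:       \t512\n"
)

SAMPLE_LUKS2_SHA512 = (
    "LUKS header information\n"
    "Version:       \t2\n"
    "Epoch:         \t3\n"
    "Keyslots:\n"
    "  0: luks2\n"
    "\tKey:        512 bits\n"
    "\tCipher:     aes-xts-plain64\n"
    "\tAF hash:    sha512\n"
    "\tPBKDF:      argon2id\n"
)


def parse_luks_dump(text):
    """Extract the header version and key-derivation hash from luksDump output."""
    version = re.search(r"^Version:\s*(\d+)", text, re.M)
    # LUKS1 prints 'Hash spec:'; LUKS2 prints 'AF hash:' inside each keyslot.
    hash_ = re.search(r"^\s*(?:Hash spec|AF hash):\s*(\S+)", text, re.M)
    return {
        "version": int(version.group(1)) if version else None,
        "hash": hash_.group(1).lower() if hash_ else None,
    }


def grub_compat_warnings(info):
    """Warnings derived only from the reports in this thread (Reply #24 and #25)."""
    warnings = []
    if info["version"] == 2:
        warnings.append(
            "LUKS2 header: the thread reports GRUB rejecting the passphrase; "
            "use `cryptsetup luksFormat --type luks1` for a GRUB-unlocked volume"
        )
    if info["hash"] == "whirlpool":
        warnings.append(
            "whirlpool hash: lives in OpenSSL 3's legacy provider, so cryptsetup "
            "needs /usr/lib/ossl-modules/legacy.so (the missing file in the quoted error)"
        )
    return warnings


def check_dump(text):
    """Parse a luksDump and attach the compatibility warnings it triggers."""
    info = parse_luks_dump(text)
    info["warnings"] = grub_compat_warnings(info)
    return info


if __name__ == "__main__":
    for label, dump in (("luks1/whirlpool", SAMPLE_LUKS1_WHIRLPOOL),
                        ("luks2/sha512", SAMPLE_LUKS2_SHA512)):
        result = check_dump(dump)
        print(label, f"version={result['version']}", f"hash={result['hash']}",
              *result["warnings"], sep="\n  ")
```

On a real system, feed it `subprocess.run(["cryptsetup", "luksDump", "/dev/sdXN"], capture_output=True, text=True).stdout` as root; an empty warnings list for a LUKS1/sha512 header matches the combination the manual settled on.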

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #25
Quote
using LUKS1 may be better for security and also compatibility reasons

Definitely the case. Not specifying luks1 during luksFormat means that grub always rejected my password during decryption of the master key. Grub and luks2 are just not playing nice currently.

I also wanted to bring up a potential change / edit, whereby parted always gave me issues later in the installation. When partitioning with parted, I would always encounter errors during grub-install. Either "unknown filesystem" or "cannot find EFI directory".

I followed the guide precisely 3 times. I then repeated the guide but using fdisk instead, and everything worked fine.

This is an edge case I would say, but maybe worth adding as a note in the partitioning step, that for some users parted can lead to issues with grub-install, and to use fdisk or alternative instead?

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #26
maybe worth adding as a note in the partitioning step, that for some users parted can lead to issues with grub-install, and to use fdisk or alternative instead?
@tjex  Thank you for your kind words and feedback. Please tell, are you using this guide on BIOS or UEFI system - and, if UEFI, is it in CSM mode or not?

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #27
I also wanted to bring up a potential change / edit, where by parted always gave me issues later in the installation. When partitioning with parted, I would always encounter errors during grub-install. Either "unknown filesystem" or "cannot find EFI directory". I followed the guide precisely 3 times. I then repeated the guide but using fdisk instead, and everything worked fine.
Dear @tjex , thank you so much for reporting this error and suggesting a workaround. It turned out there is some regression in newer parted versions (3.4-2 is fine, while 3.5-1 and 3.6-1 are not), causing it to create the partitions that are disliked by GRUB (even "--skip-fs-probe" does not help! this doesn't seem a GRUB fault, because downgrading GRUB does not help). As a temporary fix, I have updated the instructions with

ERRATA: to avoid the grub-install: error: unknown filesystem - please downgrade the parted utility from 3.6-1 to 3.4-2 before making the partitions
Code: [Select]
pacman -U "https://archive.artixlinux.org/packages/p/parted/parted-3.4-2-x86_64.pkg.tar.zst"
Luckily, everything else is working fine :) A bit later I will investigate this issue further: either there is some new command line option that has to be added to new parted to force a desired behavior, or maybe there is a parted bug that has to be reported upstream. As for now, everyone has to either use parted 3.4-2 or the alternative disk partitioning utilities like fdisk ???

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #28
@qmastery , I've tried going through the installation with disk encryption [case A], using gdisk and fdisk several times (I'm using GPT) and it never seems to work at the GRUB install stage. It keeps giving me the "grub-install: error: unknown filesystem". I'm not sure how to modify parted if I'm using GPT either. I even tried following the Void Linux documentation for FDE (with some modification) with no luck. FDE works fine when I'm installing Void Linux, just not on Artix for some reason. I really want it to work on my Artix install.

Just really confused. I feel like it should work fine regardless of what distro you're using. I feel like there's some sort of weird bug in the GRUB package that's causing it to not recognize my filesystems.

Re: Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

Reply #29
>error: no such cryptodisk found, perhaps a needed disk or cryptodisk module is not loaded
>error: 'lvmid/<UUID>/<UUID>/<UUID>' not found.
>Entering rescue mode...

the error message I get after entering my password on boot. It then prompts to a grub rescue shell.
Anyone got any idea what this module could refer to and/or why grub can't seem to read/load the disk?

EDIT: I forgot to specify --type luks1 so I will give that a shot tomorrow


EDIT: --type luks1 didn't solve it. However, I wonder if the calamares installer is absolutely necessary. And I am confused about the rc-update command. Does this mean that this installation guide only works for systems employing OpenRC? This whole time I was installing for dinit... maybe at the start of the guide it should warn the user that it would only work if you use OpenRC?