Thanks for your response. It's sort of complicated so I didn't want to try to type it all out if there was something simple I could look for since this is my first time doing anything requiring modifying the crypttab file, but here is the layout:
ISO Used for Install: artix-base-runit-20220123-x86_64.iso
Planned Partition Layout:
```
.
├── /dev/sda (LUKS2 detached header+keyfile, Root Partition)
│   └── /dev/mapper/cryptroot (BTRFS)
│       ├── /swap
│       ├── /.snapshots
│       ├── /tmp
│       ├── /home
│       ├── /root
│       └── /
│           └── /boot_keyfile.bin (/dev/sdb2 boot partition)
└── /dev/sdb
    ├── /dev/sdb1 (BIOS BOOT, No FS, 1MiB)
    ├── /dev/sdb2 (LUKS1, Boot Partition)
    │   └── /dev/mapper/boot (EXT4, 1GiB)
    │       ├── /crypto_header (/dev/sda root partition)
    │       └── /crypto_keyfile.bin (/dev/sda root partition)
    └── /dev/sdb3 (Empty Partition)
```
/etc/crypttab: (First two commented out boot options didn't work, so I tried to get it to ask me for a password on boot, but it didn't)
```
# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
# home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1
# data1 /dev/sda3 /etc/mypassword2
# data2 /dev/sda5 /etc/cryptfs.key
# swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
# vol /dev/sdb7 none
# boot UUID=bbaa2392-28a0-448f-99b3-e5ebe1d626e9 /boot/keyfile.bin
# boot /dev/sdb2 /boot/keyfile.bin
# boot UUID=bbaa2392-28a0-448f-99b3-e5ebe1d626e9
boot /dev/sdb2
```
/etc/fstab: (The line mounting the cryptroot @boot subvolume might have been a mistake, so I commented it. The system won't boot successfully without the line regarding /dev/mapper/boot commented though).
```
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec / btrfs rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=257,subvol=/@ 0 0
# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /root btrfs rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=259,subvol=/@root 0 0
# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /home btrfs rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=258,subvol=/@home 0 0
# /dev/mapper/cryptroot
# UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /boot btrfs rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=260,subvol=/@boot 0 0
# /dev/mapper/boot
# UUID=235e26c5-be28-489f-84c7-97e170c15245 /boot ext4 rw,relatime 0 2
# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /tmp btrfs rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=261,subvol=/@tmp 0 0
# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /.snapshots btrfs rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=263,subvol=/@.snapshots 0 0
# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /swap btrfs rw,relatime,compress=zstd:3,space_cache,commit=180,subvolid=262,subvol=/@swap 0 0
```
blkid:
```
/dev/sdb2: UUID="bbaa2932-28a0-448f-99b3-e5ebe1d626e9" TYPE="crypto_LUKS" PARTUUID="219f0484-a570-d44a-9e2e-3c34e45fbe22"
/dev/sdb3: PARTUUID="6d881aa5-0b71-c548-8507-deac519cd42e"
/dev/sdb1: PARTUUID="c9d0881a-8b0f-3f46-8c55-0573409a15dd"
/dev/mapper/cryptroot: UUID="0b89a5a2-ba83-46f0-8067-1adbad66baec" UUID_SUB="6d27c4a1-efbb-4753-90ce-053d5c32411a" BLOCK_SIZE="4096" TYPE="btrfs"
```
lsblk: (Generated on fresh boot. /dev/sdb2 isn't opened)
```
NAME          SIZE TYPE  MOUNTPOINTS UUID
sda         465.8G disk
`-cryptroot 465.8G crypt /swap       0b89a5a2-ba83-46f0-8067-1adbad66baec
                         /.snapshots
                         /tmp
                         /home
                         /root
                         /
sdb          14.6G disk
|-sdb1          1M part
|-sdb2          1G part              bbaa2932-28a0-448f-99b3-e5ebe1d626e9
`-sdb3       13.6G part
sdc             0B disk
sr0          1024M rom
```
Here's a short summary of what I did; I can go into more detail on any part of it if necessary:
- Formatted a USB Drive with a new GPT, 512MiB EFI System Partition (type to ESP), and 1GiB Boot partition
- Formatted the ESP as FAT32 and encrypted the boot partition as LUKS1
- Unlocked and mounted the boot partition to /mnt/boot
- Encrypted the hard drive (/dev/sda) with a detached header named "crypto_header" in the boot partition
- Unlocked the hard drive using its header and mounted it to /mnt/root
- Mounted the Boot partition at /mnt/root/boot
- Generated the fstab file
- Installed base system to /mnt/root with the packages "linux base neovim man-db"
- Chrooted into the base system
- Installed grub, efibootmgr, cryptroot, cryptsetup, git, base-devel
- Made a non-root user in the "wheel" group and with a home directory
- Used `EDITOR=nvim visudo` to allow users in the wheel group to run commands with sudo
- Switched to the non-root user with su
- Used git to download this AUR package and installed it
- Exited the non-root user's shell
- Created a keyfile named "crypto_keyfile.bin" in the boot partition and added it as a key for /dev/sda
- Added the absolute paths of the keyfile and header in /boot to the FILES variable in /etc/mkinitcpio.conf
- Added the encrypt-dh hook between the block and filesystem hooks in the HOOKS variable in /etc/mkinitcpio.conf
- Regenerated the initramfs
- Added "cryptdevice:/dev/sda:cryptroot root=/dev/mapper/cryptroot cryptkey=rootfs:/boot/crypto_keyfile.bin cryptheader=rootfs:/boot/crypto_header" to the "GRUB_CMDLINE_LINUX" variable in /etc/default/grub and uncommented "GRUB_ENABLE_CRYPTODISK=y" (You can't use UUIDs here because /dev/sda doesn't have a UUID)
- Generated another keyfile for the boot partition, this time in root, and added it as a key for the boot partition
- Added the boot partition with its keyfile to crypttab
- Rebooted, input password for the boot partition, waited for login prompt
There isn't a specific reason I'm doing it this way other than that I thought it would be fun to learn how. Also, I noticed there weren't really many tutorials readily available for installing Artix with encryption, so I figured I'd make one covering an install with basic encryption (encrypted root only, unencrypted boot) and one with true full disk encryption. Because there aren't many tutorials (unless there's a hidden treasure trove I'm unaware of), I wasn't able to follow any specific guides to do this and primarily pulled the information needed to set this up from a large number of Arch Wiki pages and Internet blogs. I'm kind of stuck between a frustration that easy-to-follow guides for this kind of thing (and a number of other things) are hard to find and a fear that I'm unqualified to make them, but I'll continue on with writing them for now, I guess.
Please tell me if there is anything else I should provide.
Thanks in advance,
Nick
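
Added example (not part of the original post, and not code from Artix or cryptsetup): a shell check that cross-references the device named in each crypttab line, including commented-out attempts, against the LUKS containers that blkid reports. The sample data is abridged from the listings above, where the commented `UUID=bbaa2392-…` lines do not match the `bbaa2932-…` that blkid shows for /dev/sdb2; the function name `check_crypttab` and the variable names are made up for this example.

```shell
#!/bin/sh
# Sample data abridged from the post. On a live system pass
# "$(cat /etc/crypttab)" and "$(blkid)" instead.
CRYPTTAB_SAMPLE='# boot UUID=bbaa2392-28a0-448f-99b3-e5ebe1d626e9 /boot/keyfile.bin
# boot /dev/sdb2 /boot/keyfile.bin
# boot UUID=bbaa2392-28a0-448f-99b3-e5ebe1d626e9
boot /dev/sdb2'

BLKID_SAMPLE='/dev/sdb2: UUID="bbaa2932-28a0-448f-99b3-e5ebe1d626e9" TYPE="crypto_LUKS" PARTUUID="219f0484-a570-d44a-9e2e-3c34e45fbe22"
/dev/sdb3: PARTUUID="6d881aa5-0b71-c548-8507-deac519cd42e"
/dev/mapper/cryptroot: UUID="0b89a5a2-ba83-46f0-8067-1adbad66baec" TYPE="btrfs"'

# check_crypttab CRYPTTAB_TEXT BLKID_TEXT  (hypothetical helper)
# Prints "OK <name> <device>" or "MISMATCH <name> <device>" per entry.
check_crypttab() {
    printf '%s\n' "$1" | BLKID="$2" awk '
    BEGIN {
        # Index every LUKS container by device path and by UUID=<uuid>.
        n = split(ENVIRON["BLKID"], rows, "\n")
        for (i = 1; i <= n; i++) {
            if (rows[i] !~ /TYPE="crypto_LUKS"/) continue
            dev = rows[i]; sub(/:.*/, "", dev)
            luks[dev] = 1
            # Leading space keeps PARTUUID= and UUID_SUB= from matching.
            if (match(rows[i], / UUID="[^"]+"/)) {
                uuid = substr(rows[i], RSTART + 7, RLENGTH - 8)
                luks["UUID=" uuid] = 1
            }
        }
    }
    { sub(/^#[ \t]*/, "") }    # audit commented-out attempts as well
    NF >= 2 && ($2 ~ /^UUID=/ || $2 ~ /^\/dev\//) {
        status = ($2 in luks) ? "OK" : "MISMATCH"
        print status, $1, $2
    }'
}

check_crypttab "$CRYPTTAB_SAMPLE" "$BLKID_SAMPLE"
```

A `MISMATCH` line means the device field names nothing that blkid identifies as `crypto_LUKS`, so an entry using it cannot resolve to the container.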