Skip to main content
Topic: Decrypt multiple encrypted drives at boot w/ OpenRC (Read 981 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Decrypt multiple encrypted drives at boot w/ OpenRC

Hi everyone,

I would like to install Artix OpenRC over two different drives, something like this:


/dev/foo1 -----> unencrypted /boot partition
/dev/foo2 -----> LUKS-encrypted logical volume group (swap, /root and /home)
/dev/bar1 -----> LUKS-encrypted volume, mounted on /home/data


I would like to be prompted for the decryption passphrase of both drives at boot, something like:


loading initial ramdisk...
enter passphrase for /dev/foo2:
enter passphrase for /dev/bar1:


Any hint on where I should specify the instruction/uuid/mountpoint of /dev/bar1 in order for it to be properly mounted at boot? I am already capable of installing Artix w/ disk encryption on a single drive, I just don't know how to manage multiple ones.

Thanks in advance :)

Re: Decrypt multiple encrypted drives at boot w/ OpenRC

Reply #1
Quote from: shako – on
Hi everyone,

I would like to install Artix OpenRC over two different drives, something like this:


/dev/foo1 -----> unencrypted /boot partition
/dev/foo2 -----> LUKS-encrypted logical volume group (swap, /root and /home)
/dev/bar1 -----> LUKS-encrypted volume, mounted on /home/data


I would like to be prompted for the decryption passphrase of both drives at boot, something like:


loading initial ramdisk...
enter passphrase for /dev/foo2:
enter passphrase for /dev/bar1:


Any hint on where I should specify the instruction/uuid/mountpoint of /dev/bar1 in order for it to be properly mounted at boot? I am already capable of installing Artix w/ disk encryption on a single drive, I just don't know how to manage multiple ones.

Thanks in advance :)

You would have to write mkinitcpio hooks for this to work, so read: https://wiki.archlinux.org/title/Mkinitcpio#HOOKS

So write your Build and Runtime hooks, and place your hook in the HOOKS array in /etc/mkinitcpio.conf, and remember, order is important.

In the HOOKS array, my guess would be to put your hook after
the filesystems hook, like this:
Code: [Select]
HOOKS=(base udev autodetect modconf block filesystems unlock-luks keyboard fsck)

Re: Decrypt multiple encrypted drives at boot w/ OpenRC

Reply #2
Quote from: Lancia – on
So write your Build and Runtime hooks, and place your hook in the HOOKS array in /etc/mkinitcpio.conf, and remember, order is important.

Thank you for your answer @Lancia. I've inspected a few build and runtime hooks (in /usr/lib/initcpio/install and /usr/lib/initcpio/hooks respectively), and found out they can be quite complicated, and moreover each build hook is different from its runtime counterpart. I assume, in my case, that at the bare minimum my hook should include instructions to unlock and mount the encrypted drive. In principle, something like this:

Code: [Select]
#!/bin/bash
cryptsetup luksOpen /dev/bar1 && mount /dev/bar1 /home/data


But I'm not sure I got that right, and I am not sure what should be the difference between the build and runtime hook. May you give me some hints?

Re: Decrypt multiple encrypted drives at boot w/ OpenRC

Reply #3
I'm gonna give you a correct example:

For your build hook in /etc/initcpio/install/unlock-luks:

Code: [Select]
#!/bin/bash

build() { 

        add_binary cryptsetup

        add_runscript

}

help() {

        echo "Unlock LUKS drives at boot"

}

For your runtime hook in /etc/initcpio/hooks/unlock-luks:
Code: [Select]
#!/usr/bin/ash

run_hook(){

        cryptsetup luksOpen /dev/bar1

}

To get an idea consult the mkinitcpio man-page, but this should suffice.

>>But I'm not sure I got that right, and I am not sure what should be the difference between the build and runtime hook.

The build describes the hook itself, that is what binaries should be added, specifying a if a runtime hook should be added, etc

The runtime hook is a program/script built from the description given by the build hook.

EDIT: Try to just unlock the LUKS encrypted drive and let the rest of the boot process mount your /home/data that you specified in /etc/fstab

Re: Decrypt multiple encrypted drives at boot w/ OpenRC

Reply #4
Hi @shako,
if I understand correctly, what you would like to do is add a custom encrypted partition to a "standard" encrypted install (plain boot + encrypted root and home).
Am I right?

If so, then for the first part ("standard" cryptsetup system) you can just follow the existing instructions.
And then, for the second part (add a "custom" encrypted partition) I think I can help you.

What I have on my system is an encrypted /home partition with everything else being plain, so I need to decrypt and  mount the /home with an openrc entry.

First I configured the encrypted partition using cryptsetup (please tell me if you need help for that too).
Then I installed cryptsetup-openrc.
You then add the service with rc-update add dmcrypt boot,
and you add some lines like this in your /etc/conf.d/dmcrypt :

Code: [Select]
target=home-data
source=UUID="THE-UUID-OF-YOUR-ENCRYPTED-HOME-DATA-PARTITION"

And add the entry in your /etc/fstab (I have some options useful for SDDs, but your own needs may be different):

Code: [Select]
/dev/mapper/home-data	  /home/data		ext4		rw,noatime,discard	0 2

The last tricky thing I also needed is to tweak /etc/init.d/dmcryt by adding localmount in its before list:

Code: [Select]
..
depend() {
	use modules
	before checkfs fsck localmount
...

Without that, it fails at boot because localmount wants to mount it before it is mapped by dmcrypt.

I did not use any mkinitcpi hook, as everything is to be done by openrc way after the root system is booted and running.
 

Re: Decrypt multiple encrypted drives at boot w/ OpenRC

Reply #5
Thank you both @Lancia and @Ale for your excellent answers! I will try to implement them both ASAP and let you know :)