Skip to main content
Topic: LUKS2 and GRUB (Read 1996 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

LUKS2 and GRUB

No matter how I install grub-improved-luks2-git from AUR, I cannot boot into the system because I get into the uefi interactive shell in my virtual machine. (I don't dare to put it on real hardware yet) I never saw Grub...

Has anyone managed to get a system with full disk encryption and grub with LUKS2 support? Please share how you did it?

Re: LUKS2 and GRUB

Reply #1
I think you should at least share the /etc/default/grub you have

normally it should look like this

Code: [Select]
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=xxxx root=/dev/mapper/luks resume=/dev/xxxx"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
...
GRUB_ENABLE_CRYPTODISK="y"

and then
The /boot/grub/grub.cfg shall have
Code: [Select]
insmod part_gpt
insmod cryptodisk
insmod luks

 

Re: LUKS2 and GRUB

Reply #2
I would like to see grub installed first and then configure it. My goal is to keep the grub file on the ESP partition and encrypt everything else. This is how I do it:

Code: [Select]
/dev/vda1	ESP	 10M
/dev/vda2 LUKS 100%


Code: [Select]
cryptsetup luksFormat /dev/vda2
cryptsetup luksOpen /dev/vda2 lvm

pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm
lvcreate -L 20G main -n root
lvcreate -l 100%FREE main -n home

mkfs.vfat -F32 /dev/vda1
mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home

mount /dev/mapper/main-root /mnt
mkdir -p /mnt/{boot/efi,home}
mount /dev/vda1 /boot/efi
mount /dev/mapper/main-home /mnt/home

The next step is to install and configure artix.

Now I install grub-improved-luks2-git by pre-installing paru.

paru -S grub-improved-luks2-git --noconfirm

And the grub installation command

grub-install --target=x86_64-efi /dev/vda --recheck

or

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB

or

grub-install --target=x86_64-efi --efi-directory=/boot/ --bootloader-id=GRUB

The next thing I can do is to

grub-mkconfig -o /boot/grub/grub.cfg

Now after rebooting I don't see grub that was installed before, but this

https://i.ibb.co/Z8SB5M7/grub.png

Re: LUKS2 and GRUB

Reply #3
I suppose you know you can use LUKS without LVM?

I also think you need somewhere to run "update-grub" to install it.

Regarding luks, you may need to use /etc/crypttab too (not if you use passwords).


Re: LUKS2 and GRUB

Reply #4
I picked up another virtual machine and installed artix with  this script . After installation I rebooted a few times but each time I saw the grub bootloader. But as soon as I reinstalled grub with one of these commands everything crashes into uefi shell after reboot, even though the command to install is the same.

I don't understand what's going on...


Re: LUKS2 and GRUB

Reply #5
I can't help on that without spending too much time on it.
MoreoverI am using LUKS without LVM.

Let's hope someone else knows.

Re: LUKS2 and GRUB

Reply #6
I think this is a problem due to the very small size of the ESP partition...

You can easily get artix with full disk encryption and LUKS2 by following the notes below.

Code: [Select]
/dev/vda1	ESP     100M   #Don't make it smaller
/dev/vda2 LUKS 100%

cryptsetup luksFormat /dev/vda2
cryptsetup luksOpen /dev/vda2 lvm

pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm
lvcreate -L 20G main -n root
lvcreate -l 100%FREE main -n home
lvs

mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home

mount /dev/mapper/main-root /mnt
mkdir /mnt/home
mount /dev/mapper/main-home /mnt/home

basestrap /mnt base base-devel openrc elogind-openrc cryptsetup lvm2 micro linux-hardened git efibootmgr

fstabgen -U /mnt >> /mnt/etc/fstab

artix-chroot /mnt
echo "host" > /etc/hostname
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf

# Edit /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf kms encrypt keyboard keymap consolefont block lvm2 filesystems fsck)
mkinitcpio -P

# Edit /etc/sudoers
%wheel ALL=(ALL) ALL

useradd -m -G wheel user
passwd user

sudo su - user
git clone https://aur.archlinux.org/paru-bin.git
cd paru-bin
makepkg -si
paru -S grub-improved-luks2-git --noconfirm
exit

# Edit /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=uuid_for_/dev/vda2:lvm root=UUID=uuid_for_/dev/mapper/main-root"
GRUB_ENABLE_CRYPTODISK=y

mkdir /boot/efi
mount /dev/vda1 /boot/efi
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub /dev/vda --recheck
grub-mkconfig -o /boot/grub/grub.cfg

exit && reboot

It seems to have missed nothing.

Re: LUKS2 and GRUB

Reply #7
I think this is a problem due to the very small size of the ESP partition...

You can easily get artix with full disk encryption and LUKS2 by following the notes below.

Code: [Select]
/dev/vda1	ESP     100M   #Don't make it smaller
/dev/vda2 LUKS 100%

cryptsetup luksFormat /dev/vda2
cryptsetup luksOpen /dev/vda2 lvm

pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm
lvcreate -L 20G main -n root
lvcreate -l 100%FREE main -n home
lvs

mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home

mount /dev/mapper/main-root /mnt
mkdir /mnt/home
mount /dev/mapper/main-home /mnt/home

basestrap /mnt base base-devel openrc elogind-openrc cryptsetup lvm2 micro linux-hardened git efibootmgr

fstabgen -U /mnt >> /mnt/etc/fstab

artix-chroot /mnt
echo "host" > /etc/hostname
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf

# Edit /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf kms encrypt keyboard keymap consolefont block lvm2 filesystems fsck)
mkinitcpio -P

# Edit /etc/sudoers
%wheel ALL=(ALL) ALL

useradd -m -G wheel user
passwd user

sudo su - user
git clone https://aur.archlinux.org/paru-bin.git
cd paru-bin
makepkg -si
paru -S grub-improved-luks2-git --noconfirm
exit

# Edit /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=uuid_for_/dev/vda2:lvm root=UUID=uuid_for_/dev/mapper/main-root"
GRUB_ENABLE_CRYPTODISK=y

mkdir /boot/efi
mount /dev/vda1 /boot/efi
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub /dev/vda --recheck
grub-mkconfig -o /boot/grub/grub.cfg

exit && reboot

It seems to have missed nothing.

Everything seems to be working, thanks! It remains to understand how to make an installation script out of this.