Artix Linux Forum

Artix Linux => Installation / Migration / Configuration => Topic started by: nick0189 on 06 February 2022, 05:41:22

Title: [SOLVED] Devices in /etc/crypttab Not Opening On Boot
Post by: nick0189 on 06 February 2022, 05:41:22
Hello Artix Forums,

I was getting an error on boot when the boot partition listed in fstab wasn't able to be mounted, which put me in a read-only shell, so I commented out that entry from fstab and now the system boots fine, but the boot partition isn't opened when I log in (/dev/mapper/boot doesn't exist). There is an entry in /etc/crypttab for boot, but it doesn't seem to do anything no matter how I configure it. Trying the same setup on Arch Linux worked fine, so I was thinking maybe for some reason runit was responsible for doing things with crypttab, but I couldn't find any services that seemed to be related to it.

Does anybody have any ideas on why this might be failing?

Please tell me if there is any more information I should provide.

Thanks,
Nick
Title: Re: Devices in /etc/crypttab Not Opening On Boot
Post by: nous on 06 February 2022, 13:01:27
> Please tell me if there is any more information I should provide.
Could you describe or link the method you used to install the encrypted system? As you mentioned, it might be runit-related.
Title: Re: Devices in /etc/crypttab Not Opening On Boot
Post by: nick0189 on 06 February 2022, 20:28:57
Thanks for your response. It's sort of complicated so I didn't want to try to type it all out if there was something simple I could look for since this is my first time doing anything requiring modifying the crypttab file, but here is the layout:

ISO Used for Install:    artix-base-runit-20220123-x86_64.iso



Planned Partition Layout:

Code:
.
├── /dev/sda (LUKS2 detached header+keyfile, Root Partition)
│   └── /dev/mapper/cryptroot (BTRFS)
│       ├── /swap
│       ├── /.snapshots
│       ├── /tmp
│       ├── /home
│       ├── /root
│       └── /
│           └── /boot_keyfile.bin (/dev/sdb2 boot partition)
└── /dev/sdb
    ├── /dev/sdb1 (BIOS BOOT, No FS, 1MiB)
    ├── /dev/sdb2 (LUKS1, Boot Partition)
    │   └── /dev/mapper/boot (EXT4, 1GiB)
    │       ├── /crypto_header (/dev/sda root partition)
    │       └── /crypto_keyfile.bin (/dev/sda root partition)
    └── /dev/sdb3 (Empty Partition)



/etc/crypttab: (First two commented out boot options didn't work, so I tried to get it to ask me for a password on boot, but it didn't)

Code:
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

# boot        UUID=bbaa2392-28a0-448f-99b3-e5ebe1d626e9        /boot/keyfile.bin
# boot        /dev/sdb2        /boot/keyfile.bin
# boot        UUID=bbaa2392-28a0-448f-99b3-e5ebe1d626e9
boot        /dev/sdb2       




/etc/fstab: (The line mounting the cryptroot @boot subvolume might have been a mistake, so I commented it. The system won't boot successfully without the line regarding /dev/mapper/boot commented though).

Code:
# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>

# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /         btrfs     rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=257,subvol=/@ 0 0

# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /root     btrfs     rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=259,subvol=/@root 0 0

# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /home     btrfs     rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=258,subvol=/@home 0 0

# /dev/mapper/cryptroot
# UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /boot     btrfs     rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=260,subvol=/@boot 0 0

# /dev/mapper/boot
# UUID=235e26c5-be28-489f-84c7-97e170c15245 /boot     ext4      rw,relatime 0 2

# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /tmp      btrfs     rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=261,subvol=/@tmp 0 0

# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /.snapshots btrfs     rw,noatime,compress=zstd:3,space_cache,commit=180,subvolid=263,subvol=/@.snapshots 0 0

# /dev/mapper/cryptroot
UUID=0b89a5a2-ba83-46f0-8067-1adbad66baec /swap     btrfs     rw,relatime,compress=zstd:3,space_cache,commit=180,subvolid=262,subvol=/@swap 0 0




blkid:

Code:
/dev/sdb2: UUID="bbaa2932-28a0-448f-99b3-e5ebe1d626e9" TYPE="crypto_LUKS" PARTUUID="219f0484-a570-d44a-9e2e-3c34e45fbe22"
/dev/sdb3: PARTUUID="6d881aa5-0b71-c548-8507-deac519cd42e"
/dev/sdb1: PARTUUID="c9d0881a-8b0f-3f46-8c55-0573409a15dd"
/dev/mapper/cryptroot: UUID="0b89a5a2-ba83-46f0-8067-1adbad66baec" UUID_SUB="6d27c4a1-efbb-4753-90ce-053d5c32411a" BLOCK_SIZE="4096" TYPE="btrfs"




lsblk: (Generated on fresh boot. /dev/sdb2 isn't opened)

Code:
NAME          SIZE TYPE  MOUNTPOINTS UUID
sda         465.8G disk             
`-cryptroot 465.8G crypt /swap       0b89a5a2-ba83-46f0-8067-1adbad66baec
                         /.snapshots
                         /tmp       
                         /home      
                         /root      
                         /          
sdb          14.6G disk             
|-sdb1          1M part             
|-sdb2          1G part              bbaa2932-28a0-448f-99b3-e5ebe1d626e9
`-sdb3       13.6G part             
sdc             0B disk             
sr0          1024M rom              
                                              



Here's a short summary of what I did, I can go into more detail on any part of it if necessary:



There isn't a specific reason I'm doing it this way other than that I thought it would be fun to learn how. Also I noticed there weren't really many tutorials readily available for installing Artix with encryption, so I figured I'd make one covering an install with basic encryption (encrypted root only, unencrypted boot) and one with true full disk encryption. Because there aren't many tutorials (unless there's a hidden treasure trove I'm unaware of), I wasn't able to follow any specific guides to do this and primarily pulled the information needed to set this up from a large number of Arch Wiki pages and Internet blogs. I'm kind of stuck between a frustration that easy-to-follow guides for this kind of thing (and a number of other things) are hard to find and a fear that I'm unqualified to make them, but I'll continue on with writing them for now I guess.


Please tell me if there is anything else I should provide.

Thanks in advance,
Nick
Title: Re: Devices in /etc/crypttab Not Opening On Boot
Post by: strajder on 06 February 2022, 20:48:03
https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption
Title: Re: Devices in /etc/crypttab Not Opening On Boot
Post by: nick0189 on 06 February 2022, 22:30:02
Aha! There's a `cryptsetup-runit` and `device-mapper-runit` package in the repositories as indicated near the end of this section (https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption#GRUB_-_Configuration) and the beginning of this section (https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption#Other_Packages) where it talks about 'optional dependencies' and 'other packages.' Installing those and enabling the `dmeventd` service worked to mount everything in crypttab on boot nicely.

Thanks!
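
A cross-check of the crypttab and blkid output posted earlier in this thread, as an added example that is not part of the original posts: the commented-out `UUID=` lines in the posted crypttab begin `bbaa2392` while `blkid` reports `bbaa2932` for /dev/sdb2, so a UUID-based entry copied from them would not match the device. The sample texts are constructed from the thread's values (with the UUID line uncommented), and the entry names `by_uuid` and `by_path` are hypothetical.

```shell
#!/bin/sh
# Added example: resolve each active crypttab entry against blkid output.

# Constructed samples built from values posted in this thread. The UUID line
# is uncommented here (it is commented out in the post) and the entry names
# by_uuid / by_path are hypothetical.
SAMPLE_CRYPTTAB='# <name>  <device>  <password>
by_uuid  UUID=bbaa2392-28a0-448f-99b3-e5ebe1d626e9  /boot/keyfile.bin
by_path  /dev/sdb2'
SAMPLE_BLKID='/dev/sdb2: UUID="bbaa2932-28a0-448f-99b3-e5ebe1d626e9" TYPE="crypto_LUKS" PARTUUID="219f0484-a570-d44a-9e2e-3c34e45fbe22"
/dev/sdb3: PARTUUID="6d881aa5-0b71-c548-8507-deac519cd42e"'

# check_crypttab CRYPTTAB_TEXT BLKID_TEXT
# Prints "<name> OK <device>" or "<name> FAIL <reason>" per active entry and
# returns 1 if any entry failed. A device with a detached LUKS header has no
# crypto_LUKS signature on disk, so it is reported as not-luks.
check_crypttab() {
    ct_status=0
    while read -r ct_name ct_dev ct_rest; do
        case $ct_name in ''|'#'*) continue ;; esac
        if [ -z "$ct_dev" ]; then
            echo "$ct_name FAIL no-device-field"; ct_status=1; continue
        fi
        case $ct_dev in
            UUID=*)  # exact field match, so PARTUUID="..." never matches
                ct_line=$(printf '%s\n' "$2" | awk -v u="UUID=\"${ct_dev#UUID=}\"" \
                    '{ for (i = 2; i <= NF; i++) if ($i == u) { print; exit } }') ;;
            *)
                ct_line=$(printf '%s\n' "$2" | awk -v d="$ct_dev:" '$1 == d') ;;
        esac
        case $ct_line in
            '') echo "$ct_name FAIL not-found:$ct_dev"; ct_status=1 ;;
            *'TYPE="crypto_LUKS"'*) echo "$ct_name OK ${ct_line%%:*}" ;;
            *) echo "$ct_name FAIL not-luks:$ct_dev"; ct_status=1 ;;
        esac
    done <<EOF
$1
EOF
    return $ct_status
}

check_crypttab "$SAMPLE_CRYPTTAB" "$SAMPLE_BLKID" || true
```

On a live system the same function can be fed `"$(cat /etc/crypttab)"` and `"$(blkid)"` as root; it only checks that each entry resolves to a LUKS device, not that the init scripts which process crypttab are installed.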