Hi everyone,
I would like to install Artix OpenRC over two different drives, something like this:
/dev/foo1 -----> unencrypted /boot partition
/dev/foo2 -----> LUKS-encrypted logical volume group (swap, /root and /home)
/dev/bar1 -----> LUKS-encrypted volume, mounted on /home/data
I would like to be prompted for the decryption passphrase of both drives at boot, something like:
loading initial ramdisk...
enter passphrase for /dev/foo2:
enter passphrase for /dev/bar1:
Any hint on where I should specify the instruction/uuid/mountpoint of /dev/bar1 in order for it to be properly mounted at boot? I am already capable of installing Artix w/ disk encryption on a single drive, I just don't know how to manage multiple ones.
Thanks in advance :)
You would have to write mkinitcpio hooks for this to work, so read: https://wiki.archlinux.org/title/Mkinitcpio#HOOKS
So write your Build and Runtime hooks, and place your hook in the HOOKS array in /etc/mkinitcpio.conf, and remember, order is important.
In the HOOKS array, my guess would be to put your hook after the filesystems hook, like this:
HOOKS=(base udev autodetect modconf block filesystems unlock-luks keyboard fsck)
Thank you for your answer @Lancia. I've inspected a few build and runtime hooks (in /usr/lib/initcpio/install and /usr/lib/initcpio/hooks respectively), and found out they can be quite complicated, and moreover each build hook is different from its runtime counterpart. I assume, in my case, that at the bare minimum my hook should include instructions to unlock and mount the encrypted drive. In principle, something like this:
#!/bin/bash
# luksOpen needs a mapper name; the unlocked volume then appears as /dev/mapper/<name>
cryptsetup luksOpen /dev/bar1 data && mount /dev/mapper/data /home/data
But I'm not sure I got that right, and I am not sure what should be the difference between the build and runtime hook. May you give me some hints?
I'm gonna give you a correct example:
For your build hook in /etc/initcpio/install/unlock-luks:
#!/bin/bash
build() {
    add_binary cryptsetup
    add_runscript
}
help() {
    echo "Unlock LUKS drives at boot"
}
For your runtime hook in /etc/initcpio/hooks/unlock-luks:
#!/usr/bin/ash
run_hook() {
    # luksOpen requires the device and a mapper name; the volume appears as /dev/mapper/data
    cryptsetup luksOpen /dev/bar1 data
}
To get an idea consult the mkinitcpio man-page, but this should suffice.
>>But I'm not sure I got that right, and I am not sure what should be the difference between the build and runtime hook.
The build hook describes the hook itself, that is what binaries should be added, specifying if a runtime hook should be added, etc.
The runtime hook is a program/script built from the description given by the build hook.
EDIT: Try to just unlock the LUKS encrypted drive and let the rest of the boot process mount your /home/data that you specified in /etc/fstab
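As an added example (not Lancia's hook and not code from the thread), here is a more defensive version of the runtime hook: it addresses the volume by UUID instead of a device name that may change between boots, waits for udev to create the node, validates the mapper name before passing it to cryptsetup, and handles more than one extra volume. The install hook from the answer above (add_binary cryptsetup; add_runscript) is assumed unchanged. The EXTRA_LUKS variable, its "UUID=<uuid>:<name>" format and the UUID value are hypothetical placeholders, not anything mkinitcpio defines.

```shell
#!/usr/bin/ash
# Added example, not from the thread: mkinitcpio runtime hook "unlock-luks" that
# unlocks extra LUKS volumes by UUID before the root filesystem is mounted.
# Assumption (hypothetical): the volumes are listed in EXTRA_LUKS as
# "UUID=<uuid>:<mapper-name>" entries separated by spaces. Mounting is left to
# /etc/fstab via /dev/mapper/<mapper-name>, as suggested in the EDIT above.
EXTRA_LUKS="${EXTRA_LUKS:-UUID=00000000-0000-0000-0000-000000000000:home-data}"  # placeholder UUID

# Validate a mapper name: letters, digits, '_' and '-' only (returns 0 if valid).
# The name becomes a path under /dev/mapper, so reject anything else.
valid_mapper_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Split one "UUID=<uuid>:<name>" entry into "<uuid> <name>" on stdout.
# Returns 1 if the entry is malformed or the name is not acceptable.
parse_entry() {
    entry="$1"
    case "$entry" in
        UUID=*:*) ;;
        *) return 1 ;;
    esac
    uuid="${entry#UUID=}"
    uuid="${uuid%%:*}"
    name="${entry##*:}"
    [ -n "$uuid" ] && valid_mapper_name "$name" || return 1
    printf '%s %s\n' "$uuid" "$name"
}

run_hook() {
    for entry in $EXTRA_LUKS; do
        fields=$(parse_entry "$entry") || { err "unlock-luks: bad entry '$entry'"; continue; }
        uuid=${fields% *}
        name=${fields#* }
        dev="/dev/disk/by-uuid/$uuid"
        # The udev hook earlier in HOOKS creates the by-uuid symlinks; give slow
        # disks a few seconds to show up before giving up on this volume.
        tries=0
        while [ ! -e "$dev" ] && [ "$tries" -lt 10 ]; do
            sleep 1
            tries=$((tries + 1))
        done
        if [ ! -e "$dev" ]; then
            err "unlock-luks: $dev not found, skipping"
            continue
        fi
        # Prompt for the passphrase on the console; --tries limits retries.
        cryptsetup open --type luks --tries 3 "$dev" "$name" || err "unlock-luks: failed to unlock $name"
    done
}
```

The install hook from the answer above adds only the cryptsetup binary; if dm-crypt and the cipher modules are not built into your kernel, they must also end up in the image (the stock encrypt hook's install file shows how with add_module). A volume that fails to unlock is skipped rather than aborting the boot, so the root filesystem still comes up and the failure is visible in the console messages.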
Hi @shako, if I understand correctly, what you would like to do is add a custom encrypted partition to a "standard" encrypted install (plain boot + encrypted root and home).
Am I right?
If so, then for the first part ("standard" cryptsetup system) you can just follow the existing instructions.
And then, for the second part (add a "custom" encrypted partition) I think I can help you.
What I have on my system is an encrypted /home partition with everything else being plain, so I need to decrypt and mount the /home with an openrc entry.
First I configured the encrypted partition using cryptsetup (please tell me if you need help for that too).
Then I installed cryptsetup-openrc.
You then add the service with rc-update add dmcrypt boot, and you add some lines like this in your /etc/conf.d/dmcrypt :
target=home-data
source=UUID="THE-UUID-OF-YOUR-ENCRYPTED-HOME-DATA-PARTITION"
And add the entry in your /etc/fstab (I have some options useful for SSDs, but your own needs may be different):
/dev/mapper/home-data /home/data ext4 rw,noatime,discard 0 2
The last tricky thing I also needed is to tweak /etc/init.d/dmcrypt by adding localmount in its before list:
...
depend() {
    use modules
    before checkfs fsck localmount
...
Without that, it fails at boot because localmount wants to mount it before it is mapped by dmcrypt.
I did not use any mkinitcpio hook, as everything is to be done by openrc way after the root system is booted and running.
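The two things that break this setup are exactly the ones Ale describes: a /dev/mapper name in fstab that dmcrypt never creates, and localmount running before dmcrypt. As an added example (not Ale's configuration and not code from the thread), the script below checks both against copies of the three files before you reboot. File paths are passed as arguments; the sample files it writes into a temporary directory are constructed for the demonstration, and the UUIDs in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: pre-reboot sanity check for the openrc
# dmcrypt setup described above. It verifies that every /dev/mapper/<name>
# mounted from fstab has a matching "target=<name>" in /etc/conf.d/dmcrypt, and
# that depend() in the dmcrypt init script lists localmount in its "before" line.

# Print the mapper targets declared in a dmcrypt config, one per line.
dmcrypt_targets() {
    sed -n 's/^[[:space:]]*target=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# Print the mapper names that fstab mounts from /dev/mapper, one per line.
fstab_mapper_names() {
    awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$1"
}

# Return 0 if every mapper device in fstab is declared as a dmcrypt target,
# otherwise print the missing names and return 1.
check_targets() {
    conf=$1; fstab=$2; rc=0
    for name in $(fstab_mapper_names "$fstab"); do
        if ! dmcrypt_targets "$conf" | grep -qx "$name"; then
            echo "MISSING: /dev/mapper/$name is in $fstab but has no target= in $conf"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the init script's depend() has localmount on its "before" line.
check_ordering() {
    awk '/^[[:space:]]*before[[:space:]]/ && /localmount/ { found = 1 } END { exit !found }' "$1"
}

# Run both checks; non-zero means the next boot would fail to mount the volume.
check_dmcrypt_setup() {
    rc=0
    check_targets "$1" "$2" || rc=1
    check_ordering "$3" || { echo "ORDER: depend() in $3 does not list localmount in 'before'"; rc=1; }
    return $rc
}

# Constructed sample files (demonstration only); the second fstab line is
# deliberately missing from the dmcrypt config so the check reports it.
demo_dir=$(mktemp -d)
cat > "$demo_dir/dmcrypt" <<'EOF'
target=home-data
source=UUID="PLACEHOLDER-UUID-1"
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/mapper/home-data /home/data ext4 rw,noatime,discard 0 2
/dev/mapper/backup    /mnt/backup ext4 defaults 0 2
EOF
cat > "$demo_dir/dmcrypt.init" <<'EOF'
depend() {
    use modules
    before checkfs fsck localmount
}
EOF

check_dmcrypt_setup "$demo_dir/dmcrypt" "$demo_dir/fstab" "$demo_dir/dmcrypt.init" \
    || echo "fix the problems above before rebooting"
```

On a real system, run it as check_dmcrypt_setup /etc/conf.d/dmcrypt /etc/fstab /etc/init.d/dmcrypt; the ordering check is a plain text match on the "before" line, so it only tells you the edit Ale describes is present, not that openrc has re-read it.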
Thank you both @Lancia and @Ale for your excellent answers! I will try to implement them both ASAP and let you know :)