No matter how I install grub-improved-luks2-git from the AUR, I cannot boot into the system: I land in the UEFI interactive shell in my virtual machine (I don't dare put it on real hardware yet). I never saw GRUB...
Has anyone managed to get a system with full disk encryption and GRUB with LUKS2 support? Please share how you did it.
I think you should at least share the /etc/default/grub you have.
Normally it should look like this:
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=xxxx root=/dev/mapper/luks resume=/dev/xxxx"
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
...
GRUB_ENABLE_CRYPTODISK="y"
and then /boot/grub/grub.cfg should contain:
insmod part_gpt
insmod cryptodisk
insmod luks
I would like to see grub installed first and then configure it. My goal is to keep the grub file on the ESP partition and encrypt everything else. This is how I do it:
/dev/vda1 ESP 10M
/dev/vda2 LUKS 100%
cryptsetup luksFormat /dev/vda2
cryptsetup luksOpen /dev/vda2 lvm
pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm
lvcreate -L 20G main -n root
lvcreate -l 100%FREE main -n home
mkfs.vfat -F32 /dev/vda1
mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home
mount /dev/mapper/main-root /mnt
mkdir -p /mnt/{boot/efi,home}
mount /dev/vda1 /mnt/boot/efi
mount /dev/mapper/main-home /mnt/home
The next step is to install and configure Artix.
Now I install grub-improved-luks2-git, after first installing paru.
paru -S grub-improved-luks2-git --noconfirm
And the grub installation command:
grub-install --target=x86_64-efi /dev/vda --recheck
or
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
or
grub-install --target=x86_64-efi --efi-directory=/boot/ --bootloader-id=GRUB
The next thing I do is
grub-mkconfig -o /boot/grub/grub.cfg
Now after rebooting I don't see the grub I installed before, but this:
https://i.ibb.co/Z8SB5M7/grub.png
I suppose you know you can use LUKS without LVM?
I also think you need somewhere to run "update-grub" to install it.
Regarding luks, you may need to use /etc/crypttab too (not if you use passwords).
I set up another virtual machine and installed Artix with this script (https://raw.githubusercontent.com/swordstrike1/artix-luks-base-install/master/artix-luks-base-install). After installation I rebooted a few times and each time I saw the grub bootloader. But as soon as I reinstall grub with one of these commands, everything drops into the UEFI shell after reboot, even though the install command is the same.
I don't understand what's going on...
I can't help on that without spending too much time on it.
Moreover, I am using LUKS without LVM.
Let's hope someone else knows.
I think this is a problem due to the very small size of the ESP partition...
You can easily get Artix with full disk encryption and LUKS2 by following the notes below.
/dev/vda1 ESP 100M #Don't make it smaller
/dev/vda2 LUKS 100%
cryptsetup luksFormat /dev/vda2
cryptsetup luksOpen /dev/vda2 lvm
pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm
lvcreate -L 20G main -n root
lvcreate -l 100%FREE main -n home
lvs
mkfs.vfat -F32 /dev/vda1
mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home
mount /dev/mapper/main-root /mnt
mkdir -p /mnt/boot/efi /mnt/home
mount /dev/vda1 /mnt/boot/efi   # mount the ESP before fstabgen so it gets an fstab entry
mount /dev/mapper/main-home /mnt/home
basestrap /mnt base base-devel openrc elogind-openrc cryptsetup lvm2 micro linux-hardened git efibootmgr
fstabgen -U /mnt >> /mnt/etc/fstab
artix-chroot /mnt
echo "host" > /etc/hostname
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
# Edit /etc/mkinitcpio.conf (encrypt must come before lvm2; put keymap before encrypt if the passphrase needs a non-US layout)
HOOKS=(base udev autodetect modconf kms encrypt keyboard keymap consolefont block lvm2 filesystems fsck)
mkinitcpio -P
# Edit /etc/sudoers
%wheel ALL=(ALL) ALL
useradd -m -G wheel user
passwd user
su - user   # makepkg refuses to run as root
git clone https://aur.archlinux.org/paru-bin.git
cd paru-bin
makepkg -si
paru -S grub-improved-luks2-git --noconfirm
exit
# Edit /etc/default/grub (get the UUIDs with: blkid -s UUID -o value /dev/vda2 /dev/mapper/main-root)
GRUB_CMDLINE_LINUX="cryptdevice=UUID=uuid_for_/dev/vda2:lvm root=UUID=uuid_for_/dev/mapper/main-root"
GRUB_ENABLE_CRYPTODISK=y
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub /dev/vda --recheck
grub-mkconfig -o /boot/grub/grub.cfg
exit
reboot
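The first reply lists what GRUB needs to open an encrypted /boot (GRUB_ENABLE_CRYPTODISK, insmod cryptodisk and luks in grub.cfg) and the later posts add an ESP of sane size and a correct mkinitcpio hook order. Rather than rebooting to find out whether all of that is in place, the checks can be run mechanically from inside the chroot. The script below is an added example for this thread, not code from any post or from the grub-improved-luks2-git project. Its defaults (/dev/vda1 as ESP, /dev/vda2 as the LUKS container, /boot/efi, bootloader id "grub", LVM on LUKS) follow the final post's layout and are assumptions; the 100 MiB minimum is the thread's own recommendation, not a firmware specification.

```shell
#!/bin/sh
# Pre-reboot sanity checks for a GRUB + LUKS2 (cryptodisk) install, for the
# LVM-on-LUKS layout used in this thread. Added example, not from any post.
# Run inside the chroot after grub-install and grub-mkconfig:
#     sh preflight.sh check
# ESP_DEV, LUKS_DEV, EFI_DIR and BOOT_ID follow the final post's layout and are
# assumptions; override them in the environment for a different layout.
ESP_DEV="${ESP_DEV:-/dev/vda1}"
LUKS_DEV="${LUKS_DEV:-/dev/vda2}"
EFI_DIR="${EFI_DIR:-/boot/efi}"
BOOT_ID="${BOOT_ID:-grub}"
# 100 MiB is the thread's "don't make it smaller" figure, not a firmware spec.
MIN_ESP_BYTES=$((100 * 1024 * 1024))

# esp_size_ok BYTES: succeed if the ESP is at least MIN_ESP_BYTES.
esp_size_ok() {
    [ "$1" -ge "$MIN_ESP_BYTES" ]
}

# grub_default_ok FILE: /etc/default/grub must enable cryptodisk (so the
# installed image can open LUKS) and pass cryptdevice= and root= to the kernel,
# on either GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT.
grub_default_ok() {
    grep -Eq '^GRUB_ENABLE_CRYPTODISK="?y"?' "$1" || return 1
    grep -Eq '^GRUB_CMDLINE_LINUX(_DEFAULT)?=.*cryptdevice=' "$1" || return 1
    grep -Eq '^GRUB_CMDLINE_LINUX(_DEFAULT)?=.*root=' "$1"
}

# grub_cfg_ok FILE: the generated grub.cfg must load cryptodisk and a LUKS
# module before it can read /boot/grub and the kernel off the encrypted volume.
grub_cfg_ok() {
    grep -Eq '^[[:space:]]*insmod cryptodisk' "$1" || return 1
    grep -Eq '^[[:space:]]*insmod luks2?$' "$1"
}

# hooks_ok FILE: mkinitcpio HOOKS must run encrypt, then lvm2, then filesystems,
# in that order, or the root LV is never assembled at boot.
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1")
    case "$hooks" in
        *encrypt*lvm2*filesystems*) return 0 ;;
        *) return 1 ;;
    esac
}

# luks_version: read `cryptsetup luksDump` output on stdin, print the header version.
luks_version() {
    sed -n 's/^Version:[[:space:]]*//p'
}

# run_checks: apply the checks to the live system; prints FAIL lines, returns 1 on any.
run_checks() {
    rc=0
    size=$(blockdev --getsize64 "$ESP_DEV")
    esp_size_ok "$size" || { echo "FAIL: ESP $ESP_DEV is $size bytes (< 100 MiB)"; rc=1; }
    [ "$(blkid -o value -s TYPE "$ESP_DEV")" = vfat ] || { echo "FAIL: $ESP_DEV is not FAT"; rc=1; }
    [ -f "$EFI_DIR/EFI/$BOOT_ID/grubx64.efi" ] || { echo "FAIL: no $EFI_DIR/EFI/$BOOT_ID/grubx64.efi (grub-install failed or wrong --efi-directory)"; rc=1; }
    efibootmgr | grep -q "$BOOT_ID" || { echo "FAIL: no UEFI boot entry named $BOOT_ID"; rc=1; }
    grub_default_ok /etc/default/grub || { echo "FAIL: /etc/default/grub lacks GRUB_ENABLE_CRYPTODISK=y or cryptdevice=/root="; rc=1; }
    grub_cfg_ok /boot/grub/grub.cfg || { echo "FAIL: grub.cfg never loads cryptodisk/luks"; rc=1; }
    hooks_ok /etc/mkinitcpio.conf || { echo "FAIL: HOOKS not ordered encrypt ... lvm2 ... filesystems"; rc=1; }
    [ "$(cryptsetup luksDump "$LUKS_DEV" | luks_version)" = 2 ] || echo "WARN: $LUKS_DEV is not a LUKS2 header"
    [ "$rc" -eq 0 ] && echo "OK: all checks passed, safe to reboot"
    return "$rc"
}

if [ "${1:-}" = "check" ]; then
    run_checks
fi
```

The file-based checks are split out as functions so they can be pointed at any copy of the config (for instance the one a future install script generates) without touching the running system; only run_checks reads real devices and NVRAM, which is why it is gated behind the `check` argument.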
It seems nothing has been missed.
Everything seems to be working, thanks! It remains to understand how to make an installation script out of this.