
Full Disk Encryption for a new install: force GRUB to ask a passphrase for LUKS?

NOTE:

FOR THE MANUAL, PLEASE VISIT - https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption

This thread is for describing my experiences during the creation of this manual, as well as providing support for those who try it. Feedback and improvement suggestions are also welcome!


Found a nice guide at Artix Linux: Full Disk Encryption with UEFI (web.archive.org, archive.li) and tried to follow it!

Since I'm using a BIOS machine, I had to change:

1) gpt ---> msdos :
Code:
parted -s /dev/sdX mklabel msdos
2) esp ---> boot :
Code:
parted -s /dev/sdX set 1 boot on
3) ESP ---> BOOT :
Code:
mkfs.fat -n BOOT /dev/sdX1
4) /mnt/boot/EFI ---> /mnt/boot :
Code:
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
5) GRUB : --target=x86_64-efi --efi-directory=/boot/EFI ---> --target=i386-pc --boot-directory=/boot :
Code:
grub-install --target=i386-pc --boot-directory=/boot --bootloader-id=artix --recheck /dev/sdX

and didn't install the efibootmgr package. Also, I had to additionally install these packages after chroot'ing:
Code:
pacman -S lvm2 cryptsetup linux mkinitcpio
otherwise some of the later steps gave me errors. I also didn't want to use a crypto_keyfile.bin, so I skipped that part.

After completing this guide and rebooting to the HDD, I see the GRUB selection window and then "Loading Linux linux / Loading initial ramdisk", but after that I get:
Code:
ERROR: resume: hibernation device 'UUID=...long ID here...'
ERROR: device '/dev/mapper/lvmSystem-volRoot' not found. Skipping fsck
mount: /new_root: no filesystem type specified.
You are now being dropped into an emergency shell.
sh: can't access tty; job control turned off
[rootfs ]#

The interesting thing is that I can manually mount the root partition in this shell:
Code:
cryptsetup luksOpen /dev/sdX2 lvm-system
and then enter the partition password.

But how do I force GRUB to do that, i.e. ask for the decryption password and continue booting normally?

Here's my GRUB config:
Code:
setparams 'Artix Linux'

load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod fat
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-ieee1275='ieee1275//disk@0,msdos1' --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  A30C-4CBC
else
  search --no-floppy --fs-uuid --set=root A30C-4CBC
fi
echo 'Loading Linux linux ...'
linux /vmlinuz-linux root=/dev/mapper/lvmSystem-volRoot rw  loglevel=3 quiet resume=UUID=...long ID here... net.ifnames=0
echo 'Loading initial ramdisk ...'
initrd /initramfs-linux.img

Reply #1
Here are three helpful answers I got on the Arch Linux forum before my thread was removed:
Quote
The messages you posted are from Initramfs. So whatever problem you have is with Initramfs (or missing kernel parameters), not with Grub itself.

Since cryptsetup is available and works manually inside Initramfs, it seems you added the encrypt hook but did not add the parameters necessary to make the encrypt hook ask for pass.
Code:
mkinitcpio -H encrypt
==> Help for hook 'encrypt':
This hook allows for an encrypted root device. Users should specify the device
to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
where 'device' is the path to the raw device, and 'dmname' is the name given to
the device after unlocking, and will be available as /dev/mapper/dmname.
P.S.: grub and linux kernel/initramfs are separate entities, so even if you make GRUB ask for a passphrase, the linux kernel won't know about it so you still have to configure the initramfs to open the luks container by itself.
Quote
You'd like to compare the guide you used and our Wiki article: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Configuring_the_boot_loader
I'd just use the wiki article as a reference for everything that's different on the one you used.
Quote
I got the same error as you until I added this line to my /etc/default/grub as suggested by the above wiki page, it is the last line in the below code snippet:
Code:
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=a4b27ffe-7e3e-49e3-9598-08538d2d7004:cryptolvm"
After that I got asked for a password before AND after grub and everything works.

Reply #2
It turned out that some sed replacements from the guide above didn't work for some reason! In particular, this code line:
Code:
$ sed -i "s/GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=`blkid -s UUID -o value /dev/sdX2`:lvm-system\"/g" /etc/default/grub
So I booted from an Artix LiveUSB and chroot'ed into the installed system:
Code:
cryptsetup luksOpen /dev/sdX2 lvm-system
swapon /dev/lvmSystem/volSwap
mount /dev/lvmSystem/volRoot /mnt
mount /dev/sdX1 /mnt/boot
artools-chroot /mnt /bin/bash
I checked the other seds and /etc/mkinitcpio.conf for the "encrypt lvm2 resume" hooks just in case, then found the blkid for /dev/sdX2
Code:
blkid -s UUID -o value /dev/sdX2
opened /etc/default/grub, inserted the manually created code line at the beginning of GRUB_CMDLINE_LINUX and re-generated the GRUB config with
Code:
grub-mkconfig -o /boot/grub/grub.cfg
Then I could successfully reboot, enter the password (once) and boot into the installed system!  :) Although it's pretty bare: I need to install packages like
Code:
pacman -S xorg xorg-xinit xterm mesa xorg-server openbox xfce4 xfce4-goodies nano
and put
Code:
exec xfce4-session
slightly before the last few lines in
Code:
nano /etc/X11/xinit/xinitrc
and then launch a graphical environment with the startx or startxfce4 commands. However, there's no nice login manager etc.
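As an added example (written for this thread, not code from the guide or the Artix wiki), the shell functions below cover the two points from the previous replies: the encrypt hook needs cryptdevice=device:dmname on the kernel command line, and the sed with backticks inside double quotes that was supposed to insert it did not work. check_boot_config inspects copies of /etc/default/grub and /etc/mkinitcpio.conf for the cryptdevice entry, the encrypt/lvm2/filesystems hook order and a resume hook matching resume=; set_cryptdevice inserts or replaces the entry from a UUID you pass in. All paths, UUIDs and the dm name are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread or the Artix wiki: check the settings the
# encrypt/lvm2/resume boot path depends on, and insert cryptdevice= into
# GRUB_CMDLINE_LINUX without the backtick-inside-quotes sed that failed above.
# All paths, UUIDs and the dm name are constructed sample values.

# Insert (or replace) cryptdevice=UUID=<uuid>:<name> in GRUB_CMDLINE_LINUX="...".
# $1 = copy of /etc/default/grub, $2 = UUID of the LUKS partition, $3 = dm name.
set_cryptdevice() {
    entry="cryptdevice=UUID=$2:$3"
    if grep -q '^GRUB_CMDLINE_LINUX=.*cryptdevice=' "$1"; then
        sed -i "/^GRUB_CMDLINE_LINUX=/s|cryptdevice=[^ \"]*|$entry|" "$1"  # replace stale entry
    elif grep -q '^GRUB_CMDLINE_LINUX="' "$1"; then
        sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"$entry |" "$1"
        sed -i 's|^\(GRUB_CMDLINE_LINUX=".*[^ ]\) *"$|\1"|' "$1"          # trim trailing blank
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$entry" >> "$1"                # variable absent
    fi
}

# 1-based position of word $1 among the remaining arguments, 0 if absent.
idx() {
    w=$1; shift; i=0
    for h in "$@"; do
        i=$((i + 1))
        if [ "$h" = "$w" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# Print one token per problem found in copies of /etc/default/grub ($1) and
# /etc/mkinitcpio.conf ($2, HOOKS=(...) array form); prints "ok" if none.
check_boot_config() {
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX\(_DEFAULT\)\{0,1\}="\(.*\)"$/\2/p' "$1" | tr '\n' ' ')
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$2")
    problems=""
    case " $cmdline " in                       # the encrypt hook needs device:dmname
        *" cryptdevice=UUID="*:*" "*) ;;
        *) problems="$problems no-cryptdevice" ;;
    esac
    set -- $hooks                              # word-split the hook list on purpose
    e=$(idx encrypt "$@"); l=$(idx lvm2 "$@"); r=$(idx resume "$@"); f=$(idx filesystems "$@")
    if [ "$e" -eq 0 ]; then problems="$problems no-encrypt-hook"
    elif [ "$l" -eq 0 ]; then problems="$problems no-lvm2-hook"
    elif [ "$e" -gt "$l" ] || [ "$l" -gt "$f" ]; then problems="$problems hook-order"  # need encrypt < lvm2 < filesystems
    fi
    case " $cmdline " in                       # resume= needs the resume hook after lvm2
        *" resume="*) [ "$r" -gt "$l" ] || problems="$problems resume-hook" ;;
    esac
    problems=${problems# }
    echo "${problems:-ok}"
}
```

Source the file and call check_boot_config on copies of the two files taken from the chroot; regenerate grub.cfg only once it prints "ok".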

Reply #3
So, I repeated everything from scratch, but this time I replaced the
Code:
basestrap /mnt base base-devel
part of the instructions by pointing the Calamares graphical Artix Linux installer at the previously created partitions!
That's a trick to get a nicely preconfigured Artix Linux while enjoying custom encryption like
Code:
--verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX2
or even stronger (I need to think about how to improve it and maybe find even stronger, different ciphers). If your desired cipher can't be used by cryptsetup and
Code:
cat /proc/crypto | grep "serp"
gives empty output, running
Code:
cryptsetup benchmark
could help make them available.

If the encrypted volume isn't mounted already, mount it by doing
Code:
cryptsetup luksOpen /dev/sdX2 lvm-system
To run Calamares from a root console:
Code:
cat /home/artix/Desktop/calamares.desktop | grep "Exec"
and copy-paste its command. In Calamares, select the already-partitioned-and-encrypted LVM drive lvmSystem as the storage device and choose "Manual partitioning", then assign the mount point / to /dev/lvmSystem/volRoot and let volSwap stay as swap.

After the installation, complete the rest of this guide using my hints above. Just make sure to remove the /mnt/etc/fstab entries before re-inserting them, and check whether the steps advised by the guide have already been done by Calamares. If
Code:
blkid -s UUID -o value /dev/lvmSystem/volSwap
doesn't give any results, run
Code:
sudo file -s /dev/lvmSystem/volSwap
# /dev/lvmSystem/volSwap: symbolic link to ../dm-1
sudo file -s /dev/lvmSystem/../dm-1
# /dev/lvmSystem/../dm-1: ..., UUID=...long ID here...
to learn the UUID of volSwap for manual insertion into /etc/default/grub instead of the failing
Code:
sed -i "s/quiet/quiet resume=UUID=`blkid -s UUID -o value /dev/lvmSystem/volSwap`/g" /etc/default/grub
command, and of course run
Code:
grub-mkconfig -o /boot/grub/grub.cfg
after that. If you still can't find a blkid for LVM's swap, you can skip specifying this argument and fix it later, after the first successful boot into your freshly installed OS.

Now the only remaining issue I'm seeing is:
Code:
error: no such device: ...UUID of root partition here...
error: disk `lvmid/...very long...' not found.
error: disk `lvmid/...same very long...' not found.

Press any key to continue...
^^^ I get this angry message on each boot, but after I press any key I see the GRUB menu list, choose the top entry, it asks me for the decryption password and boots successfully!  ???

Reply #4
In the attachments are my GRUB configuration files from the grub-ok virtual machine (where it's working as intended) and the grub-strange virtual machine (with the minor GRUB error above). etc_grub.d is the same, but etc_default_grub and boot_grub_grub.cfg are different. Also, /boot/grub/grubenv for the flawlessly working case doesn't have a saved_entry line (or any uncommented lines at all). There seems to be a minor bug in the GRUB configuration, which I will figure out and resolve later.

More files are at https://github.com/informer2016/grub_investigation

Reply #5
Solution for the last problem:

1) back up /etc/default/grub
2) purge the grub package with its dependencies:
Code:
pacman -Rc grub
Code:
checking dependencies...
:: artools-base optionally requires artools-iso: Artix iso tools

Packages (3) artix-grub-theme-0.7-4  artools-iso-0.19.4-1  grub-2:2.04-7

Total Removed Size:  33.62 MiB
- notice the extra -c flag for removing packages and all packages that depend on them.
3) rm -rf
Code:
/boot/grub/
/etc/grub.d/
/etc/default/grub
/usr/share/grub/
if they haven't been erased. After that, make sure to
Code:
mkdir /boot/grub
4) install the grub package with its dependencies (just don't install artix-grub-theme)
Code:
pacman -S grub
and restore /etc/default/grub from your saved copy
5) do
Code:
grub-install --target=i386-pc --boot-directory=/boot --bootloader-id=artix --recheck /dev/sdX
and
Code:
grub-mkconfig -o /boot/grub/grub.cfg

Not sure what the origin of this problem was, but now it's gone!  ;)  And here's my final /etc/default/grub config, if you'd like to use it as a template; just make sure to change the UUIDs.

EDIT: this final__etc_default_grub.txt file is still fresh, truly matches the newer artix-xfce-openrc-20230814-x86_64.iso, and can be used after you change xxx/yyy there.


Reply #7
Thank you so much @nous, I'll continue improving the instructions above  ;) After more investigation in a new VM,
I'm pretty sure the last GRUB problem is caused by the artix-grub-theme package. Simply removing it and doing
Code:
grub-mkconfig -o /boot/grub/grub.cfg
while artix-grub-theme is not installed ---> that was enough to fix the last GRUB problem mentioned above.
And if you look at grub-strange__boot_grub_grub.cfg.txt, some parts seem to be mentioned twice! ??? I.e., see how
Code:
insmod lvm
insmod ext2
repeats two times through the file, while grub-ok__boot_grub_grub.cfg.txt doesn't have this problem,
so there's certainly some mistake in the /boot/grub/grub.cfg generation added by the presence of the artix-grub-theme package.

Reply #8
New Problem + Solution ;) Something got updated, and now, by following all the instructions above, there's a high chance of getting this error at the end of the Calamares installation:
Code:
Installation Failed

Boost.Python error in job "bootloader".

Command 'grub-install --target=i386-pc --recheck --force /dev/sda' returned non-zero exit status 1.
Installing for i386-pc platform.
File descriptor 7 (/root/.cache/calamares/session.log) leaked on vgs invocation.
Parent PID 7025: grub-install File descriptor 17 (/dev/mapper/control) leaked on vgs invocation.
Parent PID 7025: grub-install WARNING: Failed to connect to lvmetad. Falling back to device scanning.
File descriptor 7 (/root/.cache/calamares/session.log) leaked on vgs invocation.
Parent PID 7025: grub-install File descriptor 17 (/dev/mapper/control) leaked on vgs invocation.
Parent PID 7025: grub-install WARNING: Failed to connect to lvmetad. Falling back to device scanning.
grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.

Traceback:

File "/usr/lib/calamares/modules/bootloader/main.py", line 465, in run
    prepare_bootloader(fw_type)

  File "/usr/lib/calamares/modules/bootloader/main.py", line 437, in prepare_bootloader
    install_grub(efi_directory, fw_type)

  File "/usr/lib/calamares/modules/bootloader/main.py", line 344, in install_grub
    check_target_env_call([libcalamares.job.configuration["grubInstall"],

  File "<string>", line 11, in <module>
To prevent it from happening, after creating/mounting the partitions and before opening the Calamares installer, you need to
Code:
sudo nano /usr/lib/calamares/modules/bootloader/main.py
and comment out this line near the end of the file, in the "def run()" function:
Code:
prepare_bootloader(fw_type)
--->
Code:
# prepare_bootloader(fw_type)
Since there doesn't seem to be an option to disable the GRUB installation in Calamares, this manual edit is a custom way of disabling it, and it's fine since we're going to install GRUB manually a bit later.

Reply #9
Hi everyone! New Artix user here coming from Fedora.

I'm having trouble setting up LVM on LUKS despite the fact that I (I think) followed the steps from there[1][2][3][4] correctly. When I turn on my laptop it doesn't ask for the decryption password, it just shows the GRUB shell and I can't decrypt the partition there using this tutorial. I can decrypt the partition in the live ISO and mount everything there but it seems that I made a mistake when configuring GRUB or mkinitcpio.conf.

Should I create another thread or can I post the related files here?

Edit: I have a setup similar to this. Good night :)

Reply #10
Hi, I managed to boot Artix using grub > configfile (hd2,gpt1)/EFI/Artix/grub.cfg. In the end (almost) everything was configured correctly; any ideas why it doesn't boot and ask for the password automatically? Sorry if this is not related to this thread :P

Reply #11
Quote
Any ideas why it doesn't boot and ask for the password automatically?
There are many potential points of failure; some are described in my second post here. It is hard to guess what exactly is wrong, and it is much easier to do it from scratch using good instructions than to try to fix what is already broken. You could either follow my detailed posts above after reading them all, or wait until I complete a new straightforward wiki manual. I already have a complete set of commands that's guaranteed to work: tested again today using VirtualBox, installed from scratch on a blank virtual HDD, and almost everything is working perfectly. I hope to complete it in the next couple of weeks and will then post a link here.


Reply #13
Thank you!
I'm new to Artix and Linux in general, but I find it the most appealing distro to switch to since I started to get interested in libre computing (using coreboot+SeaBIOS on a T440p) and I wanted to get rid of as many blobs and backdoors as possible.

I managed to follow your guide up until one point, where the Calamares installer will install the bootloader, then it crashes with a bootloader installation error.
It seems commenting out the line:
Code:
prepare_bootloader(fw_type)
in the Python script does not work in the 2022-02-13 release of Artix OpenRC-LXQt.
I asked at the Calamares GitHub and they gave me a suggestion:

Quote
That last line:
if bootchoice != 'grub':
        return None
Can also be entered as is in the bootloader.py under def run(), with whatever `if` entry you'd prefer.
https://github.com/calamares/calamares/issues/1886#issuecomment-1041343454

Should I still comment out the line or only add this to bootloader.py?

Reply #14
1. In the future, please don't necro 2-year-old threads. Create a separate thread.

2. I just installed Artix LXQt OpenRC from artix-lxqt-openrc-20220213-x86_64.iso in QEMU guest using the guide, and it booted without errors.

Make sure you understand the overall procedure and you are carefully applying every step of the guide. That guide is made for installation on BIOS/MBR, not UEFI/GPT. For UEFI/GPT, there is a separate archived article, also linked in the OP.

Edit: To be more specific:
Quote
Open it with
Code:
nano /usr/lib/calamares/modules/bootloader/main.py
and comment out this line near the end of file at def run() function:
Code:
prepare_bootloader(fw_type)
should become
Code:
# prepare_bootloader(fw_type)
Make sure you are typing the exact command you see there. Alternatively, you can use any other editor, but the pathname must be exactly the one listed. Also, make sure that the line in the file after edits is exactly like the one listed: beginning with #, with no whitespace before it.

Update: You don't even have to follow the guide anymore if you don't want precise control over parameters such as encryption algorithm, key sizes etc. Encryption is supported directly in Calamares, but nevertheless you need to know what you are doing.

You need to carefully read this:

https://wiki.archlinux.org/title/Partitioning#BIOS/MBR_layout_example

And in the case of the highly recommended BIOS/GPT, this:
https://wiki.archlinux.org/title/Partitioning#BIOS/GPT_layout_example
and this:
https://wiki.archlinux.org/title/GRUB#GUID_Partition_Table_(GPT)_specific_instructions

See the attached images for key points during install.