Topic solved
This topic has been marked as solved and requires no further attention.

LUKS broken in the last updates

Hi :)
I migrated from Manjaro a few months ago and I was a happy Artix user until yesterday.
Yesterday I updated the system (my previous update was on 2017-11-11) and the system can't boot because there isn't LUKS support in the kernel (or something related). In fact, /dev/sda1 is my unencrypted boot partition and /dev/sda2 is my LUKS partition. Now (in the boot process), after selecting the kernel, it doesn't ask me for the passphrase anymore and I get a shell...

Please let me know if you are going to fix LUKS support or if it'll be unsupported for some time. Meanwhile, I'm making a backup. Thanks

Re: LUKS broken in the last updates

Reply #1
The most likely issue is that your 'mkinitcpio' made the initramfs without the [encrypt] hook. To check if that is so, perform a live boot and look at '/etc/mkinitcpio.conf'.

So you now have to chroot into your machine, add that hook in '/etc/mkinitcpio.conf' and run
# mkinitcpio -p linux-lts

Re: LUKS broken in the last updates

Reply #2
This has nothing to do with Artix specifically. They build the kernel with LUKS support like 99.9% of distros. I'm on the latest testing repos running full disk encryption just fine myself. What physkets said seems like the most likely fix to me although I don't know why your [encrypt] hook would suddenly disappear from your mkinitcpio.

Re: LUKS broken in the last updates

Reply #3

I'm using LUKS too (4.9.x and 4.13.x kernels) and I have no problems; your situation is very strange.

I don't know if you have ever chrooted into a LUKS partition, but this is the procedure to chroot into a LUKS volume (I have been using LUKS for a long time and, in the past, I have needed to manage the LUKS partition).

1) Boot with a liveUSB

2) Open a Terminal session

3) Identify the hd partition: lsblk

In this example I suppose that:
/dev/sda1 is the /boot partition
/dev/sda2 is the LUKS encrypted partition

NOTE: replace sda1 or sda2 with the partition name that you get with the lsblk command

$ su
$ cryptsetup open --type luks /dev/sda2 root # where sda2 is the encrypted device
$ mount /dev/mapper/root /mnt
$ mount /dev/sda1 /mnt/boot # mount here the boot partition
$ mount -t proc proc /mnt/proc
$ mount -t sysfs sys /mnt/sys
$ mount -o bind /dev /mnt/dev
$ mount -o bind /run /mnt/run
$ mount -t devpts pts /mnt/dev/pts

$ cp /etc/resolv.conf /mnt/etc/resolv.conf

$ chroot /mnt

4) Now you can use all the commands as if this were your new root environment
5) Insert the encrypt parameter in mkinitcpio.conf

$ mkinitcpio -P

HINT: if you are using BTRFS, the installation program has probably generated 2 subvolumes: @ and @home. If so, you must change all the references from /mnt to /mnt/@. For example:

mount -t proc proc /mnt/proc  becomes  mount -t proc proc /mnt/@/proc

Good Luck :)


 

Re: LUKS broken in the last updates

Reply #4
Thanks to everybody!  :)

The /etc/crypttab was empty (weird) so the root parameter in grub was wrong. However, today I had some free time so I thought it was time to make a clean Artix installation. Here are my notes, in case someone is interested. I know you can do it differently, but this way is easier for me ;) And remember to read the official installation first.



/dev/sda1 unencrypted boot partition 200-300MB
/dev/sda2 big partition
boot from media, then login with username artix and password artix


sudo -s
mkfs.jfs /dev/sda1
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root
mkfs.jfs /dev/mapper/root
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
pacman -Syy
basestrap /mnt base base-devel
fstabgen -L /mnt >>/mnt/etc/fstab
artools-chroot /mnt


nano /etc/crypttab    [add the following line]
root    /dev/sda2       none



nano /etc/mkinitcpio.conf
add "encrypt" in HOOKS, for example:
HOOKS="base udev autodetect modconf block filesystems keyboard fsck encrypt"



mkinitcpio -p linux-lts

pacman -S grub os-prober


nano /etc/default/grub
edit GRUB_CMDLINE_LINUX_DEFAULT (line 4) like this:
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:root   root=/dev/mapper/root"


grub-install --recheck /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
update-grub

useradd -m user
passwd user
passwd

nano /etc/locale.gen
locale-gen

exit
umount -R /mnt/boot
umount -R /mnt
reboot

So you are able to enter the passphrase and boot into your encrypted disk. Then install every package you need.
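
The two failure points identified in this thread (an initramfs configuration without the encrypt hook, and a root parameter in GRUB that does not match the mapped device) can be checked before rebooting. The script below is an added example, not part of any post above; its function names are hypothetical, and it assumes the `encrypt` hook with `cryptdevice=`/`root=` kernel parameters as used in the notes.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot check of an encrypted-root
# configuration. File paths are arguments, so from a live USB it can be
# pointed at /mnt/etc/mkinitcpio.conf and /mnt/etc/default/grub.

# Succeeds if the last uncommented HOOKS= line lists the "encrypt" hook.
# Handles both HOOKS="a b c" and HOOKS=(a b c).
has_encrypt_hook() {
    hooks=$(grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
            sed -e 's/#.*//' -e 's/^[^=]*=//' | tr -d "\"'()")
    for h in $hooks; do
        [ "$h" = encrypt ] && return 0
    done
    return 1
}

# Prints the mapper name if the GRUB command line carries
# cryptdevice=<device>:<name> and root=/dev/mapper/<name> agrees with it.
cmdline_mapper_name() {
    words=$(grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$1" |
            sed 's/^[^=]*=//' | tr "\"'\n" '   ')
    name="" rootdev=""
    for w in $words; do
        case "$w" in
            cryptdevice=*:*) name=${w#cryptdevice=}; name=${name#*:}; name=${name%%:*} ;;
            root=*) rootdev=${w#root=} ;;
        esac
    done
    [ -n "$name" ] && [ "$rootdev" = "/dev/mapper/$name" ] && printf '%s\n' "$name"
}

# Runs both checks, reports each result, returns non-zero on any failure.
check_luks_boot_config() {
    rc=0
    if has_encrypt_hook "$1"; then
        echo "OK: encrypt hook listed in $1"
    else
        echo "FAIL: encrypt hook missing from HOOKS in $1"; rc=1
    fi
    if mapper=$(cmdline_mapper_name "$2"); then
        echo "OK: cryptdevice and root= both refer to /dev/mapper/$mapper"
    else
        echo "FAIL: cryptdevice=/root= missing or inconsistent in $2"; rc=1
    fi
    return $rc
}

# Usage: sh check.sh /mnt/etc/mkinitcpio.conf /mnt/etc/default/grub
if [ $# -eq 2 ]; then check_luks_boot_config "$1" "$2"; fi
```

A passing result only covers the configuration files; the initramfs still has to be regenerated with mkinitcpio and grub.cfg with grub-mkconfig for the settings to take effect.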