389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Tue Mar 26, 2019 2:44 pm Post subject: encrypted install (luks + lvm)
I'm installing from within the host OS (Arch), BIOS GRUB (not EFI), boot partition unencrypted.
The encryption happens off a GPG key file on a separate USB flash drive (which is also the boot drive, as in Sakaki's guide).
I was able to install traditionally (without encryption), but I'm having trouble with the encrypted setup.
When I boot off my flash drive it gets to GRUB but halts on screen with a "GRUB GRUB _" message.
My setup:
Code:
sda 8:0 0 931.5G 0 disk
└─sda1 8:1 0 931.5G 0 part
└─gentoo-root 254:0 0 931.5G 0 crypt
└─vg1-root 254:1 0 465.8G 0 lvm /
sdd 8:48 1 3.7G 0 disk
└─sdd1 8:49 1 3.7G 0 part /boot
The boot drive is formatted in a gpt/ext2, with bios_grub flag, nothing else, only one partition.
Kernel compiled manually with support enabled for ext2, LVM and LUKS (dm-crypt) (did this referring to the Gentoo wikis).
also did this:
emerge lvm2 cryptsetup gentoolkit genkernel
initramfs install:
genkernel --luks --lvm initramfs
grub config (changed section):
Code:
GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y
GRUB_DEVICE=/dev/ram0
GRUB_CMDLINE_LINUX="crypt_root=/dev/sda1 real_root=/dev/mapper/vg1-root dolvm"
did this also: rc-update add lvm default
blkid:
Code:
/dev/sda1: UUID="06fe14b6-aec1-4bf0-b73b-4b307b4d1838" TYPE="crypto_LUKS" PARTUUID="c4c53bb7-7ebd-4158-ac66-1d90bd98c198"
/dev/sdd1: UUID="2dcc5534-bb84-4ca1-a3c5-470c3cff60d3" TYPE="ext2" PARTUUID="3dee3a5f-660f-429e-8d93-f5af8c509dc0"
/dev/mapper/gentoo-root: UUID="Hu6GiU-vI6F-D0sj-Mi0U-Watk-C1rM-SHhU3E" TYPE="LVM2_member"
/dev/mapper/vg1-root: LABEL="root" UUID="cef013a1-6df5-4d9e-8f99-b8c4a6820c83" TYPE="ext4"
fstab:
Code:
UUID=2dcc5534-bb84-4ca1-a3c5-470c3cff60d3 /boot ext2 noauto,noatime 1 2
UUID=cef013a1-6df5-4d9e-8f99-b8c4a6820c83 / ext4 defaults,noatime 0 1
# tmpfs (size suffix must be K/M/G; "4Gb" is rejected by the kernel's tmpfs option parser)
tmpfs /tmp tmpfs size=4G 0 0
tmpfs /run tmpfs size=100M 0 0
# shm
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
I can get to GRUB, so it shouldn't be a GRUB/boot partition problem? Help me please.
---------------- upd -----------------
Hm, interesting: "cryptsetup luksDump /dev/sda1" from within the chrooted env spits out: Unsupported LUKS version 2.
But I'm certain that I activated all kernel modules from these pages:
https://wiki.gentoo.org/wiki/Dm-crypt
https://wiki.gentoo.org/wiki/LVM
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Wed Mar 27, 2019 6:38 pm
I decided to fall back a little, and install without the GPG key first.
Referring to this guide https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified
I was able to get past the initial GRUB stage, but now it stops while loading with this: https://imgur.com/BmXs4CJ
Code:
The LUKS device 49648af2-ebf5-4f8d-9cf4-8ea8d9446af5 does not contain a LUKS header
It didn't prompt me for any passwords.
From my previous post I formatted the USB flash drive (it's still my boot drive) as stated in the guide above.
my new blkid
Code:
/dev/sda1: UUID="49648af2-ebf5-4f8d-9cf4-8ea8d9446af5" TYPE="crypto_LUKS" PARTUUID="b0487ab6-8747-4096-9f78-4cb08b0588ea"
/dev/sdd1: PARTLABEL="grub" PARTUUID="d407010f-4a2c-4dd4-be99-6509111ff5b8"
/dev/sdd2: UUID="A490-D856" TYPE="vfat" PARTLABEL="boot" PARTUUID="c8958a6f-a4e0-4d38-b92d-4ee6cbf6bda7"
/dev/mapper/gentoo-root: UUID="WrMxMW-0o5p-ViT9-SeZQ-hj4E-KTsn-pfFJFs" TYPE="LVM2_member"
/dev/mapper/vg1-root: LABEL="root" UUID="7249d2c8-c31c-4cbe-8cd2-4290176b114e" TYPE="ext4"
my new fstab
Code:
UUID=A490-D856 /boot ext2 noauto,noatime 1 2
UUID=49648af2-ebf5-4f8d-9cf4-8ea8d9446af5 / ext4 defaults 0 1
/etc/default/grub
Code:
GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y
GRUB_DEVICE=/dev/ram0
GRUB_CMDLINE_LINUX="dolvm rootfstype=ext4 crypt_root=49648af2-ebf5-4f8d-9cf4-8ea8d9446af5 real_root=/dev/mapper/vg1-root"
content of /boot
Code:
config-4.19.27-gentoo-r1 System.map-4.19.27-gentoo-r1
grub vmlinuz-4.19.27-gentoo-r1
initramfs-genkernel-x86_64-4.19.27-gentoo-r1
Did I make some stupid mistake with UUIDs? I don't see it..
Hu Administrator
Joined: 06 Mar 2007 Posts: 22634
Posted: Thu Mar 28, 2019 2:06 am
What is the output of file -s /dev/sda1? How exactly did you create the LUKS container there? Are you still trying to mix LUKS1 and LUKS2?
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Thu Mar 28, 2019 4:43 am
Hu wrote:
    What is the output of file -s /dev/sda1? How exactly did you create the LUKS container there? Are you still trying to mix LUKS1 and LUKS2?
/dev/sda1: LUKS encrypted file, ver 2 [, , sha256] UUID: 49648af2-ebf5-4f8d-9cf4-8ea8d9446af5
cryptsetup -v -y --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --type luks2 luksFormat /dev/sda1
I didn't try to mix LUKS1 and 2 (well, at least I think I didn't), because I'm not encrypting the boot drive in either setup.
I don't know why it is outputting 'Unsupported LUKS version 2' after cryptsetup luksDump /dev/sda1; it worked in the previous setup.
If you don't have any ideas to test on this setup, I will delete the partition and try to luksDump it right after its creation;
it will change my blkids and the above post will become irrelevant once again.
-----
I did everything from zero, and it still shows Unsupported LUKS version 2. Is that normal for a chrooted environment?
Hu Administrator
Joined: 06 Mar 2007 Posts: 22634
Posted: Fri Mar 29, 2019 1:43 am
etnull wrote:
    /dev/sda1: LUKS encrypted file, ver 2 [, , sha256] UUID: 49648af2-ebf5-4f8d-9cf4-8ea8d9446af5
    cryptsetup -v -y --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --type luks2 luksFormat /dev/sda1
You definitely created a LUKS2 volume. Why? Have you checked that your Gentoo cryptsetup will support LUKS2?
etnull wrote:
    I didn't try to mix LUKS1 and 2 (well, at least I think I didn't), because I'm not encrypting the boot drive in either setup.
Your error output suggests you are trying to use a LUKS1-only cryptsetup to open a LUKS2 device.
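An added check that is not part of the thread: reading the LUKS header directly tells LUKS1 from LUKS2 without depending on which cryptsetup is installed, and comparing that against the cryptsetup major version flags the LUKS2-on-cryptsetup-1.7.5 mismatch discussed above before the first boot. Reading a real device (e.g. /dev/sda1) needs root; the 8-byte sample headers below are constructed so the script runs on plain files.

```shell
#!/bin/sh
# The first 8 bytes of a LUKS header are the magic "LUKS\xba\xbe" followed by
# a big-endian 16-bit version field: 0x0001 for LUKS1, 0x0002 for LUKS2.

# luks_version PATH -> prints 1 or 2 and returns 0; prints "none" and returns 1
luks_version() {
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none; return 1 ;;
    esac
}

# cryptsetup_can_open LUKS_VERSION CRYPTSETUP_VERSION -> 0 if that cryptsetup
# release can open the container. LUKS2 needs cryptsetup 2.0 or newer; the
# stable 1.7.5 from the thread prints "Unsupported LUKS version 2" instead.
cryptsetup_can_open() {
    major=${2%%.*}
    [ "$1" = 2 ] && [ "$major" -lt 2 ] && return 1
    return 0
}

# make_sample_headers DIR -> writes constructed headers used for the demo/test
make_sample_headers() {
    printf 'LUKS\272\276\000\001' > "$1/luks1.img"
    printf 'LUKS\272\276\000\002' > "$1/luks2.img"
    printf 'plain data' > "$1/plain.img"
}

# Stand-alone demo on the constructed files (no real devices are touched).
tmp=$(mktemp -d)
make_sample_headers "$tmp"
for img in luks1 luks2 plain; do
    v=$(luks_version "$tmp/$img.img") || true
    printf '%s: LUKS version %s' "$img" "$v"
    if [ "$v" != none ]; then
        cryptsetup_can_open "$v" 1.7.5 && printf ' (opens with cryptsetup 1.7.5)' \
                                       || printf ' (needs cryptsetup >= 2.0)'
    fi
    echo
done
rm -rf "$tmp"
```

On a real system the second argument would come from `cryptsetup --version`, which prints "cryptsetup X.Y.Z".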
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Fri Mar 29, 2019 11:37 am
Hu wrote:
    You definitely created a LUKS2 volume. Why? Have you checked that your Gentoo cryptsetup will support LUKS2?
What do you mean? It isn't supported? I want to use the latest version. How do I check it? (Or how do I install a cryptsetup that supports LUKS2? Is it in testing only?)
~
OK, I see, it's 1.7.5-r1 in stable; I'm not accustomed to long release cycles. 2.0 was released almost 1.5 years ago... I will try once again with ~amd64.
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Sat Mar 30, 2019 5:11 pm
I reinstalled from zero, using ACCEPT_KEYWORDS="~amd64"
Now it asks me for the passphrase, but when I enter it I get something like this:
Code:
...
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted
!! Failed to open LUKS device /dev/sda1
!! Could not find the root in /dev/sda1
...
During install something asked me to do emerge @preserved-rebuild, I don't remember what it was, but I did that and it emerged 8.2.0 gcc and compiled something with it.
my installed versions
Code:
equery --quiet list gcc cryptsetup lvm2
sys-devel/gcc-8.2.0-r6
sys-devel/gcc-8.3.0
sys-fs/cryptsetup-2.1.0
sys-fs/lvm2-2.02.183
I have
Code:
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.2.0/libgcc_s.so
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.2.0/libgcc_s.so.1
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.3.0/libgcc_s.so
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.3.0/libgcc_s.so.1
blkid
Code:
/dev/mapper/gentoo-root: UUID="F3AHvo-bTec-Ivfd-3VY6-VHEC-MeiO-thoQyb" TYPE="LVM2_member"
/dev/mapper/vg1-root: LABEL="root" UUID="d018a2c9-1bfd-4a00-9501-3ffad08d6210" TYPE="ext4"
/dev/sda1: UUID="2536d534-9ab1-4935-9c53-2b5918a35766" TYPE="crypto_LUKS" PARTUUID="b2d97875-f001-4314-b62a-39f54cd8ac6b"
/dev/sdd1: PARTLABEL="bios_grub" PARTUUID="8690e1da-df0d-49b7-bd36-64d4b1195473"
/dev/sdd2: UUID="46de64a8-9e91-4946-8ed6-fdc533e1ddb1" TYPE="ext2" PARTLABEL="boot" PARTUUID="a03d9a08-bccd-496e-8f38-45a5013defaf"
fstab
Code:
UUID=46de64a8-9e91-4946-8ed6-fdc533e1ddb1 /boot ext2 noauto,noatime 1 2
UUID=d018a2c9-1bfd-4a00-9501-3ffad08d6210 / ext4 defaults,noatime 0 1
# tmpfs size suffix must be K/M/G; "4Gb" is rejected by the kernel's tmpfs option parser
tmpfs /tmp tmpfs size=4G 0 0
tmpfs /run tmpfs size=100M 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
grub
Code:
GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y
GRUB_DEVICE=/dev/ram0
GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=2536d534-9ab1-4935-9c53-2b5918a35766 rootfstype=ext4 real_root=/dev/mapper/vg1-root"
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Sun Apr 07, 2019 6:10 pm
I was able to install a fully functional system by falling back to LUKS1, but with /boot still unencrypted, which is not my end goal.
My end goal is to have an encrypted /boot with an encrypted keyfile on it (encrypted by cryptsetup, not gpg).
I found this useful guide, but it seems to be only for a manually built initramfs:
https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile
which I don't know how to do yet. Can it be done with genkernel instead?
If I create /usr/src/initramfs/init, will it be read by genkernel during compilation?
After many days of research I still can't quite grasp all of the components in such a setup and how they fit together.
Let's say I've generated the keyfile with dd, then encrypted it with cryptsetup, then added it as a keyfile to my LUKS volumes; then I should tell the initramfs to use it,
but the information gets very sparse and diverse: some guides mount the key somehow, some use /etc/crypttab, some do it in GRUB, some tell you to use various initramfs generators (apart from genkernel). Which way is the easiest? Please help me with the next 2-3 commands after the actions I have described.
msst Apprentice
Joined: 07 Jun 2011 Posts: 259
Posted: Sun Apr 07, 2019 8:31 pm
I am afraid this is still a rare setup, so it is not very well documented and takes some hacking.
I personally live with an unencrypted boot, but I manage to have it boot the root filesystem with a single password prompt and then have the initrd (I use better-initramfs) mount some other partitions with keyfiles from the encrypted root. That works relatively easily.
I also managed to use grub2 to open my encrypted rootfs and boot a kernel/initramfs from the encrypted root directly. Then one can also put a keyfile to unlock the rootfs inside the rootfs. But I somehow did not manage to get the keyfile to unlock the rootfs again (as the kernel cannot use the grub2 unlock); even when I compiled the initramfs and keyfile into the kernel it just hung. Something interferes there.
It would be nice to have an easily implementable solution for this with a single password prompt. But I know of none yet.
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Tue Apr 09, 2019 3:37 am
Looks like genkernel does not support encrypted LUKS keyfiles, so I'm trying to build the initramfs manually. I do it this way:
Code:
mkdir --parents /usr/src/initramfs/{bin,dev,etc,lib,lib64,mnt/root,proc,root,sbin,sys}
cp --archive /dev/{null,console,tty,sda1} /usr/src/initramfs/dev/
USE="static" emerge --ask --verbose sys-apps/busybox
cp --archive /bin/busybox /usr/src/initramfs/bin/busybox
cp --archive /sbin/lvm /usr/src/initramfs/sbin/lvm
cp --archive /sbin/cryptsetup /usr/src/initramfs/sbin/cryptsetup
nano -w /usr/src/initramfs/init
Code:
#!/bin/busybox sh
# content of the file; the interpreter line above must be the first line of /init
mount -t proc none /proc
mount -t sysfs none /sys
# unlock the LUKS container (prompts for the passphrase)
cryptsetup open /dev/sdb1 root
# find the volume group inside it and activate the root LV
lvm vgscan --mknodes
lvm lvchange -a ly vg1/root
lvm vgscan --mknodes
# the real root must be mounted on /mnt/root before switch_root can use it
mount -o ro /dev/mapper/vg1-root /mnt/root
umount /proc
umount /sys
exec switch_root /mnt/root /sbin/init
Right now I'm not trying to use any keyfiles, because I hadn't added one yet, I just want to be able to boot first.
chmod +x /usr/src/initramfs/init
cd /usr/src/initramfs
find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/custom-initramfs.cpio.gz
I'm editing the grub.cfg generated by grub-mkconfig, the initrd line of the default entry:
Code:
.....
initrd /custom-initramfs.cpio.gz
.....
What I'm getting during boot:
Code:
...
Failed to execute /init (error -2)
...
Kernel panic - not syncing: No working init found. Try passing init= option to kernel
ls /usr/src/initramfs
Code:
bin dev etc init lib lib64 mnt proc root sbin sys
ls /usr/src/initramfs/sbin
--------
I had tried to add init like so:
Code:
cp --archive /sbin/init /usr/src/initramfs/sbin/init
so that ls /usr/src/initramfs/sbin gives
Code:
cryptsetup lvm init
still the same error: Failed to execute /init (error -2)
Elleni Veteran
Joined: 23 May 2006 Posts: 1289
Hu Administrator
Joined: 06 Mar 2007 Posts: 22634
Posted: Tue Apr 09, 2019 4:41 am
etnull wrote:
    Looks like genkernel does not support encrypted LUKS keyfiles, so I'm trying to build the initramfs manually. I do it this way:
Why not use the kernel's built-in ability to create an initramfs from a description file?
etnull wrote:
    /init:
    #content of a file
This looks like a shell script. Did you include the #! for it? Is the interpreter available in the initramfs, including all required supporting libraries?
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Tue Apr 09, 2019 5:04 am
Actually I do have /boot encrypted and everything is working apart from keyfiles; I'm OK with two passwords during boot, the first for /boot and the second for the keyfile, I can always make an unencrypted keyfile later. All your links are purple for me, I've been through like ~15 pages in a search engine, but the last link is promising; I had forgotten about it, it's the closest to my actual setup. I will try tomorrow, thanks!
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Tue Apr 09, 2019 5:09 am
Quote:
    Why not use the kernel's built-in ability to create an initramfs from a description file?
I haven't seen such a setup anywhere in the guides. What is the description file called?
Quote:
    Did you include the #! for it? Is the interpreter available in the initramfs, including all required supporting libraries?
Yes, the first line is #!/bin/busybox sh
I can't copy-paste it and decided to skip comments to type less. I think I have a mistake with cryptsetup and lvm; they should be built statically before including them in the initramfs, I will try it later.
Elleni Veteran
Joined: 23 May 2006 Posts: 1289
Posted: Tue Apr 09, 2019 8:05 am
My point was that you can have the key to decrypt root in your initramfs file. That avoids the need to type the password twice. And the initramfs is in the encrypted boot; how to set this up is shown in the first link.
Hope this helps; if not, sorry, and just ignore my post(s).
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Tue Apr 09, 2019 3:16 pm
After compiling lvm2, cryptsetup and busybox statically, I'm getting:
Code:
Requested LUKS hash whirlpool is not supported.
With the same kernel that worked previously. I can't even dump the header because of this error.
Does a statically built cryptsetup somehow not support whirlpool?
List of my actions:
Code:
mkdir --parents /usr/src/initramfs/{bin,dev,etc,lib,lib64,mnt/root,proc,root,sbin,sys}
cp --archive /dev/{null,urandom,random,console,tty,sda1,sda2,sda3,sdb1} /usr/src/initramfs/dev/
USE="static" emerge --ask --verbose sys-apps/busybox
USE="static static-libs" emerge --ask --verbose sys-fs/lvm2
USE="-gcrypt nettle static" emerge --ask --verbose sys-fs/cryptsetup
cp --archive /bin/busybox /usr/src/initramfs/bin/busybox
cp --archive /sbin/lvm.static /usr/src/initramfs/sbin/lvm
cp --archive /sbin/cryptsetup /usr/src/initramfs/sbin/cryptsetup
nano -w /usr/src/initramfs/init
---
#!/bin/busybox sh
# mount the pseudo filesystems the tools below need
mount -t proc none /proc
mount -t sysfs none /sys
# unlock the LUKS container (prompts for the passphrase, up to 5 tries)
cryptsetup --tries 5 luksOpen /dev/sdb1 root
# find the volume group inside it and activate the root LV
lvm vgscan --mknodes
lvm lvchange -a ly vg1/root
lvm vgscan --mknodes
# the real root must be mounted on /mnt/root before switch_root can use it
mount -o ro /dev/mapper/vg1-root /mnt/root
umount /proc
umount /sys
exec switch_root /mnt/root /sbin/init
---
chmod +x /usr/src/initramfs/init
cd /usr/src/initramfs
find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/custom-initramfs.cpio.gz
grub.cfg
...
initrd /custom-initramfs.cpio.gz
...
389292 Guru
Joined: 26 Mar 2019 Posts: 504
Posted: Tue Apr 09, 2019 6:22 pm
The nettle USE flag for cryptsetup does not support the whirlpool hash function; recompiled with:
USE="-gcrypt kernel static" emerge --ask --verbose sys-fs/cryptsetup
and it worked! Well, almost.. now I have something with the lvm. I remember having the same thing during the regular install;
to fix it I had to link the host lvm/ to the chrooted lvm. Do I need to have all the lvm* binaries in the initramfs?
I don't know how to compile them statically; they come with the lvm2 package.
https://i.imgur.com/NwgjJ1F.png
lvmetad is not statically compiled, can't copy it as is..
https://i.imgur.com/Omb7MjK.png
----
Apparently I'm stupid or blind: https://wiki.gentoo.org/wiki/Custom_Initramfs#LVM explains everything. I just thought that vgscan in the init script would be enough, but it wasn't; when I created the lvm.conf in the initramfs everything mounted smoothly. Now it works! My first boot with a custom initrd! Now I will try to incorporate the key file and refactor my final installation guide; I think it should not give me any additional issues from this point.
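An added pre-flight check, written for this thread and not taken from it or from the Gentoo wiki, for a hand-built tree such as /usr/src/initramfs before it is packed with cpio. It tests the things that went wrong in the posts above: a missing or non-executable /init, a missing #! line or an interpreter that is not in the tree (both surface as "Failed to execute /init (error -2)", ENOENT), dynamically linked busybox/cryptsetup/lvm, no mnt/root for switch_root, and the etc/lvm/lvm.conf that turned out to be required. The static-binary test is a heuristic (a dynamic ELF carries its ld-linux/ld-musl interpreter path as a string); the directory layout and binary names are the ones used in the thread.

```shell
#!/bin/sh
# initramfs_check DIR -> prints one "FAIL:" line per problem, returns the count
initramfs_check() {
    root=$1; problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    if [ ! -f "$root/init" ]; then
        fail "/init is missing"
    else
        [ -x "$root/init" ] || fail "/init is not executable (chmod +x it)"
        shebang=$(head -n 1 "$root/init")
        case "$shebang" in
            '#!'*)
                # interpreter path is the first word after #!, e.g. /bin/busybox
                interp=${shebang#"#!"}; interp=${interp%% *}
                [ -x "$root$interp" ] || fail "/init wants $interp, which is not in the tree"
                ;;
            *) fail "/init has no #! line (kernel reports error -2)" ;;
        esac
    fi

    # Every binary must be static: a dynamically linked ELF embeds its
    # PT_INTERP path (ld-linux / ld-musl), which is the heuristic used here.
    for bin in bin/busybox sbin/cryptsetup sbin/lvm; do
        if [ ! -f "$root/$bin" ]; then
            fail "$bin is missing"
        elif grep -aqE 'ld-linux|ld-musl' "$root/$bin"; then
            fail "$bin is dynamically linked (build it with USE=static)"
        fi
    done

    [ -d "$root/mnt/root" ] || fail "mnt/root is missing (switch_root target)"
    [ -f "$root/etc/lvm/lvm.conf" ] || fail "etc/lvm/lvm.conf is missing (lvm in init failed without it)"
    for d in proc sys dev; do
        [ -d "$root/$d" ] || fail "$d is missing (init mounts proc/sysfs there)"
    done
    return $problems
}

# Stand-alone usage: check the tree from the thread and report the total.
if [ -d /usr/src/initramfs ]; then
    initramfs_check /usr/src/initramfs
    echo "problems found: $?"
fi
```

Run it after populating the tree and before the `find . -print0 | cpio ...` step; a zero return means none of the listed failure modes is present.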