Gentoo Forums
Encrypted root partition: Invalid passphrase, Grub and LUKS2
nxe9 (n00b)
Joined: 05 Jun 2021
Posts: 72

Posted: Mon Oct 21, 2024 9:32 pm    Post subject: Encrypted root partition: Invalid passphrase, Grub and LUKS2

Hi, I'm trying to install Gentoo with an encrypted partition. During startup, a password prompt appears and after entering the correct password, the following error appears.

Code:
Enter passphrase for hd0,gpt2 (<uuid>):
error: Invalid passphrase
error: no such cryptodisk found, perhaps a needed disk or cryptodisk module is not loaded.
error: disk `lvmid/<...>' not found.
Entering rescue mode...
grub rescue>


I have read the following thread and realize that it is probably related to LUKS2 and PBKDF: argon2id.
https://forums.gentoo.org/viewtopic-p-8819261.html

User @sMueggli also brought this to my attention in another thread, and I also found this information on another forum.
https://forums.gentoo.org/viewtopic-p-8843694.html#8843694
https://bbs.archlinux.org/viewtopic.php?pid=2160962#p2160962

However, before I try to solve the problem, I wanted to describe what I actually do and how I understand the boot process and steps to prepare the boot process. I probably don't understand everything yet, so I would like to compare my knowledge and make sure that my approach makes sense. Let me start by saying that I have two machines that have Gentoo encrypted. The first system (pc1) works without any problems and it was configured some time ago. I'm trying to install the second system (pc2).

@pietinger Recently I read some of your posts, which allowed me to better understand what happens when the system boots. Thanks for this.

pc1:
I will ignore additional irrelevant partitions for simplicity.
Code:
- sda1: no encryption, vfat, mounted on /boot, contains EFI/BOOT/BOOTX64.EFI and grub/ with some grub files
- sda2: lvm (pvcreate - lvm, vgcreate - vg0, lvcreate - root)
-- root


Built-in kernel command line:
Code:
(dolvm crypt_root=PARTUUID=<...> root=/dev/mapper/vg0-root) built-in kernel command string


initramfs creation using genkernel:
Code:
mkdir /tmp/initramfs
cd /tmp/initramfs
cp /usr/src/linux/.config .
genkernel --luks --lvm --kernel-config=.config initramfs


grub install
Code:
grub-install --target=x86_64-efi --efi-directory=/boot --removable


grub config
Code:
grub-mkconfig -o /boot/grub/grub.cfg


So the following things happen:
1. 'make install' copies the kernel to /boot
2. 'genkernel...' creates initramfs and will copy it to /boot, which will allow initramfs to prepare the root partition during boot
3. 'grub-install...' installs grub to the sda1 device. More specifically, it will create a bootx64.efi binary that will be loaded during boot and some grub files inside /boot/grub/.
4. 'grub-mkconfig...' will create a configuration file that will allow to find and load the kernel and initramfs during boot

What happens while booting?
1. Firmware / UEFI looks for BOOTX64.EFI binary (grub binary) and loads it.
2. Grub binary loads the kernel
3. Kernel starts initramfs
4. Initramfs asks for a password and mounts the encrypted root partition

Did I understand it correctly? There are two questions from me about this.

1. Why doesn't the error I mentioned at the beginning, the one on PC2, appear here? Because in this case grub doesn't have to decrypt anything. Decryption only happens in initramfs without the involvement of grub. True?

2. What about the built-in kernel command line (dolvm crypt_root=PARTUUID=<...> root=/dev/mapper/vg0-root)? Does the kernel call it before loading initramfs so that initramfs can access the lvm container?

Now let's move on to pc2. My idea was to use the /efi partition instead of /boot, because that's how it was described in the handbook, and to prepare booting using dracut and new tools such as makeinstall with the dracut flag.

pc2:
It's actually nvme instead of sda, but that's not important.
Code:
- sda1: no encryption, vfat, mounted on /efi, contains EFI/BOOT/BOOTX64.EFI
- sda2: lvm (pvcreate - lvm, vgcreate - vg0, lvcreate - root)
-- root, contains /boot/grub


Built-in kernel command line:
Code:
root=UUID=<...> rd.luks.uuid=<...> rd.lvm.vg=vg0


package.use, because 'make install' should generate dracut initramfs
Code:
sys-kernel/installkernel dracut


/etc/dracut.conf
Code:
add_dracutmodules+=" crypt dm rootfs-block lvm "


/etc/default/grub, because /boot is on the encrypted root.
Code:
GRUB_ENABLE_CRYPTODISK=y


grub install
Code:
grub-install --efi-directory=/efi


grub config
Code:
grub-mkconfig -o /boot/grub/grub.cfg


So the following things happen:
1. 'make install' copies the kernel to /boot, creates initramfs with dracut and copies it to /boot
2. 'grub-install...' installs grub to the sda1 device (/efi) and sda2 (/boot). More specifically, it will create a bootx64.efi binary inside /efi that will be loaded during boot and some grub files inside /boot/grub/.
3. 'grub-mkconfig...' will create a configuration file inside /boot/grub that will allow to find and load the kernel and initramfs during boot

What happens while booting?
1. Firmware / UEFI looks for BOOTX64.EFI binary (grub binary) and loads it.
2. Grub binary wants to access the kernel inside root/boot and needs to encrypt the /root partition. A password prompt appears and in my case the encryption fails because grub cannot decrypt LUKS2.
3. Grub binary loads kernel from /root/boot
4. Kernel starts initramfs
5. Initramfs asks for a password and mounts the encrypted root partition

Have I understood this process correctly? If so, now let's move on to the solution. One solution is luks1. However, I don't really see the advantage of keeping /boot on an encrypted partition. What is the main advantage? That no one with physical access to the disk will be able to view my kernel, right? Do I understand correctly that in this case I will have to enter the password twice, or maybe grub will be able to pass the decrypted partition to initramfs?

Thank you very much if anyone made it to the end and would like to share their knowledge with me.
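The "error: Invalid passphrase" in the post is the symptom of a known GRUB limitation: upstream GRUB's cryptodisk can open a LUKS2 volume only through a keyslot that uses PBKDF2, and cryptsetup's LUKS2 default is argon2id, which GRUB does not implement. The following pre-flight check is an added example written for this page (not code from the post, Gentoo, GRUB or cryptsetup). It parses `cryptsetup luksDump` text from stdin, lists the PBKDF of each enabled keyslot for both LUKS1 and LUKS2 headers, and tells you whether GRUB has at least one usable (pbkdf2) slot before you reboot into `GRUB_ENABLE_CRYPTODISK=y`. The dumps embedded below are constructed samples so the script runs offline; the device path in the comments is a placeholder.

```shell
#!/bin/sh
# Added example (not code from the forum post, Gentoo, GRUB or cryptsetup).
# Upstream GRUB's cryptodisk opens LUKS2 volumes only through PBKDF2 keyslots;
# argon2i/argon2id slots (cryptsetup's LUKS2 default) are skipped, so with no
# pbkdf2 slot GRUB prints "Invalid passphrase" before /boot is ever read.
# Real run: cryptsetup luksDump /dev/nvme0n1p2 | grub_can_unlock   (device is a placeholder)

# Print "<slot> <pbkdf>" for every enabled keyslot; handles LUKS1 and LUKS2 dumps.
luks_keyslot_pbkdf() {
    awk '
        /^Version:/ { version = $2 }
        # LUKS1 always derives keys with PBKDF2, so every ENABLED slot qualifies.
        version == "1" && /^Key Slot [0-9]+: ENABLED/ {
            slot = $3; sub(":", "", slot); print slot, "pbkdf2"
        }
        # LUKS2: walk the indented "Keyslots:" section and read each PBKDF: line.
        /^Keyslots:/ { in_keyslots = 1; next }
        /^[^ \t]/    { in_keyslots = 0 }
        in_keyslots && /^[ \t]+[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
        in_keyslots && /^[ \t]+PBKDF:/        { print slot, $2 }
    '
}

# Number of keyslots GRUB can use (pbkdf2).
luks_grub_usable_slots() {
    luks_keyslot_pbkdf | awk '$2 == "pbkdf2" { n++ } END { print n + 0 }'
}

# Exit 0 when at least one slot is pbkdf2, 1 otherwise (listing the slots that block GRUB).
grub_can_unlock() {
    dump=$(cat)
    n=$(printf '%s\n' "$dump" | luks_grub_usable_slots)
    if [ "$n" -ge 1 ]; then
        echo "OK: $n pbkdf2 keyslot(s); GRUB can unlock this volume"
        return 0
    fi
    echo "FAIL: no pbkdf2 keyslot; GRUB will report 'Invalid passphrase'"
    printf '%s\n' "$dump" | luks_keyslot_pbkdf | sed 's/^/  slot /'
    return 1
}

# Constructed dump of a LUKS2 volume made with cryptsetup defaults (argon2id only).
SAMPLE_LUKS2_ARGON='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 123456'

# Constructed dump after a second, GRUB-compatible slot was added with --pbkdf pbkdf2.
SAMPLE_LUKS2_MIXED='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Constructed dump of a LUKS1 volume (the "luks1" route mentioned in the post).
SAMPLE_LUKS1='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Hash spec:      sha256
UUID:           11111111-1111-1111-1111-111111111111

Key Slot 0: ENABLED
        Iterations:             1000000
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             1000000
Key Slot 2: DISABLED'

# Demo on the constructed samples; a real check pipes `cryptsetup luksDump <device>` instead.
printf '%s\n' "$SAMPLE_LUKS2_ARGON" | grub_can_unlock || :
printf '%s\n' "$SAMPLE_LUKS2_MIXED" | grub_can_unlock || :
```

If the check fails on a volume whose /boot GRUB must read, the volume needs a PBKDF2 keyslot: `cryptsetup luksConvertKey --pbkdf pbkdf2 <device>` converts an existing slot in place (a real cryptsetup command; it asks for that slot's passphrase), after which the check reports OK. Unlocking in GRUB does not carry over to the kernel, so the initramfs prompts for the passphrase a second time unless a keyfile is provided to it.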