
LUKS detached header problem



I want to install Void Linux (GPT, LUKS on LVM, encrypted /dev/sda not /dev/sda1) with a separate /boot partition on a USB stick and a detached LUKS header. When I install the system with a separate /boot only (the key file is also on the USB stick), everything is ok. But when I try to detach the LUKS header, there is a problem.

What I did do:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda:lvm:header=/path/to/header.img:cryptokey=/path/to/keyfile.bin rd.auto=1 loglevel=4"

pool-root /dev/sda /path/to/keyfile.bin header=/path/to/header.img luks

install_items+="/path/to/header.img /path/to/keyfile.bin"

Reconfiguring the kernel goes ok, but after the next step, when the kernel is configured again, the same error occurs.

When I try to make the grub config file (grub-mkconfig /boot/grub/grub.cfg) I get an error:

/usr/bin/grub-probe: error: disk 'lvmid/XXXX…XXXXX' not found.

I can't find the mistake. I think there is something wrong with the hooks or the initramfs, but I'm new to dracut.
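Added example (not part of the post, of Void's documentation or of dracut): a small Python checker for the three config fragments above. It parses the crypttab line and the install_items line from dracut.conf, confirms that every file crypttab refers to (the key file and the header= option) is also listed in install_items so dracut actually copies it into the initramfs, and reads the magic, version and UUID from the header image to confirm the file really is a LUKS header (the UUID field sits at the same offset in the LUKS1 and LUKS2 on-disk layouts). The paths are the placeholders from the post; the header bytes are constructed inline with the LUKS1 layout and carry no key material. crypttab(5) expects the options column to be comma-separated; the parser here also accepts whitespace between options so it can read the line as posted. The check says nothing about whether GRUB can reach those files from its own boot medium, which is a separate question.

```python
"""Sanity-check a detached-LUKS-header setup before rebuilding the initramfs.

Added example (not from the forum post): given the crypttab line, the
dracut.conf install_items line and the header image, confirm that
  1. the header file starts with a LUKS header (magic + version) and its
     UUID is readable,
  2. every path crypttab refers to (key file, header=) is also listed in
     install_items, so dracut will ship it inside the initrd.
The header bytes below are constructed for the example; the paths are
the placeholders used in the post.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"      # first 6 bytes of every LUKS1 and LUKS2 header
UUID_OFFSET, UUID_LEN = 168, 40   # UUID field sits at the same offset in both layouts
LUKS1_PHDR_SIZE = 592             # LUKS1 phdr: 208 fixed bytes + 8 key slots x 48 bytes

# Placeholders copied from the post; the header bytes are constructed further down.
CRYPTTAB_LINE = "pool-root /dev/sda /path/to/keyfile.bin header=/path/to/header.img luks"
INSTALL_ITEMS_LINE = 'install_items+="/path/to/header.img /path/to/keyfile.bin"'


def parse_luks_header(blob: bytes) -> dict:
    """Return version and UUID from the start of a header image.

    Only fields common to LUKS1 and LUKS2 are read: the magic, the
    big-endian u16 version and the NUL-terminated UUID string.
    """
    if len(blob) < UUID_OFFSET + UUID_LEN:
        raise ValueError("file too short to be a LUKS header")
    if blob[:6] != LUKS_MAGIC:
        raise ValueError("LUKS magic missing: not a header image")
    (version,) = struct.unpack(">H", blob[6:8])
    if version not in (1, 2):
        raise ValueError(f"unknown LUKS version {version}")
    raw_uuid = blob[UUID_OFFSET:UUID_OFFSET + UUID_LEN].split(b"\0", 1)[0]
    return {"version": version, "uuid": raw_uuid.decode("ascii")}


def parse_crypttab_line(line: str) -> dict:
    """crypttab(5): <name> <device> <keyfile> <options>, options comma-separated.

    Everything after the key file is treated as options and split on both
    commas and whitespace, so the space-separated line from the post parses too.
    """
    name, device, keyfile, *rest = line.split()
    options = [o for chunk in rest for o in chunk.split(",") if o]
    header = next((o[len("header="):] for o in options if o.startswith("header=")), None)
    return {"name": name, "device": device, "keyfile": keyfile,
            "header": header, "options": options}


def parse_install_items(line: str) -> list:
    """dracut.conf: install_items+=" /a /b "  ->  ['/a', '/b']."""
    _, _, value = line.partition("=")
    return value.strip().strip('"').strip("'").split()


def check_setup(crypttab_line: str, install_items_line: str, header_blob: bytes) -> list:
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    entry = parse_crypttab_line(crypttab_line)
    shipped = set(parse_install_items(install_items_line))
    for what, path in (("key file", entry["keyfile"]), ("header", entry["header"])):
        # 'none' / '-' in the key-file column means "ask for a passphrase"
        if path and path not in ("none", "-") and path not in shipped:
            problems.append(f"{what} {path} is not in install_items, dracut will not ship it")
    try:
        parse_luks_header(header_blob)
    except ValueError as exc:
        problems.append(f"header image: {exc}")
    return problems


def build_sample_luks1_header(uuid: str) -> bytes:
    """Constructed LUKS1-shaped header for the example: right layout, no key material."""
    hdr = bytearray(LUKS1_PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)                 # version 1
    hdr[8:8 + 3] = b"aes"                             # cipher-name[32]
    hdr[40:40 + 11] = b"xts-plain64"                  # cipher-mode[32]
    hdr[72:72 + 6] = b"sha256"                        # hash-spec[32]
    hdr[UUID_OFFSET:UUID_OFFSET + len(uuid)] = uuid.encode("ascii")
    return bytes(hdr)


SAMPLE_HEADER = build_sample_luks1_header("1b4e28ba-2fa1-11d2-883f-0016d3cca427")

if __name__ == "__main__":
    print(parse_luks_header(SAMPLE_HEADER))
    print(check_setup(CRYPTTAB_LINE, INSTALL_ITEMS_LINE, SAMPLE_HEADER) or "config fragments agree")
    # A header image that was never written (all zeros) is reported:
    print(check_setup(CRYPTTAB_LINE, INSTALL_ITEMS_LINE, bytes(LUKS1_PHDR_SIZE)))
```

To run it against a real setup, replace SAMPLE_HEADER with the bytes read from the header image (the first 208 bytes are enough) and the two constants with the lines from /etc/crypttab and /etc/dracut.conf.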

(Masato the Empty) #2

It might be helpful if you include real paths, it would make it easier for us here to know what you’re doing.

EDIT: but hold on. I think your post answered what I asked… duh…

(Masato the Empty) #3

OK, here’s what you [still] might want to look into (and what would aid folks here in troubleshooting).
You should have your initrd in an unencrypted location. While grub can get to encrypted locations, the files needed for doing so (key, header) still need to be stored outside of that location. In other words, you could put the necessary files in the initrd on an encrypted volume, and those would be used to let the kernel deal with that encrypted volume, but you then still need to put the (key and header) files where grub can get to them. Chicken and egg…

My notes still apply regarding storing the keyfile on the boot medium, as well as the header. It’s like putting your house key on a chain hanging from the doorknob.