
Setting up GRUB boot for LUKS encrypted ZFS root?


#1

If I have a LUKS encrypted boot, what should I have in my /etc/default/grub? I’m not using LVM (most of what I see on the topic is always specific to LVM/LUKS). I am doing this with ZFS if that makes a difference. (I can get a root ZFS working fine, but am having difficulty with it when that is within LUKS).


#2

You need to append cryptdevice=... to GRUB_CMDLINE_LINUX_DEFAULT and add GRUB_ENABLE_CRYPTODISK=y as a new line.

If you use a keyfile you should also add it with option luks to /etc/crypttab.
I guess you are using dracut. So create a new file ending in .conf in /etc/dracut.conf.d/ containing:

add_dracutmodules+="crypt"
filesystems+="zfs"

install_items+="[keyfile]"

Good luck!


#3

Still not having much luck.

My /etc/default/grub looks like:


#
# Configuration file for GRUB.
#
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Void"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 elevator=noop noresume crypt_root=UUID=4ca37254-716f-4ea9-afd1-9a5a4be452d1 rd.luks.uuid=4ca37254-716f-4ea9-afd1-9a5a4be452d1 rootfstype=zfs"
# Uncomment to use basic console
#GRUB_TERMINAL_INPUT="console"
# Uncomment to disable graphical terminal
GRUB_TERMINAL_OUTPUT=console
GRUB_BACKGROUND=/usr/share/void-artwork/splash.png
#GRUB_GFXMODE=1920x1080x32
#GRUB_DISABLE_LINUX_UUID=true
#GRUB_DISABLE_RECOVERY=true
GRUB_DISABLE_OS_PROBER=true
GRUB_ENABLE_CRYPTODISK=y

I’ve added a file /etc/dracut.conf.d/zol.conf:


hostonly="yes"
nofsck="yes"
add_dracutmodules+=" zfs crypt "
omit_dracutmodules+=" btrfs resume "
filesystems+=" zfs "

But when I boot, I get the Void GRUB menu, and then am prompted for a password, and after entering it, I get:


[   19.584891] device-mapper: table: 254:0: crypt: Error allocating crypto tfm
device-mapper: reload  ioctl on  failed: No such file or directory
Failed to setup dm-crypt key mapping for device /dev/sda1
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).
Wrong password

I’ve tried playing with the GRUB settings. I.e. adding:

cryptdevice=/dev/sda1

and deleting crypt_root… and rd.luks.uuid=... and various combinations of adding and deleting these elements. Either I don’t get any chance to enter a passphrase, or else I get the same error message.

To me it looks like the crypt module isn’t getting properly into the initrd, but given my dracut.conf file, I don’t understand why not.


#4

You have to be aware that there are two separate processes: First a “minimal” grub tries to decrypt the specified cryptdevice just to access /boot and present you with the normal boot prompt. Only then the (now decrypted) initramfs (built with your dracut settings) can be used and the “normal” boot process starts. If you’re not using a keyfile you’ll have to put in your password a second time.

So I think the problem is that the “minimal” grub doesn’t know zfs (and it’s also important to know that when you type in your password it only knows the English keymap). I don’t know if this can be tweaked somehow (not that I wasn’t looking ;-)). A simple solution could be to use a small ext4 /boot partition.


#5

I have /boot on a separate unencrypted ext2 partition, so none of this should be an issue, should it?


#6

I’m confused. So this question isn’t about “Setting up LUKS encrypted boot”, but encrypted root?


#7

So to clear things up: You have an unencrypted ext2 /boot partition and an encrypted zfs /?

Re-reading your error message: Wrong password
Do you have any special characters in your password and your keyboard layout isn’t English? You might have to add

rd.vconsole.keymap=<your_layout>

to GRUB_CMDLINE_LINUX_DEFAULT (or know where the special characters are in the English layout).


#8

Alright. Thanks for clearing that up.
Just ignore everything I said before and add cryptdevice to your GRUB_CMDLINE_LINUX_DEFAULT.

That is not enough. You have to tell dm-crypt where to map the device. So it should be something like cryptdevice=/dev/sda1:crypt-root.
(But don’t do that. Use persistent block device naming.)

You may add root=/dev/mapper/crypt-root if grub-mkconfig won’t detect your root. But it should usually.

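Since the advice in this thread boils down to a handful of things that must be true in /etc/default/grub (a cryptdevice= entry, a :mapper-name suffix, persistent device naming instead of /dev/sdX, and GRUB_ENABLE_CRYPTODISK=y only when /boot itself is inside LUKS), here is a small lint script that checks those points. It is an added example, not code from this thread or from Void; it only reads a grub-defaults-style file you point it at, and the two sample files it writes are constructed, not anyone’s real configuration.

```shell
#!/bin/sh
# Added example: lint a /etc/default/grub-style file for the LUKS root settings
# discussed in the thread. The sample files written by write_samples are constructed.

# Print the (unquoted) value of the last KEY=... assignment in a grub defaults file.
grub_var() {
    # $1 = key name, $2 = file
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | sed 's/^"//; s/"$//'
}

# Check one grub defaults file. Prints findings; returns 0 only if nothing is wrong.
check_grub_luks() {
    file="$1"
    rc=0
    # GRUB concatenates both variables into the kernel command line.
    cmdline="$(grub_var GRUB_CMDLINE_LINUX "$file") $(grub_var GRUB_CMDLINE_LINUX_DEFAULT "$file")"

    # cryptdevice=<source>:<mapper-name> is what tells the initramfs where to map the device.
    cryptdev="$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^cryptdevice=//p' | head -n 1)"
    if [ -z "$cryptdev" ]; then
        echo "FAIL: no cryptdevice= on the kernel command line"
        rc=1
    else
        case "$cryptdev" in
            *:*) ;;
            *) echo "FAIL: cryptdevice=$cryptdev has no :<mapper-name> suffix"; rc=1 ;;
        esac
        # /dev/sdX style names can change between boots; UUID= is the persistent form.
        case "$cryptdev" in
            /dev/sd*|/dev/nvme*|/dev/vd*)
                echo "WARN: cryptdevice=$cryptdev uses a non-persistent device name; prefer UUID=..."
                rc=1 ;;
        esac
    fi

    # GRUB_ENABLE_CRYPTODISK=y makes the "minimal" GRUB unlock /boot itself (first of the
    # two unlock stages); with an unencrypted /boot it is simply not needed.
    if [ "$(grub_var GRUB_ENABLE_CRYPTODISK "$file")" = "y" ]; then
        echo "INFO: GRUB_ENABLE_CRYPTODISK=y (GRUB will unlock /boot itself before the initramfs runs)"
    fi
    return $rc
}

# Write two constructed sample files into a temp dir and print the dir path.
write_samples() {
    dir="$(mktemp -d)"
    cat > "$dir/grub.good" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 noresume"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=00000000-0000-0000-0000-000000000000:cryptzfs"
GRUB_ENABLE_CRYPTODISK=y
EOF
    cat > "$dir/grub.bad" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 cryptdevice=/dev/sda1"
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: check both constructed samples.
samples="$(write_samples)"
for f in "$samples/grub.good" "$samples/grub.bad"; do
    echo "== $f"
    if check_grub_luks "$f"; then echo "result: OK"; else echo "result: problems found"; fi
done
```

To run it against a real system, call `check_grub_luks /etc/default/grub` after sourcing the functions; it does not modify anything.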

#9

Right, sorry, the title made sense to me at the time. But what I meant was: “I’ve got an encrypted root, and I’m having trouble getting the boot initialisation to work.”

No, I’ve got a US English keyboard.

My GRUB already ends up with a root=ZFS=tank/ROOT/void, which is what I need.

I’ll try adding cryptdevice with a UUID and proper mapping. (Though I would have thought my crypttab already took care of that…)


EDIT: Ok, I tried that. Unfortunately, I get exactly the same error message.

So my /boot/grub/grub.cfg looks like:

......
echo   'Loading Linux 4.10.17_1 ... '
linux  /vmlinuz-4.10.17_1 root=ZFS=tank/ROOT/void ro loglevel=4 elevator=noop noresume crypt_root=UUID=4ba39254-777b-4ef9-afd8-9b5a4be412b2 rd.luks.uuid=4ba39254-777b-4ef9-afd8-9b5a4be412b2 cryptdevice=UUID=4ba39254-777b-4ef9-afd8-9b5a4be412b2:cryptzfs rootfstype=zfs
echo   'Loading initial ramdisk ...'
initrd    /initramfs-4.10.17_1.img
.....

#10

Investigating how Ubuntu handles this (LUKS encrypted ZFS root) I came across this:

bug: cryptsetup does not support ZFS

There’s a patch included there, so perhaps I should try patching cryptsetup on Void and trying again? Does this seem like the right plan of attack?

EDIT: Though it looks like what the Install Ubuntu 16.04 with LUKS ZFS root guide does in fact is to add initramfs as an option/flag in crypttab. But, having tried this, I can report it doesn’t work with Void. Perhaps they’re using a hacked initramfs, since the guide has one run apt install --yes zfs-initramfs.


#11

Hiya, not on Void but Debian Jessie with this setup, and using ZFS root with NO separate /boot (using a small 2MB GRUB partition instead), everything except GRUB is on LUKS, using passphrase and keyfile. GRUB is from Stretch (v2.02~beta3-5), otherwise vanilla Jessie.

My /etc/default/grub includes:

GRUB_CMDLINE_LINUX_DEFAULT="quiet init=/sbin/runit-init"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/1234-1234-1234-1234-1234:zcrypt"
GRUB_ENABLE_CRYPTODISK=y

And /etc/crypttab (discard because SSD):

zcrypt UUID=1234-1234-1234-1234-1234 /keyfile luks,keyscript=/bin/cat,discard

Not sure if this will be of much use, since I’m using initramfs-tools rather than dracut. Booting is 100% stable, the system itself a bit less so (random crashes about once in a month). I have a script to debootstrap this into an external drive, can share.
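The crypttab in the post above names a keyfile on disk. A keyfile that lives on the (encrypted) root is only as safe as its permissions, so here is an added check script that walks a crypttab-style file and flags any keyfile that is readable by group or other, or that is missing, and any entry without the luks option. It is not code from this thread or from Debian; the crypttab it writes, its UUIDs and its keyfiles are all constructed, and the owner-only test uses `ls -l` output rather than GNU-specific `stat` flags.

```shell
#!/bin/sh
# Added example: check that keyfiles referenced from a crypttab-style file are
# readable by their owner only. All sample data written below is constructed.

# Return 0 if the group and other permission bits of $1 are all clear (e.g. 0600/0400).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Walk a crypttab file (fields: name device keyfile options). For each entry with a
# real keyfile path, check that it exists and is owner-only; also require the luks option.
# Returns 1 if any entry has a finding.
check_crypttab_keyfiles() {
    rc=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac      # skip blanks and comments
        case "$key" in
            ''|none|-) echo "INFO: $name: passphrase prompt, no keyfile"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "FAIL: $name: keyfile $key does not exist"; rc=1; continue
        fi
        if is_owner_only "$key"; then
            echo "OK: $name: keyfile $key is owner-only"
        else
            echo "FAIL: $name: keyfile $key is readable by group/other"; rc=1
        fi
        case ",$opts," in
            *,luks,*) ;;
            *) echo "WARN: $name: options '$opts' lack 'luks'"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Write a constructed crypttab plus two keyfiles (one 0600, one 0644) into a temp dir.
write_crypttab_sample() {
    dir="$(mktemp -d)"
    printf 'constructed-key-material\n' > "$dir/good.key"; chmod 600 "$dir/good.key"
    printf 'constructed-key-material\n' > "$dir/bad.key";  chmod 644 "$dir/bad.key"
    cat > "$dir/crypttab" <<EOF
# constructed sample crypttab
zcrypt  UUID=00000000-0000-0000-0000-000000000000  $dir/good.key  luks,discard
zlax    UUID=11111111-1111-1111-1111-111111111111  $dir/bad.key   luks
zprompt UUID=22222222-2222-2222-2222-222222222222  none           luks
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo.
sample="$(write_crypttab_sample)"
if check_crypttab_keyfiles "$sample/crypttab"; then
    echo "result: all keyfiles OK"
else
    echo "result: problems found"
fi
```

On a real system run `check_crypttab_keyfiles /etc/crypttab` as root; remember that a keyfile copied into the initramfs (the install_items approach from post #2) also needs the initramfs image itself to be unreadable by non-root users.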