If I have a LUKS encrypted boot, what should I have in my /etc/default/grub? I’m not using LVM (most of what I see on the topic is always specific to LVM/LUKS). I am doing this with ZFS if that makes a difference. (I can get a root ZFS working fine, but am having difficulty with it when that is within LUKS).
You need to append GRUB_CMDLINE_LINUX_DEFAULT and add GRUB_ENABLE_CRYPTODISK=y as a new line.
If you use a keyfile you should also add it with option
I guess you are using dracut. So create a new file ending in
Still not having much luck.
/etc/default/grub looks like:

```
#
# Configuration file for GRUB.
#
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Void"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 elevator=noop noresume crypt_root=UUID=4ca37254-716f-4ea9-afd1-9a5a4be452d1 rd.luks.uuid=4ca37254-716f-4ea9-afd1-9a5a4be452d1 rootfstype=zfs"
# Uncomment to use basic console
#GRUB_TERMINAL_INPUT="console"
# Uncomment to disable graphical terminal
GRUB_TERMINAL_OUTPUT=console
GRUB_BACKGROUND=/usr/share/void-artwork/splash.png
#GRUB_GFXMODE=1920x1080x32
#GRUB_DISABLE_LINUX_UUID=true
#GRUB_DISABLE_RECOVERY=true
GRUB_DISABLE_OS_PROBER=true
GRUB_ENABLE_CRYPTODISK=y
```
I’ve added a file
```
hostonly="yes"
nofsck="yes"
add_dracutmodules+=" zfs crypt "
omit_dracutmodules+=" btrfs resume "
filesystems+=" zfs "
```
But when I boot, I get the Void GRUB menu, and then am prompted for a password, and after entering it, I get:
```
[   19.584891] device-mapper: table: 254:0: crypt: Error allocating crypto tfm
device-mapper: reload ioctl on  failed: No such file or directory
Failed to setup dm-crypt key mapping for device /dev/sda1
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).
Wrong password
```
I’ve tried playing with the GRUB settings, i.e. adding rd.luks.uuid=... and various combinations of adding and deleting these elements. Either I don’t get any chance to enter a passphrase, or else I get the same error message.
To me it looks like the crypt module isn’t getting properly into the initrd, but given my dracut.conf file, I don’t understand why not.
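As an added diagnostic (not posted by anyone in this thread), two small POSIX shell functions that check the two things the error above points at: whether the kernel lists the LUKS cipher in /proc/crypto, and whether the UUID given to rd.luks.uuid= or cryptdevice= on the kernel command line actually belongs to a crypto_LUKS device in blkid output. File paths are parameters so saved copies can be inspected; the values in the comments are constructed.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). They check the two things the
# "Error allocating crypto tfm ... Check that kernel supports aes-xts-plain64"
# message points at: the cipher must be known to the kernel that runs inside
# the initramfs, and the LUKS UUID on the kernel command line must name a real
# crypto_LUKS device. File paths are parameters so copies can be inspected.

# cipher_supported <proc_crypto_file> <luks_cipher_spec>
# Maps a LUKS spec such as aes-xts-plain64 to the /proc/crypto name "xts(aes)"
# and returns 0 only if that name is registered.
cipher_supported() {
    procfile=$1
    cipher=${2%%-*}            # aes
    rest=${2#*-}               # xts-plain64
    mode=${rest%%-*}           # xts
    grep -Eq "^name[[:space:]]*:[[:space:]]*${mode}\(${cipher}\)\$" "$procfile"
}

# luks_uuid_matches <cmdline_file> <blkid_output_file> <param>
# <param> is the kernel parameter to inspect (rd.luks.uuid or cryptdevice).
# Accepts both "param=<uuid>" and "param=UUID=<uuid>:mapname" and returns 0
# only if blkid lists a device with that UUID and TYPE="crypto_LUKS".
luks_uuid_matches() {
    cmdline=$1
    blkidfile=$2
    param=$3
    uuid=$(tr ' ' '\n' < "$cmdline" |
        sed -n "s/^${param}=\(UUID=\)\{0,1\}\([0-9a-fA-F-]*\).*/\2/p" |
        head -n 1)
    [ -n "$uuid" ] || return 1
    grep -E "UUID=\"${uuid}\"" "$blkidfile" | grep -q 'TYPE="crypto_LUKS"'
}

# On a live system (blkid needs root):
#   cipher_supported /proc/crypto aes-xts-plain64 && echo "cipher registered"
#   blkid > /tmp/blkid.out
#   luks_uuid_matches /proc/cmdline /tmp/blkid.out rd.luks.uuid && echo "UUID ok"
```

Template modes such as xts only appear in /proc/crypto once they have been instantiated, so a missing entry means "not loaded yet" rather than "unsupported", while a present entry confirms support; to check what the initramfs itself carries, run lsinitrd on the image and look for the dm-crypt, xts and aes modules.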
You have to be aware that there are two separate processes: First a “minimal” grub tries to decrypt the specified cryptdevice just to access /boot and present you with the normal boot prompt. Only then the (now decrypted) initramfs (built with your dracut settings) can be used and the “normal” boot process starts. If you’re not using a keyfile you’ll have to put in your password a second time.
So I think the problem is that the “minimal” grub doesn’t know zfs (and it’s also important to know that when you type in your password it only knows the English keymap). I don’t know if this can be tweaked somehow (not that I wasn’t looking ;-)). A simple solution could be to use a small ext4
I have /boot on a separate unencrypted ext2 partition, so none of this should be an issue, should it?
I’m confused. So this question isn’t about “Setting up LUKS encrypted boot”, but encrypted root?
So to clear things up: You have an unencrypted ext2 /boot partition and an encrypted zfs
Re-reading your error message: Wrong password
Do you have any special characters in your password and your keyboard layout isn’t English? You might have to add GRUB_CMDLINE_LINUX_DEFAULT (or know where the special characters are in the English layout).
Alright. Thanks for clearing that up.
Just ignore everything I said before and add cryptdevice to your
That is not enough. You have to tell dm-crypt where to map the device. So it should be something like
(But don’t do that. Use persistent block device naming.)
You may add
grub-mkconfig won’t detect your root. But it should usually.
Right, sorry, the title made sense to me at the time. But what I meant was: “I’ve got an encrypted root, and I’m having trouble getting the boot initialisation to work.”
No, I’ve got a US English keyboard.
My GRUB already ends up with a root=ZFS=tank/ROOT/void, which is what I need.
I’ll try adding cryptdevice with a UUID and proper mapping. (Though I would have thought my crypttab already took care of that…)
EDIT: Ok, I tried that. Unfortunately, I get exactly the same error message.
So my /boot/grub/grub.cfg looks like:

```
......
echo 'Loading Linux 4.10.17_1 ... '
linux /vmlinuz-4.10.17_1 root=ZFS=tank/ROOT/void ro loglevel=4 elevator=noop noresume crypt_root=UUID=4ba39254-777b-4ef9-afd8-9b5a4be412b2 rd.luks.uuid=4ba39254-777b-4ef9-afd8-9b5a4be412b2 cryptdevice=UUID=4ba39254-777b-4ef9-afd8-9b5a4be412b2:cryptzfs rootfstype=zfs
echo 'Loading initial ramdisk ...'
initrd /initramfs-4.10.17_1.img
.....
```
Investigating how Ubuntu handles this (LUKS encrypted ZFS root) I came across this:
There’s a patch included there, so perhaps I should try patching cryptsetup on Void and try again? Does this seem like the right plan of attack?
EDIT: Though it looks like what the Install Ubuntu 16.04 with LUKS ZFS root guide does in fact is to add initramfs as an option/flag in crypttab. But, having tried this, I can report it doesn’t work with Void. Perhaps they’re using a hacked initramfs, since the guide has one install apt install --yes zfs-initramfs.
Hiya, not on Void but Debian Jessie with this setup, and using ZFS root with NO separate /boot (using a small 2MB GRUB partition instead), everything except GRUB is on LUKS, using passphrase and keyfile. GRUB is from Stretch (v2.02~beta3-5), otherwise vanilla Jessie.
```
GRUB_CMDLINE_LINUX_DEFAULT="quiet init=/sbin/runit-init"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/1234-1234-1234-1234-1234:zcrypt"
GRUB_ENABLE_CRYPTODISK=y
```
discard because SSD):
zcrypt UUID=1234-1234-1234-1234-1234 /keyfile luks,keyscript=/bin/cat,discard
Not sure if this will be of much use, since I’m using initramfs-tools rather than dracut. Booting is 100% stable, the system itself a bit less so (random crashes about once in a month). I have a script to debootstrap this into an external drive, can share.