Gentoo Forums
help initramfs for LUKS full disk encryption & keyfile
Latrina (n00b; joined 13 Aug 2017; posts: 27; location: Newcastle upon Tyne)
Posted: Fri Aug 25, 2017 5:01 am    Post subject: help initramfs for LUKS full disk encryption & keyfile

Hello folks.

My Gentoo system is installed on a full-disk-encrypted LUKS LVM volume. Right now, in order to decrypt and open the rootfs partition, I have to type the rootfs volume passphrase twice: first before grub loads up, and a second time at the point where the kernel needs to remount the rootfs volume.

I have been trying to create a custom one as per this wiki article; however, I have got nowhere near it, as the SATA controller is not even being recognized, despite the fact that I believe the controller's module is being loaded.

Anyway, do you guys have any suggestion on any tool that has the ability to create an initramfs with a keyfile? Obviously the ideal scenario would be just entering the password once, before grub is loaded.

Any feedback or suggestion will be much appreciated.

Thanks
charles17 (Advocate; joined 02 Mar 2008; posts: 2613)
Posted: Fri Aug 25, 2017 6:18 am    Post subject: Re: help initramfs for LUKS full disk encryption & keyfi

Latrina wrote:
... as the SATA controller is not even being recognized, despite the fact that I believe the controller's module is being loaded.

Have you tried with the driver compiled into the kernel instead of having it as a module?

Latrina wrote:
Anyway, do you guys have any suggestion on any tool that has the ability to create an initramfs with a keyfile? Obviously the ideal scenario would be just entering the password once, before grub is loaded.

In case the computer has UEFI, what if you went without grub?

For the keyfile matter you might check the sakaki guide.
gen2saurus (n00b; joined 20 Aug 2017; posts: 11)
Posted: Fri Aug 25, 2017 2:42 pm

You should encrypt the PV. In this case the system asks for the password once, when it opens the PV.

I have used it for years...
Latrina (n00b; joined 13 Aug 2017; posts: 27; location: Newcastle upon Tyne)
Posted: Fri Aug 25, 2017 8:12 pm    Post subject: Re: help initramfs for LUKS full disk encryption & keyfi

charles17 wrote:
Have you tried with the driver compiled into the kernel instead of having it as a module?

Hey, I am not entirely sure what you mean by "the driver compiled into the kernel instead of having it as a module". I mean I copied the compiled kernel modules over to the initramfs; modprobe loads them, but no SATA controller is detected.

charles17 wrote:
In case the computer has UEFI, what if you went without grub?

Uhm, this is a legacy BIOS MBR install, and I am not sure what you mean by "what if you went without grub".

charles17 wrote:
For the keyfile matter you might check the sakaki guide.

However, thanks for sharing the knowledge; I will definitely give this guide a read. By the way, for the record, this is a Lenovo ThinkPad x230.
_________________
USE="-systemd"
Latrina (n00b; joined 13 Aug 2017; posts: 27; location: Newcastle upon Tyne)
Posted: Fri Aug 25, 2017 8:14 pm

gen2saurus wrote:
You should encrypt the PV. In this case the system asks for the password once, when it opens the PV.

I have used it for years...

Hey, sorry for the noob question, but could you explain what you mean by PV? Anything to read that is worth taking a look at?

Thanks
_________________
USE="-systemd"
gen2saurus (n00b; joined 20 Aug 2017; posts: 11)
Posted: Fri Aug 25, 2017 11:19 pm

Latrina wrote:
gen2saurus wrote:
You should encrypt the PV. In this case the system asks for the password once, when it opens the PV.

I have used it for years...

Hey, sorry for the noob question, but could you explain what you mean by PV? Anything to read that is worth taking a look at?

Thanks

FYI: PV - http://www.tldp.org/HOWTO/LVM-HOWTO/pv.html

The idea:

1. Partitioning:
Code:
desktop ~ # fdisk -lu /dev/sdb
...
Device     Boot Start        End    Sectors   Size Id Type
/dev/sdb1        2048 1953521663 1953519616 931.5G 83 Linux

2. PVs are created on /dev/sda2 (no encryption) and /dev/sdb1 (PV encrypted, not the partition itself!):
Code:
desktop ~ # pvs
  PV                             VG     Fmt  Attr PSize   PFree 
  /dev/mapper/root_sdb1-sys-root sys    lvm2 a--  931.51g 823.51g
  /dev/sda2                      data   lvm2 a--  931.02g 852.02g

3. Add these kernel commands into GRUB config:
Code:
dolvm crypt_root=UUID=6a4e648c-d569-4a1a-9759-d16fcdebe7e5

FYI: in my case
Code:
desktop ~ # blkid
/dev/mapper/sys-root: UUID="2b72879c-8819-4484-87b1-e5823a77b666" TYPE="ext4"
...
/dev/sdb1: UUID="6a4e648c-d569-4a1a-9759-d16fcdebe7e5" TYPE="crypto_LUKS" PARTUUID="d6cdc2c0-01"
...
/dev/mapper/root_sdb1-sys-root: UUID="53eoyX-gAqb-BO7V-u0p1-S31J-fvqa-Pap0ls" TYPE="LVM2_member"
...

4. Finally:
Code:
desktop ~ # mount|grep /dev/mapper/   
/dev/mapper/sys-root on / type ext4 (rw,noatime,data=ordered)
/dev/mapper/sys-usr on /usr type ext4 (rw,noatime,data=ordered)
/dev/mapper/data-usr_portage on /usr/portage type reiserfs (rw,noatime)
/dev/mapper/data-distfiles on /usr/portage/distfiles type ext4 (rw,noatime,data=ordered)
/dev/mapper/sys-usrsrc on /usr/src type ext4 (rw,noatime,data=ordered)
/dev/mapper/sys-opt on /opt type ext4 (rw,noatime,data=ordered)
/dev/mapper/sys-usrlocal on /usr/local type ext4 (rw,noatime,data=ordered)
/dev/mapper/sys-home on /home type ext4 (rw,noatime,data=ordered)
/dev/mapper/sys-var on /var type ext4 (rw,noatime,data=ordered)
/dev/mapper/data-var_tmp on /var/tmp type ext4 (rw,noatime,data=ordered)
/dev/mapper/sys-varlog on /var/log type ext4 (rw,noatime,data=ordered)

P.S. Feel free to search the Internet for more detailed info.

P.P.S. I have another desktop (some PVs are encrypted as well) with a more complex configuration (some PVs are created on RAIDs, there is no /boot in the box, etc.), but the main idea is the same, so it is a universal, powerful and quite flexible solution.
charles17 (Advocate; joined 02 Mar 2008; posts: 2613)
Posted: Sat Aug 26, 2017 7:55 am    Post subject: Re: help initramfs for LUKS full disk encryption & keyfi
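Steps 2 to 4 of the post above amount to a check: the LUKS container must be the partition (TYPE="crypto_LUKS"), the LVM PV must sit inside it (an LVM2_member on /dev/mapper/), and the crypt_root= parameter must name that one container's UUID. The script below, an added example and not the poster's own tooling, derives the GRUB kernel parameters from blkid-style output and refuses layouts that break those rules; the blkid lines it parses are constructed from the post's values.

```shell
#!/bin/sh
# Constructed blkid output mirroring the post's layout (not captured from a real box):
# /dev/sdb1 is the LUKS container, the LVM PV lives inside it on a device-mapper node.
SAMPLE_BLKID='/dev/sda1: UUID="c1d2e3f4-0000-1111-2222-333344445555" TYPE="ext2"
/dev/mapper/sys-root: UUID="2b72879c-8819-4484-87b1-e5823a77b666" TYPE="ext4"
/dev/sdb1: UUID="6a4e648c-d569-4a1a-9759-d16fcdebe7e5" TYPE="crypto_LUKS" PARTUUID="d6cdc2c0-01"
/dev/mapper/root_sdb1-sys-root: UUID="53eoyX-gAqb-BO7V-u0p1-S31J-fvqa-Pap0ls" TYPE="LVM2_member"'

# Print the UUID of the single crypto_LUKS device in the blkid text given as $1.
# crypt_root= can name only one container, so zero or several is an error.
luks_uuid() {
    uuids=$(printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' \
            | sed -n 's/^[^ ]* UUID="\([^"]*\)".*/\1/p')
    [ "$(printf '%s\n' "$uuids" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$uuids"
}

# Succeed only if every LVM PV sits on a /dev/mapper/ node (i.e. inside LUKS),
# never directly on a raw partition, which is the layout the post insists on.
pv_is_encrypted() {
    pvs=$(printf '%s\n' "$1" | grep 'TYPE="LVM2_member"')
    [ -n "$pvs" ] || return 1
    ! printf '%s\n' "$pvs" | grep -qv '^/dev/mapper/'
}

# Build the "dolvm crypt_root=UUID=..." line the post puts into the GRUB config.
kernel_params() {
    uuid=$(luks_uuid "$1") || { echo "error: need exactly one crypto_LUKS device" >&2; return 1; }
    pv_is_encrypted "$1" || { echo "error: a PV is on a raw partition, not inside LUKS" >&2; return 1; }
    printf 'dolvm crypt_root=UUID=%s\n' "$uuid"
}

kernel_params "$SAMPLE_BLKID"
```

Feeding it real `blkid` output (`kernel_params "$(blkid)"`) reproduces the parameter line for a box laid out as in the post, and the two error paths catch the most common mistake of putting the PV on the bare partition.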

Latrina wrote:
charles17 wrote:

Have you tried with the driver compiled into the kernel instead of having it as a module?


Hey, I am not entirely sure what you mean by "the driver compiled into the kernel instead of having it as a module". I mean I copied the compiled kernel modules over to the initramfs; modprobe loads them, but no SATA controller is detected.

See the Kernel Modules wiki article. If the kernel itself had the SATA driver built-in and not as a module, then there's no need to copy that driver to the initramfs.
For comparison see my older thread: post 8109204