Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
encrypted install (luks + lvm)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Tue Mar 26, 2019 2:44 pm    Post subject: encrypted install (luks + lvm) Reply with quote

I'm installing from within the host OS (arch), bios grub (not EFI), boot partition unencrypted.
The encryption happens off of the gpg key-file on a separate usb flash drive (which is also a boot drive, as in Sakaki's guide)
I was able to install traditionally (without encryption), but having troubles with encrypted setup.
When I boot off of my flash drive it gets to the grub but halts on screen with "GRUB GRUB _" message.
My setup:
Code:

sda               8:0    0 931.5G  0 disk
└─sda1            8:1    0 931.5G  0 part
  └─gentoo-root 254:0    0 931.5G  0 crypt
    └─vg1-root  254:1    0 465.8G  0 lvm   /
sdd               8:48   1   3.7G  0 disk
└─sdd1            8:49   1   3.7G  0 part  /boot

The boot drive is formatted in a gpt/ext2, with bios_grub flag, nothing else, only one partition.
Kernel compiled manually with enabled support for ext2, lvm, luks(dm-crypt), (did this referring the gentoo wikis)
also did this:
emerge lvm2 cryptsetup gentoolkit genkernel
initramfs install:
genkernel --luks --lvm initramfs
grub config (changed section):
Code:
GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y
GRUB_DEVICE=/dev/ram0
GRUB_CMDLINE_LINUX="crypt_root=/dev/sda1 real_root=/dev/mapper/vg1-root dolvm"

did this also: rc-update add lvm default
blkid:
Code:
/dev/sda1: UUID="06fe14b6-aec1-4bf0-b73b-4b307b4d1838" TYPE="crypto_LUKS" PARTUUID="c4c53bb7-7ebd-4158-ac66-1d90bd98c198"
/dev/sdd1: UUID="2dcc5534-bb84-4ca1-a3c5-470c3cff60d3" TYPE="ext2" PARTUUID="3dee3a5f-660f-429e-8d93-f5af8c509dc0"
/dev/mapper/gentoo-root: UUID="Hu6GiU-vI6F-D0sj-Mi0U-Watk-C1rM-SHhU3E" TYPE="LVM2_member"
/dev/mapper/vg1-root: LABEL="root" UUID="cef013a1-6df5-4d9e-8f99-b8c4a6820c83" TYPE="ext4"

fstab:
Code:
UUID=2dcc5534-bb84-4ca1-a3c5-470c3cff60d3    /boot      ext2      noauto,noatime      1 2
UUID=cef013a1-6df5-4d9e-8f99-b8c4a6820c83   /          ext4      defaults,noatime   0 1
# tmps
tmpfs                                       /tmp            tmpfs           size=4Gb        0 0
tmpfs                                       /run            tmpfs           size=100M       0 0
# shm
shm                                         /dev/shm        tmpfs           nodev,nosuid,noexec 0 0

I can get to the grub, it shouldn't be the grub/boot partition problem? Help me please.

---------------- upd -----------------

Hm, interesting, the "cryptsetup luksDump /dev/sda1" from within the chrooted env spits: Unsupported LUKS version 2.
But I'm certain that I activated all kernel modules form these pages:
https://wiki.gentoo.org/wiki/Dm-crypt
https://wiki.gentoo.org/wiki/LVM
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Wed Mar 27, 2019 6:38 pm    Post subject: Reply with quote

I decided to fallback a little, and install without the gpg key first.
Referring this guide https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified
I was able to past initial grub stage, but now it stops at loading with this: https://imgur.com/BmXs4CJ
Code:
The LUKS device 49648af2-ebf5-4f8d-9cf4-8ea8d9446af5 does not contain a LUKS header

It didn't prompt me for any passwords.
From my previous post I formatted the usb flash drive (it's still my boot drive) as stated in the guide above.
my new blkid
Code:
/dev/sda1: UUID="49648af2-ebf5-4f8d-9cf4-8ea8d9446af5" TYPE="crypto_LUKS" PARTUUID="b0487ab6-8747-4096-9f78-4cb08b0588ea"
/dev/sdd1: PARTLABEL="grub" PARTUUID="d407010f-4a2c-4dd4-be99-6509111ff5b8"
/dev/sdd2: UUID="A490-D856" TYPE="vfat" PARTLABEL="boot" PARTUUID="c8958a6f-a4e0-4d38-b92d-4ee6cbf6bda7"
/dev/mapper/gentoo-root: UUID="WrMxMW-0o5p-ViT9-SeZQ-hj4E-KTsn-pfFJFs" TYPE="LVM2_member"
/dev/mapper/vg1-root: LABEL="root" UUID="7249d2c8-c31c-4cbe-8cd2-4290176b114e" TYPE="ext4"

my new fstab
Code:
UUID=A490-D856                              /boot ext2 noauto,noatime 1 2
UUID=49648af2-ebf5-4f8d-9cf4-8ea8d9446af5   /     ext4 defaults 0 1

/etc/default/grub
Code:
GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y
GRUB_DEVICE=/dev/ram0
GRUB_CMDLINE_LINUX="dolvm rootfstype=ext4 crypt_root=49648af2-ebf5-4f8d-9cf4-8ea8d9446af5 real_root=/dev/mapper/vg1-root"

content of a /boot
Code:
config-4.19.27-gentoo-r1                      System.map-4.19.27-gentoo-r1
grub                                          vmlinuz-4.19.27-gentoo-r1
initramfs-genkernel-x86_64-4.19.27-gentoo-r1

Did I make some stupid mistake with UUIDs? I don't see it..
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14373

PostPosted: Thu Mar 28, 2019 2:06 am    Post subject: Reply with quote

What is the output of file -s /dev/sda1? How exactly did you create the LUKS container there? Are you still trying to mix LUKS1 and LUKS2?
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Thu Mar 28, 2019 4:43 am    Post subject: Reply with quote

Hu wrote:
What is the output of file -s /dev/sda1? How exactly did you create the LUKS container there? Are you still trying to mix LUKS1 and LUKS2?

/dev/sda1: LUKS encrypted file, ver 2 [, , sha256] UUID: 49648af2-ebf5-4f8d-9cf4-8ea8d9446af5
cryptsetup -v -y --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --type luks2 luksFormat /dev/sda1

I didn't tried to mix luks1 and 2 (well at least I think I didn't), because I'm not encrypting the boot drive in either setup.
I don't know why is it outputting the 'Unsupported LUKS version 2' after cryptsetup luksDump /dev/sda1, it worked in previous setup.
If you don't have any ideas to test on this setup, I will delete the partition and will try to luksDump it right after its creation,
it will change my blkids and the above post will become irrelevant once again.
-----
I did everything from zero, and it still shows Unsupported LUKS version 2, is it normal for chrooted environment?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14373

PostPosted: Fri Mar 29, 2019 1:43 am    Post subject: Reply with quote

etnull wrote:
/dev/sda1: LUKS encrypted file, ver 2 [, , sha256] UUID: 49648af2-ebf5-4f8d-9cf4-8ea8d9446af5
cryptsetup -v -y --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --type luks2 luksFormat /dev/sda1
You definitely created a LUKS2 volume. Why? Have you checked that your Gentoo cryptsetup will support LUKS2?
etnull wrote:
I didn't tried to mix luks1 and 2 (well at least I think I didn't), because I'm not encrypting the boot drive in either setup.
Your error output suggests you are trying to use a LUKS1-only cryptsetup to open a LUKS2 device.
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Fri Mar 29, 2019 11:37 am    Post subject: Reply with quote

Hu wrote:
You definitely created a LUKS2 volume. Why? Have you checked that your Gentoo cryptsetup will support LUKS2?

What do you mean? It isn't supported? I want to use the latest version. How do I check it? (or how do I install luks2 supported cryptsetup? is it in testing only?)
~
ok, I see, it's 1.7.5-r1 in stable, I'm not accustomed to long release cycles. 2.0 was released almost 1.5 years ago... I will try once again with ~amd64.
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Sat Mar 30, 2019 5:11 pm    Post subject: Reply with quote

I reinstalled from zero, using ACCEPT_KEYWORDS="~amd64"
Now it asks me for the passphrase, but when I enter it I get something like this:
Code:
...
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted
!! Failed to open LUKS device /dev/sda1
!! Could not find the root in /dev/sda1
...

During install something asked me to do emerge @preserved-rebuild, I don't remember what it was, but I did that and it emerged 8.2.0 gcc and compiled something with it.
my installed versions
Code:
equery --quiet list gcc cryptsetup lvm2

sys-devel/gcc-8.2.0-r6
sys-devel/gcc-8.3.0
sys-fs/cryptsetup-2.1.0
sys-fs/lvm2-2.02.183

I have
Code:
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.2.0/libgcc_s.so
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.2.0/libgcc_s.so.1
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.3.0/libgcc_s.so
/usr/lib64/gcc/x86_64-pc-linux-gnu/8.3.0/libgcc_s.so.1

blkid
Code:
/dev/mapper/gentoo-root: UUID="F3AHvo-bTec-Ivfd-3VY6-VHEC-MeiO-thoQyb" TYPE="LVM2_member"
/dev/mapper/vg1-root: LABEL="root" UUID="d018a2c9-1bfd-4a00-9501-3ffad08d6210" TYPE="ext4"
/dev/sda1: UUID="2536d534-9ab1-4935-9c53-2b5918a35766" TYPE="crypto_LUKS" PARTUUID="b2d97875-f001-4314-b62a-39f54cd8ac6b"
/dev/sdd1: PARTLABEL="bios_grub" PARTUUID="8690e1da-df0d-49b7-bd36-64d4b1195473"
/dev/sdd2: UUID="46de64a8-9e91-4946-8ed6-fdc533e1ddb1" TYPE="ext2" PARTLABEL="boot" PARTUUID="a03d9a08-bccd-496e-8f38-45a5013defaf"

fstab
Code:
UUID=46de64a8-9e91-4946-8ed6-fdc533e1ddb1   /boot   ext2      noauto,noatime   1 2
UUID=d018a2c9-1bfd-4a00-9501-3ffad08d6210   /      ext4      defaults,noatime   0 1

tmpfs                                           /tmp            tmpfs           size=4Gb        0 0
tmpfs                                           /run            tmpfs           size=100M       0 0

shm                                             /dev/shm        tmpfs           nodev,nosuid,noexec 0 0

grub
Code:
GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y
GRUB_DEVICE=/dev/ram0
GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=2536d534-9ab1-4935-9c53-2b5918a35766 rootfstype=ext4 real_root=/dev/mapper/vg1-root"
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Sun Apr 07, 2019 6:10 pm    Post subject: Reply with quote

I was able to install a fully functional system by falling back to luks1. But with /boot still being unencrypted, which is not my end goal.
My end goal is to have an encrypted /boot with encrypted keyfile on it (encrypted by cryptsetup not gpg)
I found this useful guide, but it seem to be only for manually compiled initramfs:
https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile
Which I don't know how to do yet. Can it be done with genkernel instead?
If I create /usr/src/initramfs/init will it be read by genkernel during compilation?
After many days of research I still can't quite grasp all of the components in such setup and how they fit together.
Let's say I've generated the keyfile by dd, then I encrypted it by cryptsetup, then I added it as a keyfile to my luks volumes, then I should tell initramfs to use it,
but the information gets very sparse and diverse, some guides mounting the key somehow, some using /etc/crypttab some doing it in grub, some telling to use various of initramfs generators (apart of genkernel). Which way is the easiest? Please help me with the next 2-3 commands after my actions which I have described.
Back to top
View user's profile Send private message
msst
Apprentice
Apprentice


Joined: 07 Jun 2011
Posts: 231

PostPosted: Sun Apr 07, 2019 8:31 pm    Post subject: Reply with quote

I am afraid this is still a rare setup so not very well documented and some hacking.

I personally live with an unencrypted boot, but I manage to have it boot the root filesystem with a single password prompt and then have the initrd (I use better-initramfs) mount some other partitions with keyfiles from the crypted root. That works relatively easy.

I also managed to use grub2 to open my encrypted rootfs and boot a kernel/initramfs from the encrypted root directly. Then one can put also a keyfile to unlock the rootfs inside the rootfs. But I somehow did not manage to get the keyfile to unlock the rootfs again (as the kernel cannot use the grub2 unlock), even when I compiled the initramfs and keyfile into the kernel it just hung. Something interferes there.

Would be nice to have an easily implementable solution for this with single password prompt. But I know none yet.
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Tue Apr 09, 2019 3:37 am    Post subject: Reply with quote

Looks like genkernel is not supporting encrypted luks keyfiles, so I'm trying to compile initramfs manually, I do it this way:
Code:
mkdir --parents /usr/src/initramfs/{bin,dev,etc,lib,lib64,mnt/root,proc,root,sbin,sys}
cp --archive /dev/{null,console,tty,sda1} /usr/src/initramfs/dev/
USE="static" emerge --ask --verbose sys-apps/busybox
cp --archive /bin/busybox /usr/src/initramfs/bin/busybox
cp --archive /sbin/lvm /usr/src/initramfs/sbin/lvm
cp --archive /sbin/cryptsetup /usr/src/initramfs/sbin/cryptsetup

nano -w /usr/src/initramfs/init
Code:
#content of a file
mount -t proc none /proc
mount -t sysfs none /sys
cryptsetup open /dev/sdb1 root
lvm vgscan --mknodes
lvm lvchange -a ly vg1/root
lvm vgscan --mknodes
umount /proc
umount /sys
exec switch_root /mnt/root /sbin/init

Right now I'm not trying to use any keyfiles, because I hadn't added one yet, I just want to be able to boot first.

chmod +x /usr/src/initramfs/init
find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/custom-initramfs.cpio.gz

I'm editing the generated by grub-mkconfig grub.cfg, the line for initrd of a default entry:
Code:
.....
initrd    /custom-initramfs.cpio.gz
.....


What I'm getting during boot:
Code:
...
Failed to execute /init (error -2)
...
Kernel panic - not syncing: No working init found. Try passing init= option to kernel

ls /usr/src/initramfs
Code:
bin dev etc init lib lib64 mnt proc root sbin sys

ls /usr/src/initramfs/sbin
Code:
cryptsetup lvm

--------
I had tried to add init like so:
Code:
cp --archive /sbin/init /usr/src/initramfs/sbin/init

so that ls /usr/src/initramfs/sbin
Code:
cryptsetup lvm init

still same error Failed to execute /init (error -2)
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 939

PostPosted: Tue Apr 09, 2019 4:38 am    Post subject: Reply with quote

I managed to boot boot encrypted / and boot by only one passphrase @grubstage with the following description
http://blog.guya.de/linux-gentoo-encrypted-boot-partition/

Maybe this helps. The idea is to put a keyfile in initramfs which then decrypts /

Other ressources I had read while trying were:
http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
http://www.funtoo.org/Rootfs_over_encrypted_lvm
http://www.0xrage.com/?p=129

Good luck
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14373

PostPosted: Tue Apr 09, 2019 4:41 am    Post subject: Reply with quote

etnull wrote:
Looks like genkernel is not supporting encrypted luks keyfiles, so I'm trying to compile initramfs manually, I do it this way:
Why not use the kernel's built-in ability to create an initramfs from a description file?
etnull wrote:
/init:
#content of a file
This looks like a shell script. Did you include the #! for it? Is the interpreter available in the initramfs, including all required supporting libraries?
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Tue Apr 09, 2019 5:04 am    Post subject: Reply with quote

Elleni wrote:
I managed to boot boot encrypted / and boot by only one passphrase @grubstage with the following description
http://blog.guya.de/linux-gentoo-encrypted-boot-partition/

Maybe this helps. The idea is to put a keyfile in initramfs which then decrypts /

Other ressources I had read while trying were:
http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
http://www.funtoo.org/Rootfs_over_encrypted_lvm
http://www.0xrage.com/?p=129

Good luck

Actually I do have /boot encrypted and everything is working apart of keyfiles, I'm OK with two passwords during boot, first for /boot and second for the keyfile, I can always make an unencrypted keyfile later. All your links are purple for me, I've been through like ~15 pages in search engine :) but the last link is promising, I've forgotten about it, it's the closest to my actual setup. I will try tomorrow, thanks!
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Tue Apr 09, 2019 5:09 am    Post subject: Reply with quote

Quote:
Why not use the kernel's built-in ability to create an initramfs from a description file?

I haven't seen such setup anywhere in the guides. How the description file is called?
Quote:
Did you include the #! for it? Is the interpreter available in the initramfs, including all required supporting libraries?

yes, the first line is #!/bin/busybox sh
I can't copy paste it and decided to skip comments to type less. I think I have a mistake with cryptsetup and lvm, they should be build statically before including them to initramfs, I will try it later.
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 939

PostPosted: Tue Apr 09, 2019 8:05 am    Post subject: Reply with quote

My point was that you can have the key to decrypt root in your initramfs file. That avoids the need of typing pw twice. And initramfs is in encrypted boot, how to set this up is shown in first link.

Hope this helps, if not sorry and just ignore my post(s) :lol:
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Tue Apr 09, 2019 3:16 pm    Post subject: Reply with quote

After compiling lvm2, cryptsetup, busybox statically, I'm getting:
Code:
Requested LUKS hash whirlpool is not supported.

With the same kernel that worked previously. I can't even dump the header because of this error.
Does statically built cryptsetup not supporting whirlpool somehow?

List of my actions:
Code:
mkdir --parents /usr/src/initramfs/{bin,dev,etc,lib,lib64,mnt/root,proc,root,sbin,sys}
cp --archive /dev/{null,urandom,random,console,tty,sda1,sda2,sda3,sdb1} /usr/src/initramfs/dev/
USE="static" emerge --ask --verbose sys-apps/busybox
USE="static static-libs" emerge --ask --verbose sys-fs/lvm2
USE="-gcrypt nettle static" emerge --ask --verbose sys-fs/cryptsetup
cp --archive /bin/busybox /usr/src/initramfs/bin/busybox
cp --archive /sbin/lvm.static /usr/src/initramfs/sbin/lvm
cp --archive /sbin/cryptsetup /usr/src/initramfs/sbin/cryptsetup

nano -w /usr/src/initramfs/init
---
#!/bin/busybox sh
mount -t proc none /proc
mount -t sysfs none /sys
cryptsetup --tries 5 luksOpen /dev/sdb1 root
lvm vgscan --mknodes
lvm lvchange -a ly vg1/root
lvm vgscan --mknodes
umount /proc
umount /sys
exec switch_root /mnt/root /sbin/init
---
chmod +x /usr/src/initramfs/init

cd /usr/src/initramfs
find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/custom-initramfs.cpio.gz

grub.cfg
...
initrd   /custom-initramfs.cpio.gz
...
Back to top
View user's profile Send private message
etnull
Apprentice
Apprentice


Joined: 26 Mar 2019
Posts: 182

PostPosted: Tue Apr 09, 2019 6:22 pm    Post subject: Reply with quote

nettle USE flag for cryptsetup does not support whirlpool hash function, recompiled with:
USE="-gcrypt kernel static" emerge --ask --verbose sys-fs/cryptsetup
and it worked! well, almost.. now I have something with the lvm, I remember having same thing during regular install,
to fix it I had to link host lvm/ to chrooted lvm, do I need to have like all lvm* binaries in the initramfs?
I don't know how to compile them statically, they come with lvm2 package.
https://i.imgur.com/NwgjJ1F.png
lvmetad is not statically compiled, can't copy it as is..
https://i.imgur.com/Omb7MjK.png

----

Apparently I'm stupid or blind, the https://wiki.gentoo.org/wiki/Custom_Initramfs#LVM explains everything, I just thought that vgscan in init script will be enough, but it wasn't, when I created the lvm.conf in initramfs everything mounted smoothly. Now it works! My first boot with custom initrd! Now I will try to incorporate the key file, and refactor my final installation guide, I think it should not give me any additional issues from this point.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum