LinuxQuestions.org

Linux - Distributions: https://www.linuxquestions.org/questions/linux-distributions-5/separate-encrypted-boot-doesnt-mount-at-boot-4175728674/

I7sReact 09-05-2023 10:36 AM

Separate encrypted /boot doesn't mount at boot
 
I made a Void Linux install, followed their documentation on FDE, and some other places too (Arch Wiki, mutschler.dev, etc.). After finishing it, during boot (kernel loading), the root partition is decrypted and mounted, but the boot partition isn't, so it throws me to an emergency mode where I can decrypt /boot manually and mount it; after that I do an exit and I can boot the system normally.

This is my layout and configs

Code:

nvme0n1       
├─nvme0n1p1 -> /boot/efi - vFat (Unencrypted)
├─nvme0n1p2 (Encrypted with LUKS1, because of GRUB)
│ └─void_boot -> /boot - EXT4
└─nvme0n1p3 (Encrypted with LUKS2, using Argon2id algorithm) 
  └─void_sys -> / -> BTRFS (@, @home, @root, @var)

UUIDs

Code:

/dev/nvme0n1p1: UUID="393E-A2B1"
/dev/nvme0n1p2: UUID="88eca136-19a9-49fa-b9c7-d2a173b5cd76"
/dev/nvme0n1p3: UUID="8505c55a-3e35-4d63-a86f-a7d0c4d743dc"
/dev/mapper/void_sys: UUID="fdf140cc-afbd-444a-8601-1afcf116149f"
/dev/mapper/void_boot: UUID="9517754a-6e5f-4362-9eae-3d3c1c3e878d"

/etc/default/grub

Code:

GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=30
GRUB_DISTRIBUTOR="Void"
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc root=UUID=fdf140cc-afbd-444a-8601-1afcf116149f rd.luks.allow-discards rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key resume_offset=1145547"
GRUB_ENABLE_CRYPTODISK=y

# Uncomment to use basic console
#GRUB_TERMINAL_INPUT="console"

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
#GRUB_BACKGROUND=/usr/share/void-artwork/splash.png
#GRUB_GFXMODE=1920x1080x32
#GRUB_DISABLE_LINUX_UUID=true
#GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

GRUB_DISABLE_OS_PROBER=true

/etc/crypttab

Code:

# <name>        <device>                                        <password>                <options>
void_boot        UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76        /etc/luks/unlock.key        luks,cipher=serpent-xts-plain64
void_sys        UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc        /etc/luks/unlock.key        luks,cipher=aes-xts-plain64,discard

/etc/fstab

Code:

UUID=fdf140cc-afbd-444a-8601-1afcf116149f        /                btrfs        rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=256,subvol=/@                        0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f        /home                btrfs        rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=257,subvol=/@home                0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f        /var                btrfs        rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=258,subvol=/@var                0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f        /root                btrfs        rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=259,subvol=/@root                0 0
UUID=9517754a-6e5f-4362-9eae-3d3c1c3e878d        /boot                ext4        rw,relatime                                                        0 0
UUID=393E-A2B1                                        /boot/efi        vfat        rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro        0 0
/etc/swapfile                                        none                swap        defaults,pri=2                                                        0 0

/etc/dracut.conf.d/10-crypt.conf

Code:

install_items+=" /etc/luks/unlock.key /etc/crypttab "

The keyfile I created and configured like this

Code:

dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1

chmod 500 /etc/luks
chmod 400 /etc/luks/unlock.key

cryptsetup luksAddKey /dev/nvme0n1p2 /etc/luks/unlock.key
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/luks/unlock.key

Is it something related to how runit manages mount points during boot time? Or is it something else?
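A quick way to narrow this down is to cross-check the three places that name the key file before touching the initramfs again. The script below is an added example for this thread; it is not code from the post, from Void's documentation or from dracut. It writes constructed copies of the posted GRUB line, crypttab and dracut snippet to a temporary directory (the file names grub, crypttab and dracut.conf are the example's own), parses the rd.luks.key=UUID=PATH form exactly as it appears in the post, and reports every key path that is referenced at boot but not listed in install_items, plus any UUID for which the kernel command line and crypttab disagree about the key path.

```shell
#!/bin/sh
# Added example, not code from the thread or from Void/dracut: cross-check that
# the kernel command line, /etc/crypttab and dracut's install_items agree on
# where the LUKS key file lives. It runs on constructed copies of the three
# snippets posted above, written to a temporary directory, so it is offline-safe.
set -u

# Write the constructed sample files (copied from the first post) and print the dir.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/grub" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc root=UUID=fdf140cc-afbd-444a-8601-1afcf116149f rd.luks.allow-discards rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key resume_offset=1145547"
GRUB_ENABLE_CRYPTODISK=y
EOF
    cat > "$dir/crypttab" <<'EOF'
# <name>   <device>                                   <password>            <options>
void_boot  UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76  /etc/luks/unlock.key  luks,cipher=serpent-xts-plain64
void_sys   UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc  /etc/luks/unlock.key  luks,cipher=aes-xts-plain64,discard
EOF
    cat > "$dir/dracut.conf" <<'EOF'
install_items+=" /etc/luks/unlock.key /etc/crypttab "
EOF
    printf '%s\n' "$dir"
}

# Print one "UUID=PATH" line per rd.luks.key= entry on the kernel command line.
cmdline_keys() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" \
        | tr ' ' '\n' | sed -n 's/^rd.luks.key=//p'
}

# Print "UUID PATH" for each non-comment crypttab line whose password field is a file.
crypttab_keys() {
    awk '$1 !~ /^#/ && $3 ~ /^\// { sub(/^UUID=/, "", $2); print $2, $3 }' "$1"
}

# Print the files dracut will copy into the initramfs, one per line.
dracut_items() {
    sed -n 's/^install_items+=" *\(.*[^ ]\) *"$/\1/p' "$1" | tr ' ' '\n'
}

# Print one line per inconsistency; print nothing when the three files agree.
find_problems() {
    dir=$1
    items=$(dracut_items "$dir/dracut.conf" | tr '\n' ' ')

    # 1. A key named on the kernel command line must be inside the initramfs,
    #    because dracut reads it before any real filesystem is mounted.
    cmdline_keys "$dir/grub" | while IFS='=' read -r uuid path; do
        case " $items " in
            *" $path "*) : ;;
            *) printf 'cmdline: rd.luks.key for %s points at %s, which is not in install_items\n' "$uuid" "$path" ;;
        esac
    done

    # 2. The same holds for every key file crypttab refers to.
    crypttab_keys "$dir/crypttab" | while read -r uuid path; do
        case " $items " in
            *" $path "*) : ;;
            *) printf 'crypttab: %s uses key %s, which is not in install_items\n' "$uuid" "$path" ;;
        esac
    done

    # 3. One LUKS volume must not be given two different key paths.
    cmdline_keys "$dir/grub" | while IFS='=' read -r uuid cpath; do
        tpath=$(crypttab_keys "$dir/crypttab" | awk -v u="$uuid" '$1 == u { print $2 }')
        if [ -n "$tpath" ] && [ "$tpath" != "$cpath" ]; then
            printf 'mismatch: %s key is %s on cmdline but %s in crypttab\n' "$uuid" "$cpath" "$tpath"
        fi
    done
    return 0
}

# Number of inconsistencies found (0 means the three files agree).
problem_count() {
    find_problems "$1" | wc -l | tr -d ' '
}

# Run against the constructed samples and show the findings.
demo_dir=$(make_samples)
find_problems "$demo_dir"
rm -rf "$demo_dir"
```

On the posted configuration the check reports two findings, both about the /boot volume (UUID 88eca136-...): the command line points at /boot/unlock.key, which is not in install_items, while crypttab points the same volume at /etc/luks/unlock.key. Whether that is the whole story is for the thread to decide; the script only shows where the files disagree. To confirm what actually ended up inside the generated image, list it with lsinitrd and look for the key path and crypttab there.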

wpeckham 09-05-2023 11:19 AM

Why in the world would anyone encrypt /boot? What purpose does that serve? /Boot contains NO user data whatever.

I7sReact 09-05-2023 11:40 AM

Quote:

Originally Posted by wpeckham (Post 6451939)
Why in the world would anyone encrypt /boot? What purpose does that serve? /Boot contains NO user data whatever.

Just because someone can't access the user data, people can tamper with GRUB to enter the system. It's 1 in a million to find someone that knows how to, but I like to follow something that my father says: don't give luck to misfortune (I don't know if this would mean the same thing in English, but in Portuguese it is understandable).

teckk 09-05-2023 02:24 PM

That's why /boot can be a separate partition: then one can umount /boot after the machine is up and running. Then it can't be reached because it isn't mounted. Make sure that you mount /boot before you update the kernel or the bootloader.

Info:
https://wiki.archlinux.org/title/Dm-..._entire_system

