I7sReact
09-05-2023 10:36 AM
Separate encrypted /boot doesn't mount at boot
I made a Void Linux install, followed their documentation on FDE and some other places too (Arch Wiki, mutschler.dev, etc.). After finishing it, during boot (kernel loading), the root partition is decrypted and mounted, but the boot partition isn't, so it throws me into an emergency mode where I can decrypt /boot manually and mount it; after that I do an exit and I can boot the system normally.
Here is my layout and my configs:
Code:
nvme0n1
├─nvme0n1p1 -> /boot/efi - vFat (Unencrypted)
├─nvme0n1p2 (Encrypted with LUKS1, because of GRUB)
│ └─void_boot -> /boot - EXT4
└─nvme0n1p3 (Encrypted with LUKS2, using Argon2id algorithm)
  └─void_sys -> / - BTRFS (@, @home, @root, @var)
UUIDs
Code:
/dev/nvme0n1p1: UUID="393E-A2B1"
/dev/nvme0n1p2: UUID="88eca136-19a9-49fa-b9c7-d2a173b5cd76"
/dev/nvme0n1p3: UUID="8505c55a-3e35-4d63-a86f-a7d0c4d743dc"
/dev/mapper/void_sys: UUID="fdf140cc-afbd-444a-8601-1afcf116149f"
/dev/mapper/void_boot: UUID="9517754a-6e5f-4362-9eae-3d3c1c3e878d"
/etc/default/grub
Code:
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=30
GRUB_DISTRIBUTOR="Void"
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc root=UUID=fdf140cc-afbd-444a-8601-1afcf116149f rd.luks.allow-discards rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key resume_offset=1145547"
GRUB_ENABLE_CRYPTODISK=y
# Uncomment to use basic console
#GRUB_TERMINAL_INPUT="console"
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
#GRUB_BACKGROUND=/usr/share/void-artwork/splash.png
#GRUB_GFXMODE=1920x1080x32
#GRUB_DISABLE_LINUX_UUID=true
#GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
GRUB_DISABLE_OS_PROBER=true
/etc/crypttab
Code:
# <name> <device> <password> <options>
void_boot UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76 /etc/luks/unlock.key luks,cipher=serpent-xts-plain64
void_sys UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc /etc/luks/unlock.key luks,cipher=aes-xts-plain64,discard
/etc/fstab
Code:
UUID=fdf140cc-afbd-444a-8601-1afcf116149f / btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=256,subvol=/@ 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /home btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=257,subvol=/@home 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /var btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=258,subvol=/@var 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /root btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=259,subvol=/@root 0 0
UUID=9517754a-6e5f-4362-9eae-3d3c1c3e878d /boot ext4 rw,relatime 0 0
UUID=393E-A2B1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/etc/swapfile none swap defaults,pri=2 0 0
/etc/dracut.conf.d/10-crypt.conf
Code:
install_items+=" /etc/luks/unlock.key /etc/crypttab "
The keyfile I created and configured like this:
Code:
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1
chmod 500 /etc/luks
chmod 400 /etc/luks/unlock.key
cryptsetup luksAddKey /dev/nvme0n1p2 /etc/luks/unlock.key
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/luks/unlock.key
Is it something related to how Runit manages mount points during boot time? Or is it something else?
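An added example, not part of the original post: a small Python checker that cross-references the keyfile paths named in the crypttab, the dracut install_items line, the kernel command line and the dd command, using samples constructed from the values quoted in the post, so that path mismatches between the four places show up before a reboot. It assumes the file formats shown above (crypttab as `<name> <device> <password> <options>`, dracut `install_items+="..."`) and treats whatever follows the last `=` of an `rd.luks.key=` parameter as the keyfile path, without interpreting the parameter further.

```python
import re

# Constructed samples built from the values quoted in the post above; in practice
# read the real files (/etc/crypttab, /etc/dracut.conf.d/*.conf, /proc/cmdline).
CRYPTTAB = """\
# <name> <device> <password> <options>
void_boot UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76 /etc/luks/unlock.key luks,cipher=serpent-xts-plain64
void_sys UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc /etc/luks/unlock.key luks,cipher=aes-xts-plain64,discard
"""
DRACUT_CONF = 'install_items+=" /etc/luks/unlock.key /etc/crypttab "\n'
CMDLINE = ("quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc "
           "rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key")
CREATED_KEYFILE = "/etc/luks/boot_os.keyfile"  # of= target of the dd command in the post

def crypttab_keyfiles(text):
    """Map crypttab <name> -> <password> field, skipping comments and 'none'/'-'."""
    keyfiles = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[2] not in ("none", "-"):
            keyfiles[fields[0]] = fields[2]
    return keyfiles

def dracut_install_items(text):
    """Collect every path listed in install_items+=" ... " lines."""
    items = set()
    for match in re.finditer(r'install_items\+?=\s*"([^"]*)"', text):
        items.update(match.group(1).split())
    return items

def cmdline_keyfile_paths(cmdline):
    """Path component (text after the last '=') of each rd.luks.key= parameter."""
    return {arg.split("=")[-1] for arg in cmdline.split() if arg.startswith("rd.luks.key=")}

def find_mismatches(crypttab, dracut_conf, cmdline, created_keyfile):
    """Return human-readable inconsistencies between the four sources."""
    problems = []
    keyfiles = crypttab_keyfiles(crypttab)
    installed = dracut_install_items(dracut_conf)
    for name, path in keyfiles.items():
        if path not in installed:  # initramfs would not contain the keyfile at all
            problems.append(f"{name}: {path} is not in dracut install_items")
        if path != created_keyfile:  # crypttab points at a file dd never wrote
            problems.append(f"{name}: crypttab uses {path} but dd wrote {created_keyfile}")
    for path in cmdline_keyfile_paths(cmdline):
        if path not in keyfiles.values():  # bootloader and crypttab disagree on the path
            problems.append(f"cmdline rd.luks.key path {path} matches no crypttab entry")
    return problems
```

Run `find_mismatches(CRYPTTAB, DRACUT_CONF, CMDLINE, CREATED_KEYFILE)` and print each returned line; against the posted values it reports the keyfile-name and command-line path differences.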