The officially official Devuan Forum!


#1 2019-01-07 23:19:37

alphalpha
Member
Registered: 2018-01-23
Posts: 24  

Problem booting encrypted LVM

Hello friends,

I'm trying to install on an encrypted LVM.
Installation was OK, but after reboot I am not asked to enter the password;
instead I get:
"WARNING: Failed to connect to lvmetad. Falling back to internal scanning."
Then I end up in busybox.

Any ideas for troubleshooting?
I already tried

update-initramfs -u


#2 2019-01-08 17:55:19

rolfie
Member
Registered: 2017-11-25
Posts: 175  

Re: Problem booting encrypted LVM

The lvmetad message is a don't care, that's not the problem.

During the boot you will be asked for the de-ciphering password. That should come after this message. Are you sure you do not get that request? After a wrong password or after a timeout you end up in the busybox.

There you might call cryptsetup luksOpen....

Regards, rolfie


#3 2019-01-08 21:00:23

alphalpha
Member
Registered: 2018-01-23
Posts: 24  

Re: Problem booting encrypted LVM

Nope, I don't get a password request and my volume group is not found.


#4 2019-01-09 19:38:12

rolfie
Member
Registered: 2017-11-25
Posts: 175  

Re: Problem booting encrypted LVM

Well, bad enough. Then we need to look at all the details. Got 3 PCs on ASCII working with an LVM working in a LUKS encrypted volume, should be no problem.

First of all, please describe exactly what you want to achieve. Do you want to set up a similar setup as I use, or do you want to encrypt a partition in an LVM?
What do you want to use to encrypt? LUKS?
What is your partitioning scheme?
What does your crypttab look like?
Jessie or ASCII?
Where did the grub go to?
Please describe roughly what you did during the installation. Describe media used.

Thanks, rolfie

Last edited by rolfie (2019-01-09 19:45:51)


#5 2019-01-12 16:54:05

alphalpha
Member
Registered: 2018-01-23
Posts: 24  

Re: Problem booting encrypted LVM

I want to have an encrypted LVM container that contains /root and swap on sda2
and unencrypted /boot on sda1.
For encryption I used LUKS.
crypttab looks like this:

vol1		/dev/mapper/grp1-root		none		luks

For installation I used a snapshot from an older ASCII install that I had,
with a slightly modified installer script that contains commands for pvcreate, lvcreate etc.

I noticed that /mnt/etc/cryptsetup-initramfs/conf-hook was unconfigured,
so I added CRYPTSETUP=y and updated initramfs, but it's still not working.


#6 2019-01-12 17:10:19

golinux
Administrator
Registered: 2016-11-25
Posts: 1,675  

Re: Problem booting encrypted LVM

I have never done encryption but noticed this in the section on encryption in the Visual install guide for the desktop-live installer that I just put together with fsmithred. A careful reading might give you some clues.

3.2) Encryption: The installer can only encrypt root and home filesystems. A separate boot partition is optional and will be unencrypted if present. For full protection of your data you should not use a separate swap partition. If there is no swap partition, a swap file will be created on the root filesystem and that will be encrypted.


#7 2019-01-12 22:41:29

rolfie
Member
Registered: 2017-11-25
Posts: 175  

Re: Problem booting encrypted LVM

What you describe as your goal sounds very normal to me, and achieving this is possible. Well, I guess your problem is related to your crypttab, that looks very strange to me, looks screwed. I wonder how you created this, this hasn't been done via the installer.

Let's take your crypttab apart.
1.) vol1 as target name is unusual. The installer normally would name the target like sda2_crypt. It's just a name, and if the update-initramfs works ok, it should do the job.
2.) /dev/mapper/grp1-root sounds like it isn't pointing to the LUKS container, this sounds more like you are listing the LVM container pointing to root. That cannot work. You should list there /dev/sda2, better even use the UUID of the encrypted partition.

You may try to fix this manually with a chroot if you know what you need to do.

The alternative is to start from scratch with an up to date ASCII CD or DVD. Don't worry about LVM, both have all you need on board. It does not matter if you use the cli or the graphical installer, normal or expert mode. It works with or without EFI, with msdos or gpt partitions. When you come to partitioning, choose manual. Create a /boot partition with extx file system and set size and parameters. Then create sda2 as volume for encryption. Configure the encrypted volume, let the installer erase it, set your PW. Then create the LVM on top of the encrypted volume, define the details, and go on with the installation. This is a very rough description. On the internet you can find detailed documentation with screen shots etc. if you search for this. You may use Debian stuff that can be as old as Squeeze or Lenny, the principle hasn't really changed.

If you need more help on details, please ask.

rolfie
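
The crypttab point from post #7, as an added example that is not part of the thread: a small linter for the second crypttab field when LVM sits inside the LUKS container, where a `/dev/mapper/...` source names a volume that only exists after unlocking. The function names are hypothetical, the second sample entry is constructed, and its UUID is a placeholder.

```shell
#!/bin/sh
# Added example: lint crypttab source fields for an LVM-inside-LUKS layout.
# crypttab fields: <target> <source device> <key file> <options>

# Classify one source-device field (field 2).
classify_source() {
    case "$1" in
        UUID=*)                  echo ok-uuid ;;        # stable across reboots
        /dev/mapper/*|/dev/dm-*) echo bad-mapped ;;     # exists only after unlock
        /dev/*)                  echo ok-kernel-name ;; # works, may be renumbered
        *)                       echo unknown ;;
    esac
}

# Read a crypttab on stdin, print "<target> <source> <verdict>" per entry,
# return 1 if any entry points at a device-mapper node.
lint_crypttab() {
    bad=0
    while read -r target source keyfile options; do
        case "$target" in ''|'#'*) continue ;; esac   # skip blanks and comments
        verdict=$(classify_source "$source")
        echo "$target $source $verdict"
        if [ "$verdict" = bad-mapped ]; then bad=1; fi
    done
    return "$bad"
}

# The entry quoted in post #5.
sample_broken() {
    cat <<'EOF'
vol1 /dev/mapper/grp1-root none luks
EOF
}

# Constructed entry following post #7; the UUID is a placeholder.
sample_fixed() {
    cat <<'EOF'
# <target>  <source device>                            <key file> <options>
sda2_crypt  UUID=00000000-0000-0000-0000-000000000000  none       luks
EOF
}

echo "--- entry from post #5"
sample_broken | lint_crypttab || echo "=> source must be the LUKS partition"
echo "--- constructed corrected entry"
sample_fixed | lint_crypttab && echo "=> ok"
```

On an installed system the same check runs as `lint_crypttab < /etc/crypttab`; `blkid -s UUID -o value /dev/sda2` prints the UUID to put in the entry, and `cryptsetup isLuks /dev/sda2` confirms that partition holds the LUKS header.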


#8 2019-01-13 12:28:15

alphalpha
Member
Registered: 2018-01-23
Posts: 24  

Re: Problem booting encrypted LVM

Thanks for the replies.

I always used the minimal-live iso without the GUI installer,
I will try the desktop-live with the graphical install.


#9 2019-01-13 16:06:14

golinux
Administrator
Registered: 2016-11-25
Posts: 1,675  

Re: Problem booting encrypted LVM

The cli install follows the same process as the graphical installer. We'll be putting together a Visual Guide for that before too long. The important bit in the para that I quoted is that a swap partition cannot be encrypted. Hopefully fsmithred will be back soon. He could help you sort this in no time.


#10 2019-01-13 22:30:00

Simplicio
Member
Registered: 2017-04-21
Posts: 23  

Re: Problem booting encrypted LVM

I've got into trouble with the installer too. It expects you to set up lvm volumes which are then subsequently encrypted.

What I do on a UEFI system is to create two GPT partitions - the first is a non-encrypted EFI System Partition (ESP) and the second is the rest of the disk. This second GPT partition is then LUKS encrypted. I then create lvm volumes inside (or on top of, depending on your way of looking at it) the encrypted partition, creating separate lvm volumes, including one for swap.

The downside of doing this is that you need to enter the encryption key twice on booting: once when GRUB2* opens the initial ramdisk stored on the encrypted boot volume, and once again when the initial startup hands over to the full-fat system. It is a fair amount of manual set up. It is possible to embed a keyfile into the initial ram disk (which is stored in the encrypted /boot partition), so you need only enter the encryption password once, but I have not done that, partly out of laziness.

As I said, it is a pretty manual process, and getting the standard installer** to do this would require a major rewrite, so it is unlikely to occur in the near future, if at all.

For me, the benefit is effectively having full disk encryption, including an encrypted swap file, and any new volumes I create while experimenting are automatically encrypted without me having to think about it, and without me having to juggle multiple different encryption passphrases.

Simplicio

*GRUB2 has a module that can open LUKS1 (not LUKS2) format encrypted volumes, and a module that can open LVM volumes. It also has modules that understand enough of many different filesystem layouts to boot. One of the bits needed to be done is ensuring GRUB2 has all the necessary modules to hand. Similarly initramfs needs to have all the necessary capabilities included.

**fsmithred's refracta installer looks like it makes the process a great deal easier. Details here: Refracta:RAID - LUKS - LVM


#11 2019-01-15 11:59:06

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,155  

Re: Problem booting encrypted LVM

Sorry I wasn't available earlier. I'd like to know how this turned out. Did fixing crypttab fix the problem?

Also, for clarification...

The installer in the live isos (refractainstaller and refractainstaller-yad) will let you encrypt /home or / but without lvm. Instead of an encrypted swap partition, it can create a swap file on the encrypted root partition.

It's possible to manually create lvm and then use refractainstaller (cli version only) to install the system. See the link that Simplicio provided in the previous post for some examples.

If you (alphalpha) have a modified refractainstaller script that does lvm, I'd like to see it. Thanks.
