<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<atom:link href="https://dev1galaxy.org/extern.php?action=feed&amp;tid=5591&amp;type=rss" rel="self" type="application/rss+xml" />
		<title><![CDATA[Dev1 Galaxy Forum / serial console - full disk encryption]]></title>
		<link>https://dev1galaxy.org/viewtopic.php?id=5591</link>
		<description><![CDATA[The most recent posts in serial console - full disk encryption.]]></description>
		<lastBuildDate>Sun, 05 Mar 2023 21:52:21 +0000</lastBuildDate>
		<generator>FluxBB</generator>
		<item>
			<title><![CDATA[Re: serial console - full disk encryption]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?pid=41399#p41399</link>
			<description><![CDATA[<p>Welcome to Devuan . . . could you please not post line-formatted text to the forum? The forum messages are a fixed width and it causes ugly line breaks. You should be able to go in and edit your post to get rid of them . . . Thanks!</p>]]></description>
			<author><![CDATA[dummy@example.com (golinux)]]></author>
			<pubDate>Sun, 05 Mar 2023 21:52:21 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?pid=41399#p41399</guid>
		</item>
		<item>
			<title><![CDATA[Re: serial console - full disk encryption]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?pid=41398#p41398</link>
			<description><![CDATA[<p>Hi Glenn,</p><p>&#160; Unfortunately as far as I know this will not work. The intelligence built into /etc/default/grub does not allow for this &quot;special&quot; scenario. As you might be aware, if you add the GRUB_ENABLE_CRYPTODISK option in that file, grub will do all the magic necessary to be able to &quot;unlock&quot; the disk before reading the grub.cfg. Obviously you can also add GRUB_SERIAL_COMMAND to the same file and you will see the grub boot menu in the serial console, but only AFTER decrypting the disk. That is why I posted this fix, it is a special case (seeing the passphrase prompt in the serial console) for which there are no out of the box solutions. If you have a solution that works without this hack and survives grub-update (which is basically grub-mkconfig -o for grub2) please post it and I will take a look.</p><p>Cheers<br />Gabriel</p><p>P.S. to be clear my hack survives grub-update but NOT grub-install</p>]]></description>
			<author><![CDATA[dummy@example.com (tranquilo)]]></author>
			<pubDate>Sun, 05 Mar 2023 21:45:31 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?pid=41398#p41398</guid>
		</item>
		<item>
			<title><![CDATA[Re: serial console - full disk encryption]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?pid=41381#p41381</link>
			<description><![CDATA[<p>When I have edits to grub that I want to &quot;stick&quot; from kernel version to new/other kernel version I edit /etc/default/grub.</p><p>Each time I do grub-update it uses that template.</p><p>I use it for simple stuff, but it may help you as well.</p><p>regards, Glenn</p>]]></description>
			<author><![CDATA[dummy@example.com (GlennW)]]></author>
			<pubDate>Sat, 04 Mar 2023 22:34:46 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?pid=41381#p41381</guid>
		</item>
		<item>
			<title><![CDATA[serial console - full disk encryption]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?pid=41371#p41371</link>
			<description><![CDATA[<p>Hello,</p><p> I use Devuan for most of my VM work. For servers, I try to keep the install light and minimal. I work mostly in the console, so I usually run my server VMs with serial console output only. More recently I have begun to fully encrypt the whole OS, without a separate /boot partition. All went well until I realized that the cryptomount command, which is called by Grub, is executed before the serial console initialization and as a result the prompt to enter the passphrase was not being passed to the serial console. I started working to fix the problem only to find out that, as far as I could see, there were no simple clear examples of how to solve this specific problem. So here I am trying to detail how I fixed the problem in case this is useful to anyone else.</p><p>Cheers, and please feel free to correct/improve my post.</p><p>NOTE: </p><p>* My setup uses BIOS/MBR, but should also work for UEFI with small tweaks. <br />* I assume that the reader already knows how to configure grub to display in the serial console. <br />* Check your grub.cfg carefully for all the modules that need to be preloaded in the core.img ... i.e. luks2 vs luks<br />* A subsequent grub-install will blow out this configuration and it will no longer work.</p><p>I worked out the solution based on information provided by these two links:</p><p><a href="https://wiki.archlinux.org/title/GRUB/Tips_and_tricks" rel="nofollow">https://wiki.archlinux.org/title/GRUB/Tips_and_tricks</a><br /><a href="https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html#using-a-custom-keyboard-layout" rel="nofollow">https://cryptsetup-team.pages.debian.ne … ard-layout</a></p><div class="quotebox"><blockquote><div><p>----------------- early-grub.cfg ----------------------------------<br />serial --unit=0 --speed=9600<br />terminal_output serial<br />terminal_input serial</p><p>cryptomount -u YOUR_UUID</p><p>set root=(cryptouuid/YOUR_UUID)<br />set prefix=/boot/grub<br />configfile grub.cfg<br />----------------------------------------------------------------------------</p></div></blockquote></div><div class="codebox"><pre><code>grub-mkimage -c early-grub.cfg  -o /boot/grub/i386-pc/core.img -O i386-pc biosdisk cryptodisk ext2 gcry_rijndael gcry_sha256 gzio luks part_gpt part_msdos serial terminal configfile keylayouts at_keyboard 
grub-bios-setup -d /boot/grub/i386-pc/ /dev/YOUR_DISK</code></pre></div>]]></description>
			<author><![CDATA[dummy@example.com (tranquilo)]]></author>
			<pubDate>Sat, 04 Mar 2023 03:59:33 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?pid=41371#p41371</guid>
		</item>
	</channel>
</rss>
