help-grub

Re: encrypted boot won't work


From: jnqnfe
Subject: Re: encrypted boot won't work
Date: Sat, 29 Feb 2020 12:46:12 +0000
User-agent: Evolution 3.34.1-4

Oh yes, it was actually several days ago that I tried setting it up. I
did indeed do the GRUB_ENABLE_CRYPTODISK="y" step...

On Sat, 2020-02-29 at 12:58 +0100, sashab wrote:
> Hi jnqnfe,
> 
> As the boot partition is encrypted,
> grub has no access to grub.cfg before
> decrypting it.
> 
> Have you set
>     GRUB_ENABLE_CRYPTODISK="y"
> in
>     /etc/default/grub
> and called
>     update-grub
> afterwards?
> 
> For more information see
>     info -f grub -n 'Simple configuration' | grep CRYPTODISK -A6
> 
> 
> With kind regards,
>     sashab
> 
> On 2/28/20 8:35 AM, address@hidden wrote:
> > I decided to play with having an encrypted /boot on an old system but
> > I cannot boot with it and I don't know why. Please advise.
> > 
> > The system has UEFI. The disk uses GPT. Grub version is 2.04-5 (debian).
> > 
> > Procedure followed:
> >  - The system already had encrypted root (luks v2)
> >  - I am aware that grub currently only supports luks v1 for encrypted /boot
> >  1) made a backup of all contents of /boot (excluding /boot/efi)
> >  2) unmounted /boot/efi and /boot
> >  3) overwrote /dev/sda2 (/boot) with cryptsetup as a new luks v1 volume
> >  4) opened the new encrypted /dev/sda2
> >  5) created an ext4 filesystem inside it
> >  6) copied all of the backed up files into it
> >  7) ensured that all of the ownership and permissions for them were
> > correct (comparing with another system)
> >  8) remounted as /boot
> >  9) remounted /dev/sda1 as /boot/efi
> >  10) added an entry to /etc/crypttab
> >  11) adjusted /etc/fstab
> >  12) ran `update-initramfs -u` and `update-grub` (not sure which order,
> > if it matters; pretty sure I've run them each multiple times now anyway)
> >  13) rebooted
> > 
> > Note: below I've replaced the real UUIDs with simple replacements like
> > 'aaa'...
> > 
> > the partition table looks like this:
> > 
> > NAME                    FS     UUID  MOUNT
> > /dev/sda1               fat32  aaa   /boot/efi
> > /dev/sda2               -      bbb   -
> > /dev/sda3               -      ccc   -
> > /dev/mapper/sda2_crypt  ext4   ddd   /boot
> > /dev/mapper/sda3_crypt  ext4   eee   /
> > 
> > when I boot, I get a prompt like this:
> > attempting to decrypt master key...
> > enter passphrase for hd0,gpt2 (bbb):
> > 
> > but several moments after entering the password I get:
> > error:access denied
> > error: no such cryptodisk found
> > error: no such device: ddd
> > Loading Linux 5.4.0-3-amd64 ...
> > error: no server specified
> > Loading initial ramdisk ...
> > error: you need to load the kernel first
> > 
> > crypttab:
> > ```
> > boot_crypt UUID=bbb none luks
> > root_crypt UUID=ccc none luks
> > ```
> > 
> > fstab:
> > ```
> > # <file system>  <mount point>  <type>  <options>  <dump>  <pass>
> > /dev/mapper/root_crypt  /  ext4  errors=remount-ro  0  1
> > /dev/mapper/boot_crypt  /boot  ext4  errors=remount-ro  0  2
> > UUID=aaa                /boot/efi  vfat  umask=0077  0  2
> > /dev/sr1                /media/cdrom0  udf,iso9660  user,noauto  0  0
> > /dev/sr0                /media/cdrom1  udf,iso9660  user,noauto  0  0
> > /swapfile               none  swap  defaults  0  0
> > ```
> > 
> > /boot/grub.cfg (autogenerated) looks like this (stripped down):
> > ```
> > insmod luks
> > insmod cryptodisk
> > ...
> > if [ x$feature_default_font_path = xy ] ; then
> >     font=unicode
> > else
> >     insmod ext2
> >     set root='hd0'
> >     if [ x$feature_platform_search_hint = xy ]; then
> >         search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0  eee
> >     else
> >         search --no-floppy --fs-uuid --set=root eee
> >     fi
> >     font="/usr/share/grub/unicode.pf2"
> > fi
> > ...
> > insmod ext2
> > set root='hd0'
> > if [ x$feature_platform_search_hint = xy ]; then
> >     search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0  eee
> > else
> >     search --no-floppy --fs-uuid --set=root eee
> > fi
> > ...
> > menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-eee' {
> >     ...
> >     insmod cryptodisk
> >     insmod luks
> >     insmod gcry_rijndael
> >     insmod gcry_rijndael
> >     insmod gcry_sha256
> >     insmod ext2
> >     cryptomount -u bbb
> >     set root='cryptouuid/bbb'
> >     if [ x$feature_platform_search_hint = xy ]; then
> >       search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0 --hint='cryptouuid/bbb'  ddd
> >     else
> >       search --no-floppy --fs-uuid --set=root ddd
> >     fi
> >     echo    'Loading Linux 5.4.0-3-amd64 ...'
> >     linux   /vmlinuz-5.4.0-3-amd64 root=UUID=eee ro cryptdevice=/dev/sda3:root root=/dev/mapper/root_crypt quiet
> >     echo    'Loading initial ramdisk ...'
> >     initrd  /initrd.img-5.4.0-3-amd64
> > }
> > submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-eee' {
> >     ...
> > }
> > ...
> > ```
> > 
> > I can unlock /dev/sda2 fine with cryptsetup in a live environment (as
> > well as /dev/sda3), so it surely cannot be as simple as entering the
> > wrong password...
> > 
> > 

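The thread names three things that have to line up before GRUB can read an encrypted /boot: GRUB_ENABLE_CRYPTODISK="y" in /etc/default/grub (sashab's reply), a LUKS1 rather than LUKS2 container for /boot (the original poster notes GRUB only supports LUKS1 there), and a `cryptomount -u <uuid>` line in the generated grub.cfg. The script below is an added example, not code from this thread or from GRUB: it checks those three points against copies of the files so it can be run offline, using constructed sample inputs that reuse the thread's 'bbb'/'ddd' placeholder UUIDs. The luksDump samples are abridged and the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from GRUB): offline sanity checks for
# an encrypted /boot. Inputs are copies of /etc/default/grub, the output of
# `cryptsetup luksDump <boot device>` and the generated grub.cfg; the sample
# files below are constructed and use the thread's placeholder UUIDs.

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

# --- constructed sample inputs (hypothetical file names) --------------------
printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_ENABLE_CRYPTODISK="y"' > "$TMP/default-grub"
printf '%s\n' 'GRUB_DEFAULT=0' '#GRUB_ENABLE_CRYPTODISK="y"' > "$TMP/default-grub-off"

# Abridged luksDump output for a LUKS1 header (real output has more fields).
printf 'LUKS header information for /dev/sda2\n\nVersion:       \t1\nCipher name:   \taes\nCipher mode:   \txts-plain64\nHash spec:     \tsha256\nUUID:          \tbbb\n' > "$TMP/luks1.dump"
# Abridged luksDump output for a LUKS2 header, which GRUB 2.04 cannot unlock.
printf 'LUKS header information\nVersion:       \t2\nEpoch:         \t3\nUUID:          \tbbb\n' > "$TMP/luks2.dump"

# The relevant fragment of a grub.cfg produced with cryptodisk enabled.
cat > "$TMP/grub.cfg" <<'EOF'
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
    cryptomount -u bbb
    set root='cryptouuid/bbb'
    search --no-floppy --fs-uuid --set=root ddd
EOF

# --- checks ------------------------------------------------------------------

# 1. Is GRUB_ENABLE_CRYPTODISK set to y (commented-out lines do not count)?
#    Without it, grub-install does not embed the cryptodisk modules and
#    update-grub does not emit the cryptomount lines. Prints yes or no.
cryptodisk_enabled() {
    if grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*$' "$1"; then
        echo yes
    else
        echo no
    fi
}

# 2. LUKS header version from the luksDump output; anything but 1 means
#    GRUB 2.04 will not be able to open the /boot container.
luks_version() {
    sed -n 's/^Version:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# 3. Does grub.cfg unlock the given LUKS UUID? The `cryptomount -u <uuid>`
#    line must run before `search --fs-uuid` can find the filesystem inside.
grubcfg_cryptomounts() {
    grep -Eq "^[[:space:]]*cryptomount[[:space:]]+-u[[:space:]]+$2([[:space:]]|$)" "$1" \
        && echo yes || echo no
}

# Run all three checks; prints one line per problem, returns 1 if any failed.
check_encrypted_boot() {
    dg="$1"; dump="$2"; cfg="$3"; uuid="$4"; rc=0
    [ "$(cryptodisk_enabled "$dg")" = yes ] \
        || { echo "GRUB_ENABLE_CRYPTODISK is not set to y in $dg"; rc=1; }
    v="$(luks_version "$dump")"
    [ "$v" = 1 ] \
        || { echo "LUKS header version is '$v'; GRUB needs LUKS1 for /boot"; rc=1; }
    [ "$(grubcfg_cryptomounts "$cfg" "$uuid")" = yes ] \
        || { echo "no 'cryptomount -u $uuid' in $cfg; re-run update-grub"; rc=1; }
    return $rc
}

# Demonstration: the first setup passes, the second reports two problems.
check_encrypted_boot "$TMP/default-grub" "$TMP/luks1.dump" "$TMP/grub.cfg" bbb \
    && echo "good setup: all checks passed"
check_encrypted_boot "$TMP/default-grub-off" "$TMP/luks2.dump" "$TMP/grub.cfg" bbb \
    || echo "bad setup: problems found"
```

On a real system the three inputs would be /etc/default/grub, `cryptsetup luksDump /dev/sda2` captured to a file, and /boot/grub/grub.cfg; the UUID argument is the LUKS container UUID (the thread's 'bbb'), not the UUID of the ext4 filesystem inside it ('ddd'), since that is what `cryptomount -u` takes.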