LinuxQuestions.org
Old 05-07-2023, 05:06 AM   #1
dosensuppe
Member
 
Registered: Feb 2021
Location: Germany
Distribution: Artix Linux, Slackware, Gentoo
Posts: 83

Rep: Reputation: Disabled
gentoo using disk encryption


Hello there. I'm trying to install Gentoo using encryption and haven't had any success so far.
I can't tell if it is a problem with the kernel or with the initramfs.

I have configured the kernel manually and set all the options recommended in the encryption wiki page.
The kernel and initramfs are both on the (unencrypted) EFI partition.
The initramfs is generated using dracut. The following is my dracut config:
Code:
early_microcode="yes"
add_dracutmodules+=" btrfs crypt dm "
omit_dracutmodules+=" network cifs nfs brltty "
compress="zstd"
kernel_cmdline="
rd.luks.uuid=a18375d2-4470-4c81-91be-abde1e6d8456
root=UUID=85499172-bc5f-407e-a9ff-a891f0f71143
rd.luks.allow-discards 
rootfstype=btrfs "
I am using GRUB as bootloader. In the GRUB cmdline line I usually have the UUID of the block device of the drive specified with :cryptroot to be used as mapper name. It doesn't make a difference if I omit that line.

The following is the output of the kernel boot:
https://pastebin.com/xqynJVje
Code:
[    2.386798] dracut: luksOpen /dev/nvme0n1p2 luks-a18375d2-4470-4c81-91be-abde1e6d8456  
[    2.447451] scsi 8:0:0:0: Direct-Access     VendorCo ProductCode      2.00 PQ: 0 ANSI: 4
[    2.447953] sd 8:0:0:0: Attached scsi generic sg0 type 0
[    2.448145] sd 8:0:0:0: [sda] 4096000000 512-byte logical blocks: (2.10 TB/1.91 TiB)
[    2.448830] sd 8:0:0:0: [sda] Write Protect is off
[    2.449170] sd 8:0:0:0: [sda] Mode Sense: 03 00 00 00
[    2.449274] sd 8:0:0:0: [sda] No Caching mode page found
[    2.449603] sd 8:0:0:0: [sda] Assuming drive cache: write through
[    2.451019]  sda: sda1
[    2.451429] sd 8:0:0:0: [sda] Attached SCSI removable disk
[    2.572851] scsi 9:0:0:0: Direct-Access     Kingston DataTraveler 3.0      PQ: 0 ANSI: 6
[    2.573323] sd 9:0:0:0: Attached scsi generic sg1 type 0
[    2.573530] sd 9:0:0:0: [sdb] 60437492 512-byte logical blocks: (30.9 GB/28.8 GiB)
[    2.574106] sd 9:0:0:0: [sdb] Write Protect is off
[    2.574417] sd 9:0:0:0: [sdb] Mode Sense: 4f 00 00 00
[    2.574549] sd 9:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[    2.581661]  sdb: sdb1 sdb2
For some reason it doesn't bring up a prompt to enter the key.
Best regards.

Last edited by dosensuppe; 05-07-2023 at 05:21 AM.
 
Old 05-14-2023, 03:38 PM   #2
dosensuppe
Trying to set up encryption on Gentoo.
It's getting REALLY tiresome. Instead of first trying it on a VM, of course I did it on hardware right away, hence I can't use my main computer right now.

>/boot is unencrypted and both initramfs and kernel reside on there.
>I specified the mapper name "cryptroot" in the grub and dracut.conf.
>picrel is what happens when it asks for the key. It shows a bunch of gibberish
>I can still enter the password and it encrypts accordingly, just NOT USING THE MAPPER NAME I SPECIFIED
>waits a few minutes maybe
>shows error message "can't boot: cryptroot not found"
Yes, I rebuilt both configs every time after changing anything.
I also added a crypttab in the hope that this would help in some way.

Here's the "rdsreport.txt" showing the full boot log of the initramfs:
https://pastebin.com/9zBY1TmP

crypttab:
Code:
cryptroot	/dev/disk/by-uuid/85499172-bc5f-407e-a9ff-a891f0f71143	none	luks
dracut.conf:
Code:
install_items+=" /etc/crypttab "
early_microcode="yes"
add_dracutmodules+=" btrfs crypt dm uefi-lib "
omit_dracutmodules+=" network cifs nfs brltty "
compress="zstd"
kernel_cmdline="
rd.luks.uuid=a18375d2-4470-4c81-91be-abde1e6d8456
root=/dev/mapper/cryptroot
rd.luks.allow-discards 
raid=noautodetect
rootfstype=btrfs "
grub:
Code:
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
#
# To populate all changes in this file you need to regenerate your
# grub configuration file afterwards:
#     'grub-mkconfig -o /boot/grub/grub.cfg'
#
# See the grub info page for documentation on possible variables and
# their associated values.

GRUB_CMDLINE_LINUX="cryptdevice=UUID=a18375d2-4470-4c81-91be-abde1e6d8456:cryptroot:allow-discards root=/dev/mapper/cryptroot"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISTRIBUTOR="Gentoo"

# Default menu entry
#GRUB_DEFAULT=0

# Boot the default entry this many seconds after the menu is displayed
#GRUB_TIMEOUT=5
#GRUB_TIMEOUT_STYLE=menu

# Append parameters to the linux kernel command line
#GRUB_CMDLINE_LINUX=""
#
# Examples:
#
# Boot with network interface renaming disabled
# GRUB_CMDLINE_LINUX="net.ifnames=0"
#
# Boot with systemd instead of sysvinit (openrc)
# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd"

# Append parameters to the linux kernel command line for non-recovery entries
#GRUB_CMDLINE_LINUX_DEFAULT=""

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal.
# Note that you can use only modes which your graphic card supports via VBE.
# You can see them in real GRUB with the command `vbeinfo'.
#GRUB_GFXMODE=640x480

# Set to 'text' to force the Linux kernel to boot in normal text
# mode, 'keep' to preserve the graphics mode set using
# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular
# graphics mode, or a sequence of these separated by commas or
# semicolons to try several modes in sequence.
#GRUB_GFXPAYLOAD_LINUX=

# Path to theme spec txt file.
# The starfield is by default provided with use truetype.
# NOTE: when enabling custom theme, ensure you have required font/etc.
#GRUB_THEME="/boot/grub/themes/starfield/theme.txt"

# Background image used on graphical terminal.
# Can be in various bitmap formats.
#GRUB_BACKGROUND="/boot/grub/mybackground.png"

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
#GRUB_DISABLE_LINUX_UUID=true

# Comment if you don't want GRUB to pass "root=PARTUUID=xxx" parameter to kernel
#GRUB_DISABLE_LINUX_PARTUUID=false

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY=true

# Uncomment to disable generation of the submenu and put all choices on
# the top-level menu.
# Besides the visual affect of no sub menu, this makes navigation of the
# menu easier for a user who can't see the screen.
#GRUB_DISABLE_SUBMENU=y

# Uncomment to play a tone when the main menu is displayed.
# This is useful, for example, to allow users who can't see the screen
# to know when they can make a choice on the menu.
#GRUB_INIT_TUNE="60 800 1"
I am absolutely clueless as to what to do. Is this the kernel somehow being misconfigured or dracut?
Attached thumbnail: a3235f21-f4ce-4713-9138-7700b3bbbaa8.jpeg (160.3 KB)
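
An added example, not part of the original posts: a static cross-check of whether the mapper that root= points at is one the initramfs would create, given the luks-<uuid> naming visible in the first post's boot log. The function names and the second crypttab line are constructed for illustration, and the renaming rule is an assumption simplified from dracut's crypt module.

```shell
#!/bin/sh
# Constructed input: words copied from GRUB_CMDLINE_LINUX and the dracut
# kernel_cmdline in the second post, merged into one kernel command line.
# cryptdevice= is mkinitcpio (Arch) syntax; this check reads only
# rd.luks.uuid= and root=.
CMDLINE='cryptdevice=UUID=a18375d2-4470-4c81-91be-abde1e6d8456:cryptroot:allow-discards root=/dev/mapper/cryptroot rd.luks.uuid=a18375d2-4470-4c81-91be-abde1e6d8456 rd.luks.allow-discards raid=noautodetect rootfstype=btrfs'
# crypttab line as posted (its UUID is the one used for root=UUID= in post #1).
CRYPTTAB='cryptroot /dev/disk/by-uuid/85499172-bc5f-407e-a9ff-a891f0f71143 none luks'
# Constructed variant: device field names the LUKS UUID from rd.luks.uuid=.
CRYPTTAB_BY_LUKS_UUID='cryptroot UUID=a18375d2-4470-4c81-91be-abde1e6d8456 none luks'

# cmdline_get KEY CMDLINE: print the value of the first KEY=value word.
cmdline_get() {
    for word in $2; do
        case $word in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# expected_mapper CMDLINE CRYPTTAB: name the opened volume is expected to get.
# Default is luks-<uuid>. Assumption: a crypttab line renames it only when its
# device field names that same LUKS UUID.
expected_mapper() {
    uuid=$(cmdline_get rd.luks.uuid "$1") || return 1
    uuid=${uuid#luks-}
    name=$(printf '%s\n' "$2" | awk -v u="$uuid" '
        $1 ~ /^#/ || NF < 2 { next }
        $2 == ("UUID=" u) || $2 == ("/dev/disk/by-uuid/" u) { print $1; exit }')
    printf '%s\n' "${name:-luks-$uuid}"
}

# check_root CMDLINE CRYPTTAB: status 0 if root= matches, 1 if not, 2 if unknown.
check_root() {
    root=$(cmdline_get root "$1") || { echo "no root= parameter"; return 2; }
    want=/dev/mapper/$(expected_mapper "$1" "$2") || { echo "no rd.luks.uuid="; return 2; }
    if [ "$root" = "$want" ]; then
        echo "OK: root=$root matches the expected mapper"
    else
        echo "MISMATCH: root=$root but expected mapper is $want"; return 1
    fi
}

check_root "$CMDLINE" "$CRYPTTAB" || true
check_root "$CMDLINE" "$CRYPTTAB_BY_LUKS_UUID"
```

The check compares UUID strings only; it does not resolve device symlinks the way a running initramfs would.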
 
  

