09-05-2023, 10:36 AM
#1
LQ Newbie
Registered: Aug 2023
Location: Brazil
Distribution: Devuan Daedalus (Bookworm) with SysVinit
Posts: 9
Separate encrypted /boot doesn't mount at boot
I made a Void Linux install, followed their documentation on FDE, and some other places too (Arch Wiki, mutschler.dev, etc.). After finishing it, during boot (kernel loading), the root partition is decrypted and mounted, but the boot partition isn't, so it throws me into an emergency mode where I can decrypt /boot manually and mount it; after that I do an exit and I can boot the system normally.
This is my layout and configs:
Code:
nvme0n1
├─nvme0n1p1 -> /boot/efi - vFAT (unencrypted)
├─nvme0n1p2 (encrypted with LUKS1, because of GRUB)
│ └─void_boot -> /boot - EXT4
└─nvme0n1p3 (encrypted with LUKS2, using Argon2id)
  └─void_sys -> / -> BTRFS (@, @home, @root, @var)
UUIDs
Code:
/dev/nvme0n1p1: UUID="393E-A2B1"
/dev/nvme0n1p2: UUID="88eca136-19a9-49fa-b9c7-d2a173b5cd76"
/dev/nvme0n1p3: UUID="8505c55a-3e35-4d63-a86f-a7d0c4d743dc"
/dev/mapper/void_sys: UUID="fdf140cc-afbd-444a-8601-1afcf116149f"
/dev/mapper/void_boot: UUID="9517754a-6e5f-4362-9eae-3d3c1c3e878d"
/etc/default/grub
Code:
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=30
GRUB_DISTRIBUTOR="Void"
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc root=UUID=fdf140cc-afbd-444a-8601-1afcf116149f rd.luks.allow-discards rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key resume_offset=1145547"
GRUB_ENABLE_CRYPTODISK=y
# Uncomment to use basic console
#GRUB_TERMINAL_INPUT="console"
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
#GRUB_BACKGROUND=/usr/share/void-artwork/splash.png
#GRUB_GFXMODE=1920x1080x32
#GRUB_DISABLE_LINUX_UUID=true
#GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
GRUB_DISABLE_OS_PROBER=true
/etc/crypttab
Code:
# <name> <device> <password> <options>
void_boot UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76 /etc/luks/unlock.key luks,cipher=serpent-xts-plain64
void_sys UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc /etc/luks/unlock.key luks,cipher=aes-xts-plain64,discard
/etc/fstab
Code:
UUID=fdf140cc-afbd-444a-8601-1afcf116149f / btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=256,subvol=/@ 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /home btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=257,subvol=/@home 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /var btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=258,subvol=/@var 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /root btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=259,subvol=/@root 0 0
UUID=9517754a-6e5f-4362-9eae-3d3c1c3e878d /boot ext4 rw,relatime 0 0
UUID=393E-A2B1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/etc/swapfile none swap defaults,pri=2 0 0
/etc/dracut.conf.d/10-crypt.conf
Code:
install_items+=" /etc/luks/unlock.key /etc/crypttab "
The keyfile I created and configured like this:
Code:
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1
chmod 500 /etc/luks
chmod 400 /etc/luks/unlock.key
cryptsetup luksAddKey /dev/nvme0n1p2 /etc/luks/unlock.key
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/luks/unlock.key
Is it something related to how runit manages mount points during boot time? Or is it something else?
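Added example (not the original poster's code, and not from Void or dracut): a shell script that cross-checks the four fragments posted above, crypttab, the GRUB kernel command line, the dracut install_items line and fstab, for the mismatches that leave a LUKS volume locked in the initramfs. The rules it encodes come from dracut.cmdline(7): rd.luks.uuid restricts activation to the listed UUIDs (prefix match, any "luks-" dropped), rd.luks.key has the form keypath[:keydev[:luksdev]], and a keyfile named in crypttab has to be inside the image. It also checks the security precondition of this design, that the filesystem carrying the initramfs (and so the keyfile) is itself a dm-crypt mapping, using the /dev/mapper UUIDs from the blkid output in the post. The finding codes are my own, and the config text is embedded as constants so the script runs offline.

```shell
#!/bin/sh
# fde-check.sh: cross-check crypttab / kernel command line / dracut
# install_items / fstab of a dracut+GRUB encrypted-/boot install for the
# mismatches that leave a LUKS volume locked in the initramfs.
# Added example, not code from the thread, Void or dracut. The inputs are
# the fragments posted above, embedded as constants so this runs offline.

CRYPTTAB='void_boot UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76 /etc/luks/unlock.key luks,cipher=serpent-xts-plain64
void_sys UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc /etc/luks/unlock.key luks,cipher=aes-xts-plain64,discard'
CMDLINE='quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc root=UUID=fdf140cc-afbd-444a-8601-1afcf116149f rd.luks.allow-discards rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key resume_offset=1145547'
INSTALL_ITEMS=' /etc/luks/unlock.key /etc/crypttab '
FSTAB='UUID=9517754a-6e5f-4362-9eae-3d3c1c3e878d /boot ext4 rw,relatime 0 0
UUID=393E-A2B1 /boot/efi vfat rw,relatime 0 0'
# filesystem UUIDs that blkid reported on /dev/mapper/* (i.e. inside LUKS)
MAPPER_UUIDS='fdf140cc-afbd-444a-8601-1afcf116149f 9517754a-6e5f-4362-9eae-3d3c1c3e878d'

# Print every value of "$2=..." on kernel command line "$1", one per line.
cmdline_values() {
    for word in $1; do
        case "$word" in
            "$2"=*) printf '%s\n' "${word#*=}" ;;
        esac
    done
}

# Print findings as "CODE <crypttab name or -> <detail>", one per line.
# $1 crypttab  $2 cmdline  $3 dracut install_items  $4 fstab  $5 mapper UUIDs
fde_findings() {
    crypttab=$1 cmdline=$2 install_items=$3 fstab=$4 mapper_uuids=$5
    # dracut.cmdline(7): rd.luks.uuid limits activation to the listed UUIDs,
    # matched as prefixes after dropping any "luks-".
    luks_uuids=$(cmdline_values "$cmdline" rd.luks.uuid | sed 's/^luks-//')
    luks_keys=$(cmdline_values "$cmdline" rd.luks.key)

    printf '%s\n' "$crypttab" | while read -r name src keyfile opts; do
        case "$name" in '' | '#'*) continue ;; esac
        uuid=${src#UUID=}

        # 1. the keyfile crypttab points at has to be inside the image; in
        #    this setup that is done with install_items, so verify it is there
        case " $install_items " in
            *" $keyfile "*) ;;
            *) printf 'KEYFILE_NOT_IN_INITRAMFS %s %s\n' "$name" "$keyfile" ;;
        esac

        # 2. once rd.luks.uuid is given, an unlisted volume stays locked
        if [ -n "$luks_uuids" ]; then
            listed=0
            for prefix in $luks_uuids; do
                case "$uuid" in "$prefix"*) listed=1 ;; esac
            done
            [ "$listed" -eq 1 ] || printf 'NOT_IN_RD_LUKS_UUID %s %s\n' "$name" "$uuid"
        fi

        # 3. rd.luks.key=<keypath>[:<keydev>[:<luksdev>]]: if <luksdev> names
        #    this volume, <keypath> should be the path crypttab uses
        for entry in $luks_keys; do
            case "$entry" in *:*:*) ;; *) continue ;; esac
            keypath=${entry%%:*}
            luksdev=${entry##*:}
            case "$luksdev" in
                "UUID=$uuid" | "/dev/disk/by-uuid/$uuid")
                    [ "$keypath" = "$keyfile" ] ||
                        printf 'RD_LUKS_KEY_PATH_MISMATCH %s %s\n' "$name" "$keypath" ;;
            esac
        done
    done

    # 4. a value with no ':' is taken entirely as <keypath> and probed on every
    #    block device; one that also contains '=' is almost certainly a mix-up
    for entry in $luks_keys; do
        case "$entry" in *:*) ;; *=*) printf 'RD_LUKS_KEY_SYNTAX - %s\n' "$entry" ;; esac
    done

    # 5. the initramfs now carries a LUKS key, so the filesystem holding it
    #    (/boot) must itself be inside a dm-crypt mapping
    boot_uuid=$(printf '%s\n' "$fstab" | awk '$2 == "/boot" { sub(/^UUID=/, "", $1); print $1 }')
    if [ -n "$boot_uuid" ]; then
        case " $mapper_uuids " in
            *" $boot_uuid "*) ;;
            *) printf 'BOOT_NOT_ENCRYPTED - %s\n' "$boot_uuid" ;;
        esac
    fi
}

# Number of findings (0 means the four fragments agree with each other).
fde_finding_count() {
    fde_findings "$@" | awk 'END { print NR }'
}

fde_findings "$CRYPTTAB" "$CMDLINE" "$INSTALL_ITEMS" "$FSTAB" "$MAPPER_UUIDS"
```

Run as-is it reports on the posted configuration; rerun it with the real files (`/etc/crypttab`, `/proc/cmdline`, the dracut conf and `/etc/fstab`) substituted for the constants before regenerating the initramfs, and again after any GRUB or dracut change. Check 5 is the one worth keeping even when everything else is green: a keyfile baked into an initramfs is only as protected as the partition that initramfs sits on.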
09-05-2023, 11:19 AM
#2
LQ Guru
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 6,282
Why in the world would anyone encrypt /boot? What purpose does that serve? /Boot contains NO user data whatever.
09-05-2023, 11:40 AM
#3
LQ Newbie
Registered: Aug 2023
Location: Brazil
Distribution: Devuan Daedalus (Bookworm) with SysVinit
Posts: 9
Original Poster
Quote:
Originally Posted by wpeckham
Why in the world would anyone encrypt /boot? What purpose does that serve? /Boot contains NO user data whatever.
Even if someone can't access the user data, people can tamper with GRUB to get into the system. It's like one in a million to find someone who knows how to, but I like to follow something my father says: don't give luck to misfortune (I don't know if this means the same thing in English, but in Portuguese it's understandable).
09-05-2023, 02:24 PM
#4
LQ Guru
Registered: Oct 2004
Distribution: Arch
Posts: 5,470
That's why /boot can be a separate partition: then one can umount /boot after the machine is up and running, and it can't be reached because it isn't mounted. Make sure that you mount /boot before you update the kernel or the bootloader.
Info:
https://wiki.archlinux.org/title/Dm-..._entire_system