LinuxQuestions.org
Closed Thread
10-09-2018, 03:47 AM   #1
brukkal
Problems with cryptsetup/keyfile and encrypted root partition on Debian 9/i386


Hello, I'm trying to set up a machine with an encrypted filesystem. It's a Debian 9/i386.

The partition table on /dev/sda
Code:
1.    1 MiB BIOS BOOT  (04) N/A  N/A
2.  256 MiB Linux      (83) ext4 /boot
3. 2304 MiB Linux      (83) ext4 /
4.    1 MiB MINIX      (81) N/A  N/A
5.  510 MiB Linux swap (82) swap swap

When I finished the partitioning, I ran these:
Code:
dd if=/dev/urandom of=/dev/sda4 bs=1 count=512
echo 'YES' | cryptsetup -v -c aes-xts-plain64 -s 512 -h sha256 -i 2000 --keyfile-size=512 luksFormat /dev/sda3 /dev/sda4
cryptsetup -c aes-xts-plain64 -d /dev/sda4 -s 512 -i 2000 --keyfile-size=512 open --type=plain /dev/sda3 eldcr
mkfs.ext4 -F /dev/sda2
e2label /dev/sda2 BootLabel
mkfs.ext4 -F /dev/mapper/eldcr
e2label /dev/mapper/eldcr RootLabel
mkdir -p /mnt/disk
mount /dev/mapper/eldcr /mnt/disk
mkswap /dev/sda5

/etc/fstab looks like this:
Code:
/dev/disk/by-partuuid/<partuuid of /dev/sda2> /boot ext4 errors=remount-ro 0 1
/dev/mapper/eldcr / ext4 errors=remount-ro 0 1
/dev/disk/by-partuuid/<partuuid of /dev/sda5> none swap sw 0 0

/etc/crypttab:
Code:
eldcr /dev/disk/by-partuuid/<partuuid of /dev/sda3> /dev/disk/by-partuuid/<partuuid of /dev/sda4> luks,cipher=aes-xts-plain64,size=512,hash=sha256,keyfile-size=512,time=2000,keyscript=getlukskey.sh

/etc/initramfs-tools/conf.d/cryptroot:
Code:
CRYPTROOT=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>

I modified some lines in /etc/default/grub:
Code:
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
GRUB_CMDLINE_LINUX=""
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-partuuid/<partuuid of /dev/sda3>:eldcr root=/dev/mapper/eldcr cryptopts=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>,keyscript=getlukskey.sh crypto=sha256:aes-xts-plain64:512:0:0"

The scripts:

/lib/cryptsetup/scripts/getlukskey.sh:
Code:
#!/bin/sh
dd if=/dev/disk/by-partuuid/<partuuid of /dev/sda4> bs=1 count=512 2>/dev/null

/usr/share/initramfs-tools/hooks/glkcopy:
Code:
#!/bin/sh -e
PREREQS=""
case $1 in
        prereqs) echo "${PREREQS}"; exit 0;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /lib/cryptsetup/scripts/getlukskey.sh /bin
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass

And I added the following modules to /etc/initramfs-tools/modules: chainiv, cryptomgr, krng, cbc, ecb, ctr, aes, sha256, xts, dm-mod, dm-crypt

Then I install grub and make the initramfs:
Code:
grub-install --target=i386-pc --skip-fs-probe --efi-directory=/ --boot-directory=/boot --root-directory=/ /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
update-initramfs -c -k all

and in the end "update-initramfs -u -k". (The creation does not include my script, so I have to update it again...)

The result is "cryptsetup (eldcr): unknown fstype, bad password or options?" when I try to boot.

What is the problem?

I also tried to remove the "keyscript" from the boot options and the crypttab and put "cryptkey=/dev/disk/by-partuuid/<partuuid of /dev/sda4>:0:512" into the boot options. Then when I run the initramfs update it says: "WARNING: root target eldcr uses a key file, skipped." And after boot it asks for a password...

Any idea?
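
An added example, not part of the original post: the commands above run luksFormat on /dev/sda3 and then open it with --type=plain, while /etc/crypttab declares luks, so it is worth checking which format is actually on disk. The sketch below reads the 6-byte LUKS magic and compares it with the crypttab options; the function names, image files and PARTUUID values are constructed for illustration, and on a real system `cryptsetup isLuks <device>` is the authoritative check.

```shell
#!/bin/sh
# Added example: does the on-disk format match what crypttab declares?
# Function names and sample values are illustrative, not from the thread.

LUKS_MAGIC="4c554b53babe"   # "LUKS" 0xBA 0xBE: first 6 bytes of a LUKS header

# Print "luks" if the device/file starts with the LUKS magic, else "other".
ondisk_format() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "$LUKS_MAGIC" ]; then echo luks; else echo other; fi
}

# Print "luks" if the 4th crypttab field carries the luks option, else "plain".
crypttab_mode() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$opts," in
        *,luks,*) echo luks ;;
        *)        echo plain ;;
    esac
}

# $1 = crypttab line, $2 = device or image. Returns 0 when both agree.
check_entry() {
    want=$(crypttab_mode "$1")
    have=$(ondisk_format "$2")
    if [ "$want" = luks ] && [ "$have" != luks ]; then
        echo "MISMATCH: crypttab says luks, $2 has no LUKS header"; return 1
    fi
    if [ "$want" = plain ] && [ "$have" = luks ]; then
        echo "MISMATCH: crypttab says plain, $2 has a LUKS header"; return 1
    fi
    echo "OK: crypttab ($want) matches $2"
}

# Constructed demo: one image with the LUKS magic, one without.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'LUKS\272\276' > "$tmp/luks.img"
printf 'no header here' > "$tmp/plain.img"
entry='eldcr /dev/disk/by-partuuid/AAAA /dev/disk/by-partuuid/BBBB luks,keyfile-size=512,keyscript=getlukskey.sh'
check_entry "$entry" "$tmp/luks.img"  || true
check_entry "$entry" "$tmp/plain.img" || true
```

Run against the real partition as root, for example `check_entry "$(grep '^eldcr' /etc/crypttab)" /dev/sda3`, once the crypttab line uses real PARTUUID paths without spaces.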
 
10-12-2018, 12:40 PM   #2
sevendogsbsd
Duplicate of thread: https://www.linuxquestions.org/quest...86-4175640013/
 
  

