GRUB, LUKS, unknown filesystem
I am missing the big picture with configuring GRUB and LUKS on Slackware. I have reviewed README_CRYPT.TXT. I am trying to chainload a second encrypted distro.
Slackware 14.2 64-bit. Using GRUB 2.00 from 14.2. Slackware is not encrypted. I am not using LVM. Disk is SSD with GPT. Lenovo T400 laptop with 4 GB RAM and Core Duo P8400 (no AES support). Old style BIOS. I converted a virtual machine to physical (V2P). I want this partition LUKS encrypted. There are no issues with the V2P -- that all went fine without issues. I created a partition and encrypted with LUKS: Code:
cryptsetup -y -v luksFormat /dev/sda7
There are no problems accessing the encrypted partition from within Slackware. My brain block is the chainloading. In /etc/default/grub I added GRUB_ENABLE_CRYPTODISK=y and ran grub-mkconfig. My GRUB menu entry: Code:
menuentry 'V2P' --class gnu-linux --class gnu --class os {
I reboot and enter the GRUB command line: Code:
insmod luks
Thanks again. :) |
If I remember right, for GRUB both the disk and partition counts start from 0 (zero).
So, I believe that /dev/sda7 should be (hd0,6) in grub-ish |
GRUB 2: drives start at 0, partitions at 1.
GRUB Legacy: drives at 0, partitions at 0. Slackware uses GRUB 2. |
Oh, my bad!
|
Did you run grub-install /dev/sda7?
|
This is my first effort with disk encryption. Just never had a need until now. :)
I think this is a chicken-and-egg thing. I can't get into the converted VM inside an encrypted partition so I can run grub-install correctly. If I now understand correctly, I need to create a separate unencrypted /boot partition. My RTFM understanding is /boot can be encrypted too, but because I am converting a VM rather than performing a fresh install, I might need that intermediate step. After I get that far I might be able to merge /boot back into the encrypted partition. Maybe not. I'm just not experienced enough to know. Another option might be to move /home to a separate encrypted partition and then not encrypt the system partition. Encrypting only /home might be good enough. My encryption need is not providing direct access to SSH key pairs, stored passwords, etc. That latter approach is doable, but I'd rather have everything but /boot encrypted. The first experience is always the hardest. I am trying to learn as much as practical. At work we have several laptops used in the field. None have encryption. Back to the drawing board. :) |
I don't use LVM or encryption, but my understanding is that historically both needed a separate boot partition, and GRUB supposedly is now able to access encrypted partitions, but I haven't seen much success with it. Maybe a newer version of GRUB? Was the install on the virtual machine using GRUB 2 to boot? If so, access it from the main Slackware and take a look at the menuentry in the /boot/grub/grub.cfg file. It may be possible to copy it and modify it to fit its current location. |
For the short term I am going to extract /home from the V2P, create a separate partition for /home, and encrypt that partition rather than the entire V2P. I'll post an update when I make progress. |
From your Ubuntu installation, mount the encrypted partition, chroot into it and then run the grub commands.
|
@unport
From what I know, when the root filesystem is encrypted, you must have a separate /boot partition, which is not encrypted. Maybe GRUB2 is capable of unlocking and looking for files in an encrypted filesystem, but GRUB2 itself and its extensions, I believe, should stay in a non-encrypted partition. Also, GRUB2 is a modular bootloader, somewhat like a mini operating system, so I think all the files it uses, and its modules (i.e. "luks"), should be available in that non-encrypted partition, otherwise it will not be able to find them. On the other hand, maybe you should look whether there is a difference between the LUKS formats recognized by the GRUB2 infrastructure and the ones used by Slackware itself. However, I wonder: why this solution? Whatever bootloader you use, either LILO, SYSLINUX (EXTLINUX) or GRUB(2), from what I know the usual way of using system encryption is a separate boot partition (or device; my favorite is booting from a USB flash drive), from where the bootloader reads a particular kernel and initrd. It is the initrd which does the root partition unlocking, after all. Code:
# Unlock any encrypted partitions necessary to access the |
EUREKA!
https://wiki.archlinux.org/index.php..._entire_system According to this page: Quote:
So, dear OP, I strongly suggest you use the orthodox way (as used by Slackware), with an unencrypted boot partition and initrd, whatever you use as bootloader. ;) PS. Meanwhile you can use a flash drive for boot. Works like a charm. |
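The two points made in this thread, the GRUB 2 versus GRUB Legacy partition numbering and the "orthodox" Slackware layout (unencrypted /boot, LUKS root unlocked by the initrd built with mkinitrd -C/-r as in README_CRYPT.TXT), are pulled together below in an added shell example. It is not code from the thread or from Slackware; the device names (/dev/sda6 as /boot, /dev/sda7 as the LUKS container), the mapper name "cryptroot" and the kernel version 4.4.14 are assumptions, and the cryptodisk variant at the end shows how the OP's GRUB_ENABLE_CRYPTODISK route would address the container with cryptomount so the two approaches can be compared.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout:
#   /dev/sda6  unencrypted /boot (ext4)      /dev/sda7  LUKS container holding /
#   mapper name "cryptroot", kernel 4.4.14   (all assumptions; adjust to your disk)

# /dev/sdXN -> GRUB 2 notation: disks are 0-based (sda -> hd0), partitions keep
# their Linux number and get a table-type prefix (sda7 -> hd0,gpt7 on GPT).
grub2_part() {
    dev=${1#/dev/sd}                              # "a7"
    letter=${dev%%[0-9]*}                         # "a"
    num=${dev#"$letter"}                          # "7"
    idx=$(( $(printf '%d' "'$letter") - 97 ))     # a=0, b=1, ...
    printf 'hd%d,%s%s' "$idx" "${2:-gpt}" "$num"
}

# /dev/sdXN -> GRUB Legacy notation: both disk and partition are 0-based,
# which is the (hd0,6) suggestion made earlier in the thread.
grub_legacy_part() {
    dev=${1#/dev/sd}
    letter=${dev%%[0-9]*}
    num=${dev#"$letter"}
    idx=$(( $(printf '%d' "'$letter") - 97 ))
    printf 'hd%d,%d' "$idx" $(( $num - 1 ))
}

# Slackware mkinitrd call for a LUKS root (flags as documented in
# README_CRYPT.TXT): -C names the LUKS container the initrd must unlock,
# -r the unlocked mapper device it then mounts as /.
mkinitrd_cmd() {
    # $1 kernel version, $2 root fs type (used for -m and -f), $3 LUKS device, $4 mapper name
    printf 'mkinitrd -c -k %s -m %s -f %s -r /dev/mapper/%s -C %s' \
        "$1" "$2" "$2" "$4" "$3"
}

# "Orthodox" menuentry: GRUB only needs the plain /boot partition; the initrd
# asks for the passphrase and unlocks the root container.
menuentry_plain_boot() {
    # $1 title, $2 /boot device, $3 mapper name, $4 kernel version
    boot=$(grub2_part "$2")
    cat <<EOF
menuentry '$1' --class gnu-linux --class gnu --class os {
    insmod part_gpt
    insmod ext2
    set root='$boot'
    linux /vmlinuz-generic-$4 root=/dev/mapper/$3 ro
    initrd /initrd.gz
}
EOF
}

# Cryptodisk variant (what GRUB_ENABLE_CRYPTODISK=y is for): GRUB itself opens
# the container, which then appears as (crypto0). Only useful if /boot lives
# inside the container; the initrd still has to unlock root a second time.
menuentry_cryptodisk() {
    # $1 title, $2 LUKS device, $3 mapper name, $4 kernel version
    luksdev=$(grub2_part "$2")
    cat <<EOF
menuentry '$1' --class gnu-linux --class gnu --class os {
    insmod part_gpt
    insmod luks
    insmod ext2
    cryptomount $luksdev
    set root='(crypto0)'
    linux /boot/vmlinuz-generic-$4 root=/dev/mapper/$3 ro
    initrd /boot/initrd.gz
}
EOF
}

# Stand-alone demonstration with the assumed devices.
echo "GRUB 2:      $(grub2_part /dev/sda7)"
echo "GRUB Legacy: $(grub_legacy_part /dev/sda7)"
echo "initrd:      $(mkinitrd_cmd 4.4.14 ext4 /dev/sda7 cryptroot)"
menuentry_plain_boot V2P /dev/sda6 cryptroot 4.4.14
menuentry_cryptodisk V2P-cryptodisk /dev/sda7 cryptroot 4.4.14
```

The generated mkinitrd line is run inside the chrooted V2P system (as suggested earlier in the thread) so that the resulting /boot/initrd.gz contains the cryptsetup tooling for that system's kernel; the plain-/boot menuentry can then be dropped into the Slackware grub.cfg, or the V2P's own /boot/grub/grub.cfg can be pulled in with GRUB 2's configfile command instead of chainloading a second boot sector.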
Slackware 14.2 uses GRUB 2.00, while the V2P uses 2.02. I don't know if the differences affect anything related to LUKS. I am considering a fresh install into an encrypted partition and then diff that with the converted V2P. Everything I have read indicates I need to create my partition scheme before installing because the installers are limited with support for complex partitioning with encryption. Not a big deal, just that my schedule limits my time working on this project. Same challenge all of us face every day. :) When I try that I will create separate partitions for /boot and / and encrypt only /. I think a separate /boot just for the new system is needed so I can chainload from my Slackware GRUB. I need to use chainload so I don't have to manually update the Slackware GRUB with changes in the new system. I need a working system soon. As mentioned in my previous post, for the short term I am going to encrypt /home. I will post updates as I can. :) |
Well, I would love to see the news. :thumbsup:
I, for one, consider this thread a very interesting subject. Thanks for raising it! |
I've gone the route of using LVM on my laptops and using LUKS to encrypt the physical volume the laptop uses for all the logical volumes. (None of my laptops can handle multiple hard drives.) If I put my swap on a logical volume (and I do on my laptops), then everything is encrypted other than the /boot partition.
You aren't using a laptop, but the steps are the same. FWIW, here's my fstab and other information: Code:
cranium@toshiba:~$ cat /etc/fstab Code:
root@toshiba:~# pvs |