[SOLVED] GRUB, LUKS, unknown filesystem

upnort · 05-15-2018, 12:07 AM

I am missing the big picture with configuring GRUB and LUKS on Slackware. I have reviewed README_CRYPT.TXT. I am trying to chainload a second encrypted distro.

Slackware 14.2 64-bit. Using GRUB 2.00 from 14.2. Slackware is not encrypted. I am not using LVM. Disk is SSD with GPT. Lenovo T400 laptop with 4 GB RAM and Core Duo P8400 (no AES support). Old style BIOS.

I converted a virtual machine to physical (V2P). I want this partition LUKS encrypted. There are no issues with the V2P -- that all went fine without issues.

I created a partition and encrypted with LUKS:

Code:

cryptsetup -y -v luksFormat /dev/sda7
cryptsetup luksOpen /dev/sda7 lukssda7
mkfs.ext4 /dev/mapper/lukssda7

I copied the contents of the converted V2P into the partition.

There are no problems accessing the encrypted partition from within Slackware.

My brain block is the chainloading.

In /etc/default/grub I added GRUB_ENABLE_CRYPTODISK=y and ran grub-mkconfig.

My GRUB menu entry:

Code:

menuentry 'V2P' --class gnu-linux --class gnu --class os' {
insmod luks
cryptomount hd0,7
insmod chain
set root=(hd0,7)
chainloader +1
boot
}

When I select this menu option I am prompted to enter the passphrase. Most times the system hangs with no feedback after typing the passphrase and I have to power down to recover. Some times when I type the passphrase the system reboots. Some times the passphrase succeeds, I see Slot 0 opened, but I am informed of an invalid signature and I need to load the kernel.

I reboot and enter the GRUB command line:

Code:

insmod luks
cryptomount hd0,7 {enter passphrase}
ls (hd0,7)/
error: unknown filesystem

This is as far as I have gotten. Likely I need to provide more details. Let me know what to post.

Thanks again.

Darth Vader · 05-15-2018, 05:05 PM

IF I remember right, for the grub, both the disks and partitions count starts from 0 (zero).

So, I believe that /dev/sda7 should be (hd0,6) in grub-ish

colorpurple21859 · 05-15-2018, 05:14 PM

Grub 2 drives start at 0 partitions at 1.
Grub legacy drives 0 partitions 0
Slackware uses grub 2

Darth Vader · 05-15-2018, 05:15 PM

Oh, my bad!

colorpurple21859 · 05-15-2018, 05:38 PM

Did you run grub-install /dev/sda7?

upnort · 05-15-2018, 07:46 PM

This is my first effort with disk encryption. Just never had a need until now.

I think this is a chicken-and-egg thing. I can't get into the converted VM inside an encrypted partition so I can run grub-install correctly. If I now understand correctly, I need to create a separate unencrypted /boot partition. My RTFM understanding is /boot can be encrypted too but because I am converting a VM rather than performing a fresh install, I might need that intermediate step. After I get that far I might be able to merge /boot back into the encrypted partition. Maybe not. I'm just not experienced enough to know.

Another option might be to move /home to a separate encrypted partition and then not encrypt the system partition. Encrypting only /home might be good enough. My encryption need is not providing direct access to SSH key pairs, stored passwords, etc.

That latter approach is doable but I'd rather have everything but /boot encrypted.

The first experience is always the hardest. I am trying to learn as much as practical. At work we have several laptops used in the field. None have encryption.

Back to the drawing boards.

yancek · 05-16-2018, 08:58 AM

Quote:

error: unknown filesystem

The above error would seem to be a pretty good indication that Grub doesn't understand the filesystem. When you created the new encrypted system, did it include a separate boot partition or did you have the boot directory in the / (root) filesystem partition? You indicate in your first post that you are using GPT on the base Slackware install but not whether it is EFI or you have a BIOS boot partition, which is it? You might try adding to the grub menuentry: insmod part_gpt and changing your set root line to include it: set root=(hd0,gpt7)

I don't use LVM or encryption but, my understanding is that historically, both needed a separate boot partition and Grub supposedly is now able to access encrypted partitions but I haven't seen much success with it. Maybe a newer version of Grub?

Was the install on the virtual machine using Grub2 to boot? If so, access it from the main Slackware and take a look at the menuentry in the /boot/grub/grub.cfg file. It may be possible to copy it and modify it to fit it's current location.

upnort · 05-16-2018, 10:57 AM

Quote:

When you created the new encrypted system, did it include a separate boot partition or did you have the boot directory in the / (root) filesystem partition?

While I did not explicitly share, my previous post implies no separate boot.

Quote:

You indicate in your first post that you are using GPT on the base Slackware install but not whether it is EFI or you have a BIOS boot partition, which is it?

In my original post I wrote "Old style BIOS."

For the short term I am going to extract /home from the V2P, create a separate partition for /home, and encrypt that partition rather than the entire V2P. I'll post an update when I make progress.

colorpurple21859 · 05-16-2018, 11:25 AM

From your Ubuntu installation, mount the encrypted partition, chroot into and then run the grub commands.

Darth Vader · 05-16-2018, 11:28 AM

@unport

From what I know, when the root filesystem is encrypted, you must have a separate /boot partition, which is not encrypted.

Maybe GRUB2 it is capable to unlock and look for files in an encrypted filesystem, but itself and its extensions, I believe it should stay in a non-encrypted partition.

Also, the GRUB2 is a modular bootloader, and somewhat like a mini-operating system, then I think all used files, and its modules (i.e. "luks"), should be available in that non-encrypted partition, otherwise it will not be able to find them.

In other hand, maybe you should look if there is a difference between the LUKS formats which are recognized by GRUB2 infrastructure, compared with the ones used by Slackware itself.

However, I wonder: why this solution?

Whatever bootloader you use, either LILO, SYSLINUX (EXTLINUX) or GRUB(2), from what I know the usage of a system encryption is about using a separate boot partition (or device; my favorite is booting from an USB flash drive), from where the bootloader read a particular kernel and initrd. Which initrd do the root partition unlocking, after all.

Code:

  # Unlock any encrypted partitions necessary to access the
  # root filesystem, such as encrypted LVM Physical volumes, disk
  # partitions or mdadm arrays.
  # Unavailable devices such as LVM Logical Volumes will need to be
  # deferred until they become available after the vgscan.

  if [ -x /sbin/cryptsetup ]; then

    # Determine if we have to use a LUKS keyfile:
    if [ ! -z "$LUKSKEY" ]; then
      mkdir  /mountkey
      KEYPART=$(echo $LUKSKEY |cut -f1 -d:)
      KEYNAME=$(echo $KEYPART |cut -f2 -d=)
      LUKSPATH="/mountkey$(echo $LUKSKEY |cut -f2 -d:)"
      # Catch possible mount failure:
      if blkid |grep "TYPE=\"vfat\"" |grep $KEYNAME 1>/dev/null 2>&1 ; then
        MOUNTOPTS="-t vfat -o shortname=mixed"
      else
        MOUNTOPTS="-t auto"
      fi
      mount $MOUNTOPTS $(findfs $KEYPART) /mountkey 2>/dev/null
      # Check if we can actually use this file:
      if [ ! -f $LUKSPATH ]; then
        LUKSKEY=""
      else
        echo ">>> Using LUKS key file: '$LUKSKEY'"
        LUKSKEY="-d $LUKSPATH"
      fi
    fi

    LUKSLIST_DEFERRED=""
    LUKSLIST=$(echo $LUKSDEV | tr -s ':' ' ')
    for LUKSDEV in $LUKSLIST ; do
      if echo $LUKSDEV | grep -q "LABEL=" || echo $LUKSDEV | grep -q "UUID=" ; then
        LUKSDEV=$(findfs $LUKSDEV)
      fi
      if /sbin/cryptsetup isLuks ${LUKSDEV} 1>/dev/null 2>/dev/null ; then
        if echo $ROOTDEV | grep -q "LABEL=" || echo $ROOTDEV | grep -q "UUID=" ; then
          CRYPTDEV="luks$(basename $LUKSDEV)"
        elif [ "x$ROOTDEV" = "x$(basename $ROOTDEV)" ]; then
          CRYPTDEV="$ROOTDEV"
        else
          CRYPTDEV="luks$(basename $LUKSDEV)"
        fi
        if echo $LUKSTRIM | grep -wq $LUKSDEV 2>/dev/null ; then
          LUKSOPTS="--allow-discards"
        else
          LUKSOPTS=""
        fi
        if [ -z "${LUKSOPTS}" ]; then
          echo "Unlocking LUKS encrypted device '${LUKSDEV}' as luks mapped device '$CRYPTDEV':"
        else
          echo "Unlocking LUKS encrypted device '${LUKSDEV}' as luks mapped device '$CRYPTDEV' with '$LUKSOPTS':"
        fi
        /sbin/cryptsetup ${LUKSOPTS} ${LUKSKEY} luksOpen ${LUKSDEV} ${CRYPTDEV} </dev/tty0 >/dev/tty0 2>&1
        if [ "$ROOTDEV" = "$LUKSDEV" -o "$ROOTDEV" = "$CRYPTDEV" ] ; then
          ROOTDEV="/dev/mapper/$CRYPTDEV"
        fi
      else
        LUKSLIST_DEFERRED="${LUKSLIST_DEFERRED} ${LUKSDEV}"
      fi
    done
  fi

Did you try to avoid an initrd and separate boot partition usage, in fact?

Darth Vader · 05-16-2018, 11:42 AM

EUREKA!

https://wiki.archlinux.org/index.php..._entire_system

According with this page:

Quote:

Warning: GRUB does not support LUKS2. Do not use LUKS2 on partitions that GRUB needs to access.

That explains fully the OP adventures. The root fileystem is probably encrypted on the modern LUKS2 format, then it will not be recognized.

So, dear OP, I strongly suggest you to use the orthodox way (as used by Slackware), with an un-ecrypted boot partition and initrd, whatever you use as bootloader.

PS. Meanwhile you can use a flash drive for boot. Works like a charm.

upnort · 05-16-2018, 12:04 PM

Quote:

mount the encrypted partition, chroot into and then run the grub commands.

I tried that with a Live ISO. I am not a chroot expert but I needed to bind mount proc, /dev, etc. Did not go well. I tried that very late at night so perhaps I was just sleep deprived.

Quote:

The root fileystem is probably encrypted on the modern LUKS2 format, then it will not be recognized.

Slackware 14.2 provides cryptsetup-1.7.1. As far as I can tell, that means Slackware is using LUKS1 and not LUKS2.

Slackware 14.2 uses GRUB 2.00, while the V2P uses 2.02. I don't know if the differences affect anything related to LUKS.

I am considering a fresh install into an encrypted partition and then diff that with the converted V2P. Everything I have read indicates I need to create my partition scheme before installing because the installers are limited with support for complex partitioning with encryption. Not a big deal, just that my schedule limits my time working on this project. Same challenge all of us face every day.

When I try that I will create separate partitions for /boot and / and encrypt only /. I think a separate /boot just for the new system is needed so I can chainload from my Slackware GRUB. I need to use chainload so I don't have to manually update the Slackware GRUB with changes in the new system.

I need a working system soon. As mentioned in my previous post, for the short term I am going to encrypt /home. I will post updates as I can.

Darth Vader · 05-16-2018, 12:07 PM

Well, I would love to see the news.

I for one, I consider a very interesting subject this thread. Thanks for raising it up!

upnort · 08-05-2018, 12:26 PM

Quote:

Well, I would love to see the news.

This turned out to be an interesting exercise. Read more here. A two-part post so follow the link at the end. Considering those posts, I'll tag this thread as solved.

Richard Cranium · 08-06-2018, 08:31 PM

I've gone the route of using LVM on my laptops and using LUKS to encrypt the physical volume the laptop uses for all the logical volumes. (None of my laptops can handle multiple hard drives.) If I put my swap on a logical volume (and I do on my laptops), then everything is encrypted other than the /boot partition.

You aren't using a laptop, but the steps are the same.

FWIW, here's my fstab and other information:

Code:

cranium@toshiba:~$ cat /etc/fstab
/dev/cryptvg/swaplv swap             swap        defaults         0   0
/dev/cryptvg/rootlv /                ext4        defaults         1   1
/dev/sda1        /boot            ext2        defaults         1   2
/dev/cryptvg/homelv /home            jfs       defaults         1   2
/dev/cryptvg/optlv /opt             ext4        defaults         1   2
/dev/cryptvg/tmplv /tmp             ext4        defaults         1   2
/dev/cryptvg/usrlv /usr             ext4        defaults         1   2
/dev/cryptvg/varlv /var             ext4        defaults         1   2
/dev/cryptvg/varloglv /var/log         ext4        defaults         1   2
/dev/cryptvg/usrlocallv /usr/local ext4       defaults,journal_async_commit 1 2
devpts           /dev/pts         devpts      gid=5,mode=620   0   0
proc             /proc            proc        defaults         0   0
tmpfs            /dev/shm         tmpfs       defaults         0   0
debugfs          /sys/kernel/debug debugfs    defaults         0   0
cranium@toshiba:~$

Code:

root@toshiba:~# pvs
  PV                   VG      Fmt  Attr PSize   PFree 
  /dev/mapper/lukssda2 cryptvg lvm2 a--  232.38g 66.38g
root@toshiba:~# cd /boot/initrd-tree/
root@toshiba:/boot/initrd-tree# cat luksdev 
/dev/sda2

/dev/sda1 is the /boot partition.