Slackware: This Forum is for the discussion of Slackware Linux.
I am missing the big picture with configuring GRUB and LUKS on Slackware. I have reviewed README_CRYPT.TXT. I am trying to chainload a second encrypted distro.
Slackware 14.2 64-bit. Using GRUB 2.00 from 14.2. Slackware is not encrypted. I am not using LVM. Disk is SSD with GPT. Lenovo T400 laptop with 4 GB RAM and Core Duo P8400 (no AES support). Old style BIOS.
I converted a virtual machine to physical (V2P). I want this partition LUKS encrypted. There are no issues with the V2P -- that all went fine without issues.
When I select this menu option I am prompted to enter the passphrase. Most times the system hangs with no feedback after typing the passphrase and I have to power down to recover. Sometimes when I type the passphrase the system reboots. Sometimes the passphrase succeeds, I see Slot 0 opened, but I am informed of an invalid signature and I need to load the kernel.
This is my first effort with disk encryption. Just never had a need until now.
I think this is a chicken-and-egg thing. I can't get into the converted VM inside an encrypted partition so I can run grub-install correctly. If I now understand correctly, I need to create a separate unencrypted /boot partition. My RTFM understanding is /boot can be encrypted too but because I am converting a VM rather than performing a fresh install, I might need that intermediate step. After I get that far I might be able to merge /boot back into the encrypted partition. Maybe not. I'm just not experienced enough to know.
Another option might be to move /home to a separate encrypted partition and then not encrypt the system partition. Encrypting only /home might be good enough. My encryption need is not providing direct access to SSH key pairs, stored passwords, etc.
That latter approach is doable but I'd rather have everything but /boot encrypted.
The first experience is always the hardest. I am trying to learn as much as practical. At work we have several laptops used in the field. None have encryption.
The above error would seem to be a pretty good indication that Grub doesn't understand the filesystem. When you created the new encrypted system, did it include a separate boot partition or did you have the boot directory in the / (root) filesystem partition? You indicate in your first post that you are using GPT on the base Slackware install but not whether it is EFI or you have a BIOS boot partition, which is it? You might try adding to the grub menuentry: insmod part_gpt and changing your set root line to include it: set root=(hd0,gpt7)
I don't use LVM or encryption but, my understanding is that historically, both needed a separate boot partition and Grub supposedly is now able to access encrypted partitions but I haven't seen much success with it. Maybe a newer version of Grub?
Was the install on the virtual machine using Grub2 to boot? If so, access it from the main Slackware and take a look at the menuentry in the /boot/grub/grub.cfg file. It may be possible to copy it and modify it to fit its current location.
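The suggestion above (load part_gpt, point root at the GPT slot, reuse the other system's menuentry) can be turned into a hand-off entry that the Slackware GRUB never needs to edit again: instead of copying the kernel lines, the entry runs the second distro's own grub.cfg from its unencrypted /boot. The script below is an added example, not code from anyone in this thread or from Slackware or GRUB; it assumes a hypothetical layout of BIOS boot on a GPT disk with the second distro's /boot on (hd0,gpt7), and the function name, the optional UUID argument and the /etc/grub.d/40_custom usage are my assumptions.

```sh
#!/bin/sh
# Added example (not from this thread, Slackware or GRUB).
# Generates a GRUB 2 menuentry that hands control to a second distro's own
# grub.cfg on its separate, unencrypted /boot partition. Because the entry only
# names the partition and the config file, kernel updates on that distro never
# require touching the Slackware grub.cfg.
# Assumed (hypothetical) layout: BIOS boot, GPT disk, other /boot on (hd0,gpt7).

# make_handoff_entry TITLE GRUB_DEVICE [FS_UUID]
# Prints the menuentry on stdout. part_gpt must be loaded before GRUB can
# address a gptN slot; ext2 covers an ext2/3/4 /boot. If a filesystem UUID is
# given, the entry re-selects root by UUID, which survives disk reordering.
make_handoff_entry() {
    title=$1; dev=$2; uuid=${3:-}
    case $title in
        *\"*) echo "make_handoff_entry: title must not contain double quotes" >&2
              return 1 ;;
    esac
    case $dev in
        "("hd[0-9]*,gpt[0-9]*")") ;;
        *) echo "make_handoff_entry: GRUB device must look like (hd0,gpt7), got '$dev'" >&2
           return 1 ;;
    esac
    echo "menuentry \"$title\" {"
    echo "    insmod part_gpt"
    echo "    insmod ext2"
    echo "    set root=$dev"
    if [ -n "$uuid" ]; then
        echo "    search --no-floppy --fs-uuid --set=root $uuid"
    fi
    # On a separate /boot partition the other system's config is /grub/grub.cfg
    echo "    configfile /grub/grub.cfg"
    echo "}"
}

# Typical use on the Slackware side (as root), then regenerate grub.cfg:
#   make_handoff_entry "Second distro" "(hd0,gpt7)" >> /etc/grub.d/40_custom
#   grub-mkconfig -o /boot/grub/grub.cfg
```

Using configfile rather than chainloader also means the second distro's GRUB does not have to be installed into any boot sector at all; only its grub.cfg has to exist on the unencrypted /boot, which avoids the chicken-and-egg problem of running grub-install from inside the encrypted system.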
When you created the new encrypted system, did it include a separate boot partition or did you have the boot directory in the / (root) filesystem partition?
While I did not explicitly share, my previous post implies no separate boot.
Quote:
You indicate in your first post that you are using GPT on the base Slackware install but not whether it is EFI or you have a BIOS boot partition, which is it?
In my original post I wrote "Old style BIOS."
For the short term I am going to extract /home from the V2P, create a separate partition for /home, and encrypt that partition rather than the entire V2P. I'll post an update when I make progress.
From what I know, when the root filesystem is encrypted, you must have a separate /boot partition, which is not encrypted.
Maybe GRUB2 is capable of unlocking and looking for files in an encrypted filesystem, but GRUB2 itself and its extensions, I believe, should stay in a non-encrypted partition.
Also, GRUB2 is a modular bootloader, and somewhat like a mini-operating system, so I think all the files it uses, and its modules (i.e. "luks"), should be available in that non-encrypted partition, otherwise it will not be able to find them.
On the other hand, maybe you should look at whether there is a difference between the LUKS formats recognized by the GRUB2 infrastructure and the ones used by Slackware itself.
However, I wonder: why this solution?
Whatever bootloader you use, either LILO, SYSLINUX (EXTLINUX) or GRUB(2), from what I know the usage of system encryption is about using a separate boot partition (or device; my favorite is booting from a USB flash drive), from where the bootloader reads a particular kernel and initrd. That initrd does the root partition unlocking, after all.
Code:
# Unlock any encrypted partitions necessary to access the
# root filesystem, such as encrypted LVM Physical volumes, disk
# partitions or mdadm arrays.
# Unavailable devices such as LVM Logical Volumes will need to be
# deferred until they become available after the vgscan.
if [ -x /sbin/cryptsetup ]; then
  # Determine if we have to use a LUKS keyfile:
  if [ ! -z "$LUKSKEY" ]; then
    mkdir /mountkey
    KEYPART=$(echo $LUKSKEY |cut -f1 -d:)
    KEYNAME=$(echo $KEYPART |cut -f2 -d=)
    LUKSPATH="/mountkey$(echo $LUKSKEY |cut -f2 -d:)"
    # Catch possible mount failure:
    if blkid |grep "TYPE=\"vfat\"" |grep $KEYNAME 1>/dev/null 2>&1 ; then
      MOUNTOPTS="-t vfat -o shortname=mixed"
    else
      MOUNTOPTS="-t auto"
    fi
    mount $MOUNTOPTS $(findfs $KEYPART) /mountkey 2>/dev/null
    # Check if we can actually use this file:
    if [ ! -f $LUKSPATH ]; then
      LUKSKEY=""
    else
      echo ">>> Using LUKS key file: '$LUKSKEY'"
      LUKSKEY="-d $LUKSPATH"
    fi
  fi
  LUKSLIST_DEFERRED=""
  LUKSLIST=$(echo $LUKSDEV | tr -s ':' ' ')
  for LUKSDEV in $LUKSLIST ; do
    if echo $LUKSDEV | grep -q "LABEL=" || echo $LUKSDEV | grep -q "UUID=" ; then
      LUKSDEV=$(findfs $LUKSDEV)
    fi
    if /sbin/cryptsetup isLuks ${LUKSDEV} 1>/dev/null 2>/dev/null ; then
      if echo $ROOTDEV | grep -q "LABEL=" || echo $ROOTDEV | grep -q "UUID=" ; then
        CRYPTDEV="luks$(basename $LUKSDEV)"
      elif [ "x$ROOTDEV" = "x$(basename $ROOTDEV)" ]; then
        CRYPTDEV="$ROOTDEV"
      else
        CRYPTDEV="luks$(basename $LUKSDEV)"
      fi
      if echo $LUKSTRIM | grep -wq $LUKSDEV 2>/dev/null ; then
        LUKSOPTS="--allow-discards"
      else
        LUKSOPTS=""
      fi
      if [ -z "${LUKSOPTS}" ]; then
        echo "Unlocking LUKS encrypted device '${LUKSDEV}' as luks mapped device '$CRYPTDEV':"
      else
        echo "Unlocking LUKS encrypted device '${LUKSDEV}' as luks mapped device '$CRYPTDEV' with '$LUKSOPTS':"
      fi
      /sbin/cryptsetup ${LUKSOPTS} ${LUKSKEY} luksOpen ${LUKSDEV} ${CRYPTDEV} </dev/tty0 >/dev/tty0 2>&1
      if [ "$ROOTDEV" = "$LUKSDEV" -o "$ROOTDEV" = "$CRYPTDEV" ] ; then
        ROOTDEV="/dev/mapper/$CRYPTDEV"
      fi
    else
      LUKSLIST_DEFERRED="${LUKSLIST_DEFERRED} ${LUKSDEV}"
    fi
  done
fi
Did you, in fact, try to avoid using an initrd and a separate boot partition?
Last edited by Darth Vader; 05-16-2018 at 11:36 AM.
Warning: GRUB does not support LUKS2. Do not use LUKS2 on partitions that GRUB needs to access.
That fully explains the OP's adventures. The root filesystem is probably encrypted in the modern LUKS2 format, so it will not be recognized.
So, dear OP, I strongly suggest you use the orthodox way (as used by Slackware), with an unencrypted boot partition and initrd, whatever you use as bootloader.
PS. Meanwhile you can use a flash drive for boot. Works like a charm.
Last edited by Darth Vader; 05-16-2018 at 11:47 AM.
Mount the encrypted partition, chroot into it and then run the grub commands.
I tried that with a Live ISO. I am not a chroot expert but I needed to bind mount proc, /dev, etc. Did not go well. I tried that very late at night so perhaps I was just sleep deprived.
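The chroot route suggested above fails in exactly the way described when the pseudo filesystems are not bound before entering the chroot, because grub-install and grub-mkconfig then cannot see the disks or the device-mapper nodes. The script below is an added example, not code from anyone in this thread or from Slackware; it assumes a hypothetical layout (LUKS root on /dev/sda7, a separate unencrypted /boot on /dev/sda6, the MBR of /dev/sda as the install target, /mnt/target as the mount point), and the RUN variable, which lets the same functions print their commands instead of executing them, is my addition.

```sh
#!/bin/sh
# Added example (not from this thread or from Slackware): reinstall GRUB for a
# system whose root filesystem is LUKS-encrypted, from a live environment.
# Order matters: unlock, mount root, mount /boot, bind /dev /proc /sys (and
# /dev/pts after /dev), only then chroot.
# Hypothetical layout; adjust before use:
ROOT_LUKS=/dev/sda7        # LUKS container holding /
BOOT_PART=/dev/sda6        # separate, unencrypted /boot
DISK=/dev/sda              # where grub-install writes the MBR (BIOS boot)
TARGET=/mnt/target
MAPNAME=cryptroot
# RUN="" executes the commands; RUN=echo only prints them (dry run, used below).
RUN=${RUN:-}

prepare_chroot() {
    $RUN cryptsetup luksOpen "$ROOT_LUKS" "$MAPNAME"
    $RUN mkdir -p "$TARGET"
    $RUN mount "/dev/mapper/$MAPNAME" "$TARGET"
    $RUN mount "$BOOT_PART" "$TARGET/boot"
    # Without these, tools inside the chroot cannot enumerate block devices
    for fs in dev proc sys; do
        $RUN mount --bind "/$fs" "$TARGET/$fs"
    done
    $RUN mount --bind /dev/pts "$TARGET/dev/pts"
}

reinstall_grub() {
    # BIOS boot on a GPT disk needs a BIOS boot partition for the core image;
    # skip grub-install if the Slackware GRUB in the MBR should stay primary
    # and this system is only reached through its own grub.cfg.
    $RUN chroot "$TARGET" grub-install --target=i386-pc "$DISK"
    $RUN chroot "$TARGET" grub-mkconfig -o /boot/grub/grub.cfg
}

teardown_chroot() {
    # Reverse order of the mounts; '' unmounts $TARGET itself
    for m in dev/pts sys proc dev boot ''; do
        $RUN umount "$TARGET/$m"
    done
    $RUN cryptsetup luksClose "$MAPNAME"
}

# Usage (as root from the live system):  sh reinstall-grub.sh go
# Preview first with:                    RUN=echo sh reinstall-grub.sh go
case ${1:-} in
    go) prepare_chroot && reinstall_grub; teardown_chroot ;;
esac
```

Running the preview with RUN=echo prints the exact command sequence, which is a cheap way to confirm the bind mounts come before the chroot and that the disk named in grub-install is the one you intend to overwrite.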
Quote:
The root filesystem is probably encrypted in the modern LUKS2 format, so it will not be recognized.
Slackware 14.2 provides cryptsetup-1.7.1. As far as I can tell, that means Slackware is using LUKS1 and not LUKS2.
Slackware 14.2 uses GRUB 2.00, while the V2P uses 2.02. I don't know if the differences affect anything related to LUKS.
I am considering a fresh install into an encrypted partition and then diff that with the converted V2P. Everything I have read indicates I need to create my partition scheme before installing because the installers are limited with support for complex partitioning with encryption. Not a big deal, just that my schedule limits my time working on this project. Same challenge all of us face every day.
When I try that I will create separate partitions for /boot and / and encrypt only /. I think a separate /boot just for the new system is needed so I can chainload from my Slackware GRUB. I need to use chainload so I don't have to manually update the Slackware GRUB with changes in the new system.
I need a working system soon. As mentioned in my previous post, for the short term I am going to encrypt /home. I will post updates as I can.
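Whether the container is LUKS1 or LUKS2 is visible in the first eight bytes of the header, so it can be checked directly instead of inferred from the cryptsetup version as done above. The script below is an added example, not code from anyone in this thread or from cryptsetup or GRUB; it reads the on-disk header (6-byte magic "LUKS\xba\xbe" followed by a big-endian 16-bit version, and, for LUKS1, three 32-byte NUL-padded strings for cipher name, cipher mode and hash starting at offset 8). The function names and the constructed sample headers are my additions; on a real device the functions need read access to the block device.

```sh
#!/bin/sh
# Added example (not from this thread, cryptsetup or GRUB): report the LUKS
# header version of a block device or header image, so you know before touching
# the bootloader whether a GRUB without LUKS2 support can read it.

# luks_version DEVICE -> prints "1", "2" or "none"; returns 1 for "none".
# Both formats start with the magic 4c 55 4b 53 ba be ("LUKS\xba\xbe") and a
# big-endian 16-bit version number.
luks_version() {
    hdr=$(dd if="$1" bs=1 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $hdr in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none; return 1 ;;
    esac
}

# luks1_cipher DEVICE -> prints "<cipher>-<mode> <hash>", e.g.
# "aes-xts-plain64 sha256". Only meaningful when luks_version printed 1.
luks1_cipher() {
    # LUKS1 phdr: offset 8 cipher name, 40 cipher mode, 72 hash spec,
    # each a 32-byte NUL-padded string; tr strips the padding.
    name=$(dd if="$1" bs=1 skip=8  count=32 2>/dev/null | tr -d '\000')
    mode=$(dd if="$1" bs=1 skip=40 count=32 2>/dev/null | tr -d '\000')
    hash=$(dd if="$1" bs=1 skip=72 count=32 2>/dev/null | tr -d '\000')
    echo "$name-$mode $hash"
}

# make_sample FILE VERSION: writes a constructed header stub (not a real
# volume; only the bytes the two functions above look at).
make_sample() {
    case $2 in
        1) printf 'LUKS\272\276\000\001' > "$1"
           printf '%-32s%-32s%-32s' aes xts-plain64 sha256 | tr ' ' '\000' >> "$1" ;;
        2) printf 'LUKS\272\276\000\002' > "$1" ;;
        *) echo "make_sample: version must be 1 or 2" >&2; return 1 ;;
    esac
}

# Typical use on a real container (as root):
#   luks_version /dev/sda7 && luks1_cipher /dev/sda7
```

A result of 2 on the partition the bootloader has to open is the case the warning above describes; a result of 1 means the header format itself is not the reason the menu entry fails, and the bootloader side (modules, root device, separate /boot) is where to look next.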
This turned out to be an interesting exercise. Read more here. A two-part post so follow the link at the end. Considering those posts, I'll tag this thread as solved.
I've gone the route of using LVM on my laptops and using LUKS to encrypt the physical volume the laptop uses for all the logical volumes. (None of my laptops can handle multiple hard drives.) If I put my swap on a logical volume (and I do on my laptops), then everything is encrypted other than the /boot partition.
You aren't using a laptop, but the steps are the same.