Hi there,
I'm trying to set up a LUKS installation on my laptop. I have the
following partitions:
- /dev/nvme0n1p1 - efi
- /dev/nvme0n1p2 - boot
- /dev/nvme0n1p3 - root (luks)
The appropriate UUIDs are:
/dev/nvme0n1p3: UUID="10619912-5aa0-4698-b058-fdc3477a797c"
/dev/mapper/cryptroot UUID="4bb876e8-8788-4d79-89f7-6e92158973f0"
So my Linux command line in grub is as follows:
linux /vmlinuz-lts ro quiet dmcrypt=cryptroot
cryptroot=UUID=10619912-5aa0-4698-b058-fdc3477a797c
root=UUID=4bb876e8-8788-4d79-89f7-6e92158973f0 rootfstype=ext4
The root= parameter is automatically added by grub-mkconfig but it seems
good anyway.
I have the following features in mkinitfs.conf:
features="ata base cdrom cryptsetup ext4 keymap kms mmc nvme scsi usb"
I have the following /etc/fstab:
/dev/nvme0n1p2 /boot ext4 defaults 0 1
/dev/nvme0n1p1 /boot/efi vfat defaults 0 1
/dev/mapper/cryptroot / ext4 defaults 0 1
Then, at boot it asks properly for the /dev/nvme0n1p3 device but
afterwards it says:
Mounting of UUID=4bb876e8-8788-4d79-89f7-6e92158973f0 on /sysroot
failed: No such file or directory
The weird thing is that /dev/mapper/ is empty at this step (being in the
recovery shell). If I manually open the device, it is listed.
# cryptsetup open /dev/nvme0n1p3 cryptroot
-> /dev/mapper/cryptroot exists
What am I missing to boot my Alpine 3.11 correctly?
Regards,
Hey David, you might be interested in this alpine-conf patch I've been
working on:
https://lists.alpinelinux.org/~alpine/devel/patches/3214
It'll prompt you during setup-alpine to add encryption to sys installs.
To do an installation with this patch...
1. Boot up the install media
2. Run setup-interfaces
3. service networking start
4. Run setup-apkrepos
5. apk add alpine-sdk curl
6. git clone https://git.alpinelinux.org/alpine-conf
7. cd alpine-conf
8. curl -s https://lists.alpinelinux.org/~alpine/devel/patches/3214/mbox | git am -3
9. make install
10. setup-alpine (finish installation normally)
Let me know if it works well for you.
On Sat, 2020-01-11 at 09:25 -0500, Drew DeVault wrote:
> Hey David, you might be interested in this alpine-conf patch I've
> been working on:
>
> https://lists.alpinelinux.org/~alpine/devel/patches/3214
>
> It'll prompt you during setup-alpine to add encryption to sys
> installs.
> To do an installation with this patch...
Thanks, I keep this on my table.
For now I was unable to boot my system, I just inverted the kernel
command line cryptdm <-> dmcrypt. What's interesting though is that the
package/project name is definitely dmcrypt but not its kernel
parameter.
Consistency, at its best. :-!
Cheers,
--
David
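
Added example (not part of any message in this thread): a POSIX sh check that lints a kernel command line for the LUKS-root options discussed above. It assumes the option names cryptroot= and cryptdm= read by Alpine's mkinitfs init script; the function names and the corrected sample line are constructed for illustration.

```shell
#!/bin/sh
# Lint a kernel command line for an encrypted root on Alpine.
# Assumption: the initramfs reads cryptroot= (LUKS container) and
# cryptdm= (mapper name); dmcrypt= is not one of its options.

# Print the value of option $1 in command line $2 (nothing if absent).
cmdline_get() {
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Print one line per problem; return 0 only when none were found.
check_luks_cmdline() {
    cmdline=$1
    problems=0
    cryptroot=$(cmdline_get cryptroot "$cmdline")
    cryptdm=$(cmdline_get cryptdm "$cmdline")
    rootdev=$(cmdline_get root "$cmdline")

    if [ -z "$cryptroot" ]; then
        echo "missing cryptroot=<LUKS partition>"; problems=1
    fi
    if [ -z "$cryptdm" ]; then
        echo "missing cryptdm=<mapper name>, nothing will appear in /dev/mapper"
        problems=1
    fi
    case " $cmdline " in
        *" dmcrypt="*)
            echo "unrecognised option dmcrypt=, the mapper name goes in cryptdm="
            problems=1 ;;
    esac
    if [ -n "$cryptroot" ] && [ "$rootdev" = "$cryptroot" ]; then
        echo "root= names the LUKS container, not the filesystem inside it"
        problems=1
    fi
    return "$problems"
}

# Constructed samples: the command line from the first message, and the
# same line with dmcrypt= replaced by cryptdm=.
SAMPLE_BAD="ro quiet dmcrypt=cryptroot cryptroot=UUID=10619912-5aa0-4698-b058-fdc3477a797c root=UUID=4bb876e8-8788-4d79-89f7-6e92158973f0 rootfstype=ext4"
SAMPLE_GOOD="ro quiet cryptroot=UUID=10619912-5aa0-4698-b058-fdc3477a797c cryptdm=cryptroot root=UUID=4bb876e8-8788-4d79-89f7-6e92158973f0 rootfstype=ext4"

check_luks_cmdline "$SAMPLE_BAD" || true
```

On a running system the same check can be pointed at the live command line with check_luks_cmdline "$(cat /proc/cmdline)".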
On 11/01/2020 at 15:25, Drew DeVault wrote:
> Hey David, you might be interested in this alpine-conf patch I've been
> working on:
>
> https://lists.alpinelinux.org/~alpine/devel/patches/3214
>
> It'll prompt you during setup-alpine to add encryption to sys installs.
> To do an installation with this patch...
>
> 1. Boot up the install media
> 2. Run setup-interfaces
> 3. service networking start
> 4. Run setup-apkrepos
> 5. apk add alpine-sdk curl
> 6. git clone https://git.alpinelinux.org/alpine-conf
> 7. cd alpine-conf
> 8. curl -s https://lists.alpinelinux.org/~alpine/devel/patches/3214/mbox | git am -3
> 9. make install
> 10. setup-alpine (finish installation normally)
>
> Let me know if it works well for you.
>
Hello Drew,
Sorry for the extreme delay, I'll try this as soon as possible :-).
I saw that you hardcoded --type luks2 (which seems a sane default). Do
you think it's worth adding a new question for the type and use luks2 by
default?
--
David
Hi,
On 2020-01-24 10:20:15 +0100, David Demelier wrote:
> I saw that you hardcoded --type luks2 (which seems a sane default). Do you
> think it's worth adding a new question for the type and use luks2 by
> default?
IMHO asking which luks to use would be nice. luks2 is still fairly new
and for example grub landed support for it just 14 days back (
365e0cc3e7e44151c14dd29514c2f870b49f9755 ). Also older cryptsetups (from
live CD and such) might not speak luks2 as well.
So giving the user the choice (since there are no security holes in luks1)
would in my opinion be a good thing to do.
W.
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
LUKS2 is 3 years old now, and included in every still-supported release
of Alpine Linux, plus several now unsupported releases. It's more secure
and we should use it by default going forward.