From: Survey Response
Subject: Full Disk Encryption (including
Date: Sat, 8 Sep 2012 23:03:38 -0700
Hi,
On my USB drive, I have encrypted the entire disk as a single LUKS encrypted partition. I have the grub files on this partition with an ISO image for a Debian-live based distribution. I compiled Grub 2.00 with the necessary crypto modules and left a larger embedding zone before the first LUKS partition to accommodate the larger second-stage bootloader (my core.img is about 44K).

When I boot off this USB drive, GRUB asks me the password initially for the encrypted drive and then gets to the point where it brings up the menu, but I couldn't get it to load the kernel, since I need to pass the kernel the system device for the ISO image (the live-media and fromiso boot parameters below) and I notice that the devices are not available at the time of loading the kernel (or later, for that matter). Can somebody help me figure out what I am doing wrong? Would be much obliged, since I have been spending some time trying to figure this out.

Here is my grub.cfg:

    menuentry 'FDE Live' {
        set isofile="/ISOs/linux.iso"
        # The UUID for the encrypted LUKS partition as obtained by running blkid
        set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d"
        # The UUID for the decrypted ext4 fs in the LUKS partition
        set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008"

        insmod part_msdos
        insmod loopback
        insmod iso9660
        insmod cryptodisk
        insmod luks

        echo 'Mounting encrypted disk ...'
        cryptomount -u ${encryptedfs_uuid}

        echo 'Searching for the root fs in the decrypted fs...'
        set root=(cryptouuid/${encryptedfs_uuid})
        search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid}

        echo 'Setting up a loopback device to the CD image'
        loopback loop $root/$isofile
        set root=loop

        echo 'Loading Linux Kernel ...'
        linux /live/vmlinuz boot=live live-media=/dev/disk/by-uuid/${decryptedfs_uuid} fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128

        echo 'Loading initial ramdisk ...'
        initrd /live/initrd.img
    }

From the debugging output on the console, I see that /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the decryptedfs_uuid) does not exist at the time the Linux kernel is being loaded. I can access this folder from the grub command line using the GRUB drive (cryptouuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso, but I need to be able to reference this in a way the Linux kernel would understand.

Once again, thanks for any help. Pardon any newbie mistakes I may be making. It's a learning experience for me and I am hoping this would be a good exercise in understanding how it all works.

Thanks,
Steve
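As an added example, not part of Steve's post and not GRUB's own code: a small POSIX sh script with two sanity checks a reader building a GRUB-on-LUKS stick like this one might want. The first compares the UUID given to `cryptomount -u` (GRUB 2.00 takes it without dashes, as in the posted config) with the dashed form that blkid prints, after normalizing both. The second checks whether a core.img of a given size fits in the embedding area between the MBR and the first partition, which is the reason the post mentions leaving a larger embedding zone. The sample grub.cfg text, the dashed blkid output, the 45056-byte core.img size (the post's "about 44K") and the partition start sectors are all constructed here for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a GRUB-on-LUKS USB layout (not from the original post).

# GRUB's `cryptomount -u` takes the LUKS UUID with dashes removed, while blkid prints
# it with dashes. Normalize both forms (strip dashes, lowercase hex) before comparing.
normalize_uuid() {
    printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f'
}

# Return 0 if two UUIDs are the same volume, whatever their dash formatting.
uuids_match() {
    [ "$(normalize_uuid "$1")" = "$(normalize_uuid "$2")" ]
}

# Extract the UUID argument of the first `cryptomount -u` line in a grub.cfg text.
# Handles both a literal UUID and a `${var}` reference resolved via a preceding `set var=...`.
cryptomount_uuid() {
    cfg="$1"
    arg=$(printf '%s\n' "$cfg" | sed -n 's/.*cryptomount -u[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n1)
    case "$arg" in
        '${'*'}')
            var=${arg#'${'}
            var=${var%'}'}
            printf '%s\n' "$cfg" | sed -n "s/.*set[[:space:]]*${var}=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" | head -n1
            ;;
        *)
            printf '%s' "$arg"
            ;;
    esac
}

# Return 0 if core.img (size in bytes) fits in the MBR gap. Sector 0 holds the MBR itself,
# so the embedding area is sectors 1 .. first_partition_start-1, i.e. (start-1)*512 bytes.
# A legacy 63-sector first partition leaves 31744 bytes; a 2048-sector start leaves ~1 MiB.
core_img_fits() {
    core_bytes=$1
    first_sector=$2
    avail=$(( (first_sector - 1) * 512 ))
    [ "$core_bytes" -le "$avail" ]
}

# Constructed sample inputs (UUID values taken from the posted grub.cfg).
SAMPLE_CFG='set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d"
insmod cryptodisk
insmod luks
cryptomount -u ${encryptedfs_uuid}'
BLKID_LUKS_UUID="377da681-6e9a-4c70-92ae-9016a719d04d"   # constructed: dashed form as blkid prints it
CORE_IMG_BYTES=45056                                     # "about 44K" core.img from the post

if uuids_match "$(cryptomount_uuid "$SAMPLE_CFG")" "$BLKID_LUKS_UUID"; then
    echo "cryptomount UUID matches the LUKS volume"
else
    echo "cryptomount UUID does NOT match the LUKS volume"
fi
for start in 63 2048; do
    if core_img_fits "$CORE_IMG_BYTES" "$start"; then
        echo "core.img fits with first partition at sector $start"
    else
        echo "core.img does NOT fit with first partition at sector $start (larger embedding zone needed)"
    fi
done
```

The UUID check catches the most common cause of `cryptomount -u` reporting no matching device: pasting blkid's dashed UUID where GRUB 2.00 expects the dashless form. The embedding check shows why a 44K core.img with cryptodisk and luks built in needs more than the 31.5K gap of a legacy 63-sector partition table, while the usual 2048-sector alignment already leaves room.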