encrypted boot won't work
From: jnqnfe
Subject: encrypted boot won't work
Date: Fri, 28 Feb 2020 07:35:49 +0000
User-agent: Evolution 3.34.1-4
I decided to play with having an encrypted /boot on an old system, but I
cannot boot with it and I don't know why. Please advise.
The system has UEFI. The disk uses GPT. GRUB version is 2.04-5
(Debian).
Procedure followed:
- The system already had encrypted root (LUKS v2)
- I am aware that GRUB currently only supports LUKS v1 for encrypted
/boot
1) made a backup of all contents of /boot (excluding /boot/efi)
2) unmounted /boot/efi and /boot
3) overwrote /dev/sda2 (/boot) with cryptsetup as a new LUKS v1 volume
4) opened the new encrypted /dev/sda2
5) created an ext4 filesystem inside it
6) copied all of the backed up files into it
7) ensured that the ownership and permissions of all of them were
correct (comparing with another system)
8) remounted as /boot
9) remounted /dev/sda1 as /boot/efi
10) added an entry to /etc/crypttab
11) adjusted /etc/fstab
12) ran `update-initramfs -u` and `update-grub` (not sure which order,
if it matters; pretty sure I've run them each multiple times now anyway)
13) rebooted
Note: below I've replaced the real UUIDs with simple placeholders like
'aaa'.
The partition table looks like this:
```
NAME                    FS     UUID  MOUNT
/dev/sda1               fat32  aaa   /boot/efi
/dev/sda2               -      bbb   -
/dev/sda3               -      ccc   -
/dev/mapper/sda2_crypt  ext4   ddd   /boot
/dev/mapper/sda3_crypt  ext4   eee   /
```
When I boot, I get a prompt like this:
```
attempting to decrypt master key...
enter passphrase for hd0,gpt2 (bbb):
```
but several moments after entering the password I get:
```
error: access denied
error: no such cryptodisk found
error: no such device: ddd
Loading Linux 5.4.0-3-amd64 ...
error: no server specified
Loading initial ramdisk ...
error: you need to load the kernel first
```
crypttab:
```
boot_crypt UUID=bbb none luks
root_crypt UUID=ccc none luks
```
fstab:
```
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/root_crypt / ext4 errors=remount-ro 0 1
/dev/mapper/boot_crypt /boot ext4 errors=remount-ro 0 2
UUID=aaa /boot/efi vfat umask=0077 0 2
/dev/sr1 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sr0 /media/cdrom1 udf,iso9660 user,noauto 0 0
/swapfile none swap defaults 0 0
```
/boot/grub.cfg (autogenerated) looks like this (stripped down):
```
insmod luks
insmod cryptodisk
...
if [ x$feature_default_font_path = xy ] ; then
  font=unicode
else
  insmod ext2
  set root='hd0'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0 eee
  else
    search --no-floppy --fs-uuid --set=root eee
  fi
  font="/usr/share/grub/unicode.pf2"
fi
...
insmod ext2
set root='hd0'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0 eee
else
  search --no-floppy --fs-uuid --set=root eee
fi
...
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-eee' {
  ...
  insmod cryptodisk
  insmod luks
  insmod gcry_rijndael
  insmod gcry_rijndael
  insmod gcry_sha256
  insmod ext2
  cryptomount -u bbb
  set root='cryptouuid/bbb'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0 --hint='cryptouuid/bbb' ddd
  else
    search --no-floppy --fs-uuid --set=root ddd
  fi
  echo 'Loading Linux 5.4.0-3-amd64 ...'
  linux /vmlinuz-5.4.0-3-amd64 root=UUID=eee ro cryptdevice=/dev/sda3:root root=/dev/mapper/root_crypt quiet
  echo 'Loading initial ramdisk ...'
  initrd /initrd.img-5.4.0-3-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-eee' {
  ...
}
...
```
I can unlock /dev/sda2 fine with cryptsetup in a live environment (as
well as /dev/sda3), so it surely cannot be as simple as entering the
wrong password...
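The first line of the boot output above, "access denied", is what GRUB's `cryptomount` reports when the passphrase opens none of the key slots of the header it was pointed at; the later errors follow from it, because `set root='cryptouuid/bbb'` and the `search` for ddd then have nothing to find, so `$root` never points at /boot. Two things worth checking offline before blaming the passphrase are whether the header is something GRUB 2.04's luks module can open at all (LUKS1, with cipher/mode/hash parameters for which grub.cfg loads `gcry_*` modules), and whether the UUID in `cryptomount -u` is the header UUID with the dashes removed, which is the form grub-mkconfig writes and GRUB compares. The script below is an added example, not from the original post or from GRUB or cryptsetup. It works on the text of `cryptsetup luksDump <device>` and of grub.cfg; the two header dumps and the grub.cfg fragment embedded in it are constructed stand-ins, not the poster's real data.

```shell
#!/bin/sh
# Added example, not from the original post or from GRUB/cryptsetup:
# offline sanity checks for an encrypted /boot under GRUB 2.04.
# It works on the text of `cryptsetup luksDump <device>` and of grub.cfg,
# so it can be run from a live environment or on saved copies.

# Constructed stand-in for `cryptsetup luksDump /dev/sda2` (LUKS1 volume
# with Debian's default aes/xts-plain64/sha256 parameters).
DUMP_LUKS1='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
UUID:           1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d
'

# Constructed stand-in for a LUKS2 header, which GRUB 2.04 cannot open.
DUMP_LUKS2='LUKS header information
Version:        2
UUID:           99999999-0000-4000-8000-000000000001
'

# Constructed fragment of the menuentry grub-mkconfig generates.
GRUBCFG='insmod cryptodisk
insmod luks
cryptomount -u 1b2c3d4e5f604a7b8c9d0e1f2a3b4c5d
search --no-floppy --fs-uuid --set=root ddd
'

# luks_field DUMP LABEL: value of the "LABEL:" line of a luksDump text.
luks_field() {
    printf '%s\n' "$1" | awk -F: -v k="$2" \
        '$1 == k { v = $2; sub(/^[ \t]+/, "", v); print v; exit }'
}

# grub_uuid UUID: the dashless form grub-mkconfig writes into
# `cryptomount -u`, which GRUB's cryptodisk code compares against.
grub_uuid() {
    printf '%s\n' "$1" | tr -d '-'
}

# cryptomount_uuid CFG: the UUID argument of the first `cryptomount -u`.
cryptomount_uuid() {
    printf '%s\n' "$1" | awk '$1 == "cryptomount" && $2 == "-u" { print $3; exit }'
}

# grub_boot_check DUMP CFG: print one line per finding and return the
# number of findings (0 means nothing here explains an "access denied").
grub_boot_check() {
    n=0
    ver=$(luks_field "$1" Version)
    if [ "$ver" != 1 ]; then
        echo "FAIL: LUKS version '$ver': GRUB 2.04's luks module only opens LUKS1"
        n=$((n + 1))
    else
        # The gcry_rijndael + gcry_sha256 insmods grub-mkconfig emits cover
        # aes/xts-plain64/sha256; other parameters need their own gcry_* modules.
        params="$(luks_field "$1" "Cipher name")/$(luks_field "$1" "Cipher mode")/$(luks_field "$1" "Hash spec")"
        case $params in
            aes/xts-plain64/sha256) ;;
            *) echo "WARN: $params is not aes/xts-plain64/sha256; confirm grub.cfg loads matching gcry_* modules"
               n=$((n + 1)) ;;
        esac
    fi
    want=$(grub_uuid "$(luks_field "$1" UUID)")
    have=$(cryptomount_uuid "$2")
    if [ "$want" != "$have" ]; then
        echo "FAIL: grub.cfg runs 'cryptomount -u $have' but the header UUID is $want"
        n=$((n + 1))
    fi
    return $n
}

# Stand-alone run over both constructed headers.
echo "== LUKS1 header"; grub_boot_check "$DUMP_LUKS1" "$GRUBCFG" || echo "$? finding(s)"
echo "== LUKS2 header"; grub_boot_check "$DUMP_LUKS2" "$GRUBCFG" || echo "$? finding(s)"
```

On a real system, run it from a live environment as `grub_boot_check "$(cryptsetup luksDump /dev/sda2)" "$(cat /path/to/grub.cfg)"` against the generated grub.cfg. If both checks pass, verify the passphrase itself non-interactively with `cryptsetup open --test-passphrase /dev/sda2`, and keep in mind that GRUB reads the passphrase with its own keymap (US layout unless a keymap was loaded), so a passphrase containing characters that sit on different keys under the Linux layout can work with cryptsetup and still fail in GRUB.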