Cannot Get Detached LUKS Headers to Boot
by FossilizedDaemon from LinuxQuestions.org on (#6DXHB)
Hello everyone,
I am currently working on writing some installation instructions for a project and part of those instructions is using detached LUKS headers for two factor authenticated booting with cryptsetup. For this project I have been using Void Linux with dracut and syslinux; the initramfs utility and bootloader I know the most about (and prefer). To start this project I wrote out instructions to configure the disk for setups using no encryption and attached LUKS encryption (regular LUKS encryption) to ensure that my broader installation steps were correct. I was able, last I tried, to successfully boot both aformention disk configurations using Void Linux with dracut and syslinux. However, I have not been able to get my detached LUKS headers working.
In terms of the broader installation steps I did a rather regular Void Linux install for all three attempts; only tweaking where needed to accommodate the two different encryption methods (i.e. adding the lvm and dm-crypt modules to dracut along with changing the kernel_cmdline as well as making the needed changes to syslinux). As I said before the first, regular attached LUKS headers, installation worked fine (after some tweaking about). I was able to boot my system and login as root. However, my detached LUKS header system does not boot at all and doesn't even give me any error. The steps for my detached LUKS headers installation are as follows. Note that any environment variables are not used in the actual deployment of these instructions, but rather are stated here for simplicity's sake.
Code:## Log into Void Linux.
root
voidlinux
## Run a newer shell.
bash
## Connect to the internet.
rfkill
ip link set up INTERFACE
wpa_passphrase "ESSID" PASSPHRASE | sudo tee /etc/wpa_supplicant.conf
wpa_supplicant -b -c /etc/wpa_supplicant/wpa_supplicant.conf -i INTERFACE
sv restart dhcpcd
## Install parted.
xbps-install parted
## Format hard drive (1 physical partition).
parted /dev/sda
mktable msdos
unit mib
mkpart primary 1 100%
set 1 boot on
quit
## Format USB flash drive (2 physical partitions).
parted /dev/sdb
mktable msdos
unit mib
mkpart primary 1 512
mkpart primary 512 100%
quit
## Encrypt the system hard drive and store the LUKS header on /dev/sdb2.
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 500 --use-random luksFormat /dev/sda1 --header=/dev/sdb2
cryptsetup luksOpen /dev/sda1 cryptroot --header=/dev/sdb2
## Create the logical volumes.
pvcreate /dev/mapper/cryptroot
vgcreate cryptlvm /dev/mapper/cryptroot
lvcreate --name root -L 50G cryptlvm
lvcreate --name home -l 100%FREE cryptlvm
## Install the file system.
mkfs.ext4 -L root /dev/cryptlvm/root
mkfs.ext4 -L home /dev/cryptlvm/home
mkfs.ext4 -L boot /dev/sdb1
## Mount partitions.
mount /dev/cryptlvm/root /mnt
mkdir /mnt/boot
mkdir /mnt/home
mount /dev/sdb1 /mnt/boot
mount /dev/cryptlvm/home /mnt/home
## Set the appropriate variables.
REPO=https://repo-fastly.voidlinux.org/current/musl
ARCH=x86_64-musl
## Install the system.
XBPS_ARCH=$ARCH xbps-install -S -R "$REPO" -r /mnt base-system lvm2 syslinux
## Chroot into the new system.
for dir in dev proc sys run; do mount --rbind /$dir /mnt/$dir; mount --make-rslave /mnt/$dir; done
cp /etc/resolv.conf /mnt/etc/
PS1='(chroot) # ' chroot /mnt/ /bin/bash
## Set hostname.
echo "host" > /etc/hostname
## Configure /etc/fstab
BOOT_UUID=$(blkid -s UUID -o value /dev/sdb1)
ROOT_UUID=$(blkid -s UUID -o value /dev/mapper/cryptlvm-root)
HOME_UUID=$(blkid -s UUID -o value /dev/mapper/cryptlvm-home)
cat <<EOF > /etc/fstab
UUID=$ROOT_UUID / ext4 defaults 0 1
UUID=$BOOT_UUID /boot ext4 defaults 0 2
UUID=$HOME_UUID /home ext4 defaults 0 2
EOF
## Point cryptsetup to the USB flash drive in /etc/crypttab.
cryptroot /dev/sda1 none luks,header=/dev/sdb2
## Edit /etc/dracut.conf
add_dracutmodules+=" lvm crypt "
show_modules="yes"
use_fstab="yes"
hostonly="yes"
kernel_cmdline="rd.luks.key=/dev/sdb2 rd.luks.uuid=luks-xxxx-xxxx-xxxx rd.luks rd.lvm rd.lvm.vg=cryptroot rd.lvm.lv=cryptroot/root root=/dev/mapper/cyptroot rootfstype=ext4
kernel_image="/boot/vmlinuz-$VERSION"
## Install syslinux.
dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr.bin of=/dev/sdb
syslinux --install /dev/sdb1
## Edit /boot/syslinux/syslinux.cfg.
mkdir /boot/syslinux
TIMEOUT 30
ONTIMEOUT main
DEFAULT main
LABEL main
LINUX ../vmlinuz-$VERSION
APPEND root=/dev/mapper/cryptroot cryptdevice=/dev/sdb2 rw
INITRD ../initramfs-linux-$VERSION
## Set the root password.
passwd
## Regenerate initramfs and ensure all packages are installed correctly.
xbps-reconfigure -fa
## Reboot.
exit
shutdown -r nowSadly, as stated before, this does not work and I cannot seem to find the culprit. I have done a lot of internet sleuthing and have found that dracut has had issues in the past with using detached LUKS headers; however, I also have been told that these problems were fixed a few years ago. I cannot find any errors in my syslinux.cfg nor my broader installation steps. The only error type thing I can find is when I boot my PC my BIOS says "No bootable operating system found." Admittedly I am no superuser and by no means an expert. At this point I have hit that crux of being too far into the problem to have the clear mind needed to know what I am missing and what, if anything, I am doing obviously wrong. Does anyone here have some insight regarding detached LUKS headers with dracut and syslinux? I would greatly appreciate any and all advice.
Thank you for your time,
- FossilizedDaemon
I am currently working on writing some installation instructions for a project and part of those instructions is using detached LUKS headers for two factor authenticated booting with cryptsetup. For this project I have been using Void Linux with dracut and syslinux; the initramfs utility and bootloader I know the most about (and prefer). To start this project I wrote out instructions to configure the disk for setups using no encryption and attached LUKS encryption (regular LUKS encryption) to ensure that my broader installation steps were correct. I was able, last I tried, to successfully boot both aformention disk configurations using Void Linux with dracut and syslinux. However, I have not been able to get my detached LUKS headers working.
In terms of the broader installation steps I did a rather regular Void Linux install for all three attempts; only tweaking where needed to accommodate the two different encryption methods (i.e. adding the lvm and dm-crypt modules to dracut along with changing the kernel_cmdline as well as making the needed changes to syslinux). As I said before the first, regular attached LUKS headers, installation worked fine (after some tweaking about). I was able to boot my system and login as root. However, my detached LUKS header system does not boot at all and doesn't even give me any error. The steps for my detached LUKS headers installation are as follows. Note that any environment variables are not used in the actual deployment of these instructions, but rather are stated here for simplicity's sake.
Code:## Log into Void Linux.
root
voidlinux
## Run a newer shell.
bash
## Connect to the internet.
rfkill
ip link set up INTERFACE
wpa_passphrase "ESSID" PASSPHRASE | sudo tee /etc/wpa_supplicant.conf
wpa_supplicant -b -c /etc/wpa_supplicant/wpa_supplicant.conf -i INTERFACE
sv restart dhcpcd
## Install parted.
xbps-install parted
## Format hard drive (1 physical partition).
parted /dev/sda
mktable msdos
unit mib
mkpart primary 1 100%
set 1 boot on
quit
## Format USB flash drive (2 physical partitions).
parted /dev/sdb
mktable msdos
unit mib
mkpart primary 1 512
mkpart primary 512 100%
quit
## Encrypt the system hard drive and store the LUKS header on /dev/sdb2.
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 500 --use-random luksFormat /dev/sda1 --header=/dev/sdb2
cryptsetup luksOpen /dev/sda1 cryptroot --header=/dev/sdb2
## Create the logical volumes.
pvcreate /dev/mapper/cryptroot
vgcreate cryptlvm /dev/mapper/cryptroot
lvcreate --name root -L 50G cryptlvm
lvcreate --name home -l 100%FREE cryptlvm
## Install the file system.
mkfs.ext4 -L root /dev/cryptlvm/root
mkfs.ext4 -L home /dev/cryptlvm/home
mkfs.ext4 -L boot /dev/sdb1
## Mount partitions.
mount /dev/cryptlvm/root /mnt
mkdir /mnt/boot
mkdir /mnt/home
mount /dev/sdb1 /mnt/boot
mount /dev/cryptlvm/home /mnt/home
## Set the appropriate variables.
REPO=https://repo-fastly.voidlinux.org/current/musl
ARCH=x86_64-musl
## Install the system.
XBPS_ARCH=$ARCH xbps-install -S -R "$REPO" -r /mnt base-system lvm2 syslinux
## Chroot into the new system.
for dir in dev proc sys run; do mount --rbind /$dir /mnt/$dir; mount --make-rslave /mnt/$dir; done
cp /etc/resolv.conf /mnt/etc/
PS1='(chroot) # ' chroot /mnt/ /bin/bash
## Set hostname.
echo "host" > /etc/hostname
## Configure /etc/fstab
BOOT_UUID=$(blkid -s UUID -o value /dev/sdb1)
ROOT_UUID=$(blkid -s UUID -o value /dev/mapper/cryptlvm-root)
HOME_UUID=$(blkid -s UUID -o value /dev/mapper/cryptlvm-home)
cat <<EOF > /etc/fstab
UUID=$ROOT_UUID / ext4 defaults 0 1
UUID=$BOOT_UUID /boot ext4 defaults 0 2
UUID=$HOME_UUID /home ext4 defaults 0 2
EOF
## Point cryptsetup to the USB flash drive in /etc/crypttab.
cryptroot /dev/sda1 none luks,header=/dev/sdb2
## Edit /etc/dracut.conf
add_dracutmodules+=" lvm crypt "
show_modules="yes"
use_fstab="yes"
hostonly="yes"
kernel_cmdline="rd.luks.key=/dev/sdb2 rd.luks.uuid=luks-xxxx-xxxx-xxxx rd.luks rd.lvm rd.lvm.vg=cryptroot rd.lvm.lv=cryptroot/root root=/dev/mapper/cyptroot rootfstype=ext4
kernel_image="/boot/vmlinuz-$VERSION"
## Install syslinux.
dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr.bin of=/dev/sdb
syslinux --install /dev/sdb1
## Edit /boot/syslinux/syslinux.cfg.
mkdir /boot/syslinux
TIMEOUT 30
ONTIMEOUT main
DEFAULT main
LABEL main
LINUX ../vmlinuz-$VERSION
APPEND root=/dev/mapper/cryptroot cryptdevice=/dev/sdb2 rw
INITRD ../initramfs-linux-$VERSION
## Set the root password.
passwd
## Regenerate initramfs and ensure all packages are installed correctly.
xbps-reconfigure -fa
## Reboot.
exit
shutdown -r nowSadly, as stated before, this does not work and I cannot seem to find the culprit. I have done a lot of internet sleuthing and have found that dracut has had issues in the past with using detached LUKS headers; however, I also have been told that these problems were fixed a few years ago. I cannot find any errors in my syslinux.cfg nor my broader installation steps. The only error type thing I can find is when I boot my PC my BIOS says "No bootable operating system found." Admittedly I am no superuser and by no means an expert. At this point I have hit that crux of being too far into the problem to have the clear mind needed to know what I am missing and what, if anything, I am doing obviously wrong. Does anyone here have some insight regarding detached LUKS headers with dracut and syslinux? I would greatly appreciate any and all advice.
Thank you for your time,
- FossilizedDaemon