Separate encrypted /boot doesn't mount at boot
by I7sReact from LinuxQuestions.org on (#6EFJR)
I made a Void Linux install, followed their documentation on FDE, and some other places too (Arch Wiki, mutschler.dev, etc.). After finishing it, during boot (kernel loading), the root partition is decrypted and mounted, but the boot partition isn't, so it throws me into emergency mode, where I can decrypt /boot manually and mount it; after that I do an exit and I can boot the system normally.
This is my layout and configs:
Code:
nvme0n1
  nvme0n1p1 -> /boot/efi - vFat (Unencrypted)
  nvme0n1p2 (Encrypted with LUKS1, because of GRUB)
    void_boot -> /boot - EXT4
  nvme0n1p3 (Encrypted with LUKS2, using Argon2id algorithm)
    void_sys -> / -> BTRFS (@, @home, @root, @var)

UUIDs
Code:
/dev/nvme0n1p1: UUID="393E-A2B1"
/dev/nvme0n1p2: UUID="88eca136-19a9-49fa-b9c7-d2a173b5cd76"
/dev/nvme0n1p3: UUID="8505c55a-3e35-4d63-a86f-a7d0c4d743dc"
/dev/mapper/void_sys: UUID="fdf140cc-afbd-444a-8601-1afcf116149f"
/dev/mapper/void_boot: UUID="9517754a-6e5f-4362-9eae-3d3c1c3e878d"

/etc/default/grub
Code:
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=30
GRUB_DISTRIBUTOR="Void"
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc root=UUID=fdf140cc-afbd-444a-8601-1afcf116149f rd.luks.allow-discards rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key resume_offset=1145547"
GRUB_ENABLE_CRYPTODISK=y
# Uncomment to use basic console
#GRUB_TERMINAL_INPUT="console"
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
#GRUB_BACKGROUND=/usr/share/void-artwork/splash.png
#GRUB_GFXMODE=1920x1080x32
#GRUB_DISABLE_LINUX_UUID=true
#GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
GRUB_DISABLE_OS_PROBER=true

/etc/crypttab
Code:
# <name> <device> <password> <options>
void_boot UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76 /etc/luks/unlock.key luks,cipher=serpent-xts-plain64
void_sys UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc /etc/luks/unlock.key luks,cipher=aes-xts-plain64,discard

/etc/fstab
Code:
UUID=fdf140cc-afbd-444a-8601-1afcf116149f / btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=256,subvol=/@ 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /home btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=257,subvol=/@home 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /var btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=258,subvol=/@var 0 0
UUID=fdf140cc-afbd-444a-8601-1afcf116149f /root btrfs rw,relatime,compress=zstd:2,ssd,discard=async,space_cache=v2,commit=120,subvolid=259,subvol=/@root 0 0
UUID=9517754a-6e5f-4362-9eae-3d3c1c3e878d /boot ext4 rw,relatime 0 0
UUID=393E-A2B1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/etc/swapfile none swap defaults,pri=2 0 0

/etc/dracut.conf.d/10-crypt.conf
Code:
install_items+=" /etc/luks/unlock.key /etc/crypttab "

The keyfile I created and configured like this:
Code:
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1
chmod 500 /etc/luks
chmod 400 /etc/luks/unlock.key
cryptsetup luksAddKey /dev/nvme0n1p2 /etc/luks/unlock.key
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/luks/unlock.key

Is it something related to how Runit manages mount points during boot time? Or is it something else?
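
A cross-check of the files quoted in the post, as an added example that is not part of the original post: it lists crypttab volumes that no `rd.luks.uuid=` names, crypttab key files missing from dracut's `install_items`, and `rd.luks.key=` paths that match no crypttab key file. The function names are hypothetical, the sample files are constructed from the post's own lines, and reading the text after the last `=` of `rd.luks.key` as the key path is an assumption.

```shell
# Constructed sample input: the relevant lines of the three files quoted in the post.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
cat > "$work/grub" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 rd.luks.uuid=8505c55a-3e35-4d63-a86f-a7d0c4d743dc root=UUID=fdf140cc-afbd-444a-8601-1afcf116149f rd.luks.allow-discards rd.luks.key=88eca136-19a9-49fa-b9c7-d2a173b5cd76=/boot/unlock.key resume_offset=1145547"
EOF
cat > "$work/crypttab" <<'EOF'
# <name> <device> <password> <options>
void_boot UUID=88eca136-19a9-49fa-b9c7-d2a173b5cd76 /etc/luks/unlock.key luks,cipher=serpent-xts-plain64
void_sys UUID=8505c55a-3e35-4d63-a86f-a7d0c4d743dc /etc/luks/unlock.key luks,cipher=aes-xts-plain64,discard
EOF
cat > "$work/dracut.conf" <<'EOF'
install_items+=" /etc/luks/unlock.key /etc/crypttab "
EOF
# Values of kernel parameter $2 in GRUB_CMDLINE_LINUX_DEFAULT of file $1, one per line.
cmdline_values() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' |
        sed -n "s/^$2=//p"
}

# Names of crypttab ($1) volumes whose UUID no rd.luks.uuid= in $2 lists.
volumes_not_in_cmdline() {
    listed=$(cmdline_values "$2" rd.luks.uuid | sed 's/^luks-//')
    awk '!/^#/ && NF >= 2 { sub(/^UUID=/, "", $2); print $1, $2 }' "$1" |
    while read -r name uuid; do
        printf '%s\n' "$listed" | grep -qxF "$uuid" || echo "$name"
    done
}

# Key files named in crypttab ($1) that install_items in dracut conf $2 omits.
keyfiles_not_in_initramfs() {
    items=$(sed -n 's/^install_items+="\(.*\)"$/\1/p' "$2" | tr ' ' '\n')
    awk '!/^#/ && $3 ~ /^\// { print $3 }' "$1" | sort -u |
    while read -r key; do
        printf '%s\n' "$items" | grep -qxF "$key" || echo "$key"
    done
}

# rd.luks.key paths in $2 matching no crypttab ($1) key file (path = text after last "=").
cmdline_keys_not_in_crypttab() {
    keys=$(awk '!/^#/ && NF >= 3 { print $3 }' "$1")
    cmdline_values "$2" rd.luks.key | sed 's/.*=//' |
    while read -r path; do
        printf '%s\n' "$keys" | grep -qxF "$path" || echo "$path"
    done
}
echo "not in rd.luks.uuid: $(volumes_not_in_cmdline "$work/crypttab" "$work/grub")"
echo "keys not in initramfs: $(keyfiles_not_in_initramfs "$work/crypttab" "$work/dracut.conf")"
echo "rd.luks.key not in crypttab: $(cmdline_keys_not_in_crypttab "$work/crypttab" "$work/grub")"
```

On a live system the same functions take `/etc/crypttab`, `/etc/default/grub` and `/etc/dracut.conf.d/10-crypt.conf` as arguments in place of the sample files.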