root encryption with LUKS: root partition not found

3

1

The layout of my only disk is the following:

/dev/sda1 for the plaintext boot partition
/dev/sda2 for the encrypted root partition

My system is ArchLinux and I followed this guide to set up root encryption (no lvm, no raid). Here is what I did: ran cryptsetup on /dev/sda2 and mapped it into /dev/mapper/cryptroot

My /etc/fstab looks like this:

UUID=of /dev/mapper/cryptroot / ext4 rw,relatime,data=ordered,discard 0 1
UUID=of /dev/sda1 /boot ext4 rw,relatime,data=ordered,discard 0 2

In my /etc/default/grub I altered one single line to be: GRUB_CMDLINE_LINUX="cryptdevice=UUID of /dev/sda2:cryptroot:allow-discards"

In the /etc/mkinitcpio.conf the hooks look like this: HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"

Finally, I did not forget to run mkinitcpio -p linux and grub-mkconfig -o /boot/grub/grub.cfg respectively.

I have enumerated my actions in such a brisk manner because I have previously been successful at configuring encryption for my root fs. So, in the end I get the following error:

ERROR: device *UUID of /dev/mapper/cryptroot* not found. Skipping fsck.
ERROR: unable to find root device *UUID of /dev/mapper/cryptroot*
You are being dropped into recovery shell

The weird thing is that it attempts to look for the unencrypted /dev/mapper/cryptroot and yet it doesn't ask me for the password (which I created when cryptsetup'ing on /dev/sda2 at the beginning). So, naturally it cannot find the unencrypted block device because it did not ask me for its password in the first place. Could you please tell me what I have configured wrong?

alisianoi

Posted 2015-05-30T19:55:51.317

Reputation: 213

Answers

2

I had success with cryptdevice=/dev/disk/by-uuid/<UUID_OF_LOGICAL_DEVICE>:cryptroot root=/dev/mapper/cryptroot for the additional kernel options in GRUB.

It's worth noting that if you're doing this without precision of copying and pasting the UUID (such as in a console/tty), you might have typo'd that. Here's a one-liner, that also sucks to type from console, but might prove easier.

sed "s/\(GRUB_CMDLINE_LINUX=\"\)/\1cryptdevice=\/dev\/disk\/by-uuid\/$(blkid -o value -s UUID /dev/<LOGICAL_DEVICE>):cryptroot root=\/dev\/mapper\/cryptroot/" /etc/default/grub > ~/grub.defaults && mv ~/grub.defaults /etc/default/grub

Erin Schoonover

Posted 2015-05-30T19:55:51.317

Reputation: 280
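Added example, not part of the answer above: a shell check for the UUID typo that answer warns about, comparing the cryptdevice= value in a GRUB defaults file with the LUKS container's real UUID. It assumes a double-quoted GRUB_CMDLINE_LINUX line as shown on this page; the function names and the sample UUID are made up for the illustration.

```shell
#!/bin/sh
# Added example: check that cryptdevice= in /etc/default/grub names the LUKS
# container's UUID and that root= (if a mapper path) uses the same name.

# extract_param FILE KEY: print KEY's value from the GRUB_CMDLINE_LINUX line.
extract_param() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" |
        tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_cryptdevice FILE EXPECTED_UUID
# Prints a diagnosis. Returns 0 = consistent, 1 = missing/malformed,
# 2 = UUID mismatch, 3 = root= names a different mapper device.
check_cryptdevice() {
    crypt=$(extract_param "$1" cryptdevice)
    root=$(extract_param "$1" root)
    case "$crypt" in
        *:*) ;;
        *) echo "cryptdevice=<device>:<name> not found"; return 1 ;;
    esac
    device=${crypt%%:*}      # part before the first colon
    rest=${crypt#*:}
    name=${rest%%:*}         # mapper name, options (if any) stripped
    case "$device" in
        UUID=*)              uuid=${device#UUID=} ;;
        /dev/disk/by-uuid/*) uuid=${device#/dev/disk/by-uuid/} ;;
        *) echo "cryptdevice does not reference a UUID: $device"; return 1 ;;
    esac
    if [ "$uuid" != "$2" ]; then
        echo "UUID mismatch: grub has $uuid, expected $2"; return 2
    fi
    # root= may be absent here (grub-mkconfig supplies its own); only a
    # /dev/mapper path that names another device is an error.
    case "$root" in
        /dev/mapper/*)
            if [ "$root" != "/dev/mapper/$name" ]; then
                echo "root=$root does not match mapper name $name"; return 3
            fi ;;
    esac
    echo "ok"
}

# Demo on a constructed file; the UUID is a made-up sample value.
sample=$(mktemp)
uuid_sample=1b2c3d4e-0000-4000-8000-aabbccddeeff
echo "GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$uuid_sample:cryptroot:allow-discards\"" > "$sample"
check_cryptdevice "$sample" "$uuid_sample"
rm -f "$sample"
```

On the asker's layout the real call would be check_cryptdevice /etc/default/grub "$(blkid -o value -s UUID /dev/sda2)", run before grub-mkconfig.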

0

You are missing /etc/crypttab; the cpio hooks are pointing to a partition the OS is unaware of.

/etc/crypttab

%{UUID of /dev/mapper/cryptroot} / ext4 rw,relatime,data=ordered,discard,luks - 0 1

then rerun grub update

linuxdev2013

Posted 2015-05-30T19:55:51.317

Reputation: 1 051

the ' - ' is intentional and forces password interrogation short of a valid keyfile for a valid active keySlot – linuxdev2013 – 2015-05-30T20:04:27.663

Thank you, but crypttab contains a comment "do not list your root (/) partition here, it must be set up beforehand by the initramfs (/etc/mkinitcpio.conf)" which I understand to be the reference to the fact that you have to add a hook. Do I misunderstand this comment? – alisianoi – 2015-05-30T20:05:39.690

By the way, your current answer uses some hybrid of /etc/fstab and /etc/crypttab syntax, see the example for /etc/crypttab here – alisianoi – 2015-05-30T20:11:14.960

/etc/crypttab is located on the very root partition that fails to decrypt, so this can't be a solution to decrypt it. – regular – 2018-02-17T14:07:53.360