Hello, I am attempting to set up an mdadm RAID1 volume encrypted with LUKS2 using LVM and ext4 for /home storage. It has not gone well.
At this point, everything seems correct; however, my system boots, asks for the LUKS password for my root volume (sda3_crypt), I enter it, it works, and the system boots. My passwords for both volumes are the same FWIW. The new encrypted FS (/dev/mapper/beast--vg-home) is automounted and decrypted, and I am able to read and write to it with no issues. At this time, however, it provides no security because no password is required to decrypt it upon boot.
I did try running
Code:
update-initramfs -u -a
to no avail.
/etc/crypttab:
Code:
sda3_crypt UUID=d1caee94-d093-4f2e-a085-a893b439cdd1 none luks,discard
beast UUID=e0e9bc01-1eaa-409d-928d-c112b70b3eca none luks,discard
/etc/fstab:
Code:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/hoss--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda2 during installation
UUID=8c0c9835-8708-4348-96c2-5b9e10dad2a9 /boot ext2 defaults 0 2
# /boot/efi was on /dev/sda1 during installation
UUID=D480-8A29 /boot/efi vfat umask=0077 0 1
/dev/mapper/hoss--vg-home /home ext4 defaults 0 2
/dev/mapper/hoss--vg-swap_1 none swap sw 0 0
/dev/mapper/beast--vg-home /mnt/beast ext4 defaults 0 2
cryptsetup luksDump /dev/md0p1:
Code:
❯ sudo cryptsetup luksDump /dev/md0p1
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           e0e9bc01-1eaa-409d-928d-c112b70b3eca
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  9
        Memory:     1048576
        Threads:    4
        Salt:       e9 4e 94 d8 a9 05 7d 93 1c 7e 69 bd 64 34 b2 ea
                    01 76 91 f9 6f ec 12 a3 5c 98 59 b0 71 32 7e 9b
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 130031
        Salt:       6b 8a 33 5d 16 74 40 bb ae 83 54 45 ce 6e 11 10
                    d3 cf cf 48 fe 9b 40 34 ac c3 ef 86 53 ca 73 8e
        Digest:     26 a4 4f 10 e6 49 8e 84 09 ac 63 53 35 d5 18 0b
                    a8 f1 be 48 0e 32 1b 5d a2 ff b7 44 40 3f d4 cc
lsblk:
Code:
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                       8:0    0 232.9G  0 disk
└─md0                     9:0    0 232.8G  0 raid1
  └─md0p1               259:0    0 190.7G  0 part
    └─beast             253:4    0 190.7G  0 crypt
      └─beast--vg-home  253:5    0   170G  0 lvm   /mnt/beast
sdb                       8:16   0 232.9G  0 disk
└─md0                     9:0    0 232.8G  0 raid1
  └─md0p1               259:0    0 190.7G  0 part
    └─beast             253:4    0 190.7G  0 crypt
      └─beast--vg-home  253:5    0   170G  0 lvm   /mnt/beast
sdc                       8:32   0  58.7G  0 disk
├─sdc1                    8:33   0   512M  0 part  /boot/efi
├─sdc2                    8:34   0   488M  0 part  /boot
└─sdc3                    8:35   0  57.7G  0 part
  └─sda3_crypt          253:0    0  57.7G  0 crypt
    ├─hoss--vg-root     253:1    0  19.5G  0 lvm   /
    ├─hoss--vg-swap_1   253:2    0   976M  0 lvm   [SWAP]
    └─hoss--vg-home     253:3    0  37.2G  0 lvm   /home
sdd                       8:48   0 931.5G  0 disk
└─sdd1                    8:49   0 931.5G  0 part
sde                       8:64   1     0B  0 disk
blkid:
Code:
/dev/mapper/hoss--vg-root: UUID="ed9b20e6-d512-4da1-80ff-3aca5ce9beff" BLOCK_SIZE="4096" TYPE="ext4"
/dev/sdd1: LABEL="Data" BLOCK_SIZE="512" UUID="6448254648251876" TYPE="ntfs" PARTUUID="0000b13f-01"
/dev/sdb: UUID="db22b4e6-0ee4-41a7-aba1-a93fda826d3b" UUID_SUB="8328ad54-c53f-5af0-8404-7f0fb4490dea" LABEL="hoss:0" TYPE="linux_raid_member"
/dev/md0p1: UUID="e0e9bc01-1eaa-409d-928d-c112b70b3eca" TYPE="crypto_LUKS" PARTUUID="e30d6ba1-f943-b54b-9c2c-914593ad14ed"
/dev/mapper/hoss--vg-swap_1: UUID="9555abec-093b-4ed2-b211-be33e9cb2460" TYPE="swap"
/dev/mapper/sda3_crypt: UUID="kFrSyf-1waB-RzXQ-o9hI-BzII-wDsd-GGL5tT" TYPE="LVM2_member"
/dev/sdc2: UUID="8c0c9835-8708-4348-96c2-5b9e10dad2a9" BLOCK_SIZE="1024" TYPE="ext2" PARTUUID="24d21558-e68e-4b5d-b323-fb88750e137b"
/dev/sdc3: UUID="d1caee94-d093-4f2e-a085-a893b439cdd1" TYPE="crypto_LUKS" PARTUUID="61326100-cb6a-4ef8-94b8-70b0748d2d4e"
/dev/sdc1: UUID="D480-8A29" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="f6d051e3-fd1f-46b9-ae6a-bd5da09a584f"
/dev/sda: UUID="db22b4e6-0ee4-41a7-aba1-a93fda826d3b" UUID_SUB="afde4a35-f0e0-7129-ef50-6f7570f97f0f" LABEL="hoss:0" TYPE="linux_raid_member"
/dev/mapper/hoss--vg-home: UUID="aa2e5d9f-0c2e-48f0-a4e1-416b6e0ffe48" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/beast: UUID="Q3GvpK-98sw-b79l-S20v-W8jV-Y9eY-st7R9w" TYPE="LVM2_member"
/dev/mapper/beast--vg-home: UUID="44dd3c0e-44c4-4463-812d-a8ea10873098" BLOCK_SIZE="4096" TYPE="ext4"
df -h:
Code:
Filesystem                  Size  Used Avail Use% Mounted on
udev                         16G     0   16G   0% /dev
tmpfs                       3.2G  2.4M  3.2G   1% /run
/dev/mapper/hoss--vg-root    20G   15G  4.0G  78% /
tmpfs                        16G  1.7M   16G   1% /dev/shm
tmpfs                       5.0M   16K  5.0M   1% /run/lock
/dev/sdc2                   456M  196M  235M  46% /boot
/dev/sdc1                   511M   17M  495M   4% /boot/efi
/dev/mapper/hoss--vg-home    37G   20G   15G  57% /home
/dev/mapper/beast--vg-home  167G   32K  158G   1% /mnt/beast
tmpfs                       3.2G  100K  3.2G   1% /run/user/1000
dmesg | grep -i "error\|warn\|fail":
Code:
[ 0.684651] ERST: Error Record Serialization Table (ERST) support is initialized.
[ 0.707875] i8042: Warning: Keylock active
[ 1.232436] pci 10000:00:02.0: BAR 13: failed to assign [io size 0xb000]
[ 1.232441] pci 10000:00:03.0: BAR 13: failed to assign [io size 0xc000]
[ 1.232448] pci 10000:00:02.0: BAR 13: failed to assign [io size 0xb000]
[ 1.232453] pci 10000:00:03.0: BAR 13: failed to assign [io size 0xc000]
[ 16.607484] iwlwifi 0000:b3:00.0: firmware: failed to load iwl-debug-yoyo.bin (-2)
[ 16.607566] iwlwifi 0000:b3:00.0: firmware: failed to load iwl-debug-yoyo.bin (-2)
[ 16.793598] thermal thermal_zone0: failed to read out thermal zone (-61)
cat /etc/default/grub:
Code:
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""

# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=false

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
/boot/grub/grub.cfg:
Code:
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
  search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
    font="/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
  search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
insmod png
if background_image /grub/.background_cache.png; then
  set color_normal=white/black
  set color_highlight=black/white
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
	set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
	load_video
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_gpt
	insmod ext2
	set root='hd0,gpt2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
	else
	  search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
	fi
	echo	'Loading Linux 6.1.0-20-amd64 ...'
	linux	/vmlinuz-6.1.0-20-amd64 root=/dev/mapper/hoss--vg-root ro quiet
	echo	'Loading initial ramdisk ...'
	initrd	/initrd.img-6.1.0-20-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-20-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-20-amd64-advanced-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt2'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		else
		  search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		fi
		echo	'Loading Linux 6.1.0-20-amd64 ...'
		linux	/vmlinuz-6.1.0-20-amd64 root=/dev/mapper/hoss--vg-root ro quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-20-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-20-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-20-amd64-recovery-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt2'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		else
		  search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		fi
		echo	'Loading Linux 6.1.0-20-amd64 ...'
		linux	/vmlinuz-6.1.0-20-amd64 root=/dev/mapper/hoss--vg-root ro single
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-20-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-18-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-18-amd64-advanced-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt2'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		else
		  search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		fi
		echo	'Loading Linux 6.1.0-18-amd64 ...'
		linux	/vmlinuz-6.1.0-18-amd64 root=/dev/mapper/hoss--vg-root ro quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-18-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-18-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-18-amd64-recovery-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt2'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		else
		  search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
		fi
		echo	'Loading Linux 6.1.0-18-amd64 ...'
		linux	/vmlinuz-6.1.0-18-amd64 root=/dev/mapper/hoss--vg-root ro single
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-18-amd64
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
	fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/35_fwupd ###
### END /etc/grub.d/35_fwupd ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
  source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###
Statistics: Posted by dingletron — 2024-04-24 18:53 — Replies 0 — Views 22
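A check of the two places where a key source other than a typed passphrase is normally configured, /etc/crypttab and the LUKS2 header, run over the values posted above. This is an added example, not part of the original post; the function and variable names are made up here, and it does not look at passphrase caching by the boot-time password prompt.

```shell
#!/bin/sh
# Added example (not from the original post): list how each crypttab mapping
# gets its key, and count LUKS2 header entries that could unlock a volume.

# Reads crypttab text on stdin. Prints "<name> passphrase-prompt" when the key
# field is none/-/empty and no key-source option is set, otherwise
# "<name> other-key-source:<reason>".
audit_crypttab() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        {
            why = ""
            if ($3 != "" && $3 != "none" && $3 != "-") why = "keyfile=" $3
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^(keyscript|tpm2-device)=/)
                    why = why (why == "" ? "" : ",") o[i]
            print $1, (why == "" ? "passphrase-prompt" : "other-key-source:" why)
        }'
}

# Reads `cryptsetup luksDump` text on stdin and prints how many numbered
# entries the section named in $1 (Keyslots, Tokens, Digests) contains.
count_luks2_section() {
    awk -v sec="$1" '
        /^[^ \t]/ { in_sec = ($0 ~ ("^" sec ":[ \t]*$")); next }
        in_sec && /^[ \t]+[0-9]+:/ { n++ }
        END { print n + 0 }'
}

# The two crypttab lines from the post.
POST_CRYPTTAB='sda3_crypt UUID=d1caee94-d093-4f2e-a085-a893b439cdd1 none luks,discard
beast UUID=e0e9bc01-1eaa-409d-928d-c112b70b3eca none luks,discard'

# Section skeleton of the luksDump output from the post (details trimmed).
POST_LUKSDUMP='Keyslots:
  0: luks2
    Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256'

printf '%s\n' "$POST_CRYPTTAB" | audit_crypttab
printf 'keyslots=%s tokens=%s\n' \
    "$(printf '%s\n' "$POST_LUKSDUMP" | count_luks2_section Keyslots)" \
    "$(printf '%s\n' "$POST_LUKSDUMP" | count_luks2_section Tokens)"
```

On a live system the same functions can be fed `/etc/crypttab` and the output of `cryptsetup luksDump <device>` directly.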