How do I get Grub to automatically run cryptomount to load its config file (encrypted boot)

grub2 grub luks disk-encryption
12,217

Turns out on Gentoo/Funtoo, the device mapper for grub isn't enabled by default. I added the following to /etc/portage/package.use:

sys-boot/grub device-mapper

Then I re-emerged grub, ran grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id="Funtoo Linux [GRUB]" --recheck and rebooted to find a luks password request screen. After typing it in, everything booted perfectly.

Special thanks to frostschutz who provided the solution in this thread:

https://forums.gentoo.org/viewtopic.php?p=7972812#7972812

Share:
12,217

Related videos on Youtube

Karl Baum
Author by

Karl Baum

Updated on September 18, 2022

Comments

  • Karl Baum
    Karl Baum over 1 year

    So I'm trying to get a fully encrypted boot partition going. I'm running Funtoo, but mostly drawing from the Arch wiki for help.

    So I decided to do something crazy/controversial: not separate boot/root partitions. My setup looks like so:

    /dev/nvme0n1p1  - EFI parition
/dev/nvme0n1p2  - Swap
/dev/nvme0n1p3  - Encrypted /

    In my /etc/default/grub I have the following:

    GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
GRUB_CMDLINE_LINUX="luks enc_root=/dev/nvme0n1p3 root=/dev/mapper/enc_root"

    All the linux arguments are for better-initramfs. I include a key to the file system within the ramdisk so it doesn't prompt me for my password twice.

    I installed Grub using the following:

    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id="Funtoo Linux [GRUB]" --recheck --boot-directory=/boot/efi/EFI

    So in its current state, I get a Grub rescue prompt. It can't find its configuration file (it's on the encrypted boot/root disk). So I run the following commands:

    insmod luks
cryptomount (hd1,gpt3)
set root=(crypto0)
configfile (crypto)/boot/grub/grub.cfg

    ..and I have a fully booting/working system! :)

    So my question is: how to I configure the Grub EFI loader to attempt automatically load the encrypted partition to (crypt0) and read its configuration file?

    Note: Grub identifies the disk as (hd1,gpt3) most likely because my USB stick is still plugged in. That should change to (hd0,gpt3) if I unplug it and reboot.

  • shaheen
    shaheen over 2 years
    what would be a similar solution for ubuntu? it's unclear to me what Gentoo's device-mapper does here. how does it impact grub's early boot sequence?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Grub cryptdevice with changing device names?
Update grub in a chroot environment with root on a luks encrypted volume
LUKS initramfs boot problem: "/dev/mapper/ubuntu-root does not exist." How can I fix it using a backup?
How do I get Grub2 to boot a Truecrypt-encrypted MBR?
How to get grub to boot from a newly encrypted partition
GRUB2 failed with 'No video mode activated'
Convert from EFI to BIOS boot mode
Can I install grub2 on a flash drive to boot both BIOS and UEFI
Linux Mint failed to install in UEFI mode
How to safely use grub rescue> in Fedora 16? System does not boot anymore