How to manually set up grub on a separate boot partition with LVM over LUKS full disk encryption?
I usually recover grub from within chroot. So, boot from a live distro and...
Open the LUKS volume:
# cryptsetup open /dev/sdc2 luks-mint
Activate LVM volumes:
# vgscan
# vgchange -a y vg_mint
# lvscan
Mount Mint and get ready for chroot:
# mount /dev/mapper/vg_mint-root /mnt
# mount /dev/sdc1 /mnt/boot
# mount --rbind /dev /mnt/dev
# mount --rbind /sys /mnt/sys
# mount -t proc none /mnt/proc
chroot into Mint:
# env -i HOME=/root TERM=$TERM chroot /mnt bash -l
Configure and install grub, exit chroot:
(chroot)# grub2-mkconfig > /boot/grub2/grub.cfg
(chroot)# grub2-install /dev/sdc
(chroot)# exit
Reboot.
P.S.: replace VG and LV names accordingly.
P.P.S.: I assumed Linux Mint uses grub2; if not, remove the '2' from both grub commands.
Nick
Updated on September 18, 2022
Comments
-
Nick over 1 year
I've installed Linux Mint 17.2, with a hard drive partitioned as follows:
sdc1 - 100MB ext2 for boot
sdc2 - rest of disk as LUKS -> Physical Volume -> LVM Volume
The logical volumes are:
/
/home
swap
The installer seemed to work correctly except it couldn't install the bootloader, and I was forced to choose the "install bootloader manually later" option.
I have the LiveCD running, have the LUKS volume opened and have mounted the root logical volume at /mnt.
Question: How do I install the bootloader?
Most instructions say something like:
# grub-install --root-directory=/mnt/ /dev/sdc
But this produces:
grub-probe: error: failed to get canonical path of `/cow'.
Installing for i386-pc platform.
grub-install.real: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=1' in file `/etc/default/grub'..
I have edited both /etc/default/grub and /mnt/etc/default/grub and added GRUB_ENABLE_CRYPTODISK=1 to both, but the error still occurs.
What is the proper way to set this up so that grub gets installed on the unencrypted sdc1, prompts for the password, then boots the system once unlocked?
UPDATE
Grub loads at boot now, but it's not asking for the password or decrypting properly. By adding the following options to /etc/default/grub I can make it prompt for a password, but it won't decrypt when the right password is entered:
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="cryptopts=target=lvmbase,source=/dev/disk/by-uuid/f7ddbdb6-51c3-4c59-9d1e-7751b0438431,lvm=vg0_root"
GRUB_CMDLINE_LINUX=""
-
Nick over 8 years
Thanks for your answer. Grub starts now at boot and shows the Kernel list, but I think there is still a piece missing - the part that tells grub to decrypt the volume before attempting to boot. It says, "giving up looking for root partition" or something like that rather than prompting for a password. Somehow you need to tell it to prompt for a password and decrypt /dev/sdc2 before continuing, and I'm not finding the right way to do that. (And it is grub 1 on Mint 17).
-
Vincent Yu over 8 years
@NRahl That's the initramfs, not grub, having issues finding the root partition because it's encrypted. You probably need to chroot in again and run update-initramfs -uk all, which should update the initramfs and include the appropriate LUKS decryption hooks. To have that do its job correctly, make sure that /etc/fstab and /etc/crypttab have correct entries before updating the initramfs.
-
Nick over 5 years
If you get env: ‘chroot’: No such file or directory, you might need to use /usr/sbin/chroot (use which chroot to find the path) in place of chroot.
-
Nick over 5 years
For more on fixing the crypttab setup, see: unix.stackexchange.com/questions/345898/…
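
A pre-flight check for the /etc/crypttab entry that Vincent Yu's comment says must be correct before updating the initramfs, as an added example that is not part of the original thread. It confirms that the mapping name used in the answer (luks-mint) has an entry pinned to the LUKS container's UUID; the function name, return codes and sample UUID are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): check that a crypttab has an
# entry for a given mapping name and that the entry is pinned to a given UUID.
# On the real system the UUID would come from: cryptsetup luksUUID /dev/sdc2
#
# check_crypttab FILE MAPPING_NAME LUKS_UUID
#   0 = entry for MAPPING_NAME points at LUKS_UUID
#   1 = no entry for MAPPING_NAME
#   2 = entry exists but its source is not that UUID (stale UUID, or a bare
#       /dev/sdX name that this check cannot tie to the container)
check_crypttab() {
    file=$1; name=$2; uuid=$3
    result=1
    # crypttab fields: <target> <source> <key file> <options>
    while read -r target source _rest || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac    # skip blanks and comments
        [ "$target" = "$name" ] || continue
        case $source in
            "UUID=$uuid"|"/dev/disk/by-uuid/$uuid") return 0 ;;
            *) result=2 ;;
        esac
    done < "$file"
    return "$result"
}

# Constructed sample data: this UUID is made up for the example.
SAMPLE_UUID=11111111-2222-3333-4444-555555555555

demo() {
    dir=$(mktemp -d) || return 1
    printf '# <target> <source> <key file> <options>\nluks-mint UUID=%s none luks\n' \
        "$SAMPLE_UUID" > "$dir/good"
    printf 'luks-mint /dev/sdc2 none luks\n' > "$dir/by-name"
    printf 'sdc2_crypt UUID=%s none luks\n' "$SAMPLE_UUID" > "$dir/other-name"
    for f in good by-name other-name; do
        rc=0
        check_crypttab "$dir/$f" luks-mint "$SAMPLE_UUID" || rc=$?
        echo "$f: $rc"
    done
    rm -rf "$dir"
}
demo
```

Inside the chroot, point it at /etc/crypttab with the real mapping name and UUID before running update-initramfs -uk all.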