[solved] Encrypted install won't boot

Sat Aug 24, 2013 8:10 pm

Yesterday, I installed refracta-7-amd64 on my hard drive, using the graphical refracta installer. I made a separate /boot partition on /dev/sdb1 and an encrypted root filesystem on /dev/sdb2. When I tried to boot into the new system, I got dropped to the busybox initramfs prompt, with an error message about not finding the root filesystem. (Oops. I'm in the new system now, and the photo of the error message is on another partition. I'll have to add it later, when I reboot. Gotta write this all down now before I forget.) From the initramfs prompt, I was able to open the encrypted volume using
Code:
cryptsetup luksOpen /dev/sdb2 sdb2_crypt
but I could not mount /dev/mapper/sdb2_crypt.

One odd thing about the original error message (gone now) is that it made reference to "root/fs" instead of the "root-fs" that the installer is supposed to use when creating /etc/fstab and /etc/crypttab. First thing I tried was to install again, and I edited the installer script to use "rootfs" instead of "root-fs". It still wouldn't boot, but the extra slash in the path that the error message showed was gone.

Then I rebooted into my usual installation, mounted the encrypted partition and edited fstab and crypttab. Tried to reboot into the new system again, but no luck. Also tried using an older image that I'm pretty sure I used before to successfully do an encrypted install, but that didn't work, either. Installing without encrypting the partition did work correctly.

After some hair-pulling and some googling, I tried to run "update-initramfs -u" on the mounted encrypted partition from my regular installation, but that didn't work, maybe because of improper mount options or maybe because I was running i386 and not amd64. Also tried it from the refracta live-usb that I used for the installation, but update-initramfs is disabled on the live system, even when you try to do it in chroot on a read/write filesystem.

I ended up using a debian-7.0-amd64-netinstall iso (imaged onto a usb stick). When it got to the part where it asked me what to use as the root filesystem, I chose /dev/mapper/sdb2_crypt. Also had to mount /dev/sdb1 on /boot. Ran "update-initramfs -u" and it worked. I'm not sure if that's the whole solution or if the script needs to be changed. I'll have to do some testing in virtualbox and return to this thread later, but I wanted to get this up here in case someone else has the same problem.

Re: Encrypted install won't boot

Sun Aug 25, 2013 9:07 pm

Got the same errors when I installed in virtualbox. See both screenshots to get it all, since the top scrolled off the screen. I can open the encrypted volume, but I can't mount it. System says that /mnt does not exist, even after I created it and 'ls' shows it. Or am I reading that error message wrong? I used TAB to complete /dev/mapper/root_fs, so the shell knows it's there. WTF?

http://distro.ibiblio.org/refracta/misc/lvm_error.png
http://distro.ibiblio.org/refracta/misc/mount_error.png

Re: Encrypted install won't boot

Mon Aug 26, 2013 3:24 am

There are two problems. One is in the script - if you choose encrypted install, fstab and crypttab don't get written correctly. Until I fix the installer and make new deb files, you can hack the script before running the installer. In refractainstaller-yad 9.0.8-2, add a test to the section beginning at line 1031 so that this
Code:
# add entry for root filesystem
if [[ $use_uuid = yes ]]; then
   install_part="$(blkid -s UUID $install_dev | awk '{ print $2 }' | sed 's/\"//g')"
elif [[ $use_labels = yes ]]; then
   rootfslabel=$(yad  --entry --title="Filesystem Label"  --text="Enter a disk label for $install_dev")
   e2label $install_dev  $rootfslabel
   install_part="LABEL=$rootfslabel"
else
   install_part="$install_dev"
fi
looks like this:
Code:
# add entry for root filesystem
if ! [[ $encrypt_os = "yes" ]]; then
if [[ $use_uuid = yes ]]; then
   install_part="$(blkid -s UUID $install_dev | awk '{ print $2 }' | sed 's/\"//g')"
elif [[ $use_labels = yes ]]; then
   rootfslabel=$(yad  --entry --title="Filesystem Label"  --text="Enter a disk label for $install_dev")
   e2label $install_dev  $rootfslabel
   install_part="LABEL=$rootfslabel"
else
   install_part="$install_dev"
fi
fi


Then run the installer. When it's done, boot a debian install disk (I used the netinstall, but CD1 or DVD1 should also work.)

Choose "/dev/mapper/root-fs" when it asks what to use as the root filesystem, and choose the same when it asks where to open the shell.

Then mount your boot partition at /boot. In my test, /boot was sdb1 and the root filesystem (/) was sdb2. Change the device names if yours are different. Then update the initrd. I got errors but ignored them. See this screenshot. http://distro.ibiblio.org/refracta/misc/initrd_fix.png
Code:
mount /dev/sdb1 /boot
update-initramfs -u


Reboot into the installed system. It should now boot correctly.

Note: If you have a separate /home partition that's encrypted, also edit the section of the script that starts at line 1047 so that it looks like this:
Code:
# add entry for /home to fstab if needed
if ! [[ -z $home_dev ]] ; then
if ! [[ $encrypt_home = "yes" ]] ; then
   if [[ $use_uuid = yes ]]; then
      home_part="$(blkid -s UUID $home_dev | awk '{ print $2 }' | sed 's/\"//g')"
   elif [[ $use_labels = yes ]]; then
      homefslabel=$(yad  --entry --title="Filesystem Label"  --text="Enter a disk label for $home_dev")
      e2label $home_dev  $homefslabel
      home_part="LABEL=$homefslabel"
   else
      home_part="$home_dev"
   fi
fi
# (the rest of the /home section, and the fi that closes the $home_dev test, follow unchanged)

Re: Encrypted install won't boot

Mon Aug 26, 2013 6:07 pm

From the cli installer:
I: update-initramfs is disabled (live system is running on read-only media).

It shouldn't matter that it's running on a read-only system, because I'm trying to run update-initramfs in a chroot on a mounted read/write system.

This used to work. Will have to revisit dzz's hack to make the live system read/write. That would require using live-* packages from sid.

Re: Encrypted install won't boot

Tue Aug 27, 2013 1:54 pm

Got it!

The live system uses /usr/sbin/update-initramfs, which is a symlink to /bin/live-update-initramfs, which is disabled in a live, read-only system. The original update-initramfs can be found at /usr/sbin/update-initramfs.orig.initramfs-tools, and that works in a live session. I need to edit the installer scripts to use the latter. Until I do that, if you install to an encrypted partition, you'll need to fix it manually or edit the script before doing the install. There's no need to use a stock debian install disk.

To edit the script, in refractainstaller-yad around line 1170, make it look like this:
Code:
# Run update-initramfs to include dm-mod if using encryption
if [[ $encrypt_os = yes ]] || [[ $encrypt_home = yes ]] ; then
#    chroot /target update-initramfs -u >> "$error_log"
    chroot /target /usr/sbin/update-initramfs.orig.initramfs-tools -u >> "$error_log"
fi


To do it manually after the installation and before you reboot into the new system (or after you figure out that the new system won't reboot and you boot the live system again):
Code:
# Open the encrypted root partition and mount the unlocked mapper device
# (not the raw partition) on /mnt:
cryptsetup luksOpen /dev/sdXn some-label
mount /dev/mapper/some-label /mnt

# Mount the /boot partition
mount /dev/sdXy /mnt/boot

# Edit /etc/fstab and /etc/crypttab as shown in one of the posts above
# (they are now at /mnt/etc/fstab and /mnt/etc/crypttab)

# Mount other stuff so the following commands work correctly in chroot
mount --bind  /dev /mnt/dev
mount --bind  /proc /mnt/proc
mount --bind  /sys /mnt/sys

# Run the original update-initramfs (-u updates the existing initrd)
chroot /mnt /usr/sbin/update-initramfs.orig.initramfs-tools -u

# Update the boot menu
chroot /mnt update-grub

Then you can reboot into the new installation.

Note: I'll probably edit the scripts to use root_fs and home_fs as labels, instead of the root-fs and home-fs currently being used. It seems that the hyphen confuses lvm, and causes it to spit out an error message at boot. I don't think it stops anything from working, but it might be confusing or annoying to get the error message.
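The failures in this thread come down to two things that can be checked from the live system before rebooting: fstab must point "/" at the /dev/mapper device that crypttab declares, and the initrd must actually contain cryptsetup. The script below is an added example (not code from the thread or from the refracta installer) that performs those checks on a mounted target. The target path, the mapper name root-fs, the device names and the fstab/crypttab contents are constructed for the demo; the initrd check only runs when lsinitramfs and an initrd are present.

```shell
#!/bin/sh
# Added example: sanity-check an installed encrypted root before rebooting.
# Assumptions (constructed for this demo): target mounted under a directory,
# mapper name root-fs, root on /dev/sdb2, /boot on /dev/sdb1.

# fstab_root_device FSTAB: print the device field of the "/" entry.
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# crypttab_mapper_names CRYPTTAB: print the target (mapper) names declared.
crypttab_mapper_names() {
    awk '$1 !~ /^#/ && NF >= 4 { print $1 }' "$1"
}

# check_encrypted_root TARGET: 0 if fstab's "/" is /dev/mapper/<name> and
# <name> is declared in crypttab (and the initrd, if checkable, has cryptsetup);
# otherwise print the reason and return 1.
check_encrypted_root() {
    target="$1"
    root_dev=$(fstab_root_device "$target/etc/fstab")
    case "$root_dev" in
        /dev/mapper/*) ;;
        "") echo "no / entry in $target/etc/fstab"; return 1 ;;
        *) echo "root device $root_dev is not a /dev/mapper device"; return 1 ;;
    esac
    name=${root_dev#/dev/mapper/}
    if ! crypttab_mapper_names "$target/etc/crypttab" | grep -qx -- "$name"; then
        echo "mapper name $name is not declared in $target/etc/crypttab"
        return 1
    fi
    # The thread notes lvm complains about hyphens in mapper names; warn only.
    case "$name" in *-*) echo "warning: mapper name $name contains a hyphen" ;; esac
    # If an initrd exists and lsinitramfs (initramfs-tools) is available,
    # confirm cryptsetup was included; a stale initrd is exactly what drops
    # you to the busybox prompt.
    initrd=$(ls "$target"/boot/initrd.img-* 2>/dev/null | head -n 1)
    if [ -n "$initrd" ] && command -v lsinitramfs >/dev/null 2>&1; then
        if ! lsinitramfs "$initrd" | grep -q 'sbin/cryptsetup'; then
            echo "initrd $initrd has no cryptsetup; run update-initramfs -u in the chroot"
            return 1
        fi
    fi
    echo "ok: $root_dev is unlocked via crypttab entry $name"
    return 0
}

# make_sample_target DIR MODE: write constructed fstab/crypttab into DIR/etc.
# "good" mirrors what the fixed installer should produce; "bad" mirrors the
# broken install (raw partition in fstab, empty crypttab).
make_sample_target() {
    mkdir -p "$1/etc"
    if [ "$2" = good ]; then
        printf '%s\n' '/dev/mapper/root-fs / ext4 errors=remount-ro 0 1' \
            '/dev/sdb1 /boot ext2 defaults 0 2' > "$1/etc/fstab"
        printf '%s\n' 'root-fs /dev/sdb2 none luks' > "$1/etc/crypttab"
    else
        printf '%s\n' '/dev/sdb2 / ext4 errors=remount-ro 0 1' > "$1/etc/fstab"
        : > "$1/etc/crypttab"
    fi
}

# Demo on two constructed targets.
demo_dir=$(mktemp -d)
make_sample_target "$demo_dir/good" good
make_sample_target "$demo_dir/bad" bad
check_encrypted_root "$demo_dir/good"
check_encrypted_root "$demo_dir/bad" || true
rm -rf "$demo_dir"
```

On a real target run it as `check_encrypted_root /mnt` after the mounts from the manual procedure above; the hyphen warning matches the lvm message the thread mentions and does not by itself fail the check.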