[Solved] Unable to boot from encrypted root partition

lurqur · 2010-06-26 08:11:40

I used the debian text installer to install statler alpha 2 to my acer aspire one when I hit a snag. It hangs on bootup when attempting to mount the root partition ("Begin: Waiting for root file system..."). I get dropped to an initramfs prompt, and when I look do an `ls /dev/mapper`, it doesn't exist (the root partition should be located at /dev/mapper/sda4_crypt.) Normally what happens with Debian is it will prompt you for a password to mount the encrypted partition, but I'm not getting that.

I don't see AES in /proc/crypto either. Is it possible that the relevant modules just weren't enabled when the kernel was compiled or the relevant modules aren't being inserted? If so, what can I do to remedy the situation? This being an ultra-portable computer, security is very important to me.

Last edited by lurqur (2010-06-27 04:13:51)

mig5 · 2010-06-26 09:35:48

I don't have a solution, but if it's any consolation you aren't the only one (I reproduced exactly as you say re: no encryption password)

http://crunchbanglinux.org/forums/topic … -of-death/
http://crunchbanglinux.org/forums/topic … -of-death/

Sadly no news from the developer(s) yet. I was unable to reproduce it with a vanilla Debian Squeeze install, so it seems Crunchbang-specific.

lurqur · 2010-06-26 10:07:28

mig5 wrote:

http://crunchbanglinux.org/forums/topic … -of-death/
Sadly no news from the developer(s) yet. I was unable to reproduce it with a vanilla Debian Squeeze install, so it seems Crunchbang-specific.

So it didn't work for you when you used the guided partitioning with LVM, but it worked with guided partitioning without LVM?

What it's looking like is the aes and dm-crypt (or in your case, just dm-mod) modules aren't getting loaded during the bootup sequence. When I boot into the live cd, there is no /dev/mapper directory, but after I've done a modprobe dm-crypt and aes-i586, and then installed cryptsetup to test the mounting of the encrypted volumes, everything seems to work just fine.

If I'm right, you should just have to switch to a tty after the install has completed or chroot into the install from another install and add a couple modules to your initrd and regenerate it before rebooting.

Edit: looks like that's not the case... I got it to create /dev/mapper, but not much else, might work with just LVM now though.

Edit #2: Think I've almost got it, got the prompt for the passphrase but got an error when trying to load a module, will update the post if it works.

Edit #3: by entering a shell after the installation, I was able to get cryptsetup installed and added the dm-mod and dm-crypt modules to the initramfs module list. That seems to take care of everything except for actually decrypting and mounting the volumes after the password has been entered, going to mess around with it a little more tonight.

Last edited by lurqur (2010-06-26 20:33:05)

lurqur · 2010-06-26 22:18:56

Looks like I was right about the initramfs stuff. For there to be encryption and LVM support out of the box in crunchbang, the following modules will need to be added to the initrd

dm_mod
dm_crypt
aes_generic (as well as aes-i586 or aes-x86_64 on their respective platforms)
sha256_generic

cryptsetup will also need to be installed whenever an encrypted volume is used.

However, before the next release of crunchbang, here's what you need to do:

1. Complete the install as normal, remembering to keep an unencrypted /boot.
2. When you're asked to restart, select "Go back", you will be dropped to a menu where you will be given several options, select execute shell.
3. type "chroot /target"

You are now effectively running inside your installed system, we can edit the necessary config files and generate the new initram image from here.

4. use nano (or your favorite command-line editor) to edit /etc/initramfs-tools/modules
5. for LVM, just add dm_mod, save the file, and then skip to step 8.
6. for encryption or LVM + encryption, add the following lines to the end of the file

dm_mod
dm_crypt
aes_generic
(as well as aes-i586 or aes-x86_64 on their respective platforms, if you are using the 486 image, you do not need to add anything else.)
sha256_generic

7. you will need networking to install cryptsetup from apt-get, or you can put it on another external disk and install it using dpkg. It will handle the updating of the initram image for you.
8. if you didn't install encryption support, you will need to run "update-initramfs -u" now. If it fails, well... you have issues.
9. type exit until you get back to the menu with the blue background and choose the option to finish the installation.
10. reboot, and hopefully you have a working crunchbang install!

let me know if I forgot anything, it wouldn't be the first time! big_smile

Last edited by lurqur (2010-06-26 22:21:12)

corenominal · 2010-06-27 03:22:03

@lurqur, thank you for the information and detailed instructions, they are really appreciated. I will try and get this sorted before the next build. smile

lurqur · 2010-06-27 03:56:03

corenominal wrote:

@lurqur, thank you for the information and detailed instructions, they are really appreciated. I will try and get this sorted before the next build.

You're quite welcome; I didn't know much about how linux's boot process worked until today, although the things I remembered from setting up dm-raid / dm-crypt on Arch helped!

Raubsau · 2010-07-16 20:38:26

May I ask to have a look at my thread?
http://crunchbanglinux.org/forums/topic … eate-swap/

CrunchBang Linux

SEARCH

#1 2010-06-26 08:11:40

[Solved] Unable to boot from encrypted root partition

#2 2010-06-26 09:35:48

Re: [Solved] Unable to boot from encrypted root partition

#3 2010-06-26 10:07:28

Re: [Solved] Unable to boot from encrypted root partition

#4 2010-06-26 22:18:56

Re: [Solved] Unable to boot from encrypted root partition

#5 2010-06-27 03:22:03

Re: [Solved] Unable to boot from encrypted root partition

#6 2010-06-27 03:56:03

Re: [Solved] Unable to boot from encrypted root partition

#7 2010-07-16 20:38:26

Re: [Solved] Unable to boot from encrypted root partition

Board footer