# [SOLVED] initrd with luks partitions, lvm2, and systemd

## Tatsh

See third post.

I have been searching all over and have not found a lot of help when things go wrong here. I am using Dracut to generate a host-only initrd that should make the following kind of layout:

```
NAME           FSTYPE      LABEL                       UUID                                   MOUNTPOINT
sda
├─sda1         vfat        EFI                         FF0B-C552                              /boot/efi
├─sda2         ext2        boot                        cc9cb75b-7153-44bd-a520-f8072add4bba   /boot
└─sda3         crypto_LUKS                             5d4fa557-d643-4220-b4fd-0662eba8783a
  └─root       LVM2_member                             7k9Kix-LHvZ-qy60-eluo-20vr-N5nf-LJuzXe
    ├─vg0-root ext4        root                        6c32e104-186c-4e38-86d5-baa5ef08c8f7   /
    └─vg0-home ext4                                    0cbbd0d3-5844-43ad-83ef-d434d2a58f48   /home/tatsh
sdb            crypto_LUKS                             78091943-1099-48c5-b1d7-6ec3a611bd8a
└─home         LVM2_member                             44qXdW-Y7f5-rUDX-oOm8-7azb-oryc-7d0p4R
  └─vg0-home   ext4                                    0cbbd0d3-5844-43ad-83ef-d434d2a58f48   /home/tatsh
```

Basically:

1. Unlock 5d4fa557 (/dev/sda3)

2. Unlock 78091943 (/dev/sdb)

3. lvm scan and enable vg0

4. Mount root (/dev/mapper/vg0-root)

5. Mount /home/tatsh from /dev/mapper/vg0-home

What happens right now is I can begin the boot but dracut-initqueue (its own module) does not run the cryptsetup generator (systemd) properly that would generate a service for each LUKS encrypted disk, and unlock them based on options given. I am almost certain this is caused by Dracut not copying my /etc/crypttab to its own image because that file is required for the generator to work. When I use lsinitrd I see a 0 byte /etc/crypttab in the image.

Has anyone succeeded with this combination? The only reason I am able to boot is because I followed Dracut wiki's instructions on how to manually boot with their debug shell. https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_troubleshooting

/etc/default/grub : http://dpaste.com/34E3VB4

/etc/dracut.conf : http://dpaste.com/0GQV0WD

Last Dracut log (during generation): https://gist.github.com/1da4028d91492a747110

```
DRACUT_MODULES="crypt crypt-gpg crypt-loop gensplash lvm ssh-client systemd"
systemd USE flags = "acl cryptsetup gudev idn introspection kmod lz4 pam (policykit) seccomp ssl -apparmor -audit -curl -doc -elfutils -gcrypt -http -importd (-kdbus) -lzma -nat -python -qrcode (-selinux) -sysv-utils -terminal -test -vanilla -xkb"
```

Note that I tried using genkernel-next but it does not support systemd enough as far as I can tell, regarding LUKS. It only copies the binary but not any of the other necessary files (services, etc).

Last edited by Tatsh on Wed Apr 15, 2015 1:10 am; edited 1 time in total

----------

## croutch

Take a look if this guide could help you ->   http://www.hivestream.de/gentoo-installation-with-raid-lvm-luks-and-systemd.html

----------

## Tatsh

 *croutch wrote:*   

> Take a look if this guide could help you ->   http://www.hivestream.de/gentoo-installation-with-raid-lvm-luks-and-systemd.html

 

Thanks for the link. It was useful for a few things. I am looking into using pam_mount instead of fstab to mount my $HOME but I am not finding that necessary.

I have resolved this issue, so I want to take notes for anyone else who might want to achieve the same thing. What I have is a system now that will not boot unless my flash drive with the key is in.

My setup is 2 SSDs combined linearly with LVM, both encrypted separately, but with the same key to make life a little easier.

So you need this in your /etc/crypttab:

```
diskX UUID=5d4fa557-d643-4220-b4fd-0662eba8783a /file/path-to-key luks
diskY UUID=78091943-1099-48c5-b1d7-6ec3a611bd8a /file/path-to-key luks
```

Where diskX and diskY are what you used originally to create the LVM volume group (/dev/mapper/diskX, etc). If you put none instead of the path you will just get prompted for every drive.

Do not use quotes on the UUID like in fstab!

Here is something that might be a bug. Basically, when dracut does its analysis to figure out which drives are okay from your /etc/crypttab to add to its own, it does not want to take in any that are in use *except* root. This is a problem if you are using LVM to merge 2 drives and create a 'linear RAID0' (please make backups somewhere else!). So what you need to do is remove some checks in the crypt module that comes with Dracut. This is with Dracut version 041-r2:

```
if [[ $hostonly ]] && [[ -f /etc/crypttab ]]; then
    # filter /etc/crypttab for the devices we need
    while read _mapper _dev _rest; do
        [[ $_mapper = \#* ]] && continue
        [[ $_dev ]] || continue

        [[ $_dev == UUID=* ]] && \
            _dev="/dev/disk/by-uuid/${_dev#UUID=}"

        for _hdev in "${!host_fs_types[@]}"; do
            # The three lines below are the checks that have been commented out:
            # the LUKS-only test and the "is this a device the host needs" test.
            #[[ ${host_fs_types[$_hdev]} == "crypto_LUKS" ]] || continue
            #if [[ $_hdev -ef $_dev ]] || [[ /dev/block/$_hdev -ef $_dev ]]; then
                echo "$_mapper $_dev $_rest"
                break
            #fi
        done
    done < /etc/crypttab > $initdir/etc/crypttab
```

The checks for busy devices, or for whether the disk is part of the LVM volume group, have been commented out in the for loop (3 lines commented out). This will just make the initrd /etc/crypttab the same as the system's, so be sure that is what you want.

In order for the initrd to know about the mount point where your USB or other device with the key will be located (the path referenced in /etc/crypttab), you need to add a custom fstab entry via Dracut's configuration:

```
# fstab
add_fstab+=" /usr/src/initrd-fstab "
```

My /usr/src/initrd-fstab:

```
UUID="BD3B-03BD" /file vfat noatime 1 2
```

Add this same entry to your /etc/fstab to ensure that post-switch root, the decryption can occur again if necessary.

In /etc/dracut.conf you should basically have this, at minimum (unless you want to specify on the command line):

```
logfile=/var/log/dracut.log
fileloglvl=10 # Useful for debugging later
# leading/trailing spaces so += values concatenate cleanly across conf files
add_dracutmodules+=" crypt crypt-gpg dm systemd crypt-loop lvm "
# fstab
add_fstab+=" /usr/src/initrd-fstab "
# build initrd only to boot current hardware
hostonly="yes"
```

And you'll notice that lsinitrd does not show /file being created in the image. It will be created at boot time. Any mount point that does not exist and is not used for something will be used, and if the directory does not exist it will be created.

Now, you can regenerate your Grub configuration. My /etc/default/grub only has these items enabled:

```
GRUB_PRELOAD_MODULES=lvm  # Maybe unnecessary?
GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd video=uvesafb:2560x1600-32,mtrr:3,ywrap"
GRUB_GFXPAYLOAD_LINUX="keep" # For EFI FB
```

Regenerating, especially if you are on live CD/USB (where -limelight is the suffix you gave in kernel configuration, otherwise remove it):

```
$ dracut --force --kver 3.18.11-gentoo-limelight -k /lib/modules/3.18.11-gentoo-limelight
$ grub2-mkconfig -o /boot/grub/grub.cfg
```

Now make sure you have everything about Grub correct for you (UEFI, etc). Plug in the required flash drive or other device containing the key and reboot.

After rebooting, if you are using something like KDE, after you log in you can open up the devices widget, and unmount the flash drive there. Because it is not mounted by you, you will be asked for your root password.

----------

