Full disk encryption & external bootloader

Installer Issues via Installer -- Not for global upgrades or upgrading individual packages -- ONLY ISSUES WITH INSTALLATION OF THE OS -- Can't get Sabayon installed, than post here, otherwise use correct forums


Full disk encryption & external bootloader

Post by SabayonEncrypted » Sat Mar 03, 2012 22:26

Goal:
  • Full disk encryption of internal laptop hdd (/dev/sda - uuid: ec6a4dbd-2fe0-423b-b832-8f3c0c0a0f83)
  • Bootloader on a 256 MB partition on a usb-stick (/dev/sdb1 - uuid: 68d5916e-ea95-47b2-a5f8-fd767071c3f2)
Hardware:
  • Laptop ThinkPad T61P - Intel Core 2 Duo T7700 @ 2.40GHz - 4GB RAM - HDD Sata 320GB
  • USB-Stick LaCie iamaKey 4GB
Approach so far:
Using the sabayon 8 live dvd for amd64 and KDE (md5sum is fine) and the installation gui anaconda I configure the partition table as follows:
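| Device | Size (MB) | Mount Point/RAID/Volume | Type | Formatting |
|---|---|---|---|---|
| LVM | | | | |
| - vg_box | 305216 | | | |
| -- lv_var | 6016 | /var | ext4 | OK |
| -- lv_root | 30016 | / | ext4 | OK |
| -- lv_home | 259168 | /home | ext4 | OK |
| -- lv_swap | 6016 | | swap | OK |
| -- lv_tmp | 4000 | /tmp | ext4 | OK |
| Harddrives | | | | |
| - sda (/dev/sda) | | | | |
| -- sda1 | 305244 | vg_box | physical volume (LVM) | ENCRYPTED |
| - sdb (/dev/sdb) | | | | |
| -- sdb1 | 256 | /boot | ext4 | OK |
| -- free | 3599 | | | |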
When asked where the bootloader is to be installed I choose /dev/sdb1.
Installation works just fine and doesn't show any errors, but after rebooting and booting Grub off the usb-stick I get the following output:
error: no such device: 5671bade-970c-4b8b-a2f5-77e2429dd1c1
Entering rescue mode...
grub rescue>
What has to be done to get the intended setup working?

Further information:
(hd0) /dev/disk/by-id/ata-ST9320421AS_5TJ0F3DL
(hd1) /dev/disk/by-id/usb-LaCie_iamaKey_8d4249314c7342-0:0

grub.cfg:


#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_fonts ###
### END /etc/grub.d/00_fonts ###

### BEGIN /etc/grub.d/00_header ###
# Restore variables from the environment block, but only when
# $prefix/grubenv exists and is non-empty.
if [ -s $prefix/grubenv ]; then
  load_env
fi
# The default menu entry is whatever saved_entry holds after load_env.
set default="${saved_entry}"
# When prev_saved_entry is set: copy it back into saved_entry, clear
# prev_saved_entry, persist both with save_env, and set boot_once so that
# savedefault leaves saved_entry untouched during this boot.
# NOTE(review): save_env writes to the environment block, so the boot
# filesystem has to be writable from GRUB for this to persist - confirm.
if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

# savedefault: remember the entry being booted as the future default.
# Copies ${chosen} into saved_entry and persists it with save_env, unless
# boot_once is non-empty, in which case nothing is changed.
# NOTE(review): neither menuentry in this listing calls savedefault.
function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

# load_video: load the four video driver modules listed below.
# Called from the header once the font has loaded, and at the top of each
# menuentry in this file.
function load_video {
  insmod vbe
  insmod vga
  insmod video_bochs
  insmod video_cirrus
}

# Modules needed to read the boot filesystem: MS-DOS partition table plus
# the ext2 driver (the post lists /boot on sdb1 as ext4).
insmod part_msdos
insmod ext2
# First guess for the boot device: partition 1 of hd1, which the post maps
# to the USB stick. BIOS drive numbering at boot time may differ from the
# install-time mapping, so this value alone is not reliable.
set root='(hd1,msdos1)'
# Re-point root at whichever device carries this filesystem UUID (the UUID
# the post gives for /dev/sdb1); this does not depend on drive numbering.
# NOTE(review): the UUID in the reported "no such device" error
# (5671bade-970c-4b8b-a2f5-77e2429dd1c1) appears nowhere in this file, so
# that failure presumably happens before grub.cfg is read - compare it with
# the filesystem UUIDs on both disks and with what the installed boot code
# was told to search for.
search --no-floppy --fs-uuid --set=root 68d5916e-ea95-47b2-a5f8-fd767071c3f2
# Graphical terminal setup is attempted only if the font can be loaded from
# the boot filesystem.
if loadfont /grub/unifont.pf2 ; then
  set gfxmode=1024x768
  load_video
  # vga= is deprecated, grub2 handles this just fine
  # making grub2 res == linux fb res
  set gfxpayload=keep
  insmod gfxterm
fi
# Runs unconditionally, i.e. also when the font (and so gfxterm) did not load.
terminal_output gfxterm
# Menu timeout of 5 is set only when the zero-length interruptible sleep
# returns success.
if sleep --interruptible 0 ; then
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_distro_theme ###
# Theme section: repeats the boot-filesystem lookup, then picks menu colours.
insmod part_msdos
insmod ext2
# Same device guess and UUID search as in the header section; the UUID is
# the one the post gives for the /boot partition on the USB stick.
set root='(hd1,msdos1)'
search --no-floppy --fs-uuid --set=root 68d5916e-ea95-47b2-a5f8-fd767071c3f2
insmod png
# Use the splash colours when the background image loads from the boot
# filesystem; otherwise fall back to the plain cyan/blue menu colours.
if background_image /grub/default-splash.png ; then
  set color_normal=white/black
  set color_highlight=magenta/black
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_distro_theme ###

### BEGIN /etc/grub.d/10_linux ###
# Normal boot entry. Kernel and initramfs are read from the filesystem found
# by the UUID search below, i.e. the unencrypted ext4 /boot on the USB stick
# according to the post; the encrypted disk is not touched by GRUB here.
# NOTE(review): nothing in this entry verifies the kernel or initramfs before
# they run, so the integrity of the boot medium is what protects the
# passphrase prompt - treat the stick as part of the trusted boot path.
# NOTE(review): the kernel line refers to volume group vg_blackbox while the
# partition layout in the post names it vg_box; presumably one was edited for
# posting, but a real mismatch would keep root from being found - confirm.
menuentry 'Sabayon GNU/Linux, with Linux x86_64-3.2.0-sabayon' --class sabayon --class gnu-linux --class gnu --class os {
 load_video
 insmod gzio
 insmod part_msdos
 insmod ext2
 # Device guess first, then the UUID search that overrides it.
 set root='(hd1,msdos1)'
 search --no-floppy --fs-uuid --set=root 68d5916e-ea95-47b2-a5f8-fd767071c3f2
 echo 'Loading Linux x86_64-3.2.0-sabayon ...'
 # crypt_root carries the UUID the post gives for the internal disk; it and
 # docrypt/dolvm are presumably consumed by the genkernel initramfs
 # (init=/linuxrc) to unlock the container and activate LVM - confirm.
 linux /kernel-genkernel-x86_64-3.2.0-sabayon ro  init=/linuxrc splash=verbose,theme:sabayon video=vesafb:ywrap,mtrr:3 vga=791 console=tty1 quiet domdadm resume=swap:/dev/mapper/vg_blackbox-lv_swap real_resume=/dev/mapper/vg_blackbox-lv_swap dolvm root=/dev/mapper/vg_blackbox-lv_root crypt_root=UUID=ec6a4dbd-2fe0-423b-b832-8f3c0c0a0f83 docrypt 
 echo 'Loading initial ramdisk ...'
 initrd /initramfs-genkernel-x86_64-3.2.0-sabayon
}
# Recovery entry: same kernel, initramfs and device lookup as the normal
# entry; the only difference on the kernel line is the added
# "single init_opts=single".
# NOTE(review): the kernel and initramfs come from the unencrypted /boot
# filesystem and are not verified by anything in this entry.
# NOTE(review): vg_blackbox here versus vg_box in the posted partition
# layout - confirm which name the installed system really uses.
menuentry 'Sabayon GNU/Linux, with Linux x86_64-3.2.0-sabayon (recovery mode)' --class sabayon --class gnu-linux --class gnu --class os {
 load_video
 insmod gzio
 insmod part_msdos
 insmod ext2
 # Device guess first, then the UUID search that overrides it.
 set root='(hd1,msdos1)'
 search --no-floppy --fs-uuid --set=root 68d5916e-ea95-47b2-a5f8-fd767071c3f2
 echo 'Loading Linux x86_64-3.2.0-sabayon ...'
 # crypt_root carries the UUID the post gives for the internal disk.
 linux /kernel-genkernel-x86_64-3.2.0-sabayon ro single init_opts=single  init=/linuxrc splash=verbose,theme:sabayon video=vesafb:ywrap,mtrr:3 vga=791 console=tty1 quiet domdadm resume=swap:/dev/mapper/vg_blackbox-lv_swap real_resume=/dev/mapper/vg_blackbox-lv_swap dolvm root=/dev/mapper/vg_blackbox-lv_root crypt_root=UUID=ec6a4dbd-2fe0-423b-b832-8f3c0c0a0f83 docrypt
 echo 'Loading initial ramdisk ...'
 initrd /initramfs-genkernel-x86_64-3.2.0-sabayon
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
# Pull in $prefix/custom.cfg when that file exists; its contents are then
# executed as GRUB commands.
# NOTE(review): $prefix is not set in this file; the /grub/... paths used
# above suggest it lives on the unencrypted boot filesystem, so anyone able
# to write there can add commands to the boot menu - confirm the location.
if [ -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ### 


Re: Full disk encryption & external bootloader

Post by SabayonEncrypted » Sun Oct 27, 2013 10:34

What I did so far:
Using anaconda I configured the partition table as shown above, but when asked where the bootloader is to be installed I chose /dev/sda instead. This resulted in the bootloader being on my internal hard drive while /boot is on the USB stick. In order to boot my system I need to plug in my USB stick before switching on my computer, which is almost what I wanted.

What I actually wanted is to have the bootloader on the USB stick together with /boot, so that the system can only be booted from the USB stick and the internal hard drive stays completely encrypted.

Any ideas how this could be done?
