Install Debian on Existing encrypted LVM

Post by carachi » 2014-03-06 21:10

Hello,
I am trying to install Debian 7 64-bit on my computer on an existing encrypted LVM.
My hard disk configuration is:

sda1 /boot
sda5 encrypted partition that contains the LVM
|--- / Debian 7 OS partition
|--- /home home partition
|--- /swap partition

I did the installation of the operating system from a live Debian CD, unlocking the encrypted partition from the desktop environment.
However, when I reboot the laptop I am not able to run Debian because, after I choose to run Debian from GRUB, it replies that it is not able to find the root partition with the operating system.
I think that Debian didn't compile the initramfs with the crypto instructions... is that possible?

Searching online I found that I need to create a new file called /etc/cryptab with the UUID of the partition and afterwards regenerate the initramfs. I did it but... nothing changed... :(

How can I solve this problem? Is there a way to tell the installation process that I am using an encrypted LVM partition instead of a normal partition, without formatting the whole hard drive?
Is there any command to recreate GRUB and all the other parts in such a way that it also includes the crypto instructions?

Thank you very much.
carachi
 
Posts: 7
Joined: 2010-07-12 16:29

Re: Install Debian on Existing encrypted LVM

Post by dilberts_left_nut » 2014-03-06 23:33

Probably the installer doesn't know it is on an encrypted lvm partition.
I would just use the standard installer not the one from inside a live session.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4957
Joined: 2009-10-05 07:54
Location: enzed

Re: Install Debian on Existing encrypted LVM

Post by carachi » 2014-03-07 09:34

Hello dilberts_left_nut,
Thank you very much for your interest.
I tried with the standard CD of Debian 7 but, using it, I am not able to decrypt my encrypted partition, not even from the command line. I am only able to create a new encrypted partition, but I don't want to do that because I would delete all the data in my /home partition.

Is there a way to tell the Debian installer that this is an encrypted LVM partition?
Or can I reinstall GRUB and all the other necessary stuff while running the live CD-ROM?

Thank you very much

Re: Install Debian on Existing encrypted LVM

Post by kiyop » 2014-03-07 16:04

Can you unlock (decrypt) the LVM after booting with the live Debian?
If you can, you may be able to chroot into the installed Debian and generate an initramfs that includes the proper modules to enable decryption.

carachi wrote: I did the installation of the operating system from a live Debian CD, unlocking the encrypted partition from the desktop environment.
However, when I reboot the laptop I am not able to run Debian because, after I choose to run Debian from GRUB, it replies that it is not able to find the root partition with the operating system.
I think that Debian didn't compile the initramfs with the crypto instructions... is that possible?

Searching online I found that I need to create a new file called /etc/cryptab with the UUID of the partition and afterwards regenerate the initramfs. I did it but... nothing changed... :(

Write concretely what you did and what error messages you got.
Openbox, JWM: Jessie, Sid, Arch / Win XP (on VirtualBox), 10
http://kiyoandkei.bbs.fc2.com/
kiyop
 
Posts: 3984
Joined: 2011-05-05 15:16
Location: Where persons without desire to improve themselves fear to tread, in Japan

Re: Install Debian on Existing encrypted LVM

Post by carachi » 2014-03-07 21:37

Hello kiyop,
I am sorry if I did not explain well. This is what I did:
- I run the live Debian CD-ROM
- I unlock the encrypted partition and the LVM
- I install the new version of Debian on the correct partition, also selecting the home directory.
- I reboot the machine

However, the new installation of Debian doesn't start correctly because it says that it is not able to find the OS/root (the / partition inside the LVM).
The strange thing is that it doesn't ask me for the password to unlock the encrypted LVM.

So, running the live Debian CD-ROM again, I mounted the partitions and entered chroot mode and I tried to recreate the initramfs (because I think that this is the problem, but I am not sure). I rebooted but nothing changed. It continues to tell me that it is not able to find the partition where the operating system is.

I don't know what else to do or how I can recreate the initramfs including the proper modules to decrypt the partition and how to say that this is an encrypted LVM partition.

Thank you very much for your help.
Bye

Re: Install Debian on Existing encrypted LVM

Post by kiyop » 2014-03-08 03:06

Hi! carachi :)
carachi wrote: - I run the live Debian CD-ROM

Could you please write the concrete URL where you downloaded the image?
carachi wrote: However, the new installation of Debian doesn't start correctly because it says that it is not able to find the OS/root (the / partition inside the LVM).
The strange thing is that it doesn't ask me for the password to unlock the encrypted LVM.

So, running the live Debian CD-ROM again, I mounted the partitions and entered chroot mode and I tried to recreate the initramfs (because I think that this is the problem, but I am not sure). I rebooted but nothing changed.

As dilberts_left_nut suggested, it may be because you started the installation of Debian after decrypting the encrypted LVM.
I am not sure if the following solves your problem:

AFAIK, you can add module names to /etc/initramfs-tools/modules, so that they are included in the initramfs. After inserting the names of the modules into it, regenerate the initramfs.

Furthermore, you can modify the init script in the initramfs by extracting the initramfs (/boot/initrd.img-*) to the current directory with
Code:
gzip -dc /boot/initrd.img-PROPER_VERSION_WORDS | cpio -i

and modifying some files and regenerating a new initramfs with
Code:
find . | cpio -H newc -o | gzip -9 > NEW_INITRAMFS_FILE_NAME


If the kernel and initramfs files are loaded (started), and if the / partition is not detected, busybox may start. At busybox, can you decrypt the LVM?

Re: Install Debian on Existing encrypted LVM

Post by fsmithred » 2014-03-11 02:28

Try rebuilding the initrd in chroot with
Code:
update-initramfs.orig.initramfs-tools -u
instead of just using update-initramfs. The live-tools package replaces (disables) update-initramfs, and you need to use the original version to be able to boot an encrypted partition. I ran into a similar problem with a live installer I maintain. Here's a discussion - no lvm, just encrypted partitions, but maybe something here is helpful - http://refracta.freeforums.org/encrypte ... -t308.html
fsmithred
 
Posts: 1867
Joined: 2008-01-02 14:52

Re: Install Debian on Existing encrypted LVM

Post by carachi » 2014-03-18 17:37

Hi Everyone,
Thank you for your interest and suggestions.
I tried over these days to do what you suggested, but I didn't have success :(

fsmithred wrote: Try rebuilding the initrd in chroot with
Code:
update-initramfs.orig.initramfs-tools -u
instead of just using update-initramfs. The live-tools package replaces (disables) update-initramfs, and you need to use the original version to be able to boot an encrypted partition. I ran into a similar problem with a live installer I maintain. Here's a discussion - no lvm, just encrypted partitions, but maybe something here is helpful - http://refracta.freeforums.org/encrypte ... -t308.html

I tried to recreate the initramfs but .... it creates the same initramfs file... as the previous one...

So I tried to unzip it as suggested here:
kiyop wrote: Furthermore, you can modify the init script in the initramfs by extracting the initramfs (/boot/initrd.img-*) to the current directory with
Code:
gzip -dc /boot/initrd.img-PROPER_VERSION_WORDS | cpio -i

and modifying some files and regenerating a new initramfs with
Code:
find . | cpio -H newc -o | gzip -9 > NEW_INITRAMFS_FILE_NAME


If the kernel and initramfs files are loaded (started), and if the / partition is not detected, busybox may start. At busybox, can you decrypt the LVM?


And I analysed the content of this file. I also compared it with another machine (created in VirtualBox) and I saw that all the files related to the crypto, the crypto library and the configuration file for the encrypted partition are missing. I tried to copy and paste those files into my initramfs and change the configuration file, but... it doesn't work... Probably I missed changing something, I don't know where.

So... What can I do?
How can I force Debian to include the crypto library, the configuration file and all the other stuff inside the initramfs file?

Is there a way during the installation process to tell the installer that this is an encrypted partition?

Thank you
Bye

Re: Install Debian on Existing encrypted LVM

Post by kiyop » 2014-03-18 23:00

carachi wrote: How can I force Debian to include the crypto library, the configuration file and all the other stuff inside the initramfs file?

I do not know well, but you can include modules in the initramfs (/boot/initrd.img-.*) by adding the module names to /etc/initramfs-tools/modules and executing "update-initramfs -u". The "linux-headers-.*" package and so on may be necessary.
The following may be useful, although I do not know well:
https://wiki.debian.org/ModuleAssistant
https://wiki.debian.org/Modules
Also, read
Code:
man lsmod
man modprobe

to know how to show the currently-used modules and how to enable modules.

Re: Install Debian on Existing encrypted LVM

Post by fsmithred » 2014-03-19 13:27

Make sure that cryptsetup is installed in the installed system. (check for /sbin/cryptsetup). I'm not sure if the debian installer adds everything that's on the live-CD or if it just installs the same things as the regular installation CD.

Make sure dm-mod is in the initrd - in mine, it's lib/modules/3.2.0-4-amd64/kernel/drivers/md/dm-mod.ko.

Re: Install Debian on Existing encrypted LVM

Post by carachi » 2014-03-22 19:54

Hi all
thank you for your help! I really appreciate that.
In order:
kiyop wrote: I do not know well, but you can include modules in the initramfs (/boot/initrd.img-.*) by adding the module names to /etc/initramfs-tools/modules and executing "update-initramfs -u". The "linux-headers-.*" package and so on may be necessary.
The following may be useful, although I do not know well:
https://wiki.debian.org/ModuleAssistant
https://wiki.debian.org/Modules
Also, read
Code:
man lsmod
man modprobe

to know how to show the currently-used modules and how to enable modules.

I started the live Debian CD-ROM and I installed lvm2 (to open the LVM after decrypting the partition) and module-assistant. I followed the instructions reported on the Debian website, but in the module-assistant menu there is nothing about the crypto or lvm modules....

After that I followed the fsmithred suggestion:
fsmithred wrote: Make sure that cryptsetup is installed in the installed system. (check for /sbin/cryptsetup). I'm not sure if the debian installer adds everything that's on the live-CD or if it just installs the same things as the regular installation CD.

Make sure dm-mod is in the initrd - in mine, it's lib/modules/3.2.0-4-amd64/kernel/drivers/md/dm-mod.ko.

I checked that the live Debian contains cryptsetup, with success. After that I checked whether the initramfs contains the dm-mod.ko module. However, it doesn't contain it.
So I added the following modules to /etc/initramfs-tools/modules and I recreated the initramfs:

Code:
echo "aes" >> /etc/initramfs-tools/modules
echo "aes_x86_64" >> /etc/initramfs-tools/modules
echo "aes_generic" >> /etc/initramfs-tools/modules
echo "dm-crypt" >> /etc/initramfs-tools/modules
echo "dm-mod" >> /etc/initramfs-tools/modules
echo "sha256" >> /etc/initramfs-tools/modules
echo "sha256_generic" >> /etc/initramfs-tools/modules
echo "lrw" >> /etc/initramfs-tools/modules
echo "xts" >> /etc/initramfs-tools/modules
echo "crypto_blkcipher" >> /etc/initramfs-tools/modules
echo "gf128mul" >> /etc/initramfs-tools/modules
echo "dm-crypt" >> /etc/modules
update-initramfs.orig.initramfs-tools -u -k all


I re-checked whether it contains all the crypto packages, and fortunately now they are there!!! :)
So, I rebooted the system, but unfortunately now I have other error messages:
Code:
modprobe: can't load module padlock_aes (kernel/drivers/crypto/padlock-aes.ko) No such device
modprobe: can't load module aesni_intel (kernel/drivers/crypto/aesni-intel.ko) No such device
Volume group "OS" not found
Skypping volume group OS
Unable to find LVM volume OS/root


I checked and the padlock_aes and aesni_intel files are contained in the initramfs file....
Do you have any idea about these errors?

Thank you very much
Bye

Re: Install Debian on Existing encrypted LVM

Post by kiyop » 2014-03-22 23:58

I do not know the command "update-initramfs.orig.initramfs-tools".
How do you confirm that the necessary modules are in the used initramfs?
Where in the initramfs root directory are they?
You did not explicitly echo "padlock_aes" or "aesni_intel" to /etc/initramfs-tools/modules.

And in one of my Debian wheezy systems, there is no aes-ni.intel.ko in /lib/modules/3.2.0-4-686-pae/kernel/crypto/
Code:
$ find /lib/modules -iname aes*
/lib/modules/3.2.0-4-686-pae/kernel/crypto/aes_generic.ko
/lib/modules/3.2.0-4-686-pae/kernel/arch/x86/crypto/aes-i586.ko
/lib/modules/3.2.0-4-686-pae/kernel/arch/x86/crypto/aesni-intel.ko


"-" and "_" seem to be recognized interchangeably by modprobe.
Last edited by kiyop on 2014-03-23 00:15, edited 1 time in total.

Re: Install Debian on Existing encrypted LVM

Post by carachi » 2014-03-23 00:11

Finally I solved the problem in this way.
I ran these commands:

Code:
cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/cryptroot
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot


I created the file /etc/initramfs-tools/conf.d/cryptroot with:
Code:
target=sda5_crypt,source=UUID=ee0a6525-c864-283d-969b-6be334c8f35c,key=none,rootdev,lvm=OS-root


And I regenerated the initramfs file:
Code:
update-initramfs.orig.initramfs-tools -u -k all

I rebooted and now it seems to work!!! :D :D

Thank you very much to all for the help. I hope that this information could also help some other people.
Bye
carachi
 
Posts: 7
Joined: 2010-07-12 16:29
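
An added example, not part of the thread or of any poster's own code: a shell check over an unpacked initramfs tree (extracted with the gzip/cpio command kiyop gives) for the pieces the thread found missing, plus a sanity check of a conf.d/cryptroot line like the one in the post above. The in-image paths sbin/cryptsetup, sbin/lvm and conf/conf.d/cryptroot are assumptions about the Debian wheezy layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an unpacked initramfs tree for what is needed to unlock
# LUKS and activate LVM at boot. In-image paths are assumed (wheezy layout).

# Print one "MISSING:" line per absent component; exit status = number missing.
check_initramfs_tree() {
    tree=$1
    missing=0
    for f in sbin/cryptsetup sbin/lvm conf/conf.d/cryptroot; do
        if [ ! -e "$tree/$f" ]; then
            echo "MISSING: $f"
            missing=$((missing + 1))
        fi
    done
    for mod in dm-mod dm-crypt; do
        if [ -z "$(find "$tree/lib/modules" -name "$mod.ko" 2>/dev/null)" ]; then
            echo "MISSING: module $mod"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Check one conf.d/cryptroot line for non-empty target=, source= and, because
# root is a logical volume inside the container, lvm=.
check_cryptroot_line() {
    line=$1
    rc=0
    for key in target source lvm; do
        case ",$line," in
            *",$key="[!,]*) ;;
            *) echo "cryptroot line lacks $key="; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: a tree that holds only the LVM tool, no crypto pieces.
demo=$(mktemp -d)
mkdir -p "$demo/sbin"
: > "$demo/sbin/lvm"
check_initramfs_tree "$demo" || echo "this initramfs cannot unlock the root device"
check_cryptroot_line "target=sda5_crypt,source=UUID=ee0a6525-c864-283d-969b-6be334c8f35c,key=none,rootdev,lvm=OS-root" \
    && echo "cryptroot line ok"
rm -rf "$demo"
```

Run it against the directory where the image was extracted, before rebooting, to see whether the regenerated initramfs actually picked up the cryptroot configuration.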

Re: Install Debian on Existing encrypted LVM

Post by kiyop » 2014-03-23 00:17

Great! Congratulations! :D

Debianinstaller doesn't install lvm2, and lacks some cryptro

Post by narcisgarcia » 2014-05-22 08:31

I had a similar issue (but also with RAID), and wanted to know how DebianInstaller does a good job.
Installing Debian 7.5, I needed to use the following layer order:

    > /boot in a traditional partition
    > Physical volume for RAID, on each disk
      >>Physical volume for LVM
        >>>Physical volume for encryption
          >>>>Physical volume for LVM

Yes, for LVM+Crypt to work without manual patches, there must be an LVM layer outside the LUKS layer.
Once the system is installed, it's enough to install the lvm2 package in a chroot session.

I believe that there is a bug in DebianInstaller because it doesn't install the lvm2 package when necessary, and some other issue in the initramfs/cryptsetup configuration that prevents the unlock prompt when the LVM layer is only inside the encrypted one.
narcisgarcia
 
Posts: 5
Joined: 2010-10-14 11:02
