At this point, everything seems correct. However, when my system boots, it asks for the LUKS password for my root volume (sda3_crypt); I enter it, it works, and the system boots. My passwords for both volumes are the same, FWIW. The new encrypted FS (/dev/mapper/beast--vg-home) is decrypted and mounted automatically, and I am able to read and write to it with no issues. At this time, however, it provides no security because no password is required to decrypt it upon boot.
I did try running:
# Regenerate the initramfs (-u = update an existing image), presumably so it
# picks up the edited /etc/crypttab.
# NOTE(review): update-initramfs(8) documents `-k all` for "every installed
# kernel"; I cannot find an `-a` flag there - confirm this invocation really
# rebuilt the images instead of printing usage.
update-initramfs -u -a
/etc/crypttab:
# Fields: <target name> <source device> <key file> <options>
# The key file field is `none` for both entries, so neither volume is opened
# from a key stored on disk; a passphrase has to be supplied at boot.
# `discard` lets TRIM requests pass through to the underlying device; the
# cryptsetup documentation warns that this can reveal which blocks are in use.
sda3_crypt UUID=d1caee94-d093-4f2e-a085-a893b439cdd1 none luks,discard
# NOTE(review): this entry has no `noauto`, so the mapping is set up during
# boot. The post says both volumes share one passphrase; the boot-time
# password agent is presumably caching the passphrase typed for the root
# volume and retrying it here, which would explain the missing second prompt.
# Confirm with `journalctl -b -u systemd-cryptsetup@beast.service`.
# The luksDump output on this page shows a single keyslot and no tokens, so
# the volume is still only openable with that passphrase; data at rest stays
# encrypted. If a separate prompt (or unlock on demand) is wanted, use a
# different passphrase, or add `noauto` here and on the matching fstab line.
beast UUID=e0e9bc01-1eaa-409d-928d-c112b70b3eca none luks,discard
# /etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
# Root, /home and swap are logical volumes in the `hoss` volume group, which
# sits on top of the sda3_crypt LUKS mapping (see the lsblk output on this page).
/dev/mapper/hoss--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda2 during installation
# NOTE(review): /boot is a plain ext2 filesystem, so the kernel and initramfs
# that ask for the LUKS passphrase are themselves stored unencrypted.
UUID=8c0c9835-8708-4348-96c2-5b9e10dad2a9 /boot ext2 defaults 0 2
# /boot/efi was on /dev/sda1 during installation
UUID=D480-8A29 /boot/efi vfat umask=0077 0 1
/dev/mapper/hoss--vg-home /home ext4 defaults 0 2
/dev/mapper/hoss--vg-swap_1 none swap sw 0 0
# Second encrypted volume. `defaults` has no `noauto`, so it is mounted at
# boot as soon as the `beast` mapping from /etc/crypttab is open.
/dev/mapper/beast--vg-home /mnt/beast ext4 defaults 0 2
❯ sudo cryptsetup luksDump /dev/md0p1
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: e0e9bc01-1eaa-409d-928d-c112b70b3eca
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 9
Memory: 1048576
Threads: 4
Salt: e9 4e 94 d8 a9 05 7d 93 1c 7e 69 bd 64 34 b2 ea
01 76 91 f9 6f ec 12 a3 5c 98 59 b0 71 32 7e 9b
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 130031
Salt: 6b 8a 33 5d 16 74 40 bb ae 83 54 45 ce 6e 11 10
d3 cf cf 48 fe 9b 40 34 ac c3 ef 86 53 ca 73 8e
Digest: 26 a4 4f 10 e6 49 8e 84 09 ac 63 53 35 d5 18 0b
a8 f1 be 48 0e 32 1b 5d a2 ff b7 44 40 3f d4 cc
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 232.9G 0 disk
└─md0 9:0 0 232.8G 0 raid1
└─md0p1 259:0 0 190.7G 0 part
└─beast 253:4 0 190.7G 0 crypt
└─beast--vg-home 253:5 0 170G 0 lvm /mnt/beast
sdb 8:16 0 232.9G 0 disk
└─md0 9:0 0 232.8G 0 raid1
└─md0p1 259:0 0 190.7G 0 part
└─beast 253:4 0 190.7G 0 crypt
└─beast--vg-home 253:5 0 170G 0 lvm /mnt/beast
sdc 8:32 0 58.7G 0 disk
├─sdc1 8:33 0 512M 0 part /boot/efi
├─sdc2 8:34 0 488M 0 part /boot
└─sdc3 8:35 0 57.7G 0 part
└─sda3_crypt 253:0 0 57.7G 0 crypt
├─hoss--vg-root 253:1 0 19.5G 0 lvm /
├─hoss--vg-swap_1 253:2 0 976M 0 lvm [SWAP]
└─hoss--vg-home 253:3 0 37.2G 0 lvm /home
sdd 8:48 0 931.5G 0 disk
└─sdd1 8:49 0 931.5G 0 part
sde 8:64 1 0B 0 disk
/dev/mapper/hoss--vg-root: UUID="ed9b20e6-d512-4da1-80ff-3aca5ce9beff" BLOCK_SIZE="4096" TYPE="ext4"
/dev/sdd1: LABEL="Data" BLOCK_SIZE="512" UUID="6448254648251876" TYPE="ntfs" PARTUUID="0000b13f-01"
/dev/sdb: UUID="db22b4e6-0ee4-41a7-aba1-a93fda826d3b" UUID_SUB="8328ad54-c53f-5af0-8404-7f0fb4490dea" LABEL="hoss:0" TYPE="linux_raid_member"
/dev/md0p1: UUID="e0e9bc01-1eaa-409d-928d-c112b70b3eca" TYPE="crypto_LUKS" PARTUUID="e30d6ba1-f943-b54b-9c2c-914593ad14ed"
/dev/mapper/hoss--vg-swap_1: UUID="9555abec-093b-4ed2-b211-be33e9cb2460" TYPE="swap"
/dev/mapper/sda3_crypt: UUID="kFrSyf-1waB-RzXQ-o9hI-BzII-wDsd-GGL5tT" TYPE="LVM2_member"
/dev/sdc2: UUID="8c0c9835-8708-4348-96c2-5b9e10dad2a9" BLOCK_SIZE="1024" TYPE="ext2" PARTUUID="24d21558-e68e-4b5d-b323-fb88750e137b"
/dev/sdc3: UUID="d1caee94-d093-4f2e-a085-a893b439cdd1" TYPE="crypto_LUKS" PARTUUID="61326100-cb6a-4ef8-94b8-70b0748d2d4e"
/dev/sdc1: UUID="D480-8A29" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="f6d051e3-fd1f-46b9-ae6a-bd5da09a584f"
/dev/sda: UUID="db22b4e6-0ee4-41a7-aba1-a93fda826d3b" UUID_SUB="afde4a35-f0e0-7129-ef50-6f7570f97f0f" LABEL="hoss:0" TYPE="linux_raid_member"
/dev/mapper/hoss--vg-home: UUID="aa2e5d9f-0c2e-48f0-a4e1-416b6e0ffe48" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/beast: UUID="Q3GvpK-98sw-b79l-S20v-W8jV-Y9eY-st7R9w" TYPE="LVM2_member"
/dev/mapper/beast--vg-home: UUID="44dd3c0e-44c4-4463-812d-a8ea10873098" BLOCK_SIZE="4096" TYPE="ext4"
Filesystem Size Used Avail Use% Mounted on
udev 16G 0 16G 0% /dev
tmpfs 3.2G 2.4M 3.2G 1% /run
/dev/mapper/hoss--vg-root 20G 15G 4.0G 78% /
tmpfs 16G 1.7M 16G 1% /dev/shm
tmpfs 5.0M 16K 5.0M 1% /run/lock
/dev/sdc2 456M 196M 235M 46% /boot
/dev/sdc1 511M 17M 495M 4% /boot/efi
/dev/mapper/hoss--vg-home 37G 20G 15G 57% /home
/dev/mapper/beast--vg-home 167G 32K 158G 1% /mnt/beast
tmpfs 3.2G 100K 3.2G 1% /run/user/1000
[ 0.684651] ERST: Error Record Serialization Table (ERST) support is initialized.
[ 0.707875] i8042: Warning: Keylock active
[ 1.232436] pci 10000:00:02.0: BAR 13: failed to assign [io size 0xb000]
[ 1.232441] pci 10000:00:03.0: BAR 13: failed to assign [io size 0xc000]
[ 1.232448] pci 10000:00:02.0: BAR 13: failed to assign [io size 0xb000]
[ 1.232453] pci 10000:00:03.0: BAR 13: failed to assign [io size 0xc000]
[ 16.607484] iwlwifi 0000:b3:00.0: firmware: failed to load iwl-debug-yoyo.bin (-2)
[ 16.607566] iwlwifi 0000:b3:00.0: firmware: failed to load iwl-debug-yoyo.bin (-2)
[ 16.793598] thermal thermal_zone0: failed to read out thermal zone (-61)
# /etc/default/grub - settings used to generate /boot/grub/grub.cfg.
# After editing this file, run 'update-grub' to regenerate grub.cfg.
# Full option reference:
#   info -f grub -n 'Simple configuration'

# Default menu entry, and seconds to wait before booting it.
GRUB_DEFAULT=0
GRUB_TIMEOUT=5

# Distributor name: ask lsb_release, fall back to "Debian" if that fails.
GRUB_DISTRIBUTOR=$(lsb_release -i -s 2> /dev/null || echo Debian)

# Extra kernel command-line arguments. The generated grub.cfg on this page
# shows "quiet" on the normal entries and not on the recovery entries.
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""

# os-prober searches for other installed operating systems. It mounts
# filesystems while looking, which can damage guest OSes installed via LVM or
# raw disk devices when this computer is a host for them.
# NOTE(review): probing is enabled here ("false" means it is not disabled).
GRUB_DISABLE_OS_PROBER=false

# BadRAM filtering (disabled). Works with Linux (no patch required) and with
# any kernel that obtains the memory map from GRUB (GNU Mach, kernel of
# FreeBSD ...). Uncomment and adjust to enable.
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to turn off the graphical terminal.
#GRUB_TERMINAL=console

# Resolution for the graphical terminal. Only modes the graphics card
# supports via VBE can be used; list them in real GRUB with `vbeinfo'.
#GRUB_GFXMODE=640x480

# Uncomment to stop GRUB passing "root=UUID=xxx" to Linux.
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to skip generating recovery mode menu entries.
#GRUB_DISABLE_RECOVERY="true"

# Uncomment for a beep when GRUB starts.
#GRUB_INIT_TUNE="480 440 1"
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
# Load the variables saved in grubenv, if that file exists and is non-empty.
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
# A one-shot next_entry wins as the default; it is cleared and written back so
# it applies to this boot only. Otherwise the first menu entry is the default.
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
# Pass --id to menuentry only when this GRUB build advertises the feature.
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
# Move prev_saved_entry (if set) back into saved_entry, clear it, and mark
# this boot as a one-shot selection.
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
# Store the chosen entry as saved_entry in grubenv, except when boot_once is
# set (the header sets it for one-shot next_entry / prev_saved_entry boots).
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
# Load GRUB video driver modules: the single all_video module when this build
# advertises it, otherwise each listed driver module one by one.
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
# Pick the menu font: the built-in default path when supported, otherwise
# unicode.pf2 read from the filesystem with UUID 8c0c9835-... (the ext2 /boot
# partition according to the fstab and blkid output on this page).
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
font="/grub/unicode.pf2"
fi
# Set up the graphical terminal and en_US message catalogue only if the font
# loaded successfully.
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_output gfxterm
# Menu timeout: 30 seconds when recordfail is 1, otherwise 5 seconds.
if [ "${recordfail}" = 1 ] ; then
set timeout=30
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
# Point root at the /boot filesystem (by UUID) so the theme image can be read.
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
insmod png
# Use white/black text colours when the background image loads, otherwise the
# cyan/blue menu colours.
if background_image /grub/.background_cache.png; then
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/10_linux ###
# Set gfxpayload to the first argument.
function gfxmode {
set gfxpayload="${1}"
}
# linux_gfx_mode is left empty and exported.
set linux_gfx_mode=
export linux_gfx_mode
# Default entry: boots Linux 6.1.0-20-amd64.
# The kernel and initrd are read from the filesystem with UUID 8c0c9835-...,
# which the fstab on this page mounts as the unencrypted ext2 /boot.
# NOTE(review): the kernel command line names only the root logical volume
# and no LUKS device, so unlocking of both encrypted volumes is presumably
# driven by /etc/crypttab rather than by anything in this file.
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
echo 'Loading Linux 6.1.0-20-amd64 ...'
linux /vmlinuz-6.1.0-20-amd64 root=/dev/mapper/hoss--vg-root ro quiet
echo 'Loading initial ramdisk ...'
initrd /initrd.img-6.1.0-20-amd64
}
# Submenu with a normal and a recovery entry for each installed kernel
# (6.1.0-20 and 6.1.0-18). Every entry locates /boot by the same filesystem
# UUID and uses the same root= argument; the recovery entries pass `single`
# where the normal entries pass `quiet`.
# NOTE(review): no entry here or elsewhere in this file is marked as requiring
# a GRUB user/password; whether that matters depends on who has console access.
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
# Linux 6.1.0-20, normal boot.
menuentry 'Debian GNU/Linux, with Linux 6.1.0-20-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-20-amd64-advanced-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
echo 'Loading Linux 6.1.0-20-amd64 ...'
linux /vmlinuz-6.1.0-20-amd64 root=/dev/mapper/hoss--vg-root ro quiet
echo 'Loading initial ramdisk ...'
initrd /initrd.img-6.1.0-20-amd64
}
# Linux 6.1.0-20, recovery mode (`single` on the kernel command line).
menuentry 'Debian GNU/Linux, with Linux 6.1.0-20-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-20-amd64-recovery-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
echo 'Loading Linux 6.1.0-20-amd64 ...'
linux /vmlinuz-6.1.0-20-amd64 root=/dev/mapper/hoss--vg-root ro single
echo 'Loading initial ramdisk ...'
initrd /initrd.img-6.1.0-20-amd64
}
# Linux 6.1.0-18, normal boot.
menuentry 'Debian GNU/Linux, with Linux 6.1.0-18-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-18-amd64-advanced-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
echo 'Loading Linux 6.1.0-18-amd64 ...'
linux /vmlinuz-6.1.0-18-amd64 root=/dev/mapper/hoss--vg-root ro quiet
echo 'Loading initial ramdisk ...'
initrd /initrd.img-6.1.0-18-amd64
}
# Linux 6.1.0-18, recovery mode (`single` on the kernel command line).
menuentry 'Debian GNU/Linux, with Linux 6.1.0-18-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-18-amd64-recovery-ed9b20e6-d512-4da1-80ff-3aca5ce9beff' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8c0c9835-8708-4348-96c2-5b9e10dad2a9
else
search --no-floppy --fs-uuid --set=root 8c0c9835-8708-4348-96c2-5b9e10dad2a9
fi
echo 'Loading Linux 6.1.0-18-amd64 ...'
linux /vmlinuz-6.1.0-18-amd64 root=/dev/mapper/hoss--vg-root ro single
echo 'Loading initial ramdisk ...'
initrd /initrd.img-6.1.0-18-amd64
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/30_uefi-firmware ###
# Menu entry that runs GRUB's fwsetup command, which restarts the machine into
# the UEFI firmware setup screen.
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###
### BEGIN /etc/grub.d/35_fwupd ###
### END /etc/grub.d/35_fwupd ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
# Source an optional custom.cfg: from config_directory when the file exists
# there, else from $prefix when config_directory is empty.
# NOTE(review): this file is read at boot from wherever grub.cfg lives,
# presumably the unencrypted /boot partition, so its contents are only as
# trustworthy as write access to that partition.
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###