Debian: luks cryptoroot and the change of boot device

Hello,

some days ago I installed my incredibly cheap, powerful and nice new mainboard, CPU and RAM (AMD AthlonII X4 620, Biostar TA785G3, 4GB DDR3-1333 (7-7-7-20)).

Having used my old hardware for quite some time now (AMD Athlon XP 2500+ @ 2100, DFI AD77 Infinity) I decided to get new hardware. Basically the decision was not driven by the need for speed but rather by the nifty virtualization features current CPUs provide.

Checking the market revealed that for no obvious reason Intel decided against the users and all CPUs not costing the rough equivalent of a small car are out of scope. So I was with AMD, again. That’s a good thing because AMD thought that it is a good choice to have only 1 basic CPU layout and sell the partially broken chips with deactivated broken parts for less money under different names.

This means that nearly every CPU they sell right now, whether it is named Athlon X2, Athlon X3, Phenom or even Sempron, is in fact a complete Phenom II with deactivated parts. The parameters for deactivation are AMD's secret…

So I bought a 4-core CPU with a deactivated 3rd-level cache: the AthlonII X4 620.

I wanted to keep my old hard drives and the rest of the machine, at least for now.

So I thought I’d rip out the old stuff, tighten the screws of the new stuff, boot up and be ready!

No… that was not the thing that was about to happen… After everything had been put in the right place, the machine tried to boot but was unable to find the right logical volume (LVM) because the new board's PATA/IDE device was now called /dev/hdc instead of /dev/hda!

GREAT. No documentation at all. Only one wiki entry (Ubuntu…) telling the world that the lack of luks management is a problem. Surprise…

OK, now the solution.

Wait until the initial RAM disk gives up looking for the volume and drops to a shell (busybox). This can take several minutes, but you can speed things up by setting the boot parameter rootdelay=15 in your bootloader.

Edit the file /conf/conf.d/cryptroot to reflect your new setup.

In my case, change it from:

target=hda2_crypt,source=/dev/hda2,key=none,lvm=calimero-root
target=hda2_crypt,source=/dev/hda2,key=none,lvm=calimero-swap_1

to

~ # cat /conf/conf.d/cryptroot
target=hda2_crypt,source=/dev/hdc2,key=none,lvm=calimero-root
target=hda2_crypt,source=/dev/hdc2,key=none,lvm=calimero-swap_1

You can do this using

# vi /conf/conf.d/cryptroot

But you should be familiar with basic vi commands (HINT: type “i”, change the definition, hit “<ESC>”, type “:wq!”)

Next, unlock the encrypted filesystem by entering the passphrase:

~ # unlock
Enter passphrase to unlock the disk /dev/hdc2 (hda2_crypt):
key slot 0 unlocked.
Command successful.
File descriptor 3 left open
File descriptor 5 left open
2 logical volume(s) in volume group "calimero" now active
cryptsetup: hda2_crypt setup successfully

Now you have booted the machine using the new path to the hard drive.

It is time to change the paths in the OS and make the changes permanent. Here is the result of the necessary changes:

# cat /etc/crypttab
hda2_crypt /dev/hdc2 none luks

# cat /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
none            /proc/bus/usb   usbfs   devgid=121,devmode=664  0       0
/dev/mapper/calimero-root /               ext3    noatime,errors=remount-ro 0       1
/dev/hdc1       /boot           ext3    defaults        0       2
/dev/mapper/calimero-swap_1 none            swap    sw              0       0

This is still not good enough because the initrd has not been rebuilt yet.

To do this now you should run the following command:

update-initramfs -k all -u

which should build new ramdisks for all kernels configured.

In my case I had to list the network modules so I could unlock my system remotely in

/etc/initramfs-tools/modules
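
As an added example (not part of the original post), the following script lists device paths in crypttab, fstab or cryptroot that no longer exist, and rewrites /dev/hda to /dev/hdc without touching the mapping name hda2_crypt. The function names, the ROOT test argument and the throwaway device tree are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. File contents are constructed
# from the listings in the post; ROOT is a hypothetical test hook.

# stale_devs FILE [ROOT]: print every /dev/... path referenced in FILE
# (comments skipped) that does not exist below ROOT (default: the real /).
stale_devs() {
    file=$1 root=${2:-}
    sed -e 's/#.*//' "$file" | grep -oE '/dev/[^[:space:],]+' | sort -u |
        while IFS= read -r dev; do
            [ -e "$root$dev" ] || printf '%s\n' "$dev"
        done
}

# rename_dev OLD NEW FILE: print FILE with OLD, OLD1, OLD2, ... rewritten to
# NEW, NEW1, NEW2, ... OLD must be a full /dev path (it is used as a regex),
# so the mapping name "hda2_crypt" and /dev/mapper/* entries stay untouched.
rename_dev() {
    sed -E "s#$1([0-9]*)([^[:alnum:]_-]|\$)#$2\1\2#g" "$3"
}

# Demo on a throwaway tree where only the new device names exist.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/dev/mapper"
    for d in hdc1 hdc2 mapper/calimero-root mapper/calimero-swap_1; do
        : > "$t/dev/$d"
    done
    printf '%s\n' 'hda2_crypt /dev/hda2 none luks' > "$t/crypttab"
    printf '%s\n' '# <file system> <mount point> <type> <options> <dump> <pass>' \
        '/dev/mapper/calimero-root / ext3 noatime,errors=remount-ro 0 1' \
        '/dev/hda1 /boot ext3 defaults 0 2' \
        '/dev/mapper/calimero-swap_1 none swap sw 0 0' > "$t/fstab"
    printf '%s\n' 'target=hda2_crypt,source=/dev/hda2,key=none,lvm=calimero-root' \
        > "$t/cryptroot"
    for f in crypttab fstab cryptroot; do
        echo "$f: stale before: $(stale_devs "$t/$f" "$t" | tr '\n' ' ')"
        rename_dev /dev/hda /dev/hdc "$t/$f" > "$t/$f.new"
        echo "$f: stale after:  $(stale_devs "$t/$f.new" "$t" | tr '\n' ' ')"
    done
    rm -rf "$t"
}

demo
```

On a real system, run stale_devs on /etc/crypttab and /etc/fstab before update-initramfs -k all -u; empty output means every referenced device path exists.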

Good luck!

Yours sincerely

Cardiano
