Andrei Pozolotin edited this page Apr 26, 2020 · 5 revisions

based on issue #59

The Problem

When using Plymouth, you can unlock the LUKS partition remotely, but you cannot unlock it locally because typing the passphrase at the local Plymouth prompt does not work properly.

Features needed

  • Arch-based distribution
  • Use plymouth
  • Use grub as boot loader
  • Use systemd based hooks with mkinitcpio
  • Use different LUKS volumes for / and /home with the same passphrase
  • Allow LUKS volumes to be unlocked locally and remotely
  • Use Btrfs as file system
  • Use Btrfs subvolume
  • Allow hibernate with Btrfs swap file

The solutions

System layout

My system layout is as follows.

Device                 Type               FS     UUID                                  Mounted
/dev/nvme0n1p1         "/boot" partition  vfat   122C-3173                             /boot
/dev/nvme0n1p2         LUKS               -      92887f53-a4f9-45d0-93a2-1c74261c1229  /dev/mapper/cryptroot
/dev/mapper/cryptroot  Btrfs subvolumes   btrfs  dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5  / (subvol @), /swap (subvol @swap)
/dev/sda1              LUKS               -      130f1594-6caa-4584-a8de-181ba8030d19  /dev/mapper/crypthome
/dev/mapper/crypthome  Btrfs subvolume    btrfs  1da94d84-c272-4230-92a2-e5099f4a0292  /home (subvol @home)

Configuration

Install

Install the required packages and enable the required services. You need to use initrd-plymouth.path instead of initrd-cryptsetup.path. Also register the SSH key used for remote authentication. It's a good idea to edit initrd-debug-progs.service to comment out unnecessary binaries or add the ones you need.

# pacman -S busybox tinyssh tinyssh-convert mkinitcpio-systemd-tool mc
# systemctl enable initrd-plymouth.path
# systemctl enable initrd-tinysshd.service
# systemctl enable initrd-debug-progs.service
# systemctl enable initrd-sysroot-mount.service
# mkdir /root/.ssh
# chmod 700 /root/.ssh
# cat /etc/ssh/ssh_host_ed25519_key.pub >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
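The authorized_keys file registered above is what tinysshd in the initramfs reads, and tinyssh accepts only ed25519 user keys, so an ssh-rsa or ecdsa line in that file cannot be used for the remote unlock and is easy to overlook. The check below is an added example, not code from this page or from the mkinitcpio-systemd-tool project; it assumes GNU coreutils and grep (as on Arch), and the key blobs in its samples are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not the project's code): sanity-check the authorized_keys
# that tinysshd will read in the initramfs. Assumes GNU grep/coreutils.

# 0 when every entry is an OpenSSH-format ed25519 key. The public-key blob
# of an ed25519 key is always 51 bytes, i.e. exactly 68 base64 characters;
# an options prefix (e.g. command="...") and a trailing comment are allowed.
check_authorized_keys() {
    bad=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        grep -Ev '^(.*[[:space:]])?ssh-ed25519 [A-Za-z0-9+/]{68}([[:space:]].*)?$' || true)
    [ -z "$bad" ] || { echo "entries tinyssh cannot use:"; echo "$bad"; return 1; }
}

# 0 when the .ssh directory is 0700 and authorized_keys is 0600, the modes
# the commands on this page set.
check_key_perms() {
    [ "$(stat -c %a "$1")" = 700 ] && [ "$(stat -c %a "$2")" = 600 ]
}

# Constructed samples in a temp dir (placeholder blobs, not real keys);
# prints the directory.
setup_key_samples() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '# constructed: one ed25519 key with a comment\n' > "$d/good"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexample0 user@host\n' >> "$d/good"
    chmod 600 "$d/good"
    cp "$d/good" "$d/mixed"
    # constructed RSA line: valid for OpenSSH, useless for tinyssh
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleRSAblobNOTusable user@host\n' >> "$d/mixed"
    echo "$d"
}

samples=$(setup_key_samples)
check_authorized_keys "$samples/good" && echo "good: all entries are ed25519"
check_key_perms "$samples" "$samples/good" && echo "modes OK"
check_authorized_keys "$samples/mixed" || echo "mixed: rejected as expected"
```

Run it against the real files with `check_authorized_keys /root/.ssh/authorized_keys` and `check_key_perms /root/.ssh /root/.ssh/authorized_keys` before rebuilding the initramfs; a key that fails the format check is the usual reason a remote unlock login is refused.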

Setting files

The contents of each setting file are shown below.

/etc/mkinitcpio-systemd-tool/config/crypttab

cryptroot      UUID=92887f53-a4f9-45d0-93a2-1c74261c1229    none     luks,discard

/etc/mkinitcpio-systemd-tool/config/fstab

Leave /etc/mkinitcpio-systemd-tool/config/fstab empty, as it conflicts with the kernel command line.
See: https://github.com/random-archer/mkinitcpio-systemd-tool/wiki/Root-vs-Fstab

/etc/mkinitcpio.conf

The sd-encrypt hook is not needed, since the systemd-tool hook replaces it.

MODULES=()
BINARIES=("/usr/bin/btrfs")
FILES=()
HOOKS=(base systemd sd-plymouth autodetect keyboard sd-vconsole modconf block filesystems btrfs systemd-tool)

/etc/default/grub

Set the value of the resume_offset parameter to the value calculated according to https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file_on_Btrfs.

...
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 splash resume=UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 resume_offset=16400"
GRUB_CMDLINE_LINUX=""
...

/etc/crypttab

crypthome      UUID=130f1594-6caa-4584-a8de-181ba8030d19        none           luks

/etc/fstab

# /dev/mapper/cryptroot
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5       /               btrfs           rw,relatime,compress=lzo,ssd,s  0 0

# /dev/nvme0n1p1
UUID=122C-3173                                  /boot           vfat            rw,nosuid,nodev,noexec,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2

# /dev/mapper/crypthome
UUID=1da94d84-c272-4230-92a2-e5099f4a0292       /home           btrfs           rw,nosuid,nodev,relatime,compr  0 0

# /dev/mapper/cryptroot
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5       /swap           btrfs           rw,nosuid,nodev,noexec,relatim  0 0
/swap/swapfile                                  none            swap            defaults                        0 0

If you use systemd-boot as your boot loader, the setup is almost the same, but you need to add the root= option to your kernel parameters or add the setting to /etc/mkinitcpio-systemd-tool/config/fstab.
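The files above reference the same UUIDs and mapper names from several places, and a mismatch between them (a resume= UUID that no fstab entry mounts, a missing resume_offset, a volume declared in both the initrd crypttab and /etc/crypttab) only shows up at boot. The consistency check below is an added example, not code from this page or from the mkinitcpio-systemd-tool project; it assumes standard crypttab/fstab syntax, GNU coreutils and grep, and that /etc/default/grub sets GRUB_CMDLINE_LINUX_DEFAULT on a single line. Its sample files are constructed copies of this page's entries written to a temporary directory.

```shell
#!/bin/sh
# Added example (not the project's code): cross-check the crypttab, fstab
# and GRUB settings this page configures. Assumes GNU grep/coreutils.

# All UUID=... values in a file, comments stripped, one per line.
uuids_in() {
    sed 's/#.*//' "$1" | grep -o 'UUID=[0-9A-Fa-f-]*' | sed 's/^UUID=//' | sort -u
}

# Mapper names declared in a crypttab (first field of each entry).
crypttab_names() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { print $1 }'
}

# The resume=UUID=... value on the GRUB kernel command line, or empty.
resume_uuid() {
    grep '^GRUB_CMDLINE_LINUX' "$1" | grep -o 'resume=UUID=[0-9A-Fa-f-]*' |
        head -n 1 | sed 's/^resume=UUID=//'
}

# 0 when hibernation can resume: resume= names a filesystem that fstab
# mounts (the one holding /swap/swapfile) and resume_offset= is present,
# which a swap file needs and a swap partition does not.
check_resume() {
    r=$(resume_uuid "$1")
    [ -n "$r" ] || { echo "no resume=UUID= on the kernel command line"; return 1; }
    uuids_in "$2" | grep -qx "$r" ||
        { echo "resume UUID $r is not mounted by fstab"; return 1; }
    grep -q 'resume_offset=[0-9]' "$1" ||
        { echo "resume_offset= missing (required for a swap file)"; return 1; }
}

# 0 when each volume is declared in exactly one of the two crypttabs, as on
# this page (cryptroot in the initrd crypttab, crypthome in /etc/crypttab).
check_crypttab_names() {
    dup=$( { crypttab_names "$1"; crypttab_names "$2"; } | sort | uniq -d)
    [ -z "$dup" ] || { echo "mapper name declared in both crypttabs: $dup"; return 1; }
}

# Constructed copies of this page's entries in a temp dir; prints the dir.
setup_samples() {
    d=$(mktemp -d)
    echo 'cryptroot UUID=92887f53-a4f9-45d0-93a2-1c74261c1229 none luks,discard' > "$d/crypttab.initrd"
    echo 'crypthome UUID=130f1594-6caa-4584-a8de-181ba8030d19 none luks' > "$d/crypttab"
    cat > "$d/fstab" <<'EOF'
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 /     btrfs rw,relatime            0 0
UUID=122C-3173                            /boot vfat  rw,nosuid,nodev,noexec 0 2
UUID=1da94d84-c272-4230-92a2-e5099f4a0292 /home btrfs rw,nosuid,nodev        0 0
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 /swap btrfs rw,nosuid,nodev,noexec 0 0
/swap/swapfile                            none  swap  defaults               0 0
EOF
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 splash resume=UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 resume_offset=16400"' > "$d/grub"
    # Constructed broken variant: resume= points at a UUID nothing mounts.
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=UUID=00000000-0000-0000-0000-000000000000 resume_offset=16400"' > "$d/grub.bad"
    echo "$d"
}

samples=$(setup_samples)
check_resume "$samples/grub" "$samples/fstab" && echo "resume target OK"
check_crypttab_names "$samples/crypttab.initrd" "$samples/crypttab" && echo "crypttab names OK"
```

On a real system call `check_resume /etc/default/grub /etc/fstab` and `check_crypttab_names /etc/mkinitcpio-systemd-tool/config/crypttab /etc/crypttab` after editing any of the files and before running grub-mkconfig and mkinitcpio.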