Installing Grub with LUKS encryption

Linode Staff

I'm installing Arch Linux with disk encryption (LUKS) from scratch. Following this guide:
https://linuxhint.com/setup-luks-encryption-on-arch-linux/
I get the following error when executing:

$ grub-install --boot-directory=/boot --efi-directory=/boot/efi /dev/sda2

grub-install: warning: File system `ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible.  GRUB can only be installed in this setup by using blocklists.  However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.

In GParted I set /dev/sda2 to be BIOS Boot type and formatted it with mkfs.ext2.
I followed all the steps in the guide above with the following change. According to these:
https://wiki.archlinux.org/index.php/GRUB#BIOS_systems
https://wiki.archlinux.org/index.php/Arch_boot_process#Boot_loader

GRUB supports LUKS1. Therefore, when initializing disk encryption on /dev/sda3 I deviated from the guide and did this:
$ cryptsetup luksFormat --type luks1 -v -s 512 -h sha512 /dev/sda3

4 Replies

The error that you are seeing looks to be caused by specifying the partition number when installing GRUB, and was a mistake made by the author of that guide. Even if a disk has multiple partitions, just the bare disk should be specified like so:

$ grub-install --boot-directory=/boot --efi-directory=/boot/efi /dev/sda

Additionally, I do not think that you should be following the aforementioned guide as it is intended for UEFI systems, while Linodes use traditional BIOS booting. If you would like to set up Arch Linux on a partitioned disk using LUKS encryption on a Linode, I would recommend using the guide provided on the official Arch Wiki.
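
The two checks from the answer above (whole disk rather than partition, BIOS rather than UEFI) as an added pre-flight script; it is not part of the original thread. The function names and the overridable `SYSFS` variable are assumptions for illustration; the script relies on the kernel's sysfs layout, where partitions carry a `partition` attribute and `/sys/firmware/efi` exists only on EFI boots.

```shell
#!/bin/sh
# Added example: pre-flight check to run before grub-install.
# SYSFS is overridable (assumption) so the functions can be run against a constructed tree.
SYSFS="${SYSFS:-/sys}"

# Print "disk", "partition" or "unknown" for a device path such as /dev/sda2.
target_kind() {
    node="$SYSFS/class/block/$(basename "$1")"
    if [ ! -e "$node" ]; then
        echo unknown
    elif [ -e "$node/partition" ]; then
        echo partition
    else
        echo disk
    fi
}

# Print the whole-disk device that a partition belongs to (/dev/sda2 -> /dev/sda).
parent_disk() {
    real=$(readlink -f "$SYSFS/class/block/$(basename "$1")")
    echo "/dev/$(basename "$(dirname "$real")")"
}

# Print "uefi" if the running system was booted through EFI, otherwise "bios".
firmware_mode() {
    if [ -d "$SYSFS/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# Print the grub-install arguments that match this machine, or fail with a hint
# when the target is a partition or does not exist.
preflight() {
    kind=$(target_kind "$1")
    if [ "$kind" = partition ]; then
        echo "$1 is a partition; install to $(parent_disk "$1") instead" >&2
        return 1
    elif [ "$kind" = unknown ]; then
        echo "$1 is not a known block device" >&2
        return 1
    fi
    if [ "$(firmware_mode)" = uefi ]; then
        echo "--target=x86_64-efi $1"
    else
        echo "--target=i386-pc $1"
    fi
}
```

Run `preflight /dev/sda2` from the install environment before `grub-install`; a non-zero exit means the target needs to change.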

Even after I removed the partition number, I could not succeed despite numerous tries. The system would not boot. I think it's for the reason you said. I'll give your guide a try. Thank you.

Did this get sorted out? Having the same problem. Arch Wiki says it is due to this: https://wiki.archlinux.org/index.php/GRUB#msdos-style_error_message

Also, is there a way to get a newer cryptsetup? This one is pretty old:
cryptsetup --version
cryptsetup 1.6.6

Actually, this was before this fix was even out, which is a very important fix (2016):
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

While it seems 1.6.6 was well before 2015.
Thanks!
