Installing Grub with LUKS encryption
I'm installing Arch Linux with disk encryption (LUKS) from scratch, following this guide:
https://linuxhint.com/setup-luks-encryption-on-arch-linux/
I get the following error when executing:
$ grub-install --boot-directory=/boot --efi-directory=/boot/efi /dev/sda2
grub-install: warning: File system `ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.
In GParted I set /dev/sda2 to be BIOS Boot type and formatted it with mkfs.ext2.
I followed all the steps in the guide above with the following change. According to these:
https://wiki.archlinux.org/index.php/GRUB#BIOS_systems
https://wiki.archlinux.org/index.php/Arch_boot_process#Boot_loader
grub supports luks1. Therefore, when initializing disk encryption on /dev/sda3 I deviated from the guide and did this:
$ cryptsetup luksFormat --type luks1 -v -s 512 -h sha512 /dev/sda3
4 Replies
The error that you are seeing looks to be caused by specifying the partition number when installing GRUB, and was a mistake made by the author of that guide. Even if a disk has multiple partitions, just the bare disk should be specified like so:
$ grub-install --boot-directory=/boot --efi-directory=/boot/efi /dev/sda
Additionally, I do not think that you should be following the aforementioned guide as it is intended for UEFI systems, while Linodes use traditional BIOS booting. If you would like to set up Arch Linux on a partitioned disk using LUKS encryption on a Linode, I would recommend using the guide provided on the official Arch Wiki.
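An added example, not part of the original thread or of any reply: a preflight script for the three points raised above (bare disk versus partition as the grub-install target, BIOS versus UEFI boot, and a luks1 header on the encrypted device). The function names and the SYSFS override are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: preflight checks before running grub-install on a LUKS setup.
# SYSFS is overridable (an assumption, for testing); it defaults to the real /sys.
SYSFS="${SYSFS:-/sys}"

# Firmware mode: the kernel exposes /sys/firmware/efi only when booted via UEFI.
firmware_mode() {
    if [ -d "$SYSFS/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# A block device is a partition when sysfs has a "partition" attribute for it.
target_kind() {
    name=$(basename "$1")
    if [ -e "$SYSFS/class/block/$name/partition" ]; then
        echo partition
    elif [ -d "$SYSFS/class/block/$name" ]; then
        echo disk
    else
        echo unknown
    fi
}

# LUKS on-disk header: 6-byte magic "LUKS" 0xBA 0xBE, then a big-endian
# 16-bit version (1 = LUKS1, 2 = LUKS2). Prints 1, 2, or "none".
luks_version() {
    hex=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

# Usage: preflight <grub-install target> <LUKS device>
preflight() {
    rc=0
    echo "firmware: $(firmware_mode)"
    if [ "$(target_kind "$1")" != disk ]; then
        echo "WARN: $1 is not a whole disk; pass the bare disk (e.g. /dev/sda)"
        rc=1
    fi
    v=$(luks_version "$2")
    if [ "$v" != 1 ]; then
        echo "WARN: $2 has LUKS version '$v'; the thread relies on luks1 for GRUB"
        rc=1
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run as root with the intended grub-install target and the LUKS partition as arguments; a non-zero exit status means at least one warning was printed.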
Even after I removed the partition number, I could not succeed despite numerous tries. The system would not boot. I think it's for the reason you said. I'll give your guide a try. Thank you.
Did this get sorted out? Having the same problem. Arch Wiki says it is due to this: https://wiki.archlinux.org/index.php/GRUB#msdos-style_error_message
Also, is there a way to get a newer cryptsetup? This one is pretty old:
cryptsetup --version
cryptsetup 1.6.6
Actually, this was before this fix was even out, which is a very important fix (2016):
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
While it seems 1.6.6 was well before 2015.
Thanks!