Case: Plymouth
Based on issue #59.

When using plymouth, the LUKS partition can be unlocked remotely, but not locally, because the passphrase cannot be typed properly at the local plymouth prompt. This case covers the following setup:
- Arch-based distribution
- Use plymouth
- Use grub as boot loader
- Use systemd-based hooks with mkinitcpio
- Use different LUKS volumes for / and /home with the same passphrase
- Allow LUKS volumes to be unlocked both locally and remotely
- Use Btrfs as file system
- Use Btrfs subvolumes
- Allow hibernation to a Btrfs swap file
My system layout is as follows.

Device | Type | FS | UUID | Mounted at / mapped to
---|---|---|---|---
/dev/nvme0n1p1 | "/boot" partition | vfat | 122C-3173 | /boot
/dev/nvme0n1p2 | LUKS | | 92887f53-a4f9-45d0-93a2-1c74261c1229 | /dev/mapper/cryptroot
/dev/mapper/cryptroot | Btrfs "cryptroot" (subvolumes) | btrfs | dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 | / (subvol @), /swap (subvol @swap)
/dev/sda1 | LUKS | | 130f1594-6caa-4584-a8de-181ba8030d19 | /dev/mapper/crypthome
/dev/mapper/crypthome | Btrfs "crypthome" (subvolumes) | btrfs | 1da94d84-c272-4230-92a2-e5099f4a0292 | /home (subvol @home)
Install the required packages and enable the required services. Use initrd-plymouth.path instead of initrd-cryptsetup.path, since it is the plymouth variant of the passphrase prompt unit. Also register the SSH key used for remote authentication. It is a good idea to edit initrd-debug-progs.service to comment out the binaries you do not need, or to add the ones you do.

```console
# pacman -S busybox tinyssh tinyssh-convert mkinitcpio-systemd-tool mc
# systemctl enable initrd-plymouth.path
# systemctl enable initrd-tinysshd.service
# systemctl enable initrd-debug-progs.service
# systemctl enable initrd-sysroot-mount.service
# mkdir /root/.ssh
# chmod 700 /root/.ssh
# cat /etc/ssh/ssh_host_ed25519_key.pub >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
```

Note that the `cat` line authorizes the public half of this machine's own ed25519 host key. To unlock from another machine, append that machine's public key to /root/.ssh/authorized_keys instead. tinyssh accepts only ed25519 keys, so an RSA or ECDSA key in authorized_keys will never be able to log in to the initrd.
The contents of each setting file are shown below.

/etc/mkinitcpio-systemd-tool/config/crypttab:

```
cryptroot UUID=92887f53-a4f9-45d0-93a2-1c74261c1229 none luks,discard
```

Leave /etc/mkinitcpio-systemd-tool/config/fstab empty, because a root entry there conflicts with the root= option on the kernel command line. See: https://github.com/random-archer/mkinitcpio-systemd-tool/wiki/Root-vs-Fstab

The sd-encrypt hook is not needed, because the systemd-tool hook replaces it.

/etc/mkinitcpio.conf:

```
MODULES=()
BINARIES=("/usr/bin/btrfs")
FILES=()
HOOKS=(base systemd sd-plymouth autodetect keyboard sd-vconsole modconf block filesystems btrfs systemd-tool)
```
Set resume_offset to the value calculated as described in https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file_on_Btrfs. Note that resume= carries the UUID of the Btrfs filesystem inside the opened LUKS container (dbd2e7e5-...), not the UUID of the LUKS partition itself.

/etc/default/grub:

```
...
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 splash resume=UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 resume_offset=16400"
GRUB_CMDLINE_LINUX=""
...
```
/etc/crypttab (the /home volume is unlocked by the booted system, not by the initrd):

```
crypthome UUID=130f1594-6caa-4584-a8de-181ba8030d19 none luks
```
/etc/fstab (the mount option lists are cut off in the original):

```
# /dev/mapper/cryptroot
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 / btrfs rw,relatime,compress=lzo,ssd,s 0 0

# /dev/nvme0n1p1
UUID=122C-3173 /boot vfat rw,nosuid,nodev,noexec,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2

# /dev/mapper/crypthome
UUID=1da94d84-c272-4230-92a2-e5099f4a0292 /home btrfs rw,nosuid,nodev,relatime,compr 0 0

# /dev/mapper/cryptroot
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 /swap btrfs rw,nosuid,nodev,noexec,relatim 0 0

/swap/swapfile none swap defaults 0 0
```
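The fragments above reference the same handful of UUIDs from several files, and a mix-up between the LUKS container UUID and the Btrfs filesystem UUID (for example in resume=) only shows up at the next reboot. The script below is an added example, not part of this page's configuration or of mkinitcpio-systemd-tool: it cross-checks saved copies of the crypttab, fstab, GRUB and authorized_keys files against a saved `blkid` listing. The directory layout and file names it reads are assumptions made for the example, the blkid output, the subvol= options and the authorized_keys entry in the fixture are constructed from the layout table above, and the ed25519-only check relies on tinyssh supporting no other key type.

```shell
#!/bin/sh
# Added example, not part of this page's configuration or of mkinitcpio-systemd-tool.
# Cross-checks that the crypttab, fstab, GRUB and authorized_keys fragments agree
# with each other and with blkid, so a wrong UUID is caught before rebooting.
# Inputs are plain files in one directory (the file names are an assumption of
# this example), which lets the check run offline on saved copies:
#   blkid.txt        saved output of `blkid`
#   initrd-crypttab  /etc/mkinitcpio-systemd-tool/config/crypttab
#   crypttab         /etc/crypttab
#   fstab            /etc/fstab
#   grub             /etc/default/grub
#   authorized_keys  /root/.ssh/authorized_keys

# UUIDs of all blkid lines whose TYPE="..." equals $2 (e.g. crypto_LUKS, btrfs).
blkid_uuids_of_type() {
    grep "TYPE=\"$2\"" "$1" | sed 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/'
}

# UUID= targets of every non-comment crypttab entry in file $1.
crypttab_uuids() {
    sed -n 's/^[[:space:]]*[^#][^[:space:]]*[[:space:]]\{1,\}UUID=\([^[:space:]]*\).*/\1/p' "$1"
}

# Run all checks on directory $1; prints one FAIL line per problem and
# returns 0 only if everything is consistent.
check_config() {
    dir=$1 rc=0
    luks=$(blkid_uuids_of_type "$dir/blkid.txt" crypto_LUKS)
    # 1. Every crypttab target must be a LUKS container that blkid knows about.
    for f in initrd-crypttab crypttab; do
        for u in $(crypttab_uuids "$dir/$f"); do
            if ! printf '%s\n' "$luks" | grep -qx "$u"; then
                echo "FAIL: $f names UUID $u, which blkid does not report as crypto_LUKS"; rc=1
            fi
        done
    done
    # 2. resume= must name the btrfs filesystem carrying /swap in fstab, i.e. the
    #    UUID seen inside the opened mapper device, not the LUKS container UUID.
    resume=$(sed -n 's/.*resume=UUID=\([^[:space:]"]*\).*/\1/p' "$dir/grub")
    swapfs=$(awk '$1 ~ /^UUID=/ && $2 == "/swap" { sub("UUID=", "", $1); print $1 }' "$dir/fstab")
    if [ -z "$resume" ] || [ "$resume" != "$swapfs" ]; then
        echo "FAIL: resume=UUID=$resume but /swap is mounted from UUID=$swapfs"; rc=1
    fi
    if ! grep -q 'resume_offset=[0-9]' "$dir/grub"; then
        echo "FAIL: resume_offset= missing from GRUB_CMDLINE_LINUX_DEFAULT"; rc=1
    fi
    # 3. The swap file itself must be activated from fstab.
    if ! awk '$1 == "/swap/swapfile" && $3 == "swap"' "$dir/fstab" | grep -q .; then
        echo "FAIL: no swap entry for /swap/swapfile in fstab"; rc=1
    fi
    # 4. tinysshd only speaks ed25519, so any other key type can never log in.
    if grep -v '^[[:space:]]*#' "$dir/authorized_keys" | grep -v '^[[:space:]]*$' | grep -qv '^ssh-ed25519 '; then
        echo "FAIL: authorized_keys contains a key type tinysshd does not support"; rc=1
    fi
    return $rc
}

# Constructed sample matching the layout on this page (subvol= options and the
# key line are placeholders); $2 is the UUID written into resume= so that a
# deliberately wrong variant can be generated as well.
make_fixture() {
    mkdir -p "$1"
    cat >"$1/blkid.txt" <<'EOF'
/dev/nvme0n1p1: UUID="122C-3173" TYPE="vfat"
/dev/nvme0n1p2: UUID="92887f53-a4f9-45d0-93a2-1c74261c1229" TYPE="crypto_LUKS"
/dev/sda1: UUID="130f1594-6caa-4584-a8de-181ba8030d19" TYPE="crypto_LUKS"
/dev/mapper/cryptroot: UUID="dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5" TYPE="btrfs"
/dev/mapper/crypthome: UUID="1da94d84-c272-4230-92a2-e5099f4a0292" TYPE="btrfs"
EOF
    echo 'cryptroot UUID=92887f53-a4f9-45d0-93a2-1c74261c1229 none luks,discard' >"$1/initrd-crypttab"
    echo 'crypthome UUID=130f1594-6caa-4584-a8de-181ba8030d19 none luks' >"$1/crypttab"
    cat >"$1/fstab" <<'EOF'
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 / btrfs rw,relatime,compress=lzo,ssd,subvol=/@ 0 0
UUID=122C-3173 /boot vfat rw,nosuid,nodev,noexec,relatime 0 2
UUID=1da94d84-c272-4230-92a2-e5099f4a0292 /home btrfs rw,nosuid,nodev,relatime,subvol=/@home 0 0
UUID=dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5 /swap btrfs rw,nosuid,nodev,noexec,relatime,subvol=/@swap 0 0
/swap/swapfile none swap defaults 0 0
EOF
    echo "GRUB_CMDLINE_LINUX_DEFAULT=\"quiet loglevel=3 splash resume=UUID=$2 resume_offset=16400\"" >"$1/grub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER user@client' >"$1/authorized_keys"
}

tmp=$(mktemp -d)
make_fixture "$tmp/good" dbd2e7e5-ec01-47c8-b998-eec2dd1c5ea5   # Btrfs UUID: correct
make_fixture "$tmp/bad"  92887f53-a4f9-45d0-93a2-1c74261c1229   # LUKS UUID: the classic mistake
for d in good bad; do
    if check_config "$tmp/$d"; then echo "$d: consistent"; else echo "$d: problems found"; fi
done
rm -rf "$tmp"
```

On a real system the same functions can be pointed at a directory holding `blkid > blkid.txt` and copies of the four configuration files; the check is deliberately read-only, so it is safe to run before `mkinitcpio -P` and `grub-mkconfig`.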
If you use systemd-boot as your boot loader, the setup is almost the same, but grub-mkconfig adds root= to the kernel command line automatically while systemd-boot does not: you have to pass the root option (together with the rootflags= subvolume option for the @ subvolume) in the loader entry yourself, or add the root entry to /etc/mkinitcpio-systemd-tool/config/fstab instead.