LUKS + LVM root filesystem cannot be unlocked with password during boot

sidcha · July 9, 2024, 7:39pm

I’m following the steps outlined in this issue (with adjustments for the suggested fix) almost exactly using the latest ISO installer. nixos-install succeeds and when I reboot I see this:

<<< NixOS Stage 1 >>>

loading module dm-snapshot...
loading module dm_mod....
running udev...
Starting systemd-udevd version 255.6
Waiting 10 seconds for device /dev/disks/by-uuid/<UUID> to appear....... - failure
/dev/disks/by-uuid/<UUID> is unavailable

An error occurred in sage 1 of the boot process, which mount the
root filesystem on '/mnt-root' and then start stage 2. Press one
of the following keys:
[...]

Basically there is no opportunity for me to enter the password during boot.

TLATER · July 10, 2024, 8:58am

You’re following a 4 year old guide there, things have probably changed a fair bit.

What you’re seeing is that your bootloader is trying to wait for a drive that doesn’t exist. This would happen if you did not configure it to try and unlock your luks first. What’s in your configuration.nix?

sidcha · July 10, 2024, 9:24am

I believe the relevant sections are:

hardware-configuration.nix:

  [...]
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/1460e15b-603d-4b62-ba11-07ef55d29302";
      fsType = "ext4";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/58A7-278D";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/94c27444-c81e-4757-803d-344b7e3fb1de"; }
    ];
  [...]

configuration.nix:

  [...]
  boot = {
    # Use the systemd-boot EFI boot loader.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Open encrypted disk before mounting root filesystem
    initrd = {
      # suggested workaround 1
      luks.cryptoModules = lib.mkOptionDefault [
        "hmac"
        "rng"
        "encrypted_keys"
      ];
      luks.devices."nixos" = {
        device = "/dev/disks/by-uuid/1460e15b-603d-4b62-ba11-07ef55d29302";
        preLVM = true;  # suggested workaround 2
      };
    };

    kernelParams = [
      "boot.shell_on_fail"
    ];
  };
  [...]

TLATER · July 10, 2024, 9:44am

Note that these two UUIDs are the same:

This cannot be correct, because the LUKS partition has to be unlocked before the partition with the UUID of the root partition can even exist. They must be different in a correct configuration.

Reboot into the install medium, and then check for the UUID of the LUKS partition (without mounting anything) with blkid. When you have the correct UUID, just update the luks.devices."nixos" device.

Since you use a UUID, I don’t think preLVM is relevant at all.

sidcha · July 10, 2024, 11:46am

Nice catch. I updated the configuration.nix to have the UUID of the LUKS partition. After the update, same issue appears but this time loader waits for the right UUID and fails the same way.

I entered the interactive shell and verified that the /dev/disks/by-uuid/<UUID> actually exits.

PS. I removed both the workarounds listed in my last comment to keep things clean.

TLATER · July 10, 2024, 1:41pm

Hm, odd! Can you try cryptsetup luksOpen-ing the drive manually in that shell? Maybe need to use systemd’s variant of it.

sidcha · July 10, 2024, 2:48pm

I actually tried that and was able to decrypt the disk. After that, I tried to mount it to /mnt but that fails complaining: /mnt no such file or directory.

hans4687 · July 10, 2024, 3:44pm

Hi,
I have a quite similar configuration of a luks encryped device with lvm containing a root and swap device. So the configuration.nix and hardware-configuration seems in order.

I think you should be able to mount the root device when booting with a capable distribution on usb or dvd.

TLATER · July 10, 2024, 10:26pm

That directory won’t exist, yeah. Instead of mounting it, just quit the shell, systemd should pick up from there and try mounting stuff for you.

Are you certain the UUIDs are both correct, no character slightly wrong or such?

sidcha · July 11, 2024, 8:14am

I found the issue: the path to the disk in the configuration.nix has “disks” instead of “disk”. When I was trying out the path, tab completion made me overlook this issue and I was busy verifying just the UUID part of the sting :facepalm:

Thanks for your help with the LUKS partition UUID issue.