The problem during the installation of Plasma Desktop

I want to install PLASMA DESKTOP but with tricky encryption. I ran into a problem, I can not solve it myself, please help :scream: :cry: :scream: :exploding_head:

The algorithm is as follows:

  1. Launch the live USB of Manjaro KDE Plasma version 5.26.5 from the boot menu.

  2. Launch Konsole and install Architect by running the command “sudo pacman -Sy manjaro-architect”.

  3. Enter the command “lsblk” to check for connected storage devices. Determine that the disk on which Manjaro will be installed is called “sda,” and the USB drive on which the Grub bootloader and the encrypted boot partition with kernels, initramfs, LUKS header, and keys for /dev/sda will be located is called “sdc.”

  4. Enter the command “sudo cfdisk /dev/sdc” to create a partition for storing /boot, which will be encrypted later.

  5. Enter the command “sudo fdisk -l /dev/sdc” to check the Disklabel - dos and the device /dev/sdc1.

  6. Enter the command “sudo cryptsetup benchmark” to find out which algorithms with hashes can be applied and what read/write speeds will be when using them. Only PBKDF2-whirlpool and serpent-xts are of interest here.

  7. Enter the command “sudo cryptsetup --cipher=serpent-xts-plain64 --key-size=512 --hash=whirlpool luksFormat --type luks1 /dev/sdc1” to encrypt the USB drive using the LUKS1 header format, as otherwise the GRUB bootloader will not be able to boot the system. For this reason, LUKS1 will be applied to the USB drive, and LUKS2 format will be used for the /dev/sda partition.

  8. Enter the command “sudo cryptsetup luksDump /dev/sdc1” to check the applied encryption parameters for the /dev/sdc1 partition. Cipher name: serpent, Hash spec: whirlpool.

  9. Enter the command “sudo cryptsetup open /dev/sdc1 cryptboot” to open the encrypted partition on the USB drive and assign it the name “cryptboot.”

  10. Enter the command “lsblk” to check if the cryptboot partition appears in the sdc1 tree.

  11. Enter the command “sudo mount /dev/mapper/cryptboot /mnt” to mount the cryptboot device to the /mnt folder.

  12. Enter the command “sudo dd if=/dev/urandom of=/mnt/key.img bs=100M count=1” to create a 100MB key for the future container, knowing that Cryptsetup will not be able to use it entirely. Next, specify where to start reading and how many bytes of the key to read.

  13. Enter the command “ls /mnt” to check for the existence of the key.

  14. Enter the command “cd /mnt” to enter the /mnt directory.

  15. Enter the command “sudo cryptsetup --align-payload=1 --cipher=twofish-xts-plain64 --key-size=512 --hash=sha512 luksFormat key.img” to encrypt the file key with a password intended for the /dev/sda hard drive.

  16. Enter the command “sudo cryptsetup open key.img lukskey” to open the key and assign it the name “lukskey,” as it will be used to encrypt sda.

  17. Enter the command “sudo dd if=/dev/zero of=header.img bs=16M count=1” to create a separate header for the sda disk that will be located on the flash drive. The header size is 16MB, which is exactly what is required for LUKS2.

  18. Enter the command “sudo cryptsetup --cipher=aes-xts-plain64 --key-size=512 --hash=sha512 --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile-size=8192 luksFormat /dev/sda --type luks2 --offset 32768 --header header.img” to encrypt the /dev/sda hard drive with a password using the file key. The --key-file option specifies where to get the encryption key, the --keyfile-offset option specifies where to start reading the key in bytes within 100MB, and the --keyfile-size option specifies how many bytes to read. The --type option specifies the type of LUKS header, which is LUKS2 in this case. The --header option specifies where to get the header (header.img) from the /dev/sda disk, since an external header will be stored on the encrypted USB drive.

  19. Enter the command “sudo cryptsetup luksDump header.img” to check the applied encryption parameters for the /dev/sda hard drive. The header type is LUKS2, the encryption is aes-xts-plain64, the PBKDF is argon2id, and the AF hash is sha512.

  20. Enter the command “sudo cryptsetup open --header /mnt/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile-size=8192 /dev/sda cryptroot” to open the disk for system installation and assign it the name “cryptroot.”

  21. Enter the command “lsblk” to check for the existence of cryptroot in the sda tree.

  22. Enter the command “cd /” to enter the root directory.

  23. Enter the command “sudo cryptsetup close lukskey” to close the lukskey key.

  24. Enter the command “sudo umount /mnt” to unmount the USB drive from the /mnt directory.

  25. Enter the command “sudo pvcreate /dev/mapper/cryptroot”.

  26. Enter the command “sudo vgcreate store /dev/mapper/cryptroot” to create a logical volume group named “store.”

  27. Enter the command “sudo lvcreate -L 85G store -n root” to create a logical partition for the root directory on the /dev/sda disk and assign it the name “root.”

  28. Enter the command “sudo lvcreate -l 100%FREE store -n home” to create a logical partition for the home directory on the /dev/sda disk and assign it the name “home.” Using 100%FREE ensures that the remaining space on the disk after creating root is allocated to the current directory.

  29. Enter the command “lsblk” to check if two new logical volumes, store-root and store-home, appear inside cryptroot.

  30. Enter the command “sudo mkfs.ext4 /dev/store/root” to format the logical partition

  31. Enter the command “sudo mkfs.ext4 /dev/store/home” to format the logical partition

  32. Enter the command “sudo mount /dev/store/root /mnt” to mount the logical partition store-root to /mnt

  33. Enter the command “sudo mkdir /mnt/home” to create a home folder in the directory /mnt

  34. Enter the command “sudo mount /dev/store/home /mnt/home” to mount the logical partition store-home to the folder /mnt/home

  35. Enter the command “sudo mkdir /mnt/boot” to create a boot folder in the directory /mnt

  36. Enter the command “sudo mount /dev/mapper/cryptboot /mnt/boot” to mount the /boot folder on the USB drive

  37. Enter the command “lsblk” to verify that the devices are mounted correctly: store-root is mounted to /mnt, store-home is mounted to /mnt/home, and cryptboot is mounted to /mnt/boot

  38. Close konsole and open manjaro-architect

  39. Verify that it is running in BIOS mode

  40. In the “select language” menu, select English

  41. In the “main menu,” select Prepare installation, then select list devices (optional) and verify the correctness of the connected devices: store-root is mounted to /mnt, store-home is mounted to /mnt/home, and cryptboot is mounted to /mnt/boot

  42. In the “prepare installation” menu, select configure installer mirrorlist

  43. In the “mirrorlist” menu, select rank mirrors by speed (all) , then select stable

  44. In the “manjaro mirrors by response time” window, randomly select 8 servers from different countries

  45. In the “prepare installation” menu, select refresh pacman keys. Wait for synchronization to complete, then press back

  46. In the “main menu,” select install desktop system, then select install manjaro desktop, linux63, and kde. In the “extra packages” window, select no, and in the “full or minimal” window, select full

  47. In the “install display driver” menu, select auto-install free drivers

  48. Skip the bootloader installation and jump to the “Configure base” menu

  49. In the “configure base” menu, select Generate FSTAB, then select Device UUID

  50. In the “configure base” menu, select “set hostname,” and leave everything as default with the name manjaro

  51. In the “configure base” menu, select “set system locale,” then select en_US.UTF-8

  52. In the “configure base” menu, select “set timezone and clock,” then select Europe and Kyiv

  53. In the “set timezone and clock” menu, agree to the question “set time zone: Europe/Kyiv” by pressing yes

  54. In the “set timezone and clock” menu, select utc and agree by pressing ok

  55. In the “configure base” menu, select set root password and add a password

  56. In the “configure base” menu, select “add new user(s) ,” add a user, then in the “create new user” menu, select fish. Wait, then enter the password for the newly created user “user”

  57. In the “install desktop systems” menu, select “Chroot Into Installation”.

  58. Enter the command “ls -l /dev/disk/by-id”. Here is the full output of the command.

    [manjaro /]# ls -l /dev/disk/by-id
    total 0
    lrwxrwxrwx 1 root root  9 Apr 23 23:03 ata-Samsung_SSD_860_EVO_M.2_1TB_S415NW0NB05334T -> ../../sda
    lrwxrwxrwx 1 root root 10 Apr 23 23:03 ata-Samsung_SSD_860_EVO_M.2_1TB_S415NW0NB05334T-part1 -> ../../sda1
    lrwxrwxrwx 1 root root 10 Apr 23 22:59 dm-name-cryptboot -> ../../dm-0
    lrwxrwxrwx 1 root root 10 Apr 23 23:05 dm-name-cryptroot -> ../../dm-2
    lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-name-store-home -> ../../dm-3
    lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-name-store-root -> ../../dm-1
    lrwxrwxrwx 1 root root 10 Apr 23 22:59 dm-uuid-CRYPT-LUKS1-fa9889df6f0a436f8aa4cc18d1704c7f-cryptboot -> ../../dm-0
    lrwxrwxrwx 1 root root 10 Apr 23 23:05 dm-uuid-CRYPT-LUKS2-1a7a6cd9c90d4337b9dc00223e5b40d7-cryptroot -> ../../dm-2
    lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-uuid-LVM-MgVex3By72s8qOHcmKRFgkPqDryEJee1opPVzD6qWbnvR7Eqtr1aAqgh2816tgQP -> ../../dm-3
    lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-uuid-LVM-MgVex3By72s8qOHcmKRFgkPqDryEJee1xbeQajCaOcf6g5edBRZQNCaw85UGJ4mq -> ../../dm-1
    lrwxrwxrwx 1 root root 10 Apr 23 23:05 lvm-pv-uuid-SlTcqs-7MnZ-2hLM-zSaG-qOEw-pnJ7-yliEU0 -> ../../dm-2
    lrwxrwxrwx 1 root root 13 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ -> ../../nvme0n1
    lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ-part1 -> ../../nvme0n1p1
    lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ-part2 -> ../../nvme0n1p2
    lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ-part3 -> ../../nvme0n1p3
    lrwxrwxrwx 1 root root 13 Apr 23 22:45 nvme-eui.8ce38e0200033e22 -> ../../nvme0n1
    lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-eui.8ce38e0200033e22-part1 -> ../../nvme0n1p1
    lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-eui.8ce38e0200033e22-part2 -> ../../nvme0n1p2
    lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-eui.8ce38e0200033e22-part3 -> ../../nvme0n1p3
    lrwxrwxrwx 1 root root  9 Apr 23 22:45 usb-Kingston_DataTraveler_2.0_08606E6D413FE370E7139096-0:0 -> ../../sdb
    lrwxrwxrwx 1 root root 10 Apr 23 22:45 usb-Kingston_DataTraveler_2.0_08606E6D413FE370E7139096-0:0-part1 -> ../../sdb1
    lrwxrwxrwx 1 root root 10 Apr 23 22:45 usb-Kingston_DataTraveler_2.0_08606E6D413FE370E7139096-0:0-part2 -> ../../sdb2
    lrwxrwxrwx 1 root root  9 Apr 23 22:53 usb-Netac_OnlyDisk_3913901201390027250-0:0 -> ../../sdc
    lrwxrwxrwx 1 root root 10 Apr 23 22:57 usb-Netac_OnlyDisk_3913901201390027250-0:0-part1 -> ../../sdc1
    lrwxrwxrwx 1 root root  9 Apr 23 23:03 usb-StoreJet_Transcend_S415NW0NB05334T-0:0 -> ../../sda
    lrwxrwxrwx 1 root root 10 Apr 23 23:03 usb-StoreJet_Transcend_S415NW0NB05334T-0:0-part1 -> ../../sda1
    lrwxrwxrwx 1 root root  9 Apr 23 23:03 wwn-0x5002538e70b1a929 -> ../../sda
    lrwxrwxrwx 1 root root 10 Apr 23 23:03 wwn-0x5002538e70b1a929-part1 -> ../../sda1
    [manjaro /]#
    
  59. Next, enter the command “nano /etc/initcpio/hooks/customencrypthook” and paste the following text into it:

    #!/usr/bin/ash
    run_hook() {
        modprobe -a -q dm-crypt >/dev/null 2>&1
        modprobe loop
        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
        while [ ! -L '/dev/disk/by-id/usb-Netac_OnlyDisk_3913901201390027250-0:0-part1' ]; do
            echo 'Waiting for USB'
            sleep 1
        done
        cryptsetup open /dev/disk/by-id/usb-Netac_OnlyDisk_3913901201390027250-0:0-part1 cryptboot
        mkdir -p /mnt
        mount /dev/mapper/cryptboot /mnt
        cd /mnt
        cryptsetup open key.img lukskey
        cryptsetup --header header.img --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile- size=8192 open /dev/disk/by-id/ata-Samsung_SSD_860_EVO_M.2_1TB_S415NW0NB05334T cryptroot
        cd /
        cryptsetup close lukskey
        umount /mnt
    }
    
  60. After that, save with the key combination CTRL + O and exit with CTRL + X

  61. Next, enter the command “cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/customencrypthook”

  62. Then, enter the command ‘nano /etc/initcpio/install/customencrypthook’ and delete the ‘help’ section from the file. Save with CTRL + O and exit with CTRL + X

  63. Enter the command “nano /etc/mkinitcpio.conf”. In the ‘MODULES’ line, add the value ‘loop’ so that it reads ‘MODULES=(loop)’. In the ‘HOOKS’ line, remove the ‘encrypt’ module and replace it with ‘customencrypthook’ (example: ‘MODULES=(loop)’, ‘HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block customencrypthook lvm2 filesystems)’)

  64. Finally, enter the command ‘mkinitcpio -p /etc/mkinitcpio.d/linux63.preset’. Check to ensure that the added hook appears during the generation of the initramfs. Also, verify that the message ‘Image generation successful’ appears after executing the command.

  65. Next, enter the command “exit” and close the terminal window

  66. Open a new terminal window and enter the command ‘sudo mkdir /mnt/hostlvm’

  67. Then, enter the command “sudo mount --bind /run/lvm /mnt/hostlvm”

  68. Next, enter the command “sudo manjaro-chroot /mnt”

  69. Enter the command “ln -s /hostlvm /run/lvm”

  70. Enter the command “ls” to verify that you are in the chroot environment

  71. Execute the command “ln -s /hostlvm /run/lvm” within the chroot environment

  72. Install the grub bootloader with the command “sudo pacman -S grub”

  73. Then, enter the command “nano /etc/default/grub” and remove the comment ‘#’ in front of ‘Grub_Enable_Cryptodisk=y’ so that the bootloader can open the encrypted container

  74. Save with the key combination CTRL + O and exit with CTRL + X

  75. Enter the command “grub-install --recheck /dev/sdc” to install the bootloader into the main boot record of the USB

  76. Enter the command “grub-mkconfig -o /boot/grub/grub.cfg” to generate the ‘grub.cfg’ file

  77. Reboot the computer, enter the password for the encrypted USB partition, and enter the password for the LUKS key file

I am entering everything correctly, I have checked multiple times, but I am still getting this error (( Could you please advise me on what I am doing wrong?

Here is the error

    setfont: KDFONTOP: Function not implemented
    Waiting for USB
    Enter passphrase for /dev/disk/by-id/usb-Netac_OnlyDisk_3913901201390027250-0:0-part1:
    Enter passphrase for key.ing:
    No key available with this passphrase.
    Enter passphrase for key.ing:
    Usage: cryptsetup [-?UqrvyN] [-?-help] [-usage] [-VI-version] [-active-name=STRING] [--align-payload-SECTORS] [--allow-discards] [-ql--batch-mode] [--cancel-deferred] [-cl-cipher-STRING] [-debug] [-debug-json] [--deferred] [--device-size-bytes] [--decrypt] [--disable-external-tokens] [-disable-keyring] [-disable-locks] [--disable-veracrypt] [-dump-json-metadata] [-dump-volume-key] [--encrypt] [-force-password] [--force-offline-reencrypt] [-hl--hash-STRING] [-header-STRING] [-header-backup-file-STRING] [-hotzone-size-bytes] [-init-only] [-11-integrity-STRING] [--integrity-legacy-padding] [-integrity-no-journal] [--integrity-no-wipe] [-il--iter-time-msecs] [-iv-large-sectors] [-json-file-STRING] [-keep-key] [-key-description=STRING] [-dl-key-file-STRING] [-sl-key-size-BITS] [-SI-key-slot-INT] [-keyfile-offset=bytes] [-11-keyfile-size-bytes] [--keys lot-cipher-STRING] [--keys lot-key-size=BITS] [-label-STRING] [-luks2-keys lots-size-bytes] [-luks2-metadata-size-bytes] [-volume-key-file-STRING] [-new-keyfile-STRING] [--new-key-slot=INT] [-new-keyfile-offset-bytes] [--new-keyfile-size-bytes] [-new-token-id-INT] [-ol-offset-SECTORS] [--pbkdf-STRING] [-pbkdf-force-iterations-LONG] [--pbkdf-memory-kilobytes] [-pbkdf-parallel-thre [--perf-no_read_workqueue] [--perf-no_write_workqueue] [-perf-same_cpu_crypt] [-perf-submit_from_crypt_cpus] [-persistent] [-priority-STRING] [-progress-json] [-progress-frequency-secs] [-rl-readonly] [--reduce-device-size-bytes] [--refresh] [--resilience-STRING] [-resilience-hash-STRING] [-resume-only] [-sector-size=INT] [-serialize-memory-hard-pbkdf] [--shared] [-bl-size-SECTORS] [-pl--skip-SECTORS] [--subsystem-STRING] [--tcrypt-backup] [--tcrypt-hidden] [-tcrypt-system] [-test-args] [-test-passphrase] [-tl-timeout-secs] [-token-id-INT] [-token-only] [-token-replace] [-token-type-STRING] [-TI-tries=INT] [-MI-type-STRING] [--unbound] [-use-randon] [-use-urandon] [-uuid=STRING] [-veracrypt] [-veracrypt-pin=INT] [-veracrypt-query-pin] [-ul-verbose] [-yl-verify-passphrase] [-BI-block-size-MiB] [-NI-new] [--use-directio] [-use-fsync] [--write-log] [-dump-master-key] [-master-key-file-STRING] [OPTION...] <action> <action-specific>
    --keyfile-: unknown option
    mount: /neu root: special device /dev/mapper/store-root does not exist.
    dmesg (1) may have more information after failed mount system call.
    You are now being dropped into an emergency shell.
    sh; can't access tty: job control turned off
    [rootfs

:face_with_spiral_eyes:


Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text
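
The `--keyfile-: unknown option` line in the error output can be cross-checked against the hook from step 59 before the initramfs is rebuilt. The following is an added example, not part of the original post: a small POSIX shell lint that flags any long option on a `cryptsetup` line that is not one of the options used in steps 7 to 20. The function names, the option allowlist and the sample input (shortened to `/dev/sda`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint the cryptsetup lines of an
# initcpio hook before running mkinitcpio.

# Long options that appear in the cryptsetup commands of steps 7-20.
KNOWN_OPTS="--header --key-file --keyfile-offset --keyfile-size --cipher --key-size --hash --type --offset --align-payload"

# Reads a hook script on stdin and prints "LINE:TOKEN" for every long
# option on a cryptsetup line that is not in KNOWN_OPTS.
# Runs in a subshell so "set -f" and the variables do not leak.
lint_hook() (
    lineno=0
    set -f    # no globbing while word-splitting each line
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            *cryptsetup\ *) ;;      # only inspect cryptsetup invocations
            *) continue ;;
        esac
        for tok in $line; do
            case "$tok" in
                --*) name=${tok%%=*} ;;   # strip "=value" from "--opt=value"
                *) continue ;;
            esac
            case " $KNOWN_OPTS " in
                *" $name "*) ;;                          # known option
                *) printf '%s:%s\n' "$lineno" "$tok" ;;  # unknown or truncated
            esac
        done
    done
)

# Constructed sample: line 2 is spelled as in the hook of step 59,
# line 3 as in the manual command of step 20.
sample_hook() {
    cat <<'EOF'
cryptsetup open key.img lukskey
cryptsetup --header header.img --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile- size=8192 open /dev/sda cryptroot
cryptsetup --header header.img --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile-size=8192 open /dev/sda cryptroot
EOF
}

sample_hook | lint_hook
```

On a real system the hook file would be fed in with `lint_hook < /etc/initcpio/hooks/customencrypthook`.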

This might need a proper formatting edit, so will not feel like sitting under some rocks avalanche while reading it.

One thing i noticed, you use the USB installer to also store the encryption keys on? That will never work. Is a Live System if you write the ISO on it and there will be no modifications stored, plus while mounted, partition table will not be touched.

Use one USB stick for the Live System you install from, use your HDD/SSD to install the system, and another USB stick to store your keys and the bootloader. Once done, you should remove the Live System USB and proceed from your other USB stick.

1 Like

Holy incomprehensible block of text, Batman! :scream:

@Sat89 Please use the Formatting toolbar next time. In this case, the Numbered List and Preformatted text buttons.

Where did you copy and paste that from?

1 Like

Ok, i went ahead and checked for grammar errors …
This might need a proper formatting edit


I know my English is flawed, but my intentions are good! :nerd_face:

Using This might need to be changed would have been more comprehensive?

Perhaps incomprehensible was the wrong word. Maybe unintelligible or undecipherable is better? Either, way, it’s none of those things now.

:exploding_head:

What are you trying to do?

I mean what is the goal of your exercise in manual installation?

Please explain your goal using - say - 50 words …

The setfont problem is independent and not caused by your install. It’s still a bug from plasma/packaging and can be solved as explained in this link

1 Like