I want to install Plasma Desktop, but with tricky encryption. I ran into a problem that I cannot solve myself; please help.
The algorithm is as follows:
- Launch the live USB of Manjaro KDE Plasma version 5.26.5 from the boot menu.
- Launch Konsole and install Architect by running the command “sudo pacman -Sy manjaro-architect”.
- Enter the command “lsblk” to check for connected storage devices. Determine that the disk on which Manjaro will be installed is called “sda”, and that the USB drive on which the GRUB bootloader and the encrypted boot partition (with the kernels, initramfs, LUKS header and keys for /dev/sda) will be located is called “sdc”.
- Enter the command “sudo cfdisk /dev/sdc” to create a partition for storing /boot, which will be encrypted later.
- Enter the command “sudo fdisk -l /dev/sdc” to check the disklabel (dos) and the device /dev/sdc1.
- Enter the command “sudo cryptsetup benchmark” to find out which algorithms and hashes can be used and what the read/write speeds will be with each. Only PBKDF2-whirlpool and serpent-xts are of interest here.
- Enter the command “sudo cryptsetup --cipher=serpent-xts-plain64 --key-size=512 --hash=whirlpool luksFormat --type luks1 /dev/sdc1” to encrypt the USB drive using the LUKS1 header format, since otherwise the GRUB bootloader will not be able to boot the system. For this reason LUKS1 is used for the USB drive, while the LUKS2 format will be used for the /dev/sda partition.
- Enter the command “sudo cryptsetup luksDump /dev/sdc1” to check the encryption parameters applied to the /dev/sdc1 partition: Cipher name: serpent, Hash spec: whirlpool.
- Enter the command “sudo cryptsetup open /dev/sdc1 cryptboot” to open the encrypted partition on the USB drive and give it the name “cryptboot”.
- Enter the command “lsblk” to check that cryptboot appears in the sdc1 tree.
- Enter the command “sudo mount /dev/mapper/cryptboot /mnt” to mount the cryptboot device on /mnt.
- Enter the command “sudo dd if=/dev/urandom of=/mnt/key.img bs=100M count=1” to create a 100 MB key for the future container, knowing that cryptsetup will not use all of it. Next, specify where to start reading and how many bytes of the key to read.
- Enter the command “ls /mnt” to check that the key exists.
- Enter the command “cd /mnt” to enter the /mnt directory.
- Enter the command “sudo cryptsetup --align-payload=1 --cipher=twofish-xts-plain64 --key-size=512 --hash=sha512 luksFormat key.img” to encrypt the key file with a password intended for the /dev/sda hard drive.
- Enter the command “sudo cryptsetup open key.img lukskey” to open the key and give it the name “lukskey”, as it will be used to encrypt sda.
- Enter the command “sudo dd if=/dev/zero of=header.img bs=16M count=1” to create a separate header for the sda disk, which will be stored on the flash drive. The header size is 16 MB, which is exactly what LUKS2 requires.
- Enter the command “sudo cryptsetup --cipher=aes-xts-plain64 --key-size=512 --hash=sha512 --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile-size=8192 luksFormat /dev/sda --type luks2 --offset 32768 --header header.img” to encrypt the /dev/sda hard drive using the key file. The --key-file option specifies where to get the encryption key, --keyfile-offset specifies at which byte within the 100 MB to start reading the key, and --keyfile-size specifies how many bytes to read. The --type option specifies the LUKS header type, LUKS2 in this case. The --header option specifies where the header (header.img) for the /dev/sda disk is kept, since a detached header will be stored on the encrypted USB drive.
- Enter the command “sudo cryptsetup luksDump header.img” to check the encryption parameters applied to the /dev/sda hard drive. The header type is LUKS2, the encryption is aes-xts-plain64, the PBKDF is argon2id, and the AF hash is sha512.
- Enter the command “sudo cryptsetup open --header /mnt/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile-size=8192 /dev/sda cryptroot” to open the disk for the system installation and give it the name “cryptroot”.
- Enter the command “lsblk” to check that cryptroot exists in the sda tree.
- Enter the command “cd /” to return to the root directory.
- Enter the command “sudo cryptsetup close lukskey” to close the lukskey key.
- Enter the command “sudo umount /mnt” to unmount the USB drive from /mnt.
- Enter the command “sudo pvcreate /dev/mapper/cryptroot”.
- Enter the command “sudo vgcreate store /dev/mapper/cryptroot” to create a volume group named “store”.
- Enter the command “sudo lvcreate -L 85G store -n root” to create a logical volume for the root directory on the /dev/sda disk and name it “root”.
- Enter the command “sudo lvcreate -l 100%FREE store -n home” to create a logical volume for the home directory on the /dev/sda disk and name it “home”. Using 100%FREE allocates all the space remaining after root was created to this volume.
- Enter the command “lsblk” to check that two new logical volumes, store-root and store-home, appear inside cryptroot.
- Enter the command “sudo mkfs.ext4 /dev/store/root” to format the root logical volume.
- Enter the command “sudo mkfs.ext4 /dev/store/home” to format the home logical volume.
- Enter the command “sudo mount /dev/store/root /mnt” to mount the logical volume store-root on /mnt.
- Enter the command “sudo mkdir /mnt/home” to create a home folder in /mnt.
- Enter the command “sudo mount /dev/store/home /mnt/home” to mount the logical volume store-home on /mnt/home.
- Enter the command “sudo mkdir /mnt/boot” to create a boot folder in /mnt.
- Enter the command “sudo mount /dev/mapper/cryptboot /mnt/boot” to mount the /boot partition from the USB drive.
- Enter the command “lsblk” to verify that the devices are mounted correctly: store-root on /mnt, store-home on /mnt/home, and cryptboot on /mnt/boot.
- Close Konsole and open manjaro-architect.
- Verify that it is running in BIOS mode.
- In the “select language” menu, select English.
- In the “main menu”, select Prepare installation, then select list devices (optional) and verify that the connected devices are correct: store-root is mounted on /mnt, store-home on /mnt/home, and cryptboot on /mnt/boot.
- In the “prepare installation” menu, select configure installer mirrorlist.
- In the “mirrorlist” menu, select rank mirrors by speed (all), then select stable.
- In the “manjaro mirrors by response time” window, randomly select 8 servers from different countries.
- In the “prepare installation” menu, select refresh pacman keys. Wait for synchronization to complete, then press back.
- In the “main menu”, select install desktop system, then select install manjaro desktop, linux63, and kde. In the “extra packages” window, select no, and in the “full or minimal” window, select full.
- In the “install display driver” menu, select auto-install free drivers.
- Skip the bootloader installation and go to the “Configure base” menu.
- In the “configure base” menu, select Generate FSTAB, then select Device UUID.
- In the “configure base” menu, select “set hostname” and leave everything at the default, with the name manjaro.
- In the “configure base” menu, select “set system locale”, then select en_US.UTF-8.
- In the “configure base” menu, select “set timezone and clock”, then select Europe and Kyiv.
- In the “set timezone and clock” menu, answer the question “set time zone: Europe/Kyiv” by pressing yes.
- In the “set timezone and clock” menu, select utc and confirm by pressing ok.
- In the “configure base” menu, select set root password and add a password.
- In the “configure base” menu, select “add new user(s)”, add a user, then in the “create new user” menu select fish. Wait, then enter the password for the newly created user “user”.
- In the “install desktop systems” menu, select “Chroot Into Installation”.
- Enter the command “ls -l /dev/disk/by-id”. Here is the full output of the command:
```
[manjaro /]# ls -l /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root  9 Apr 23 23:03 ata-Samsung_SSD_860_EVO_M.2_1TB_S415NW0NB05334T -> ../../sda
lrwxrwxrwx 1 root root 10 Apr 23 23:03 ata-Samsung_SSD_860_EVO_M.2_1TB_S415NW0NB05334T-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Apr 23 22:59 dm-name-cryptboot -> ../../dm-0
lrwxrwxrwx 1 root root 10 Apr 23 23:05 dm-name-cryptroot -> ../../dm-2
lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-name-store-home -> ../../dm-3
lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-name-store-root -> ../../dm-1
lrwxrwxrwx 1 root root 10 Apr 23 22:59 dm-uuid-CRYPT-LUKS1-fa9889df6f0a436f8aa4cc18d1704c7f-cryptboot -> ../../dm-0
lrwxrwxrwx 1 root root 10 Apr 23 23:05 dm-uuid-CRYPT-LUKS2-1a7a6cd9c90d4337b9dc00223e5b40d7-cryptroot -> ../../dm-2
lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-uuid-LVM-MgVex3By72s8qOHcmKRFgkPqDryEJee1opPVzD6qWbnvR7Eqtr1aAqgh2816tgQP -> ../../dm-3
lrwxrwxrwx 1 root root 10 Apr 23 23:06 dm-uuid-LVM-MgVex3By72s8qOHcmKRFgkPqDryEJee1xbeQajCaOcf6g5edBRZQNCaw85UGJ4mq -> ../../dm-1
lrwxrwxrwx 1 root root 10 Apr 23 23:05 lvm-pv-uuid-SlTcqs-7MnZ-2hLM-zSaG-qOEw-pnJ7-yliEU0 -> ../../dm-2
lrwxrwxrwx 1 root root 13 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-KXG6AZNV1T02_TOSHIBA_29GS117QTMGQ-part3 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 13 Apr 23 22:45 nvme-eui.8ce38e0200033e22 -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-eui.8ce38e0200033e22-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-eui.8ce38e0200033e22-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Apr 23 22:45 nvme-eui.8ce38e0200033e22-part3 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root  9 Apr 23 22:45 usb-Kingston_DataTraveler_2.0_08606E6D413FE370E7139096-0:0 -> ../../sdb
lrwxrwxrwx 1 root root 10 Apr 23 22:45 usb-Kingston_DataTraveler_2.0_08606E6D413FE370E7139096-0:0-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Apr 23 22:45 usb-Kingston_DataTraveler_2.0_08606E6D413FE370E7139096-0:0-part2 -> ../../sdb2
lrwxrwxrwx 1 root root  9 Apr 23 22:53 usb-Netac_OnlyDisk_3913901201390027250-0:0 -> ../../sdc
lrwxrwxrwx 1 root root 10 Apr 23 22:57 usb-Netac_OnlyDisk_3913901201390027250-0:0-part1 -> ../../sdc1
lrwxrwxrwx 1 root root  9 Apr 23 23:03 usb-StoreJet_Transcend_S415NW0NB05334T-0:0 -> ../../sda
lrwxrwxrwx 1 root root 10 Apr 23 23:03 usb-StoreJet_Transcend_S415NW0NB05334T-0:0-part1 -> ../../sda1
lrwxrwxrwx 1 root root  9 Apr 23 23:03 wwn-0x5002538e70b1a929 -> ../../sda
lrwxrwxrwx 1 root root 10 Apr 23 23:03 wwn-0x5002538e70b1a929-part1 -> ../../sda1
[manjaro /]#
```
- Next, enter the command “nano /etc/initcpio/hooks/customencrypthook” and paste the following text into it:
```sh
#!/usr/bin/ash

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    modprobe loop
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

    # Wait until the USB stick holding /boot, the key container and the detached header is present
    while [ ! -L '/dev/disk/by-id/usb-Netac_OnlyDisk_3913901201390027250-0:0-part1' ]; do
        echo 'Waiting for USB'
        sleep 1
    done

    # Open the LUKS1 /boot partition on the stick and mount it to reach key.img and header.img
    cryptsetup open /dev/disk/by-id/usb-Netac_OnlyDisk_3913901201390027250-0:0-part1 cryptboot
    mkdir -p /mnt
    mount /dev/mapper/cryptboot /mnt
    cd /mnt

    # Unlock the key container, then open the root disk with the detached header and the key slice
    cryptsetup open key.img lukskey
    # Every option must be one token: a line break inside "--keyfile-size=8192" makes
    # cryptsetup see the unknown option "--keyfile-" and print its usage text instead
    cryptsetup --header header.img --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile-size=8192 open /dev/disk/by-id/ata-Samsung_SSD_860_EVO_M.2_1TB_S415NW0NB05334T cryptroot

    cd /
    cryptsetup close lukskey
    umount /mnt
}
```
- After that, save with CTRL + O and exit with CTRL + X.
- Next, enter the command “cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/customencrypthook”.
- Then enter the command “nano /etc/initcpio/install/customencrypthook” and delete the “help” section from the file. Save with CTRL + O and exit with CTRL + X.
- Enter the command “nano /etc/mkinitcpio.conf”. In the MODULES line, add the value loop so that it reads “MODULES=(loop)”. In the HOOKS line, remove the “encrypt” module and replace it with “customencrypthook” (example: “MODULES=(loop)”, “HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block customencrypthook lvm2 filesystems)”).
- Finally, enter the command “mkinitcpio -p /etc/mkinitcpio.d/linux63.preset”. Check that the added hook appears during the generation of the initramfs, and that the message “Image generation successful” appears after the command finishes.
- Next, enter the command “exit” and close the terminal window.
- Open a new terminal window and enter the command “sudo mkdir /mnt/hostlvm”.
- Then enter the command “sudo mount --bind /run/lvm /mnt/hostlvm”.
- Next, enter the command “sudo manjaro-chroot /mnt”.
- Enter the command “ln -s /hostlvm /run/lvm”.
- Enter the command “ls” to verify that you are in the chroot environment.
- Execute the command “ln -s /hostlvm /run/lvm” within the chroot environment.
- Install the GRUB bootloader with the command “sudo pacman -S grub”.
- Then enter the command “nano /etc/default/grub” and remove the comment character “#” in front of “Grub_Enable_Cryptodisk=y” so that the bootloader can open the encrypted container.
- Save with CTRL + O and exit with CTRL + X.
- Enter the command “grub-install --recheck /dev/sdc” to install the bootloader into the master boot record of the USB drive.
- Enter the command “grub-mkconfig -o /boot/grub/grub.cfg” to generate the “grub.cfg” file.
- Reboot the computer, enter the password for the encrypted USB partition, and then enter the password for the LUKS key file.
I am entering everything correctly, I have checked multiple times, but I am still getting this error (( Could you please advise me on what I am doing wrong?
Here is the error
```
setfont: KDFONTOP: Function not implemented
Waiting for USB
Enter passphrase for /dev/disk/by-id/usb-Netac_OnlyDisk_3913901201390027250-0:0-part1:
Enter passphrase for key.img:
No key available with this passphrase.
Enter passphrase for key.img:
Usage: cryptsetup [-?UqrvyN] [...] [OPTION...] <action> <action-specific>
--keyfile-: unknown option
mount: /new_root: special device /dev/mapper/store-root does not exist.
dmesg(1) may have more information after failed mount system call.
You are now being dropped into an emergency shell.
sh: can't access tty: job control turned off
[rootfs
```
Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text
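As an added example (not part of the original post and not Manjaro tooling), a small Python checker that statically verifies a custom initcpio encrypt hook before rebooting into it: it tokenises every cryptsetup line and flags any `--` option that is not a known option (an option broken across a line, such as `--keyfile- size=8192`, surfaces as the unknown option `--keyfile-`, which is exactly what the usage dump above reports), and it compares the `/dev/disk/by-id/` names the hook opens against an `ls -l /dev/disk/by-id` listing. The hook fragment, device names and listing are constructed placeholders, and `KNOWN_OPTS` is a hand-picked subset of cryptsetup's options.

```python
"""Static pre-reboot checks for a custom mkinitcpio encrypt hook
(added example; hook text and device names below are constructed)."""
import re
import shlex

# Hand-picked subset of real cryptsetup long options used by hooks of this kind.
KNOWN_OPTS = {"--header", "--key-file", "--keyfile-offset", "--keyfile-size",
              "--type", "--offset", "--align-payload", "--cipher", "--key-size",
              "--hash"}

# Constructed hook fragment reproducing the line-wrapped option; devices are placeholders.
HOOK_BROKEN = """
while [ ! -L '/dev/disk/by-id/usb-Example_Stick_0000-0:0-part1' ]; do sleep 1; done
cryptsetup open /dev/disk/by-id/usb-Example_Stick_0000-0:0-part1 cryptboot
cryptsetup open key.img lukskey
cryptsetup --header header.img --key-file=/dev/mapper/lukskey --keyfile-offset=9437 --keyfile- size=8192 open /dev/disk/by-id/ata-Example_SSD_0000 cryptroot
"""

# Constructed `ls -l /dev/disk/by-id` listing for the same placeholder devices.
LS_OUTPUT = """
lrwxrwxrwx 1 root root  9 Jan  1 00:00 ata-Example_SSD_0000 -> ../../sda
lrwxrwxrwx 1 root root 10 Jan  1 00:00 usb-Example_Stick_0000-0:0-part1 -> ../../sdc1
"""

def cryptsetup_argvs(hook_text):
    """Tokenise every line of the hook that invokes cryptsetup."""
    return [shlex.split(line) for line in hook_text.splitlines()
            if line.strip().startswith("cryptsetup ")]

def check_options(hook_text):
    """Return the `--` tokens in cryptsetup calls that are not known options."""
    bad = []
    for argv in cryptsetup_argvs(hook_text):
        for tok in argv[1:]:
            # Compare only the option name, so "--keyfile-offset=9437" is accepted.
            if tok.startswith("--") and tok.split("=", 1)[0] not in KNOWN_OPTS:
                bad.append(tok)
    return bad

def by_id_names(ls_output):
    """Link names present in `ls -l /dev/disk/by-id` output."""
    return set(re.findall(r"\s(\S+) -> \.\./\.\./", ls_output))

def check_devices(hook_text, ls_output):
    """Return by-id names the hook references but the listing does not contain."""
    refs = set(re.findall(r"/dev/disk/by-id/([^\s'\"]+)", hook_text))
    return sorted(refs - by_id_names(ls_output))
```

Run the checks from the live environment against the real hook file and the real listing; an empty result from both functions means the hook's option syntax and device references are at least consistent with the system it will boot on.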