[unstable] Manjaro-architect beta testing

netinstall
manjaro-architect

#484

Let me find the post and I’ll tell you.

EDIT :

This line?

	echo	'Loading Linux 4.9.12-1-MANJARO x64 ...'
	linux	/boot/vmlinuz-4.9-x86_64 root=UUID=aa6c1e6f-cd2d-4a07-8596-acdcd189e815 rw  cryptdevice=UUID=1d960af2-3778-4745-9329-b09fb17a7fa0:cryptroot quiet
	echo	'Loading initial ramdisk ...'

$ sudo blkid | grep crypt
/dev/sdb1: UUID="1d960af2-3778-4745-9329-b09fb17a7fa0" TYPE="crypto_LUKS" PARTUUID="53eb94f9-b145-49b5-bb3b-ed31c9577a5a"
/dev/mapper/cryptroot: UUID="4d063ef5-38da-47a9-a9ef-fe756f5ca164" TYPE="ext4"

The /dev/mapper/cryptroot UUID will change each time I re-format decrypted /dev/sdb1 with a new ext4 file system, which I currently do each install.
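
The mismatch in post #484 (a root=UUID= value that no longer exists after re-formatting, next to a cryptdevice=UUID= that is still valid) can be checked mechanically. This is an added example, not part of the original post or of manjaro-architect: it compares the linux lines of a grub.cfg against saved blkid output. The function names and sample files are assumptions; the UUIDs are the ones quoted in posts #484 and #488.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files are constructed from the
# UUIDs quoted in posts #484 and #488.
# Live use (assumed): blkid > blkid.txt; check_grub_uuids /boot/grub/grub.cfg blkid.txt

# uuid_type BLKID_FILE UUID: print the TYPE blkid reports for that UUID.
uuid_type() {
    sed -n "s/.* UUID=\"$2\".* TYPE=\"\([^\"]*\)\".*/\1/p" "$1"
}

# check_grub_uuids GRUB_CFG BLKID_FILE: print one finding per stale value,
# return non-zero if any linux line points at a UUID that is gone or wrong.
check_grub_uuids() {
    cfg=$1; blk=$2; bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        luks=$(printf '%s\n' "$line" |
            sed -n 's/.*cryptdevice=UUID=\([0-9a-fA-F-]*\):.*/\1/p')
        root=$(printf '%s\n' "$line" |
            sed -n 's/.*[[:space:]]root=UUID=\([0-9a-fA-F-]*\).*/\1/p')
        if [ -n "$luks" ] && [ "$(uuid_type "$blk" "$luks")" != crypto_LUKS ]; then
            echo "cryptdevice UUID $luks is not a crypto_LUKS device"; bad=1
        fi
        if [ -n "$root" ] && [ -z "$(uuid_type "$blk" "$root")" ]; then
            echo "root UUID $root matches no current filesystem"; bad=1
        fi
    done <<EOF
$(grep -E '^[[:space:]]*linux[[:space:]]' "$cfg" | sort -u)
EOF
    return "$bad"
}

# make_samples DIR: write the constructed sample inputs into DIR.
make_samples() {
    s_luks=1d960af2-3778-4745-9329-b09fb17a7fa0
    s_old=aa6c1e6f-cd2d-4a07-8596-acdcd189e815
    s_new=4d063ef5-38da-47a9-a9ef-fe756f5ca164
    fmt='\tlinux\t/boot/vmlinuz-4.9-x86_64 root=UUID=%s rw  cryptdevice=UUID=%s:cryptroot quiet\n'
    printf "$fmt" "$s_old" "$s_luks" > "$1/stale.cfg"
    printf "$fmt" "$s_new" "$s_luks" > "$1/current.cfg"
    printf '/dev/sdb1: UUID="%s" TYPE="crypto_LUKS" PARTUUID="53eb94f9-b145-49b5-bb3b-ed31c9577a5a"\n' \
        "$s_luks" > "$1/blkid.txt"
    printf '/dev/mapper/cryptroot: UUID="%s" TYPE="ext4"\n' "$s_new" >> "$1/blkid.txt"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_grub_uuids "$tmp/stale.cfg" "$tmp/blkid.txt" || echo "stale.cfg: re-run grub-mkconfig"
check_grub_uuids "$tmp/current.cfg" "$tmp/blkid.txt" && echo "current.cfg: consistent"
rm -rf "$tmp"
```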


#485

Click your face in my previous post, it links to that post.


#486

Didn’t know Discourse did that… nice.


#487

I also learned it just a few days ago.


#488

Before Base install

$ cd /mnt
[manjaro-kde-full mnt]$ ll
total 28
drwxr-xr-x  4 root root  4096 Feb 26 12:51 .
drwxr-xr-x 18 root root  4096 Feb 10 21:32 ..
drwxr-xr-x  3 root root  4096 Feb 26 12:51 boot
drwx------  2 root root 16384 Feb 26 12:51 lost+found

After Base Install, mkinitcpio.conf, no encrypt hook at this stage.

$ cd /mnt/etc
$ cat mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES="piix ide_disk reiserfs"
MODULES=""

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=""

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=""

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS="base"
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS="base udev autodetect block filesystems"
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS="base udev block filesystems"
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS="base udev block mdadm encrypt filesystems"
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS="base udev block lvm2 filesystems"
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block filesystems keyboard fsck"

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=""

After Bootloader install, grub.cfg

http://pastebin.com/f7DmWFzs

Relevant sections containing the word “crypt”

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Manjaro Linux' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-4d063ef5-38da-47a9-a9ef-fe756f5ca164' {
	savedefault
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_gpt
	insmod cryptodisk
	insmod luks
	insmod gcry_rijndael
	insmod gcry_rijndael
	insmod gcry_sha256
	insmod ext2
	set root='cryptouuid/1d960af2377847459329b09fb17a7fa0'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/1d960af2377847459329b09fb17a7fa0'  4d063ef5-38da-47a9-a9ef-fe756f5ca164
	else
	  search --no-floppy --fs-uuid --set=root 4d063ef5-38da-47a9-a9ef-fe756f5ca164
	fi
	echo	'Loading Linux 4.9.12-1-MANJARO x64 ...'
	linux	/boot/vmlinuz-4.9-x86_64 root=UUID=4d063ef5-38da-47a9-a9ef-fe756f5ca164 rw  cryptdevice=UUID=1d960af2-3778-4745-9329-b09fb17a7fa0:cryptroot quiet
	echo	'Loading initial ramdisk ...'
	initrd	/boot/intel-ucode.img /boot/initramfs-4.9-x86_64.img
}
submenu 'Advanced options for Manjaro Linux' $menuentry_id_option 'gnulinux-advanced-4d063ef5-38da-47a9-a9ef-fe756f5ca164' {
	menuentry 'Manjaro Linux (Kernel: 4.9.12-1-MANJARO x64)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.9.12-1-MANJARO x64-advanced-4d063ef5-38da-47a9-a9ef-fe756f5ca164' {
	savedefault
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		set root='cryptouuid/1d960af2377847459329b09fb17a7fa0'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/1d960af2377847459329b09fb17a7fa0'  4d063ef5-38da-47a9-a9ef-fe756f5ca164
		else
		  search --no-floppy --fs-uuid --set=root 4d063ef5-38da-47a9-a9ef-fe756f5ca164
		fi
		echo	'Loading Linux 4.9.12-1-MANJARO x64 ...'
		linux	/boot/vmlinuz-4.9-x86_64 root=UUID=4d063ef5-38da-47a9-a9ef-fe756f5ca164 rw  cryptdevice=UUID=1d960af2-3778-4745-9329-b09fb17a7fa0:cryptroot quiet
		echo	'Loading initial ramdisk ...'
		initrd	/boot/intel-ucode.img /boot/initramfs-4.9-x86_64.img
	}
	menuentry 'Manjaro Linux (Kernel: 4.9.12-1-MANJARO x64 - fallback initramfs)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.9.12-1-MANJARO x64-fallback-4d063ef5-38da-47a9-a9ef-fe756f5ca164' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		set root='cryptouuid/1d960af2377847459329b09fb17a7fa0'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/1d960af2377847459329b09fb17a7fa0'  4d063ef5-38da-47a9-a9ef-fe756f5ca164
		else
		  search --no-floppy --fs-uuid --set=root 4d063ef5-38da-47a9-a9ef-fe756f5ca164
		fi
		echo	'Loading Linux 4.9.12-1-MANJARO x64 ...'
		linux	/boot/vmlinuz-4.9-x86_64 root=UUID=4d063ef5-38da-47a9-a9ef-fe756f5ca164 rw  cryptdevice=UUID=1d960af2-3778-4745-9329-b09fb17a7fa0:cryptroot quiet
		echo	'Loading initial ramdisk ...'
		initrd	/boot/intel-ucode.img /boot/initramfs-4.9-x86_64-fallback.img
	}
}

Looks okay.

Bootloader files, same grub issue here

$ cd /mnt/boot/efi/EFI

[manjaro-kde-full EFI]$ ll manjaro_grub
total 128
drwxr-xr-x 2 root root   4096 Feb 13 00:08 .
drwxr-xr-x 5 root root   4096 Feb 13 00:08 ..
-rwxr-xr-x 1 root root 122368 Feb 23 09:04 grubx64.efi

[manjaro-kde-full EFI]$ ll boot
total 368
drwxr-xr-x 2 root root   4096 Feb 25 19:28 .
drwxr-xr-x 5 root root   4096 Feb 13 00:08 ..
-rwxr-xr-x 1 root root 122368 Feb 26 13:13 bootx64.efi
-rwxr-xr-x 1 root root 122368 Feb 19 10:14 bootx64.efi.sda2

Big question is how can we determine which location this new bootx64.efi is attempting to read its grub config from at boot time?


#489

Does it get added in configure base stage when you run the mkinitcpio option?


#490

I assume so, I just want to include file contents at different stages to gain a better understanding of what is happening under the covers.

Waiting for minimal kde stable install to finish, then I’ll configure base.

EDIT : Be nice to be able to “press enter to continue” on mkinitcpio, but from the text that flashed by I saw the encrypt hook. That -p flag we briefly discussed would have been very handy in this situation.

Looks okay, encrypt hook present.

$ pwd
/mnt/etc

$ cat mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES="piix ide_disk reiserfs"
MODULES=""

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=""

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=""

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS="base"
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS="base udev autodetect block encrypt filesystems"
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS="base udev block encrypt filesystems"
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS="base udev block mdadm encrypt filesystems"
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS="base udev block lvm2 filesystems"
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=""

#491

From Review Configuration Files in manjaro-architect

fstab

  GNU nano 2.7.4    File: /mnt/etc/fstab

# /dev/mapper/cryptroot
UUID=4d063ef5-38da-47a9-a9ef-fe756f5ca164       /               ext4            rw,noatime,data=ordered 0 0

# /dev/sda1
UUID=3D80-9D0D          /boot/efi       vfat            rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro    0 0

# /dev/sda3
UUID=96bb786a-fdd6-4501-aab4-81eb38bb5e21       none            swap            defaults        0 0

crypttab

  GNU nano 2.7.4    File: /mnt/etc/crypttab

# crypttab: mappings for encrypted partitions
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Arch specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

Don’t understand this, why are password and key files randomly scattered across existing partitions?

grub

  GNU nano 2.7.4    File: /mnt/etc/default/grub

GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=" cryptdevice=UUID=1d960af2-3778-4745-9329-b09fb17a7fa0:cryptroot"

# If you want to enable the save default function, uncomment the following
# line, and set GRUB_DEFAULT to saved.
GRUB_SAVEDEFAULT=true

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

#492

Installation complete.

The encrypted grub looks fine to me.

The mkinitcpio looks fine to me.

The crypttab I don’t understand.

The default bootloader was replaced so a reboot will either work or I’ll get the normal.mod error.

Oh, I nearly forgot the m-a.log file.

All entries for the current install.

02/26/17 12:50:26 system: UEFI, init: systemd nw-client: nmtui 
02/26/17 12:50:31 set LANG=en_US.UTF-8 
02/26/17 12:51:10 luks pwd /dev/sdb1 cryptroot 
02/26/17 12:51:18 lvm_detect 
02/26/17 12:51:31 mount /dev/mapper/cryptroot as mkfs.ext4 -q. 
02/26/17 12:51:35 mount_current_partition 
02/26/17 12:51:40 Create swap partition: swapon 
02/26/17 12:51:47 mount /dev/sda1 /mnt/boot/efi 
02/26/17 13:05:13 install basepkgs ==> Creating install root at /mnt
02/26/17 13:05:13 use host branch \(Branch = unstable\) 
02/26/17 13:12:39 uefi_bootloader ==> Creating install root at /mnt
02/26/17 13:13:34 grub-mkconfig Generating grub configuration file ...
02/26/17 13:13:40 Install GRUB 
02/26/17 13:33:10 setup_graphics_card video-virtualbox 
02/26/17 13:33:16 manjaro_de_wm selected: kde
02/26/17 13:35:49 install pkgs: kde ==> Creating install root at /mnt
02/26/17 13:35:49 copy overlay 
02/26/17 13:35:49 copy root config 
02/26/17 13:35:49 enable sddm Created symlink /etc/systemd/system/display-manager.service -> /usr/lib/systemd/system/sddm.service.
02/26/17 13:36:02 basestrap -i /mnt manjaro-settings-manager pamac octopi pacli zsh zsh-completions manjaro-zsh-config mhwd-chroot bmenu ==> Creating install root at /mnt
02/26/17 13:36:26 generate_fstab 
02/26/17 13:36:31 set_hostname 
02/26/17 13:36:35 set_locale 
02/26/17 13:36:48 set_root_password New password: Retype new password: passwd: password updated successfully
02/26/17 13:37:01 add user to groups 
02/26/17 13:37:01 create user pwd New password: Retype new password: passwd: password updated successfully
02/26/17 13:37:12 run_mkinitcpio 
02/26/17 13:41:24 enable_nm 

These are the only grub entries

02/26/17 12:51:47 mount /dev/sda1 /mnt/boot/efi 
02/26/17 13:12:39 uefi_bootloader ==> Creating install root at /mnt
02/26/17 13:13:34 grub-mkconfig Generating grub configuration file ...
02/26/17 13:13:40 Install GRUB 

“Creating install root at /mnt”, I’m assuming that will install grub into /mnt/boot/efi?

The syntax used for the grub-install and grub-mkconfig commands we should be able to extract from the source code.


#493

Any other info you want before I reboot the VM?

Okay… bingo… same normal.mod error.

I’ll live boot into the VM, make a copy of the cryptroot bootx64.efi, replace it with the host bootx64.efi and reboot.


#494

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

I assume GRUB_ENABLE_CRYPTODISK=y should be added to /etc/default/grub on /dev/mapper/cryptoroot.


#495

Success.

You were right originally, GRUB_ENABLE_CRYPTODISK=y was the missing piece, unfortunately without this all steps in the grub installation chain for an encrypted /boot directory fail.

I’ll list the manual steps I had to do to repair encrypted grub and you can retrofit it back into manjaro-architect.

I de-crypted /dev/sdb1, and manjaro-chroot into it.

sudo cryptsetup open --type luks /dev/sdb1 cryptroot
sudo mount /dev/mapper/cryptroot /manjaro
sudo manjaro-chroot /manjaro

From here I had to add

GRUB_ENABLE_CRYPTODISK=y

to /etc/default/grub on cryptoroot.

=> This is missing from the current install

Grub config then had to be re-generated to reflect this

sudo grub-mkconfig -o /boot/grub/grub.cfg

Grub then had to be re-installed to link to the newly (ie correctly) generated grub.cfg

sudo mount /dev/sda1 /boot/efi
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=manjaro_grub --boot-directory=/boot --recheck

This installed a functioning grub in /boot/efi/EFI/manjaro_grub

$ pwd
/boot/efi/EFI
[manjaro@manjaro-luks EFI]$ ll manjaro_grub
total 204
drwxr-xr-x 2 root root   4096 Feb 12 13:08 .
drwxr-xr-x 5 root root   4096 Feb 12 13:08 ..
-rwxr-xr-x 1 root root 198656 Feb 26 03:45 grubx64.efi

=> This failed in the current manjaro-architect bootloader install

Without the correctly generated grub.cfg, grub-install must have failed and the subsequent error was not captured or handled.

To make this new grub the default bootloader I had to manually clobber the old one

sudo mv /boot/efi/EFI/manjaro_grub/grubx64.efi /boot/efi/EFI/boot/bootx64.efi

=> This is not working in the current manjaro-architect bootloader install

This step was probably not linked to a successful completion of grub-install, or the error not detected, thus the default boot loader was simply replaced with whatever was already in /boot/efi/EFI/manjaro_grub.

Proof of life…

So it should be noted that when installing to an encrypted partition you must install the grub bootloader to subsequently use it. This should probably be reflected within manjaro-grub in the form of dependencies somehow.

Using another grub instance will not find this system, due to os-prober explicitly skipping detection process on partitions of type luks. No idea why this is the case.


#496

Thank you. I think we need to modify bootloader function so that it detects if /boot is on encrypted volume and sets appropriate setting in /etc/default/grub if needed.

Other thing to fix is mounting encrypted volumes. Btw, when trying to mount it without formatting, did you select /dev/sd* or cryptroot?
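
One way to implement the change proposed in #496 together with the error handling found missing in #495, as an added example that is not manjaro-architect's code: detect a dm-crypt layer under /boot, set GRUB_ENABLE_CRYPTODISK=y, and replace the default loader only after grub-mkconfig and grub-install both succeed. The grub commands are those from post #495; the function names, the PREFIX/GRUB_MKCONFIG/GRUB_INSTALL overrides and the lsblk/findmnt invocation in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not manjaro-architect's code. Written to run inside the
# chroot, as in post #495. PREFIX, GRUB_MKCONFIG and GRUB_INSTALL are
# hypothetical overrides that let the flow be dry-run on a scratch tree.

# has_crypt_layer: stdin is the TYPE column of the device stack under /boot.
# Assumed live source: lsblk -nrso TYPE "$(findmnt -no SOURCE -T /boot)"
has_crypt_layer() { grep -qx 'crypt'; }

# ensure_cryptodisk FILE: activate GRUB_ENABLE_CRYPTODISK=y, replacing a
# commented-out or differently valued line, or appending when absent.
ensure_cryptodisk() {
    f=$1
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$f" && return 0
    if grep -qE '^#?[[:space:]]*GRUB_ENABLE_CRYPTODISK=' "$f"; then
        sed -E 's/^#?[[:space:]]*GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' \
            "$f" > "$f.new" && cat "$f.new" > "$f" && rm -f "$f.new"
    else
        printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$f"
    fi
}

# run_step LOG CMD...: run one step, keep its output and exit status in LOG,
# and hand the status back so the caller can stop.
run_step() {
    log=$1; shift
    if "$@" >> "$log" 2>&1; then
        echo "ok: $*" >> "$log"
    else
        rc=$?
        echo "FAILED($rc): $*" >> "$log"
        return "$rc"
    fi
}

# install_bootloader LOG: commands and order from post #495. The default
# loader is replaced only after grub-mkconfig and grub-install both succeed.
install_bootloader() {
    log=$1; p=${PREFIX:-}; efi=$p/boot/efi/EFI
    if has_crypt_layer; then
        ensure_cryptodisk "$p/etc/default/grub" || return 1
    fi
    run_step "$log" "${GRUB_MKCONFIG:-grub-mkconfig}" -o "$p/boot/grub/grub.cfg" || return 1
    run_step "$log" "${GRUB_INSTALL:-grub-install}" --target=x86_64-efi \
        --efi-directory="$p/boot/efi" --bootloader-id=manjaro_grub \
        --boot-directory="$p/boot" --recheck || return 1
    run_step "$log" cp "$efi/manjaro_grub/grubx64.efi" "$efi/boot/bootx64.efi"
}

# Dry run on a constructed scratch tree: grub-install is stubbed to fail.
t=$(mktemp -d)
mkdir -p "$t/etc/default" "$t/boot/grub" "$t/boot/efi/EFI/manjaro_grub" "$t/boot/efi/EFI/boot"
printf 'GRUB_DEFAULT=saved\n' > "$t/etc/default/grub"
echo new > "$t/boot/efi/EFI/manjaro_grub/grubx64.efi"
echo old > "$t/boot/efi/EFI/boot/bootx64.efi"
printf 'crypt\npart\ndisk\n' |
    PREFIX=$t GRUB_MKCONFIG=true GRUB_INSTALL=false install_bootloader "$t/m-a.log" ||
    echo "aborted, bootx64.efi still: $(cat "$t/boot/efi/EFI/boot/bootx64.efi")"
cat "$t/m-a.log"; rm -rf "$t"
```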


#497

I attempted to mount /dev/mapper/cryptroot, which was formatted during the previous install to ext4. I used the cryptsetup open menu item in the LUKS menu to de-crypt.

Didn’t see any point attempting to mount /dev/sdb1 without de-crypting first, just binary white noise, although this instance should probably be tested and error handled, or preferably prevented entirely by excluding encrypted partitions from this menu list.

The other thing was also in the mount partition list, each partition in a logical volume is listed redundantly multiple times, instead of just a single logical volume name. See previous post for details.

This makes sense as it looks like a formatted version of lsblk or blkid, but maybe use a separate method to populate logical volumes, like lvs or lvdisplay. Or maybe there is an easier way by just filtering the current list… whatever, you’ll figure it out.

EDIT : I still don’t understand the contents of /etc/crypttab, more Arch wiki reading required… tomorrow though.


#498

That is a good idea. I’ll put it on my list


#499

Just look in the os-prober script… its got luks partition exclusion down pat… :wink:


#500

To do for the next time I get to work on this (possibly this night):

  1. fix mounting LUKS volumes without formatting (I suspect my fix for f2fs may have introduced this problem)
    EDIT: Fixed (1)

  2. add proper configuration in grub if /boot is encrypted
    EDIT: hopefully fixed, not tested yet
    EDIT2: Fixed, tested

  3. exclude encrypted partitions from the list


#501

Okay, I’m now somewhat satisfied with encryption support. I tested installing bspwm profile, uefi boot with everything but esp encrypted and it just works.

I also discovered that if you skip setting locales, locales don’t get set (surprise surprise). This breaks stuff like tmux.

Hiding already mounted partitions and partitions containing cryptdevices is now also well under way. Papajoker wrote a function to hide partitions and I wrote one to list partitions to be hidden. Just needs to be put together.


#502

To do for the next update:

  • hide pointless partition entries from selection
  • implement exit check that warns if you missed something important
  • show grub-mkconfig output

#503

Should we automatically set up a keyfile for encryption if /boot is encrypted? Like this:

Bonus: Login once
You’ve probably noticed that there remains the minor annoyance of having to decrypt your drive twice: once for GRUB and once for the kernel. Evidently, when GRUB passes control to the kernel, the encrypted drive is dismounted.

There is, however, a way to open a LUKS device without entering a passphrase: with a keyfile. The encrypt hook can take the file specified in the cryptkey kernel parameter (default: /crypto_keyfile.bin) and use it to unlock the cryptdevice.

dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

I tried various methods to get GRUB to load the keyfile into memory and pass it to the kernel, without success. Then, I realised that the initrd image is itself something GRUB loads into memory, and mkinitcpio.conf has a very convenient FILES option…

FILES=/crypto_keyfile.bin

Run mkinitcpio again, and when you reboot, you’ll only need to enter your password once.

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
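
If an installer automates the keyfile steps quoted in #503, the key ends up both in /crypto_keyfile.bin and inside every initramfs image built with FILES=, so the modes of those files decide who on the running system can read it. This is an added example, not from the thread or the quoted article: a post-install check that flags any of those files readable by group or other. The function names and the ROOT argument are assumptions; the paths are the ones in the quoted steps.

```shell
#!/bin/sh
# Added example, not from the thread or the quoted article.
# ROOT is the install root (for example /mnt); sample tree below is constructed.

# leaks_to_others FILE: true if group or other hold any permission bit.
leaks_to_others() {
    case $(stat -c %a "$1") in
        0|?00|??00) return 1 ;;   # only owner bits (or none) are set
        *) return 0 ;;
    esac
}

# audit_keyfile ROOT: print one finding per exposed file, non-zero if any.
audit_keyfile() {
    r=$1; n=0
    grep -Eq '^FILES=.*crypto_keyfile\.bin' "$r/etc/mkinitcpio.conf" || {
        echo "keyfile not listed in FILES, nothing embedded"; return 0; }
    for f in "$r/crypto_keyfile.bin" "$r"/boot/initramfs-*.img; do
        [ -e "$f" ] || continue
        if leaks_to_others "$f"; then
            echo "readable beyond root: ${f#"$r"} (mode $(stat -c %a "$f"))"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed tree: keyfile locked down, initramfs image left at 644.
t=$(mktemp -d); mkdir -p "$t/etc" "$t/boot"
echo 'FILES=/crypto_keyfile.bin' > "$t/etc/mkinitcpio.conf"
: > "$t/crypto_keyfile.bin"; chmod 000 "$t/crypto_keyfile.bin"
: > "$t/boot/initramfs-4.9-x86_64.img"; chmod 644 "$t/boot/initramfs-4.9-x86_64.img"
audit_keyfile "$t" || echo "fix: chmod 600 the files listed above, then re-run"
rm -rf "$t"
```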