Seeking Assistance to Install Fedora 41 with Detached LUKS Header

I am in need of assistance with installing Fedora 41 while utilizing a detached LUKS header.
I have the same problem as the user of this thread.
I just recently started using Fedora and Linux and I have little experience yet.

I couldn’t find any instructions on the Internet that are suitable for Fedora 41.

Also, I couldn’t move the /boot partition together with the LUKS header to a separate USB drive.

Have you tried using Chapter 9, "Encrypting block devices using LUKS", in the Red Hat Product Documentation?

It’s not Fedora specific, but I would think it would point you in the right direction.


Used commands from point 9.4 and 9.5

cryptsetup luksUUID /dev/mapper/luks
For some reason this command does not display UUID, although I did everything correctly.

I specified UUID from /dev/sda3 in /etc/crypttab
As a result, after rebooting, the system does not boot.

I can’t cope with the transfer of the header.

It should work with cryptsetup luksUUID /dev/<yourDeviceID>, e.g. /dev/sda5.

Alternatively, the lsblk -f command should also reveal the UUID of the LUKS device.


Some outputs to show what it looks like.

[grumpey@grumpey1 ~]$ lsblk 
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0                                         252:0    0     8G  0 disk  [SWAP]
nvme0n1                                       259:0    0 953.9G  0 disk  
├─nvme0n1p1                                   259:1    0     1G  0 part  /boot/efi
├─nvme0n1p2                                   259:2    0     2G  0 part  /boot
└─nvme0n1p3                                   259:3    0 950.9G  0 part  
  └─luks-5a26a62f-0a55-4b72-a775-85e89c240c97 253:0    0 950.9G  0 crypt /var
                                                                         /snapshots
                                                                         /home
                                                                         /

sudo cryptsetup luksUUID /dev/nvme0n1p3
5a26a62f-0a55-4b72-a775-85e89c240c97
lsblk -f 
NAME                                          FSTYPE      FSVER LABEL         UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
zram0                                                                                                                             [SWAP]
nvme0n1                                                                                                                           
├─nvme0n1p1                                   vfat        FAT32 ESP           A10B-34EA                             981.4M     4% /boot/efi
├─nvme0n1p2                                   ext4        1.0   boot          0c3fc63c-846d-476f-9a27-276fa01703ec    1.5G    15% /boot
└─nvme0n1p3                                   crypto_LUKS 2                   5a26a62f-0a55-4b72-a775-85e89c240c97                
  └─luks-5a26a62f-0a55-4b72-a775-85e89c240c97 btrfs             grumpey-btrfs a8bbfc65-12df-4144-bf98-28469a06321f  609.8G    36% /var
                                                                                                                                  /snapshots
                                                                                                                                  /home
                                                                                                                                  /


Update: I successfully got the UUID via the lsblk -f command.

Please tell me how to correctly register the disk in /etc/crypttab.
Is it necessary to register the UUID of the encrypted disk here and add the path to the header location at the end?

luks_encrypted UUID=5a26a62f-0a55-4b72-a775-85e89c240c97 none discard luks,header=/dev/sdb1

dracut --regenerate-all --force

As a result, after GRUB, the system boots endlessly (it does not see the disk).

Is there anything to change in /etc/fstab?
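
An added example, not part of any post in this thread: a small Python check of a crypttab entry against the four-field layout described in crypttab(5), run on the entry posted above. The function name `lint_crypttab_line` and the regrouped sample line are assumptions made for illustration.

```python
# Lint one /etc/crypttab line against the four-field layout in crypttab(5):
#   <name> <device> <key file> <options>, options being ONE comma-separated field.
# lint_crypttab_line is a hypothetical helper written for this example.

def lint_crypttab_line(line):
    """Return (options, problems) for a single crypttab line."""
    text = line.strip()
    if not text or text.startswith("#"):
        return {}, []  # blank line or comment
    fields = text.split()
    if len(fields) < 2:
        return {}, ["need at least <name> and <device>"]
    device, extra = fields[1], fields[4:]
    problems = []
    if extra:
        problems.append("more than four fields; stray tokens: " + " ".join(extra))
    options = {}
    if len(fields) > 3:
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            options[key] = value or True
    # An option that landed in a stray token is not in the options field.
    stray = [o.partition("=")[0] for tok in extra for o in tok.split(",")]
    if "header" in stray:
        problems.append("header= is outside the options field")
    # The LUKS UUID is stored in the header, so UUID= only resolves while the
    # data partition itself still carries a LUKS header.
    if "header" in options and device.startswith("UUID="):
        problems.append("UUID= device with header=: check the partition has a UUID")
    return options, problems


# Constructed samples. POSTED is the entry from the post above; REGROUPED puts
# every option into one field and names the partition by path (/dev/sda3 is
# the partition mentioned earlier in the thread, assumed here).
POSTED = ("luks_encrypted UUID=5a26a62f-0a55-4b72-a775-85e89c240c97 "
          "none discard luks,header=/dev/sdb1")
REGROUPED = "luks_encrypted /dev/sda3 none luks,discard,header=/dev/sdb1"

if __name__ == "__main__":
    for entry in (POSTED, REGROUPED):
        options, problems = lint_crypttab_line(entry)
        print(entry)
        print("  options: ", options)
        print("  problems:", problems or "none")
```

A clean result only means the line parses into the four fields; the initramfs still has to be able to reach the header device at boot.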

Are you using a LUKS partition with detached header? If so, I would first make sure the encrypted partition can be opened and mounted manually:

# Open luks device
sudo cryptsetup open /dev/your-partition your-mapping-name --header=/path-to-your-header

# Mount device
sudo mount /dev/mapper/your-mapping-name /your-mount-point

Yes. I did that. It opens and decrypts and mounts successfully.
But I can’t do anything else.

When I reboot the system, the system doesn’t boot (just the Fedora logo and constant boot) and the password is not requested.

I see you’re booting into a live session.

In your troubleshooting efforts you could use the nofail flag in /etc/fstab, so that at least an unsuccessful mount wouldn’t block you from booting into a graphical session.

I don’t know what else to do.
I did everything according to the instructions and it didn’t work.

Presuming it’s not the root partition you’re trying to encrypt with a detached header, as a workaround you could remove the fstab and crypttab entries, and open/mount the encrypted device each time after logging in to a graphical session. A bash alias might make things a bit easier.

I’m trying to encrypt the root section completely, except /boot.

Well, a functional encrypted root partition with non-detached header is still better (from my point of view) than a non-working encrypted partition with detached header.

You might want to go with a default/automatic installation (LUKS encrypted), until you figure out how to work with detached headers (maybe even trying with a non-system partition first).
