As of late I have discovered that the mounting of veracrypt volumes is supported natively by cryptsetup and systemd.
Since I seek a dual-boot fully-encrypted installation where all partitions are accessible by all systems, and LUKS can't be read from windows AFAIK, I decided to go in the rabbit hole that is installing Ubuntu manually to a veracrypt volume.
So far, I have achieved almost everything. I unsquashed the squashfs image the CD came with into the root partition, made a few configuration tweaks and got:
- A root filesystem with Lubuntu in `/dev/sdb5` (an encrypted veracrypt volume)
- A `/boot/efi` partition in `/dev/sdb2` (an unencrypted FAT32 partition)
- A shared `/home` folder located within `/dev/sdb6` (another encrypted veracrypt volume)
Since both the root and home partitions have the same password, I set up crypttab as such (supposedly the keyscript decrypt_keyctl briefly caches the password and passes it to subsequent calls):

```
# <target name> <source device> <key file> <options>
ubunturoot /dev/sda5 /dev/null tcrypt,tcrypt-veracrypt,keyscript=decrypt_keyctl
sharedfiles /dev/sda6 /dev/null tcrypt,tcrypt-veracrypt,keyscript=decrypt_keyctl
```
And to mount the filesystems my fstab is configured as such:

```
#[Device] [Mount Point] [File System Type] [Options] [Dump] [Pass]
/dev/mapper/ubunturoot / ext4 defaults 0 1
/dev/mapper/sharedfiles /media/sharedfiles ntfs-3g defaults 0 2
/dev/sda2 /boot/efi fat32 defaults 0 2
/media/sharedfiles/Users /home none defaults,bind 0 2
```
(And yes, I am aware that the shared files partition is not mounted directly to `/home`; that is the intended effect.)
I have chrooted into the fs using a live CD, making sure to `mount -B` all of `/dev`, `/dev/pts`, `/sys`, `/proc` and `/run` from the live CD to the chroot.

I have successfully installed grub using `grub-install` without any errors.

However, when trying to build an initramfs to reside in `/boot/efi` using

```
mkinitramfs -o /boot/efi/initramfs
```

I get the following output:
```
cryptsetup: ERROR: ubunturoot: Source mismatch
cryptsetup: WARNING: target 'ubunturoot_1' not found in /etc/crypttab
cryptsetup: WARNING: target 'ubunturoot_2' not found in /etc/crypttab
W: Possible missing firmware /lib/firmware/amdgpu/navi10_gpu_info.bin for module amdgpu
```

Some 10 more lines regarding AMD firmware, which I'm not particularly worried about, then

```
E: /usr/share/initramfs-tools/hooks/cryptkeyctl failed with return 1.
```
I have looked through the internet for the "Source mismatch" line, and have not found much to help me.
I have gone to the script mentioned in the last line, found that it requires another initramfs hook, then found the offending line and surrounding comments in `/usr/share/initramfs-tools/hooks/cryptroot`:

```sh
# crypttab_print_entry()
#   Print an unmangled crypttab(5) entry to FD nr. 3, using CRYPTTAB_*
#   and _CRYPTTAB_* values.
#   _CRYPTTAB_SOURCE is replaced with /dev/mapper/$sourcename for mapped
#   sources, otherwise by UUID=<uuid> if possible (eg, for LUKS).  If
#   the entry uses the 'decrypt_derived' keyscript, the other
#   crypttab(5) entries it depends on are (recursively) printed before
#   hand.
#   Various checks are performed on the key and crypttab options, but no
#   parsing is done so it's the responsibility of the caller to call
#   crypttab_parse_options().
#   Return 0 on success, 1 on error.
crypttab_print_entry() {
    local DEV MAJ MIN sourcename uuid keyfile
    if resolve_device "$CRYPTTAB_SOURCE"; then
        if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
            cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
```
I have tried to understand the surrounding script, but failed. I am barely understanding that the initramfs script concerning mounting an encrypted rootfs is failing, but I can't for the life of me find why.
Any other troubleshooting actions I can take to shed some light on this? If any commands are suggested, I'll run them and update on it.
The script does a cross-check between the config files - fstab and crypttab. This cross-check is to ensure that the entries match, more specifically that the device major and minor numbers match.
You could run the following command to see the raw error message, where $CRYPTTAB_NAME is 'ubunturoot' in this case. This is the actual command that the script is running at the time, but it is suppressing errors.
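The cross-check described above, redone by hand as an added example (not the original post's code and not part of initramfs-tools): for every crypttab entry it prints the major:minor that the source device resolves to next to the major:minor that dmsetup reports for the active mapping, so a source path pointing at a different disk than the mapping actually uses shows up immediately. It assumes GNU stat(1) and dmsetup(8) are available and takes an optional crypttab path as its argument.

```shell
#!/bin/sh
# Added example: redo the cryptroot hook's "Source mismatch" check by hand,
# showing both sides of the comparison instead of hiding them.
# Assumes GNU stat(1) and dmsetup(8); run as root inside the chroot.

# Decimal MAJ:MIN of a block device, following symlinks (stat prints hex).
device_devnos() {
    stat -L -c '%t %T' -- "$1" 2>/dev/null | {
        read -r maj_hex min_hex || return 1
        printf '%d:%d\n' "$((0x$maj_hex))" "$((0x$min_hex))"
    }
}

# MAJ:MIN that device-mapper reports as backing the active mapping.
mapping_devnos() {
    dmsetup info -c --noheadings -o devnos_used -- "$1" 2>/dev/null
}

# The hook's condition in isolation, so it can be checked on constructed
# values: succeed only when the source resolved and equals dmsetup's answer.
sources_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Walk a crypttab file and report each target's two device numbers.
# Returns 1 if any entry mismatches, as the hook would.
check_crypttab() {
    local rc=0 name source keyfile opts src_nos map_nos
    while read -r name source keyfile opts; do
        case "$name" in ''|'#'*) continue ;; esac
        src_nos=$(device_devnos "$source") || src_nos=''
        map_nos=$(mapping_devnos "$name")
        if sources_match "$src_nos" "$map_nos"; then
            printf '%s: OK (%s)\n' "$name" "$src_nos"
        else
            printf '%s: MISMATCH crypttab=%s (%s) dmsetup=%s\n' \
                "$name" "$source" "${src_nos:-unresolved}" "${map_nos:-no mapping}"
            rc=1
        fi
    done < "${1:-/etc/crypttab}"
    return $rc
}
```

Run `check_crypttab /etc/crypttab` from the chroot while the volumes are open; a line reading `MISMATCH` tells you which side disagrees, and the `crypttab=` path should be compared with the device the live system actually mapped.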