LLars-Dominik Braun wrote on 30 May 2022 12:07
(address . email@example.com)
I followed the manual to manually install Guix with full disk encryption
using LUKS2 and PBKDF2. However this leaves me with an unbootable system,
stuck at Grub’s rescue prompt, because `grub-install` apparently does
not know how to detect a LUKS2 target and therefore does not include
the modules required to open the encrypted volume in the EFI image. See
I managed to manually create a core.img with the help of ArchLinux’
Wiki (see also ), boot into the system and reconfigure with a
"Create an Grub EFI image with included cryptomount support for luks2,
which grub-install does not handle yet."
#~(lambda (bootloader efi-dir mount-point)
(let ((grub-mkimage (string-append bootloader "/bin/grub-mkimage"))
;; Required modules, YMMV.
(modules (list "luks2" "part_gpt" "cryptodisk" "gcry_rijndael" "pbkdf2" "gcry_sha256" "ext2"))
(prefix (string-append mount-point "/boot/grub"))
;; Different configuration required to set up a crypto
;; device. Change crypto_uuid to match your output of
;; `cryptsetup luksUUID /device`.
;; XXX: Maybe cryptomount -a could work?
(config #$(plain-file "grub.cfg" "set crypto_uuid=755e547f78f44dc38dab58399e1780a6
cryptomount -u $crypto_uuid
(target-esp (if (file-exists? (string-append mount-point efi-dir))
(string-append mount-point efi-dir)
(apply invoke (append
"-o" (string-append target-esp "/EFI/Guix/grubx64.efi"))
Supposedly there are also patches for grub-mkimage, but maybe we can
include a workaround like the above by default until then or remove the
section about LUKS2 entirely?