How to Encrypt the Root Partition with LUKS in Text Mode Installation on CentOS 9?

[Cyrker]

Hi！
due to some odd issues with the server, I am unable to enter the graphical installation interface and can only use text mode (textmode) for installation.

However, there is also a need to encrypt the root directory. After searching through related documents, it is mentioned that the encryption of the root directory needs to be done during the installation process.

Therefore, I am seeking help from the community! Currently, this is how I am proceeding: After entering text mode, I switch to another terminal by pressing Alt+Tab and use the commands:


cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 root


to create an encrypted partition. Then, when I switch back to the text-based installation mode and select the installation location, an error occurs. The error message is:

"The existing unlocked Luks device sda2 cannot be used for the installation without an encryption key specified for this device. Please, rescan the storage."

[TrevorH]

You can append ' vnc' to the end of the kernel command line (without quotes) before you start the install and then you can run the GUI installer via VNC and use all the options from that. Or alternatively look at using a kickstart file where you can tell the installer exactly what you want to do and then load that ks file using the kernel command line and automate the entire process from then on.

[Cyrker]

Thanks for you reply!
I try to add the tag like this!


and the output is

[TrevorH]

I am suspecting that it does not have an ip address assigned. I am fairly sure the installer defaults to using ip=dhcp so it should pick one up from a DHCP server if there is one present. If you don't have a DHCP server then you may need to tell it what the ip address and interface should be, search for ip= in https://access.redhat.com/documentation ... ller/index for the syntax on how to do that.

For some weird reason everything except ip= is inst.something= but ip= is just that, no inst.

[Cyrker]

Thank you for your reply! Since this server does not assign IP addresses via DHCP but requires manual VLAN segmentation to obtain an IP, should I complete the VLAN configuration and then attempt to restart VNC?

[Cyrker]

I also attempted to use a kickstart file, but encountered an issue: the IPMI interface can only mount one file at a time. If I opt to mount the ISO, I am unable to mount the kickstart file; conversely, if I choose the kickstart file, I cannot mount the ISO. Additionally, configuring the IP requires editing the boot menu and then using Alt+Tab to switch to another terminal for manual VLAN segmentation, which is necessary for the server to gain network connectivity.

[TrevorH]

You can do VLAN connections from the installer but the kernel command line is not exactly nice and easy. You can also do it from a kickstart using syntax like

network --device=bond0 --onboot=yes --bootproto=static --noipv6 --noipv4 --bondopts=mode=802.3ad,miimon=100 --bondslaves=eno1,eno3 --hostname=yourhostname
network --device=bond0 --vlanid=999 --interfacename=bond0.999 -...
network --device=bond0 --vlanid=998 --interfacename=bond0.998 ...

You can also do it from the kernel command line, search for vlan= in the bootoptions link I posted earlier and it has syntax like vlan=vlan5:enp0s1 (has multiple syntax options so read the doc for more). If you have more than one interface and the one you want to use is not the first one then also look at bootdev=

[Cyrker]

The problem is solved! When the system asked me to choose VNC or TEXTMODE, I pressed alt+tab to switch to another terminal to configure vlan, then switched back to enable VNC, and then I could use the VNC connection to start the installation!
thanks for you reply again!