
#1 2019-07-17 00:26:44

squeakychair
Member
Registered: 2018-04-15
Posts: 8

[SOLVED] initrd can't auto-mount dm-crypt from keyfile

I'm a couple nights and too many hours into researching this problem, finally capitulating and asking for help.

Doing a fresh install of Arch on a new machine. I'm getting hung up on the disk encryption (seems like a common hurdle). I want to load the encryption key from a USB stick, instead of typing the passphrase. My initrd can't do this automatically, but if I manually run the steps, the system loads up no problem.

I believe the Arch install is good, and that this is just a configuration issue somewhere. This is a standalone machine, so I manually re-typed any console outputs in this post. If you see a typo, let me know and I'll try to fix it (or maybe that's my problem!).

# UEFI boot loader & kernel parameters (tokenized for readability)
efibootmgr
    --disk /dev/nvme0n1
    --part 1
    --create
    --label "Arch Linux"
    --loader /vmlinuz-linux
    --unicode '
        cryptroot=/dev/nvme0n1p2:cryptroot
        root=/dev/mapper/cryptroot
        cryptkey=/dev/disk/by-uuid/8253-018D:vfat:/t480s.key
        rw
        initrd=\initramfs-linux.img
        '
    --verbose
# /etc/mkinitcpio.conf (abridged)
MODULES=(vfat)
HOOKS=(base udev modconf block encrypt filesystems keyboard fsck)

UEFI loads the kernel and initrd ok, but the hooks fail to automatically open my crypt and mount root.

:: running early hook [udev]
Starting version 242.32-1-arch
:: running hook [udev]
:: Triggering uevents...
:: running hook [encrypt]
Waiting 10 seconds for device /dev/disk/by-uuid/8253-018D ...
Waiting 10 seconds for device /dev/mapper/cryptroot ...
Waiting 10 seconds for device /dev/mapper/cryptroot ...
ERROR: device '/dev/mapper/cryptroot' not found. Skipping fsck.
:: mounting '/dev/mapper/cryptroot' on real root
mount: /new_root: special device /dev/mapper/cryptroot does not exist.
You are now being dropped into an emergency shell.
sh: can't access tty; job control turned off
[rootfs ]# 

But if I manually go through the steps, I can open, mount, and boot without any troubles.

[rootfs ]# mkdir /mnt
[rootfs ]# mount /dev/disk/by-uuid/8253-018D /mnt
[rootfs ]# cryptsetup open /dev/nvme0n1p2 cryptroot -d /mnt/t480s.key
WARNING: Locking directory /run/cryptsetup is missing!
[rootfs ]# mount /dev/mapper/cryptroot /new_root
[rootfs ]# exit

At this point, the system fully boots, with no other issues that I've noticed. Anyone have an idea why my initrd is hanging up here? And how I can fix it?

Last edited by squeakychair (2019-07-18 11:46:19)


#2 2019-07-17 06:00:47

frostschutz
Member
Registered: 2013-11-15
Posts: 819

Re: [SOLVED] initrd can't auto-mount dm-crypt from keyfile

try UUID=thing instead of /dev/disk/by-uuid/thing


#3 2019-07-17 11:30:53

squeakychair
Member
Registered: 2018-04-15
Posts: 8

Re: [SOLVED] initrd can't auto-mount dm-crypt from keyfile

Thanks, I'll try that after work tonight. What's puzzling to me is why the manual boot works fine (even using /dev/disk/by-uuid/thing).


#4 2019-07-18 01:14:55

squeakychair
Member
Registered: 2018-04-15
Posts: 8

Re: [SOLVED] initrd can't auto-mount dm-crypt from keyfile

frostschutz wrote:

try UUID=thing instead of /dev/disk/by-uuid/thing

Well, after all that it looks like the initramfs hook scripts directly translate "UUID=thing" into "/dev/disk/by-uuid/thing". So I hit the same issue either way, unfortunately.


#5 2019-07-18 07:17:52

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 516
Website

Re: [SOLVED] initrd can't auto-mount dm-crypt from keyfile

mkinitcpio --hookhelp encrypt wrote:

For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
the kernel cmdline, where 'device' represents the raw block device where the key
exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
the absolute path of the keyfile within the device.

You have not specified an absolute path.


#6 2019-07-18 07:53:49

frostschutz
Member
Registered: 2013-11-15
Posts: 819

Re: [SOLVED] initrd can't auto-mount dm-crypt from keyfile

schard wrote:

You have not specified an absolute path.

No, that's completely fine.

The file is in the root of the filesystem provided so no additional path elements are necessary.

The keyfile does not have to start with / (no harm if it does anyway, but no point to it either).

#resolved=/dev/disk/by-uuid/8253-018D (or equivalent, if it found that device at all)
#ckarg1=vfat
#ckarg2=t480s.key

    mkdir /ckey
    mount -r -t "$ckarg1" "$resolved" /ckey
    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
    umount /ckey
    ;;

so it mounts to /ckey then looks for /ckey/t480s.key, and OP mounted to /mnt then used /mnt/t480s.key, same difference


#7 2019-07-18 08:18:18

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 516
Website

Re: [SOLVED] initrd can't auto-mount dm-crypt from keyfile

Ah, I see.
The parameter is cryptdevice, not cryptroot.

        …
        cryptdevice=/dev/nvme0n1p2:cryptroot
        …

Last edited by schard (2019-07-18 08:27:06)


#8 2019-07-18 11:45:58

squeakychair
Member
Registered: 2018-04-15
Posts: 8

Re: [SOLVED] initrd can't auto-mount dm-crypt from keyfile

schard wrote:

Ah, I see.
The parameter is cryptdevice, not cryptroot.

        …
        cryptdevice=/dev/nvme0n1p2:cryptroot
        …

This was my problem! cryptroot (wrong) vs. cryptdevice (correct). Thank you for spotting that one! The initramfs boots cleanly and easily now.

As a side note, my key actually has a leading slash, but I missed it when transcribing the original post. It's fixed now.

I genuinely appreciate the help you both offered, thank you!
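An added example (my own script, not part of mkinitcpio or its encrypt hook) that checks a kernel command line for the two things this thread turned on: the parameter must be cryptdevice= rather than cryptroot=, and cryptkey= must have the device:fstype:path shape quoted from --hookhelp. It assumes the UUID=/LABEL= translation described above and handles only the three-field cryptkey form; the function names are mine.

```shell
#!/bin/sh
# Pre-reboot sanity check for the Arch "encrypt" hook command line.
# Constructed example, not code from the hook itself.

# resolve_device SPEC: expand UUID=... / LABEL=... the way the hook does,
# leaving plain /dev paths unchanged.
resolve_device() {
    case "$1" in
        UUID=*)  echo "/dev/disk/by-uuid/${1#UUID=}" ;;
        LABEL=*) echo "/dev/disk/by-label/${1#LABEL=}" ;;
        *)       echo "$1" ;;
    esac
}

# check_cmdline "CMDLINE": prints one line per finding; returns 0 if the
# line can unlock root from a keyfile, 1 if a problem was found.
check_cmdline() {
    _status=0; _have_dev=0
    for _arg in $1; do
        case "$_arg" in
            cryptroot=*)   # the typo from the original post: hook ignores it
                echo "ERROR: 'cryptroot=' is not read by the encrypt hook; use 'cryptdevice=${_arg#cryptroot=}'"
                _status=1 ;;
            cryptdevice=*)
                _have_dev=1
                case "${_arg#cryptdevice=}" in
                    *:?*) ;;   # device:dmname present
                    *) echo "ERROR: cryptdevice must be device:dmname"; _status=1 ;;
                esac ;;
            cryptkey=*)
                _spec=${_arg#cryptkey=}
                _dev=${_spec%%:*}; _rest=${_spec#*:}
                _fs=${_rest%%:*};  _path=${_rest#*:}
                # fewer than two colons means a field is missing
                if [ "$_spec" = "$_rest" ] || [ "$_rest" = "$_path" ] || [ -z "$_path" ]; then
                    echo "ERROR: cryptkey must be device:fstype:path (got '$_spec')"
                    _status=1
                else
                    # leading slash on the path is optional: hook reads /ckey/$path
                    echo "INFO: keyfile '$_path' on $(resolve_device "$_dev") ($_fs)"
                fi ;;
        esac
    done
    [ "$_have_dev" -eq 1 ] || { echo "ERROR: no cryptdevice= given; root will never be opened"; _status=1; }
    return $_status
}
```

Run it against the exact string you pass to efibootmgr --unicode before rebooting; the original post's line would fail on cryptroot= while the corrected one passes.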

