
#1 2020-01-19 15:13:29

tameddysphoria
Member
Registered: 2020-01-19
Posts: 4

Help with key & header files on encrypted grub usb with encrypted root

As stated in the heading, what I am trying to do is create a USB device with grub that contains an encrypted partition containing the key file and header of the system. The encrypted partition is to use a key file as well. I actually plan on figuring out how to do this using a section of data on the storage hdd of the system, but for initially figuring out this system I am using a key file on the plaintext partition of the grub usb. The system is seated on a hardware-controlled RAID0. The /boot directory is not encrypted in this situation.

I am trying to achieve this through mkinitcpio hooks. I don't want to inject the key files or headers into the kernel as it negates the purpose of encrypting them away on a separate partition.
I have followed the instructions here https://wiki.archlinux.org/index.php/Dm … der_on_USB with no success.

The issue I am currently having is getting dropped into an emergency shell. See
https://mega.nz/#!RcdQCYRa!kYtvG-UTyvjm … v7-xhzp_ec

Because I can't get the system to see the device I cannot test the other arguments in the hook, although that doesn't mean the rest of my script isn't bad. I have spent a long time testing a lot of different hooks and I think I am missing something conceptually. I would love some help.


System Configuration

[root@archiso /]# lsblk -o NAME,SIZE,FSTYPE,TYPE,MOUNTPOINT,UUID
NAME            SIZE FSTYPE TYPE  MOUNTPOINT UUID
loop0         541.5M squash loop             
sda             1.8T        disk             
`-sda1          1.8T ext4   part             917d90d3-a73e-4a9f-ac07-5d31e2ead086
sdb           232.9G linux_ disk             e087de6b-d1c0-f3e2-5004-e9a05ae79b73
`-md127       465.5G        raid0            
  `-cryptrootlm
              465.5G LVM2_m crypt            MXl8cE-BwqO-r6qM-vYn5-Rtph-921w-GFDywb
    |-laughing--man-swap
    |            16G swap   lvm   [SWAP]     120debc0-b275-47be-8026-4446f6cb9e43
    |-laughing--man-var
    |           300G ext4   lvm   /var       fe4b11d0-afca-480a-a6cb-0cf918a64e6a
    `-laughing--man-root
              149.5G btrfs  lvm   /snapshots ae403958-c279-4b38-a333-f17594bdc8c2
sdc           232.9G linux_ disk             e087de6b-d1c0-f3e2-5004-e9a05ae79b73
`-md127       465.5G        raid0            
  `-cryptrootlm
              465.5G LVM2_m crypt            MXl8cE-BwqO-r6qM-vYn5-Rtph-921w-GFDywb
    |-laughing--man-swap
    |            16G swap   lvm   [SWAP]     120debc0-b275-47be-8026-4446f6cb9e43
    |-laughing--man-var
    |           300G ext4   lvm   /var       fe4b11d0-afca-480a-a6cb-0cf918a64e6a
    `-laughing--man-root
              149.5G btrfs  lvm   /snapshots ae403958-c279-4b38-a333-f17594bdc8c2
sdd             7.5G        disk             
`-sdd1          7.5G iso966 part             2020-01-01-05-20-18-00
sde            14.5G        disk             
|-sde1            1M        part             
|-sde2          300M vfat   part  /boot/efi  C61D-FC9C
|-sde3            4G ext4   part  /boot      ff92b20f-e9ff-492e-8026-a9983c108487
|-sde4            1G crypto part             ba4a64bb-1970-446d-8978-d6a0676d2185
| `-Enc-Kf-H-D-Stor
|              1022M ext4   crypt            97187a52-7773-4110-8ac0-a27eb84f170d
|-sde5          6.4G        part             
`-sde6          2.8G vfat   part             3781-3F52

Hook

/etc/initcpio/hooks/customencrypthook
#!/usr/bin/ash

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    modprobe loop
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

    # mount the plaintext /boot partition on the USB stick to reach the outer key file
    mkdir -p /mnt
    mount /dev/disk/by-uuid/ff92b20f-e9ff-492e-8026-a9983c108487 /mnt
    cryptsetup --key-file=/mnt/keystor.img /dev/disk/by-uuid/ba4a64bb-1970-446d-8978-d6a0676d2185 open --type luks Enc-Kf-H-D-Stor
    umount /mnt

    # mount the unlocked key store and use the detached header + key file to open the root array
    mount /dev/mapper/Enc-Kf-H-D-Stor /mnt
    cryptsetup --header /mnt/laughing-man/headers/l-m-root-header.img --key-file=/mnt/laughing-man/key-files/l-m-root-key.img --keyfile-size=4096 open --type luks /dev/disk/by-id/md-uuid-e087de6b:d1c0f3e2:5004e9a0:5ae79b73 cryptrootlm
    cryptsetup close Enc-Kf-H-D-Stor
    umount /mnt
}

mkinitcpio config

/etc/mkinitcpio.conf
MODULES=(loop dm_mod raid456 ext4 usbcore sd_mod ehci_hcd uhci_hcd usb_storage dm-crypt)
...
BINARIES=(mdmon)
...
HOOKS=(base udev autodetect modconf block mdadm keymap customencrypthook lvm2 btrfs filesystems keyboard fsck)

Grub config

/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-id/md-uuid-e087de6b:d1c0f3e2:5004e9a0:5ae79b73:root"
GRUB_ENABLE_CRYPTODISK=y

BTRFS Subvolumes

findmnt -nt btrfs
/            /dev/mapper/laughing--man-root[/@root]      btrfs  rw,noatime,compress
|-/home      /dev/mapper/laughing--man-root[/@home]      btrfs  rw,noatime,compress
`-/snapshots /dev/mapper/laughing--man-root[/@snapshots] btrfs  rw,noatime,compress


#2 2020-01-19 15:32:05

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Help with key & header files on encrypted grub usb with encrypted root

your cryptsetup command is in the wrong order, use 'open /dev/...' instead of '/dev/... open'

this should be the cause of your 'cryptsetup: Unknown action' error

but before that, your mount is already failing. try UUID= instead of /dev/disk/by-uuid. If it's a USB stick, it might also take time to be detected (yes, even if you booted off of it, that was the bootloader - linux has to detect it on its own first)

so you might have to sleep and wait for it to appear

that's assuming the necessary modules for usb etc. are loaded. You can check /proc/partitions, /dev/disk/*, lsmod, dmesg, etc. on the rescue shell


#3 2020-01-21 07:28:56

tameddysphoria
Member
Registered: 2020-01-19
Posts: 4

Re: Help with key & header files on encrypted grub usb with encrypted root

frostschutz wrote:

your cryptsetup command is in the wrong order, use 'open /dev/...' instead of '/dev/... open'

You were right, this solved the 'cryptsetup: Unknown action' error

frostschutz wrote:

but before that, your mount is already failing. try UUID= instead of /dev/disk/by-uuid. If it's a USB stick, it might also take time to be detected (yes, even if you booted off of it, that was the bootloader - linux has to detect it on its own first)

so you might have to sleep and wait for it to appear

This was the other issue. I put 'sleep 5' statements between all of the commands and it solved the issue. In the process of narrowing down those wait periods now. I had to put /dev/disk/by-id/'uuid' as this is on a hardware-controlled raid and the uuid wasn't being picked up properly, and the id had ':' in it, hence the ''. That took me an embarrassingly long amount of time to figure out -_-

Thank you frostschutz for your help. It's all working now.
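A version of the hook that folds in the three points from this thread (action before device in the cryptsetup call, waiting for the USB stick to be enumerated rather than a fixed 'sleep 5' after every command, and the quoted by-id path for the md array), written here as an added example rather than the poster's final script. Device paths and mapping names are the ones from the posted configuration; wait_for_device and release_keystore are helper names of my own.

```shell
#!/usr/bin/ash
# Device paths and mapping names are those from the configuration posted above.
BOOT_PART="/dev/disk/by-uuid/ff92b20f-e9ff-492e-8026-a9983c108487"
KEYSTORE="/dev/disk/by-uuid/ba4a64bb-1970-446d-8978-d6a0676d2185"
# The md array id contains ':' characters, so keep it quoted.
ROOT_DEV='/dev/disk/by-id/md-uuid-e087de6b:d1c0f3e2:5004e9a0:5ae79b73'

# Poll for a node instead of a fixed 'sleep 5' between every command;
# returns 0 as soon as $1 exists, 1 after $2 seconds (default 10).
wait_for_device() {
    _waited=0
    while [ ! -e "$1" ]; do
        [ "$_waited" -ge "${2:-10}" ] && return 1
        sleep 1
        _waited=$((_waited + 1))
    done
    return 0
}

# Always drop the key-store mount and mapping so the key file and header
# are not left reachable from the booted system.
release_keystore() {
    umount /mnt 2>/dev/null
    cryptsetup close Enc-Kf-H-D-Stor 2>/dev/null
}

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    modprobe loop
    mkdir -p /mnt
    # The kernel enumerates the USB stick itself after GRUB hands over, so
    # its nodes may not exist yet when this hook starts.
    wait_for_device "$BOOT_PART" 15 || { echo "customencrypthook: $BOOT_PART not found" >&2; return 1; }
    mount -o ro "$BOOT_PART" /mnt || return 1
    # Action first, then device, then mapping name.
    cryptsetup --key-file=/mnt/keystor.img open --type luks "$KEYSTORE" Enc-Kf-H-D-Stor
    _rc=$?
    umount /mnt
    [ "$_rc" -eq 0 ] || return 1

    mount -o ro /dev/mapper/Enc-Kf-H-D-Stor /mnt || { release_keystore; return 1; }
    wait_for_device "$ROOT_DEV" 15 || { release_keystore; return 1; }
    cryptsetup --header /mnt/laughing-man/headers/l-m-root-header.img \
        --key-file=/mnt/laughing-man/key-files/l-m-root-key.img --keyfile-size=4096 \
        open --type luks "$ROOT_DEV" cryptrootlm
    _rc=$?
    release_keystore
    return "$_rc"
}
```

mkinitcpio's own init_functions also provide resolve_device and poll_device for the same wait, if you would rather not carry a helper in the hook.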

