You are not logged in.

#1 2020-08-05 17:45:23

DeusKult
Member
Registered: 2020-08-05
Posts: 5

[solved] grub cryptdisk unlock via keyfile not working

Hi,

I'm currently switching to a new device and try to setup a fully encrypted system with encrypted /boot.
Unlocking the /boot partition via keyfile works correct.
Unlocking the lvm containing root/swap still always asks for a password despite having a working crypto_keyfile.

My partitions (pretty much the same as in the Arch Wiki):

NAME           MAJ:MIN    RM   SIZE     RO TYPE  MOUNTPOINT
nvme0n1             259:0    0      477G    0     disk 
├─nvme0n1p1    259:1    0      512M    0     part     /boot/efi
├─nvme0n1p2    259:2    0      200M    0     part 
│  └─cryptboot    254:3    0     198M     0    crypt    /boot
└─nvme0n1p3    259:3    0     476,2G   0    part 
  └─lvm                254:0    0    476,2G   0    crypt
    ├─vg0-swap    254:1    0     64G       0    lvm      [SWAP]
    └─vg0-root      254:2    0     412,2G  0    lvm      /

blkid:

/dev/nvme0n1p1: UUID="702B-5CF3" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="ad68bb99-7101-4623-b3f3-a98e242bc522"
/dev/nvme0n1p2: UUID="50edd581-0b39-4ff0-acd3-d4c6d6227166" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="29b20931-4222-4075-9621-953b6e40d545"
/dev/nvme0n1p3: UUID="6916f41f-436a-4eb4-8851-a88c30a4b084" TYPE="crypto_LUKS" PARTLABEL="Linux LVM" PARTUUID="8368cff2-21b8-46bc-b164-3d776ab15df8"
/dev/mapper/lvm: UUID="r2U7Dv-YyaX-mrfA-L3hY-dHSF-5U2G-mSOtO9" TYPE="LVM2_member"
/dev/mapper/vg0-swap: UUID="b782b74b-5c34-4161-8fb8-f0588d28970c" TYPE="swap"
/dev/mapper/vg0-root: UUID="b268e2bd-2364-42f2-80cd-4582002a7d75" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/cryptboot: UUID="1acc5485-11a2-4a9f-ac89-1631b8070a33" BLOCK_SIZE="1024" TYPE="ext2"

/etc/mkinitcpio.conf Hooks & Files:

HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 resume filesystems fsck)
FILES=(/crypto_keyfile.bin)

/etc/default/grub:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=6916f41f-436a-4eb4-8851-a88c30a4b084:lvm resume=/dev/mapper/vg0-swap"
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
GRUB_ENABLE_CRYPTODISK=y

the /crypto_keyfile.bin works correct too (the last returns are translated from my native language):

cryptsetup luksDump /dev/nvme0n1p3
LUKS header information for /dev/nvme0n1p3

Version:           1
Cipher name:       aes
Cipher mode:       xts-plain64
Hash spec:         sha256
Payload offset:    4096
MK bits:           512
MK digest:         c5 99 70 f0 75 31 a6 1e 49 7e 3c 74 5c d7 01 bc 0e 4e c7 2e
MK salt:           9e 3c 24 5c 15 8c fd 34 1c f3 c6 15 24 48 56 51
                   fe 30 4b b3 9e 95 9f 1c b1 2a a6 91 e5 08 b7 03
MK iterations:     116404
UUID:              6916f41f-436a-4eb4-8851-a88c30a4b084

Key Slot 0: ENABLED
    Iterations:             1916956
    Salt:                   46 01 ae 6c 3d e2 ec 4d 36 29 46 9a 61 1e 6f e7
                              5d 91 1d 43 19 13 fd f2 c7 6f bb 10 9a 34 12 18
    Key material offset:    8
    AF stripes:                4000
Key Slot 1: ENABLED
    Iterations:             2036068
    Salt:                   cf 2a 2b 50 9a e0 b8 65 4b df 85 2b e6 52 1f 82
                              81 fe 7a d2 d3 1b ab 61 ab f2 ab 88 4f 4b c8 dd
    Key material offset:    512
    AF stripes:                4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


cryptsetup --verbose open --key-file /crypto_keyfile.bin --test-passphrase /dev/nvme0n1p3
Schlüsselfach 1 entsperrt.  -> Key Slot 1 unlocked
Befehl erfolgreich.              -> Command successful

crypto_keyfile.bin is available in the initramfs:

zcat /boot/initramfs-5.4-x86_64.img | cpio -idmv
....
....
/crypto_keyfile.bin
....
....

my /etc/crypttab:

cryptboot /dev/nvme0n1p2 /etc/key luks

what I tried without success:
- FILES in mkinitcpio.conf in a different syntax - so like FILES=("/crypto_keyfile.bin") and FILES="/crypto_keyfile.bin"
- explicitly write the cryptkey in the GRUB config:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=6916f41f-436a-4eb4-8851-a88c30a4b084:lvm cryptkey=rootfs:/crypto_keyfile.bin resume=/dev/mapper/vg0-swap"

- create a new keyfile
- write nvm1n0p3 and/or lvm to /etc/crypttab.

I can't find my error to be honest and the exakt same config works properly on my old device.
Any help is greatly appreciated

Last edited by DeusKult (2020-08-06 16:47:21)

Offline

#2 2020-08-06 06:08:09

DeusKult
Member
Registered: 2020-08-05
Posts: 5

Re: [solved] grub cryptdisk unlock via keyfile not working

Some further progress I made in trobuleshooting this:

I tried to enter a wrong password in the first password prompt for hd1.gpt2  which resulted in the grub resuce shell as expected - was able to unlock gpt2 with the correct password manually and the same for gpt3 from there

Now what really confuses me:
I tried entering a wrong password in the second password prompt for hd1.gpt3 and to my surprise it still unlocked and booted (???) although the unlock process took a few seconds longer.

That made me think that there may be a problem with the password being in Luks Key Slot 0 and the key-file in Slot 1 so I swapped that -> still the same.
I get prompted a second time for a password during boot but it does not matter what I type in. It seems to always unlock via the keyfile.

Afterwards I changed the UUID of my cryptdisk in /etc/default/grub to a non-existing UUID because I wanted to get to the grub rescue shell during the second password prompt.
Still it properply unlocked but only the encrypt hook that runs after both password prompts are finished was not able to find the root partition of course and I got to a rootfs shell.

From there I was not able to fix my grub so I had to chroot via the Install media to fix it.

It seems as if the Key-File unlock is working properly the whole time, but due to an unkown issue there is still a password prompt?

Last edited by DeusKult (2020-08-06 06:08:28)

Offline

#3 2020-08-06 16:46:59

DeusKult
Member
Registered: 2020-08-05
Posts: 5

Re: [solved] grub cryptdisk unlock via keyfile not working

Just in case somebody else has the same problem like me in the future:

I found the mistake in /boot/grub/grub.cfg.

in the 00-header part of the cfg the part which defines the cryptodisk was there twice like this:

....
insmod gcry_sha256
insmod lvm
insmod ext2
cryptomount -u 6916f41f436a4eb48851a88c30a4b084
set root='lvmid/PR48Wt-34KN-mOQB-BbFy-DgrQ-VN3E-UTwZeC/2CPwuV-7vJI-bI4K-4InD-LI>
if [ x$feature_platform_search_hint = xy ]; then
.....
nsmod gcry_sha256
insmod lvm
insmod ext2
cryptomount -u 6916f41f436a4eb48851a88c30a4b084
set root='lvmid/PR48Wt-34KN-mOQB-BbFy-DgrQ-VN3E-UTwZeC/2CPwuV-7vJI-bI4K-4InD-LI>
if [ x$feature_platform_search_hint = xy ]; then
.....

This caused the Cryptomount to run twice, once successfull via the Key-File but invisible to me and afterwards once again which caused the seconds password prompt.

removing everything except the most essential lines in /etc/default/grub and reinstalling grub solved the issue

Offline

#4 2020-09-01 19:08:03

d9a
Member
Registered: 2020-09-01
Posts: 1

Re: [solved] grub cryptdisk unlock via keyfile not working

Hello. I'm having this exact issue. Can you be more specific about what's in /etc/default/grub that's "essential"? I don't know what to remove to remove the duplicate cryptomount step. Thank you!

Offline

Board footer

Powered by FluxBB