This afternoon I followed the Arch Wiki and successfully set up a full disk plain dm-crypt encryption in a VM. I chose to have a passphrase over a keyfile, because I will implement this later on my laptop (and I don't want it to auto-boot). The boot partition is on a separate drive, as suggested by the Wiki. I am using GRUB.
I chose a strong passphrase made up of random characters, therefore there is a high chance I will accidentally mistype sometime. I noticed that if I enter the wrong passphrase, the decryption will fail (duh) and then an error message is displayed:
ERROR: device '/dev/mapper/vg-root' not found. Skipping fsck.
:: mounting '/dev/mapper/vg-root' on real root
mount: /new_root: no filesystem type specified.
From there, it does a fallback to an emergency shell. At this point I can't see any possibility to re-enter the passphrase without just rebooting.
Is there a way to retry after a failed passphrase attempt without the need to reboot? I admit I don't really understand "who" asks me for a passphrase here and attempts the decryption. dm-crypt itself?
Because of this, I don't know where to look for the feature I want.
Any help would be appreciated.
Last edited by eearcher (2021-04-08 20:08:45)
Your initramfs houses the software used to collect the passphrase that you type, and then uses that passphrase with dm-crypt to decrypt your disk. I had a similar frustration when using the passphrase prompt supplied by mkinitcpio (I think it's whatever gets pulled in when adding the encrypt hook to mkinitcpio.conf), and while I never figured out how to fix things in mkinitcpio, I found that the "crypt" module for dracut allows for multiple tries. My file in /etc/dracut.conf.d/custom.conf looks like:
add_dracutmodules+=" crypt "
Of course, that would require you to switch from mkinitcpio to dracut, which may be more than you had in mind. I haven't looked into mkinitcpio's encrypt implementation; maybe that's accessible?
Which initramfs hook are you using to handle encryption?
By default, cryptsetup should ask 3 times.
I would suggest using an easier to type password. Hard to type passwords are not necessarily strong and vice versa...
Thanks for the replies.
I am using the encrypt hook. Where did you get that information that cryptsetup asks 3 times?
Changing the password and using dracut are possibilities if all else fails for me, but thanks anyways.
I took a look at /usr/lib/initcpio/hooks/encrypt:
# Ask for a passphrase
if [ ${dopassphrase} -gt 0 ]; then
    echo ""
    echo "A password is required to access the ${cryptname} volume:"

    # loop until we get a real password
    # (LUKS checks the passphrase against its header, so a failed open means a wrong passphrase)
    while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
        sleep 2;
    done
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
        export root="/dev/mapper/root"
    fi
else
    err "Password succeeded, but ${cryptname} creation failed, aborting..."
    return 1
fi
As it seems, you get multiple passphrase attempts when using LUKS. But since I use plain dm-crypt, I have to go further down in the file:
msg "Non-LUKS encrypted device found..."
# crypto= must have exactly five colon-separated fields
if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
    err "Non-LUKS decryption not attempted..."
    return 1
fi
exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
$crypto
EOF
[ -n "$c_hash" ] && exe="$exe --hash '$c_hash'"
[ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'"
[ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
[ -n "$c_offset" ] && exe="$exe --offset '$c_offset'"
[ -n "$c_skip" ] && exe="$exe --skip '$c_skip'"
if [ -f "$ckeyfile" ]; then
    exe="$exe --key-file $ckeyfile"
else
    echo ""
    echo "A password is required to access the ${cryptname} volume:"
fi
# single attempt, no retry loop here
eval "$exe $CSQUIET"
if [ $? -ne 0 ]; then
    err "Non-LUKS device decryption failed. verify format: "
    err " crypto=hash:cipher:keysize:offset:skip"
    return 1
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
        export root="/dev/mapper/root"
    fi
else
    err "Password succeeded, but ${cryptname} creation failed, aborting..."
    return 1
fi
So there is no loop or anything in the encrypt hook to enable multiple passphrase attempts. If I read this script correctly, after "A password is required..." the command "cryptsetup open --type plain ..." gets executed. From this I conclude that cryptsetup only asks for the passphrase once.
I guess I will try to investigate a bit further, and if I fail, maybe just use LUKS.
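An added example (not code from the encrypt hook or from anyone in this thread): a bounded retry loop for the plain branch. Unlike LUKS, plain mode has no header to check against, so "cryptsetup open --type plain" accepts any passphrase and a typo only surfaces later as a mapping with no recognisable filesystem or LVM signature, consistent with the mount errors quoted above; the loop therefore probes the mapping after each open and closes it before asking again. It assumes blkid is available in the initramfs image, and the names open_plain_with_retries, probe_mapping, CRYPTSETUP, PROBE and RETRY_DELAY are hypothetical helpers of mine.

```shell
#!/bin/sh
# Hypothetical retry helper for plain dm-crypt in an initramfs hook.
# cryptsetup cannot verify a plain-mode passphrase, so success is judged by
# probing the resulting mapping, not by cryptsetup's exit status.
# CRYPTSETUP, PROBE and RETRY_DELAY can be overridden (the test below does).
: "${CRYPTSETUP:=cryptsetup}"
: "${PROBE:=probe_mapping}"
: "${RETRY_DELAY:=2}"

# Default probe: blkid reports a TYPE (ext4, LVM2_member, ...) only when it
# recognises something; the garbage produced by a wrong passphrase has none
# and blkid then exits non-zero. Assumes blkid was added to the image.
probe_mapping() {
    blkid -o value -s TYPE "/dev/mapper/$1" >/dev/null 2>&1
}

# open_plain_with_retries NAME DEVICE MAX_TRIES [extra cryptsetup args...]
# Returns 0 once the mapping probes cleanly, 1 after MAX_TRIES failures so the
# caller can fall through to its usual error path.
open_plain_with_retries() {
    name=$1; device=$2; max=$3; shift 3
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        echo "A password is required to access the ${name} volume (try ${attempt}/${max}):"
        if "$CRYPTSETUP" open --type plain "$device" "$name" "$@" && "$PROBE" "$name"; then
            return 0
        fi
        # Wrong passphrase: tear down the bogus mapping before prompting again.
        "$CRYPTSETUP" close "$name" 2>/dev/null || true
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
    echo "No recognisable data on ${name} after ${max} attempts" >&2
    return 1
}
```

Dropping this into the hook would also need the probe tool added via add_binary in the hook's install script, otherwise the probe fails on every attempt.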