You are not logged in.
My system is currently setup like the following:
- two luks encrypted partitions, one for / and one for swap. Both are setup to prompt for a password when the tpm fails.
- systemd-boot with the following in my loader entry:
options rd.luks.name=9b1565e5-abe1-4ba2-bf66-33588a99dd5d=cryptroot rd.luks.name=d66b1c60-620c-48dd-baa3-15c283e9d801=cryptswap rd.luks.options=tpm2-device=auto,tpm2-pin=yes root=/dev/mapper/cryptroot resume=/dev/mapper/cryptswap rw- My /etc/fstab contains the following:
/dev/mapper/cryptroot / ext4 rw,relatime 0 1
/dev/mapper/cryptswap none swap defaults 0 0Usually everything works fine with this setup. That means, my laptop starts, decrypts the partitions with the tpm-backed keys and bootsup just fine.
But when tpm authentication is broken (usually because of a broken kernel or broken systemd, but thats another topic), the system asks me for my password. I quickly enter the password but it usually takes me quite a few tries to get it correct. But after complaining for a few tries, the system usually boots up just fine.
But then, last time, I entered the password for the root partition correctly and systemd did not try to decrypt the swap partition with the same password (probably because it already failed 3 or so times in doing that). The system booted up just fine, I logged into my WM and only then remembered that I actually had some state hibernated into the swap partition. I figured that that might cause issues with the filesystem and quickly turned off the system, but found that data corruption was already going on. It seems like syncthing did some weird stuff and overwrote some files, but due to backups and stuff tracked in git nothing bad happened.
Now I want to protect against something like this ever happening again. I would say the best solution here would be to just make sure that the swap partition is always mounted when I boot up my system, so make bootup fail when no swap is mounted. But how do I achieve that? Is my configuration broken, so that this issue should have never happened in the first place?
(I only found nofail in the manpages, but that's exactly the oppossite of what I want)
Last edited by fabianthomas (2023-12-25 18:25:04)
Offline
i would recommend LVM on LUKS, that way both partitions will always be unlocked together.
Offline
would adding option to swap line help:
/dev/mapper/cryptswap none swap defaults, x-systemd.device-timeout=0 0 0
Offline
I dont know if it is the same issue that is affecting you, but systemd release 255 is not auto unlocking my encrypted luks2 swap partition, but all my other encrypted partitions works just fine.
I am using hooks systemd, sd-vconsole and sd-encrypt on /etc/mkinicpio.conf, and so the system will unlock my partitions with /etc/crypttab.
Within it I just have something like
storage UUID=abcdefg
So when it opens the partition, it will be called storage in the mapper, /dev/mapper/storage. After that my partitions are mounted trough fstab as usual. Except root that automounts, because systemd hook will automount the root partition ID root x86-64. (Discoverable Partition Specification).
I am just explaining this because you can autounlock all your partitions if they have the same password like this without using LVM.
Oh, about systemd not autounlocking my swap partition, he also requests the UUID of the luks2 opened swap UUID, and as a workaround I made a new non encrypted swap with mkswap -U so that I could provide the UUID it wants until they fix it. (if it is a systemd bug).
Last edited by Soultrigger (2023-12-18 17:16:36)
Offline
would adding option to swap line help:
/dev/mapper/cryptswap none swap defaults, x-systemd.device-timeout=0 0 0
Yes, I think that this is what I need. Thank you @GeneArch!
Additionally, I found https://bbs.archlinux.org/viewtopic.php … 3#p1747773 which links to https://wiki.archlinux.org/title/Dm-cry … on#Timeout. The solution that is proposed there is to disable the timeout of pw entry (and to allow infinite tries). It seems like this is even more what I want. In the end I'm not even sure what exactly happened in my case, maybe it was the timeout that occured and not the tries. So now I have the following in my systemd-boot entry.conf:
options ... rd.luks.options=...,timeout=0,tries=0 ...
Depending on your configuration you might need to use both (fstab and luks options) or only one.
Offline