
#1 2013-08-10 23:52:56

coolazura
Member
Registered: 2013-08-10
Posts: 6

cryptsetup partition encryption issues

So, I am attempting to make a very secure Arch install on a 16 GB USB drive, using a 4 GB USB drive for /boot and keys.

Setup:
16 GB:
- Holds 2 encrypted partitions
-- / and /var
- /var is 5 GB and / is 10 GB
- mounts to /dev/mapper/eroot and /dev/mapper/evar when opened with LUKS.

4 GB:
- Holds 3 non-encrypted partitions
- /boot
- keys - mounts to /crypt
- data -- does not automount

I used the Beginner's Guide installation and used "Encrypt partitions with LUKS and keyfiles on USB + swap suspend-to-disk" as a basis for my install up to step 11.
I seem to have run into a roadblock at this point: after figuring out how to get my root partition mounted at boot, my system doesn't know how to mount the /var partition and tells me /var/log/****.log does not exist.
After searching the forum and using Google for the past 5 hours I have made some slight headway into figuring out how to get systemd to load encrypted partitions with systemd-cryptsetup-generator and moving the unit file to /etc/systemd/system.

However, this didn't seem to help.
If anyone would be so kind as to give me some pointers on what I need to do now, I would appreciate it.

Here is my fstab and crypttab.

fstab:

#
# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# /dev/mapper/eroot
UUID=2df86bd3-9e8d-4d75-aa2d-fa970c5aec96       /               ext4            rw,noatime,data=ordered                                                                                 0 1

# /dev/mapper/evar  # attempted using this instead of the UUID and changed nothing
UUID=5af86d6d-95f9-4c6b-948d-080ec462a104       /var            f2fs            rw,noatime,background_gc_on,user_xattr,acl,active_logs=6                                                0 0

# /dev/sdd2
UUID=863D-92CB                                  /boot           vfat            rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro    0 2

# /tmp
tmpfs                                           /tmp            tmpfs           nodev                                                                                                   0 0

# /dev/sdd3  --- Key Files
UUID=6d12388e-843a-4a93-8770-75ba947a6508       /crypt          ext2            ro                                                                                                      0 1

crypttab

# crypttab: mappings for encrypted partitions
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Arch specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

evar    /dev/disk/by-uuid/7bf07cb3-5932-4db5-af0f-fa4927d91dc1 /crypt/keys/var.key

and here is the unit file that was created by systemd-cryptsetup-generator, systemd-cryptsetup@evar.service:

# Automatically generated by systemd-cryptsetup-generator

[Unit]
Description=Cryptography Setup for %I
Documentation=man:systemd-cryptsetup@.service(8) man:crypttab(5)
SourcePath=/etc/crypttab
Conflicts=umount.target
DefaultDependencies=no
BindsTo=dev-mapper-%i.device
After=systemd-readahead-collect.service systemd-readahead-replay.service
Before=cryptsetup.target
RequiresMountsFor=/crypt/keys/var.key
BindsTo=dev-disk-by\x2duuid-7bf07cb3\x2d5932\x2d4db5\x2daf0f\x2dfa4927d91dc1.device
After=dev-disk-by\x2duuid-7bf07cb3\x2d5932\x2d4db5\x2daf0f\x2dfa4927d91dc1.device
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'evar' '/dev/disk/by-uuid/7bf07cb3-5932-4db5-af0f-fa4927d91dc1' '/crypt/keys/var.key' ''
ExecStop=/usr/lib/systemd/systemd-cryptsetup detach 'evar'

And in case this is needed, here is my grub menuentry:

menuentry 'Arch Linux, with Linux core repo kernel' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-core repo kernel-true-2df86bd3-9e8d-4d75-aa2d-fa970c5aec96' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_msdos
	insmod fat
	set root='hd3,msdos2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd3,msdos2 --hint-efi=hd3,msdos2 --hint-baremetal=ahci3,msdos2  863D-92CB
	else
	  search --no-floppy --fs-uuid --set=root 863D-92CB
	fi
	echo	'Loading Linux core repo kernel ...'
	linux	/vmlinuz-linux root=/dev/mapper/eroot rw cryptdevice=/dev/disk/by-uuid/c9732c5d-c3da-4856-a5bd-7176cd8cbe15:eroot cryptkey=/dev/disk/by-uuid/6d12388e-843a-4a93-8770-75ba947a6508:ext2:/keys/root.key quiet
	echo	'Loading initial ramdisk ...'
	initrd	/initramfs-linux.img
}

If you need anything else please let me know.

EDIT: forgot to add my mkinitcpio.conf

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES="piix ide_disk reiserfs"
MODULES="dm_mod ext2 ext4 vfat"

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=""

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=""

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS="base"
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS="base udev autodetect block filesystems"
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS="base udev block filesystems"
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS="base udev block mdadm encrypt filesystems"
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS="base udev block lvm2 filesystems"
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard shutdown"

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=""

Last edited by coolazura (2013-08-11 02:34:17)


#2 2013-08-11 11:55:00

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: cryptsetup partition encryption issues

Maybe you have to add "f2fs" to your initramfs modules, like you do for the other filesystems?


#3 2013-08-11 14:57:03

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: cryptsetup partition encryption issues

You seem confused:

- Do not copy over files created by generators unless you have very specific reasons to do so. This defeats the point of the generator.
- Get rid of the /tmp entry from /etc/fstab. This is done for you.
- You should never have more than 1 filesystem specified with a passno of '1'. This should be reserved for root if it isn't already being fsck'd by the initramfs (in which case it should be zero).

And really, why are you separating /var from root? It's a useless distinction given they're on the same physical disk.

Strike0 wrote:

Maybe you have to add "f2fs" to your initramfs modules, like you do for the other filesystems?

This doesn't make sense. He isn't trying to mount /var from the initramfs.

Last edited by falconindy (2013-08-11 14:59:12)
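As an added example (not part of this thread and not Arch or systemd tooling), here is a small POSIX shell lint that checks an fstab/crypttab pair for the points raised in the reply above: more than one filesystem with a passno of 1, a hand-written /tmp tmpfs line, and, since the generated unit carries RequiresMountsFor= on the key file, a crypttab key whose path is not under any mount point listed in fstab. The sample files are trimmed copies of the fstab and crypttab from post #1 plus a variant with the fixes applied; the function names lint_crypt_layout, fstab_has_mount, write_samples and demo_findings are my own.

```shell
#!/bin/sh
# Added example, not from the thread: lint an /etc/fstab + /etc/crypttab pair.
# Usage: lint_crypt_layout FSTAB CRYPTTAB  -> prints findings, empty if clean.

# fstab_has_mount FSTAB DIR: true if DIR appears as the <dir> field of an
# active (non-comment, non-blank) fstab line.
fstab_has_mount() {
    awk -v m="$2" '!/^[[:space:]]*(#|$)/ && $2 == m { ok = 1 } END { exit !ok }' "$1"
}

lint_crypt_layout() {
    fstab=$1 crypttab=$2 findings=""

    # 1. Only root should carry <pass> 1 (and only when the initramfs does not
    #    already fsck it); everything else should be 2 or 0.
    pass1=$(awk '!/^[[:space:]]*(#|$)/ && $6 == 1 { n++ } END { print n + 0 }' "$fstab")
    if [ "$pass1" -gt 1 ]; then findings="$findings multiple-passno-1"; fi

    # 2. A tmpfs on /tmp in fstab duplicates systemd's own tmp.mount.
    if awk '!/^[[:space:]]*(#|$)/ && $2 == "/tmp" && $3 == "tmpfs" { hit = 1 } END { exit !hit }' "$fstab"; then
        findings="$findings redundant-tmp-tmpfs"
    fi

    # 3. For each key file, walk the path upwards until a directory that fstab
    #    mounts is found; if none is, the generated unit can never start.
    while read -r name dev key opts; do
        case $name in '' | \#*) continue ;; esac
        case $key in '' | none | -) continue ;; esac
        mp=$key found=0
        while :; do
            mp=$(dirname "$mp")
            if fstab_has_mount "$fstab" "$mp"; then found=1; break; fi
            if [ "$mp" = "/" ]; then break; fi
        done
        if [ "$found" -eq 0 ]; then findings="$findings key-not-on-fstab-mount:$name"; fi
    done < "$crypttab"

    printf '%s\n' "${findings# }"
}

# Constructed sample inputs: the layout from post #1 (trimmed), and the same
# layout with the fixes from reply #3 applied (/tmp dropped, /crypt passno 2).
write_samples() {
    dir=$1
    cat > "$dir/crypttab" <<'EOF'
evar    /dev/disk/by-uuid/7bf07cb3-5932-4db5-af0f-fa4927d91dc1 /crypt/keys/var.key
EOF
    cat > "$dir/fstab.orig" <<'EOF'
UUID=2df86bd3-9e8d-4d75-aa2d-fa970c5aec96 /      ext4  rw,noatime  0 1
UUID=5af86d6d-95f9-4c6b-948d-080ec462a104 /var   f2fs  rw,noatime  0 0
UUID=863D-92CB                            /boot  vfat  rw,relatime 0 2
tmpfs                                     /tmp   tmpfs nodev       0 0
UUID=6d12388e-843a-4a93-8770-75ba947a6508 /crypt ext2  ro          0 1
EOF
    cat > "$dir/fstab.fixed" <<'EOF'
UUID=2df86bd3-9e8d-4d75-aa2d-fa970c5aec96 /      ext4  rw,noatime  0 1
UUID=5af86d6d-95f9-4c6b-948d-080ec462a104 /var   f2fs  rw,noatime  0 0
UUID=863D-92CB                            /boot  vfat  rw,relatime 0 2
UUID=6d12388e-843a-4a93-8770-75ba947a6508 /crypt ext2  ro          0 2
EOF
}

# demo_findings orig|fixed: run the lint on one of the sample layouts.
demo_findings() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    lint_crypt_layout "$tmp/fstab.$1" "$tmp/crypttab"
    rm -rf "$tmp"
}

demo_findings orig    # multiple-passno-1 redundant-tmp-tmpfs
demo_findings fixed   # (no output)
```

Run it against the real files with `lint_crypt_layout /etc/fstab /etc/crypttab`; the third check is the one that matters for a key kept on a separate stick, because a typo in the key path or a missing /crypt line in fstab leaves systemd waiting on a mount that never comes.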


#4 2013-08-11 15:21:05

coolazura
Member
Registered: 2013-08-10
Posts: 6

Re: cryptsetup partition encryption issues

falconindy wrote:

You seem confused:

- Do not copy over files created by generators unless you have very specific reasons to do so. This defeats the point of the generator.
- Get rid of the /tmp entry from /etc/fstab. This is done for you.
- You should never have more than 1 filesystem specified with a passno of '1'. This should be reserved for root if it isn't already being fsck'd by the initramfs (in which case it should be zero).

And really, why are you separating /var from root? It's a useless distinction given they're on the same physical disk.

Strike0 wrote:

Maybe you have to add "f2fs" to your initramfs modules, like you do for the other filesystems?

This doesn't make sense. He isn't trying to mount /var from the initramfs.


Thanks for the reply Strike0 and falconindy.

falcon, I am confused.
- I copied the files created by the generator because they were originally created in /tmp, and I was following the answers in "How do I configured systemd to activate an encrypted swap file". This question was specifically for an encrypted swap, and I figured that it should work for an encrypted partition.
I moved them from /tmp because I thought /tmp disappeared after restarting. Am I wrong?
- I'll remove the /tmp entry and fix the boot orders; I didn't originally have this specified in fstab, but I saw another person had it specified.

I'm separating /var from root because this is all on a usb drive and I know /var gets written/read very often for log files and I wanted to have F2FS for the file system to help things along. I figured this would help my system be a little faster, but if I'm wrong I'll remove it.


#5 2013-08-11 20:01:42

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: cryptsetup partition encryption issues

I doubt that the generator files were in /tmp. It's far more likely that they were in /run/systemd/generator.

If you want to use f2fs, that's fine (though I don't necessarily think f2fs is intended for your use case). Just make the whole partition f2fs.

Last edited by falconindy (2013-08-11 20:05:47)


#6 2013-08-12 00:49:09

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: cryptsetup partition encryption issues

Do you happen to know if the fsck for f2fs is there yet (including repair)? If not, that would be another reason not to use it for root already.


#7 2013-08-12 00:52:04

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: cryptsetup partition encryption issues

How is that a valid reason not to use a filesystem? ZFS is heavily in use and features no fsck tool. btrfs has no "real" fsck either and yet it remains popular. Mind you, there's reasons that fsck isn't really necessary for these filesystems under normal circumstances (they ensure consistency via their CoW design).

FWIW, f2fs has an offline fsck implemented.

Last edited by falconindy (2013-08-12 00:53:00)


#8 2013-08-12 01:03:28

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: cryptsetup partition encryption issues

Yes, ok, I guess such design features mitigate an fsck somewhat. Besides, with flash memory something like a power loss is not that grave. Still, they seem to want it (just googled this, first sentence; so it'll come eventually):


#9 2013-08-12 02:06:45

coolazura
Member
Registered: 2013-08-10
Posts: 6

Re: cryptsetup partition encryption issues

So I attempted removing the encrypted evar partition by just cp'ing everything in it to a temp location, unmounting it and moving the temp location back to /var, and now my system still does the exact same thing. It just sits at boot after mounting root (says it's clean with ### / ### blocks/files).


#10 2013-08-12 02:16:06

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: cryptsetup partition encryption issues

coolazura wrote:

my system still does the exact same thing. Just sits at boot after mounting root (says it's clean with ### / ### blocks/files)

Uhh, that's nothing at all like what you describe in your original post. Did you neglect to remove the /var entries from /etc/crypttab and /etc/fstab?

Last edited by falconindy (2013-08-12 02:16:31)


#11 2013-08-13 17:22:20

coolazura
Member
Registered: 2013-08-10
Posts: 6

Re: cryptsetup partition encryption issues

Yes, I removed them :-/

Well, I think I'm just going to reinstall and use F2FS for the whole partition and not do separate partitions. I got an install like that to work on my laptop. Thanks for the help with this, falconindy and Strike0.
