Hello,
I have configured my system to use an encrypted root filesystem with LUKS, using systemd-encrypt. I have a second hard drive, encrypted too, that I want to unlock using a key safely stored on the encrypted root. I am using /etc/crypttab, as the documentation says, but it doesn't work.
I checked that post: https://bbs.archlinux.org/viewtopic.php?id=219859
Here are my configuration files:
/etc/mkinitcpio.conf
MODULES="nvidia aesni_intel usbhid xhci_hcd"
BINARIES=""
FILES=""
HOOKS="base systemd autodetect modconf keyboard sd-vconsole block sd-encrypt filesystems fsck"
COMPRESSION="cat"
/etc/fstab
UUID=d9cf50bf-622f-488c-a62a-c986b799965e / btrfs rw,noatime,ssd,space_cache,subvol=archlinux 0 0
UUID=d9cf50bf-622f-488c-a62a-c986b799965e /home btrfs rw,noatime,ssd,space_cache,subvol=home 0 0
UUID=c3ba480c-995f-4ec9-9401-0c65b1069b8a /boot ext4 rw,noatime,data=ordered 0 2
UUID=9A4C-32F9 /boot/efi vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
/dev/mapper/luks_arch_data /mnt/arch.data btrfs ro,noatime,nofail 0 0
tmpfs /var/cache/pacman/pkg tmpfs rw,noatime 0 0
/etc/crypttab (chmod 600)
luks_arch_data UUID=fdfd5412-3c94-4277-bcb9-8f8dabc3ac7d /etc/luks.arch.data.key luks
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet luks.uuid=93c8cedf-ee58-4ef8-b4c9-c54b460561dc luks.name=93c8cedf-ee58-4ef8-b4c9-c54b460561dc=luks_arch_root root=/dev/mapper/luks_arch_root luks.options=timeout=120s luks.crypttab=yes"
Output from lsblk -f:
NAME FSTYPE LABEL UUID MOUNTPOINT
sda
├─sda1 ntfs Recovery 009C9E329C9E2268
├─sda2 vfat DE9E-9787
├─sda3
└─sda4 ntfs A27AB0027AAFD0F9
sdb
├─sdb1 ntfs System Reserved 96702E21702E0897
└─sdb2 ntfs 70D61F3AD61F0050
sdc crypto_LUKS fdfd5412-3c94-4277-bcb9-8f8dabc3ac7d
nvme0n1
├─nvme0n1p1 vfat 9A4C-32F9 /boot/efi
├─nvme0n1p2 ext4 c3ba480c-995f-4ec9-9401-0c65b1069b8a /boot
└─nvme0n1p3 crypto_LUKS 93c8cedf-ee58-4ef8-b4c9-c54b460561dc
└─luks_arch_root btrfs d9cf50bf-622f-488c-a62a-c986b799965e /var/lib/docker/btrfs
Path to the key file is OK and key is chmod 400.
The encrypted container is not opened at all, and this configuration worked with the "regular" udev and encrypt hooks.
Also systemd is in version 234.11-1.
What's wrong?
Thanks for your help.
Last edited by Leryan (2017-08-01 20:40:20)
Hello,
there is a bug with systemd version 234.11-1 with systemd-hooks and cryptsetup. I would suggest you downgrade to systemd 233 or you wait for 234.11-2:
See also: https://bugs.archlinux.org/task/54825
Well, I've just found a working setup:
GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.luks.uuid=93c8cedf-ee58-4ef8-b4c9-c54b460561dc rd.luks.name=93c8cedf-ee58-4ef8-b4c9-c54b460561dc=luks_arch_root root=/dev/mapper/luks_arch_root rd.luks.options=timeout=120s rd.luks.crypttab=no"
Replacing all "luks." with "rd.luks." and adding "rd.luks.crypttab=no".
@Shibumi: this issue is unrelated to the problem I have, that's why I added rd.luks.options=timeout=120s to work around it.
This is another problem, but it sounds more like a problem with the documentation on both sides (systemd, then archlinux).
Well, I've just found a working setup:
GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.luks.uuid=93c8cedf-ee58-4ef8-b4c9-c54b460561dc rd.luks.name=93c8cedf-ee58-4ef8-b4c9-c54b460561dc=luks_arch_root root=/dev/mapper/luks_arch_root rd.luks.options=timeout=120s rd.luks.crypttab=no"
Replacing all "luks." with "rd.luks." and adding "rd.luks.crypttab=no".
Well of course you need rd.luks here.. see: https://www.freedesktop.org/software/sy … rator.html
"rd.luks= is honored only by initial RAM disk (initrd) while luks= is honored by both the main system and the initrd."
I read this manpage at least four times, and when "luks= is honored by **both** the main systemd and the initrd", I don't expect luks= options to bypass /etc/crypttab when booted.
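Added example (not part of any post in this thread): a small Python model of the rule in systemd-cryptsetup-generator(8) that, once a UUID is named on the kernel command line, only those UUIDs are activated from /etc/crypttab, applied to the two command lines and the crypttab line posted above. The function names are hypothetical and the model is a simplification of the real generator (an assumption of this example).

```python
"""Simplified model (assumption) of systemd-cryptsetup-generator's crypttab filtering."""
# Values copied from the posts in this thread.
ROOT_UUID = "93c8cedf-ee58-4ef8-b4c9-c54b460561dc"
ORIGINAL = (f"quiet luks.uuid={ROOT_UUID} luks.name={ROOT_UUID}=luks_arch_root "
            "root=/dev/mapper/luks_arch_root luks.options=timeout=120s luks.crypttab=yes")
# The fix from the thread: every "luks." becomes "rd.luks.", crypttab=no for the initrd.
WORKING = ORIGINAL.replace("luks.", "rd.luks.").replace("crypttab=yes", "crypttab=no")
CRYPTTAB = ("luks_arch_data UUID=fdfd5412-3c94-4277-bcb9-8f8dabc3ac7d "
            "/etc/luks.arch.data.key luks\n")

def luks_params(cmdline, stage):
    """Yield (option, value) pairs the generator honors in `stage`."""
    # rd.luks.* is read only in the initrd; luks.* is read in both stages.
    prefixes = ("luks.", "rd.luks.") if stage == "initrd" else ("luks.",)
    for token in cmdline.split():
        key, _, value = token.partition("=")
        for prefix in prefixes:
            if key.startswith(prefix):
                yield key[len(prefix):], value

def activated(cmdline, crypttab, stage="system"):
    """Return the crypttab entry names that would be set up in `stage`."""
    use_crypttab, wanted = True, set()
    for option, value in luks_params(cmdline, stage):
        if option == "crypttab":
            use_crypttab = value.lower() in ("1", "yes", "true", "on")
        elif option in ("uuid", "name"):
            # luks.name=UUID=NAME implies luks.uuid=UUID
            wanted.add(value.split("=", 1)[0].lower())
    if not use_crypttab:
        return []
    names = []
    for line in crypttab.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        device = fields[1]
        uuid = (device[5:] if device.startswith("UUID=") else device).lower()
        # Once any UUID is named on the command line, all other entries are skipped.
        if not wanted or uuid in wanted:
            names.append(fields[0])
    return names

if __name__ == "__main__":
    for label, cmdline in (("original", ORIGINAL), ("working", WORKING)):
        print(label, "-> main system activates:", activated(cmdline, CRYPTTAB))
```

In the model, the original command line keeps the UUID list in force after switch-root, so the second drive's crypttab entry is skipped; with the rd.luks. form the main system sees no UUID list and processes every crypttab entry. In the initrd the generator reads the initramfs copy of crypttab, which this example does not distinguish from the one on the root filesystem.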