#1 2017-10-11 14:36:42

ctrlX
Member
Registered: 2017-10-11
Posts: 2

[SOLVED] Cryptkey parameter does not seem to be picked up by encrypt..

Hi!

I am a relatively new Arch Linux user and so far all my questions and problems have been answered by reading the Wiki and/or forum. Until now... Hence this forum post.

I have successfully installed Arch Linux with encryption including boot partition according to the following documentation: https://wiki.archlinux.org/index.php/Dm … .28GRUB.29

Partition scheme:

+----------------+-----------------+----------------------+----------------------+----------------------+
| ESP partition: | Boot partition: | Volume 1:            | Volume 2:            | Volume 3:            |
|                |                 |                      |                      |                      |
| /boot/efi      | /boot           | root                 | swap                 | home                 |
| 512 MB         | 250 MB          | 150 GB               | 8 GB                 |                      |
|                |                 |                      |                      |                      |
|                |                 | /dev/mapper/vg0-root | /dev/mapper/vg0-swap | /dev/mapper/vg0-home |
| /dev/nvme0n1p1 | /dev/nvme0n1p2  +----------------------+----------------------+----------------------+
| Not encrypted  | LUKS encrypted  | /dev/nvme0n1p3 encrypted using LVM on LUKS                         |
+----------------+-----------------+--------------------------------------------------------------------+

HOOKS:

HOOKS="base udev autodetect modconf keyboard block keymap encrypt lvm2 resume filesystems fsck"

Grub configuration:

GRUB_CMDLINE_LINUX_DEFAULT="quiet ipv6.disable_ipv6=1"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:lvm resume=/dev/mapper/vg0-swap"

I have been using this setup for a couple of months and everything works great. Recently I decided to be able to pass an encryption key for my LUKS container holding my LVM (/dev/nvme0n1p3) by using a key file on a USB stick. After studying the documentation below I felt ready to test this on an Arch installation using a VirtualBox VM before implementing it on my main system.

https://wiki.archlinux.org/index.php/Dm … n#cryptkey
https://wiki.archlinux.org/index.php/Dm … he_keyfile
https://wiki.archlinux.org/index.php/Dm … on_at_boot
https://wiki.archlinux.org/index.php/Dm … mkinitcpio
https://wiki.archlinux.org/index.php/Dm … parameters

I created a GPT partition table and EFI partition on /dev/sdb. Then I created a FAT filesystem on /dev/sdb1 with the command below.

mkfs.vfat /dev/sdb1

I created a key file using the following command:

dd bs=512 count=4 if=/dev/urandom of=~/keyfile.bin

I then moved the key file to the new partition and added the key to my LUKS container.

cryptsetup luksAddKey /dev/sda3 /mnt/keyfile.bin

Please note that sda3 is used instead of nvme0n1p3 as this was first tested on a VirtualBox VM.

I added the following modules in /etc/mkinitcpio.conf:

MODULES="nls_cp437 vfat"

I modified /etc/default/grub configuration file:

GRUB_CMDLINE_LINUX_DEFAULT="quiet ipv6.disable_ipv6=1"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:lvm cryptkey=/dev/disk/by-uuid/A329-2078:vfat:/keyfile.bin resume=/dev/mapper/vg0-swap"

Lastly I generated grub and initramfs:

mkinitcpio -p linux
grub-mkconfig -o /boot/grub/grub

Unfortunately I was not able to make this work. During boot it is always asking me to type a passphrase instead. After hours of troubleshooting, searching the forum, re-reading the Arch Wiki and Google searches, I made a discovery. It does not seem that the encrypt hook is catching the cryptkey parameter in my Grub configuration file, or the other way around.

In /lib/initcpio/hooks/encrypt the first block of code is the following:

#!/usr/bin/ash

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

    # Get keyfile if specified
    ckeyfile="/crypto_keyfile.bin"
    if [ -n "$cryptkey" ]; then
        IFS=: read ckdev ckarg1 ckarg2 <<EOF
$cryptkey
EOF

So I modified it to the following and rebooted.

#!/usr/bin/ash

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

    # Get keyfile if specified
    ckeyfile="/crypto_keyfile.bin"
    if [ -n "$cryptkey" ]; then
        IFS=: read ckdev ckarg1 ckarg2 <<EOF
$cryptkey
EOF

echo "cryptkey = $cryptkey"
echo "ckdev = $ckdev"
echo "ckarg1 = $ckarg1"
echo "ckarg2 = $ckarg2"

To my big surprise the variables above were not populated with the information provided in my cryptkey parameter.

I then proceeded to change the code to the following:

#!/usr/bin/ash

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

    # Get keyfile if specified
    ckeyfile="/crypto_keyfile.bin"
    cryptkey="/dev/disk/by-uuid/A329-2078:vfat:/keyfile.bin"
    if [ -n "$cryptkey" ]; then
        IFS=: read ckdev ckarg1 ckarg2 <<EOF
$cryptkey
EOF

echo "cryptkey = $cryptkey"
echo "ckdev = $ckdev"
echo "ckarg1 = $ckarg1"
echo "ckarg2 = $ckarg2"

After re-generating initramfs and rebooting I could observe that all the variables were populated and the LUKS container could be opened using the key file on my USB stick.

I am unsure if this is a result of incorrect configuration from my part or a bug in the code of the encrypt hook or maybe even a bug in the cryptsetup package. Any help with troubleshooting/investigating this would be gratefully appreciated. Thank you in advance.

Last edited by ctrlX (2017-10-12 19:34:51)
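The hook fragment quoted above splits the cryptkey value on ":" into ckdev, ckarg1 and ckarg2, and the parameter only ever reaches it if the booted kernel command line carries it. The script below is an added example (not the encrypt hook's own code and not from the thread): it reproduces that split, classifies the value as the fstype:path form or the numeric offset:size form that the hook also accepts, and checks whether the cryptkey from GRUB_CMDLINE_LINUX actually appears in the booted command line, which is the check that exposes a stale grub.cfg. The sample command lines are constructed to mirror the post; cmdline_get, cryptkey_mode and cryptkey_in_effect are names chosen here.

```shell
#!/bin/sh
# Added example: mimic the encrypt hook's cryptkey parsing and verify that
# the parameter reached the kernel. Constructed inputs, not real system state.

# Print the value of one key=value option from a kernel command line string.
cmdline_get() {  # $1 = key, $2 = command line text
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Split a cryptkey value exactly as the hook does (IFS=: read ckdev ckarg1 ckarg2).
# A non-numeric ckarg1 means "fstype:path on a filesystem", a numeric one means
# "offset:size of raw bytes on the block device".
cryptkey_mode() {  # $1 = cryptkey value
    IFS=: read -r ckdev ckarg1 ckarg2 <<EOF
$1
EOF
    [ -n "$ckdev" ] || return 1
    case "$ckarg1" in
        *[!0-9]*) printf 'file %s %s %s\n' "$ckdev" "$ckarg1" "$ckarg2" ;;
        *)        printf 'raw %s %s %s\n'  "$ckdev" "$ckarg1" "$ckarg2" ;;
    esac
}

# Compare the cryptkey requested in /etc/default/grub with the one the kernel
# was booted with (/proc/cmdline). Returns 0 only when both are present and equal.
cryptkey_in_effect() {  # $1 = GRUB_CMDLINE_LINUX value, $2 = /proc/cmdline text
    want=$(cmdline_get cryptkey "$1") || return 1
    got=$(cmdline_get cryptkey "$2") || return 1
    [ "$want" = "$got" ]
}

# Constructed samples: the GRUB line from the post, one boot from a stale
# grub.cfg (no cryptkey) and one from a regenerated grub.cfg.
GRUB_LINE="cryptdevice=/dev/sda3:lvm cryptkey=/dev/disk/by-uuid/A329-2078:vfat:/keyfile.bin resume=/dev/mapper/vg0-swap"
BOOTED_STALE="BOOT_IMAGE=/vmlinuz-linux cryptdevice=/dev/sda3:lvm resume=/dev/mapper/vg0-swap quiet"
BOOTED_FRESH="BOOT_IMAGE=/vmlinuz-linux $GRUB_LINE quiet"

# Stand-alone demo: on a real system pass "$(cat /proc/cmdline)" as the second argument.
for booted in "$BOOTED_STALE" "$BOOTED_FRESH"; do
    if cryptkey_in_effect "$GRUB_LINE" "$booted"; then
        echo "cryptkey reached the kernel: $(cryptkey_mode "$(cmdline_get cryptkey "$booted")")"
    else
        echo "cryptkey missing from the booted command line: regenerate grub.cfg"
    fi
done
```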


#2 2017-10-12 19:34:12

ctrlX
Member
Registered: 2017-10-11
Posts: 2

Re: [SOLVED] Cryptkey parameter does not seem to be picked up by encrypt..

Solved it... Boy do I feel stupid. All this time I was executing

grub-mkconfig -o /boot/grub/grub

instead of

grub-mkconfig -o /boot/grub/grub.cfg

Marking thread as solved.
