Hi all,
I'm trying to set up my system to require a passphrase AND a keyfile (aka an encrypted keyfile) to unlock my root partition.
My configuration is currently:
/boot on a USB thumb drive. There's a plain text encryption key on there as well to unlock /
/ on internal disk (encrypted)
/home on internal disk (encrypted).
When I try to set up a new luks encrypted keyfile, with mkinitcpio hook to open it, I get the following error on boot:
:: Triggering uevents
:: running hook [lukskey]
Enter passphrase for /boot/luks.key:
Attaching loopback device failed (loop device with autoclear flag is required).
Device lukskey is not active.
:: running hook [encrypt]
Keyfile could not be opened. Reverting to passphrase.
A password is required to access the cryptroot volume:
What is supposed to happen is: luks.key gets opened (with a passphrase), and attached to /dev/mapper/lukskey. The contents (the key for cryptroot) then get catted somewhere and used to unlock cryptroot. I believe it's failing to even open /boot/luks.key and assign it to /dev/mapper/lukskey ("loop device with autoclear flag is required").
Anyone have any ideas what's going on?
I was trying to follow the instructions here: https://bbs.archlinux.org/viewtopic.php?id=193451
and here: https://wiki.gentoo.org/wiki/Custom_Ini … ed_keyfile
I modified/created the following files:
/etc/initcpio/install/lukskey (Created):
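#!/bin/bash
build() {
    # Copy the LUKS-encrypted key container into the initramfs image
    add_file "/boot/luks.key"
    # Include the runtime hook from /etc/initcpio/hooks/lukskey
    add_runscript
}
help () {
    cat <<HELPEOF
LUKS-Encrypted Key
Using /boot/luks.key
HELPEOF
}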
/etc/initcpio/hooks/lukskey (created):
#!/usr/bin/ash
run_hook() {
    # Open the encrypted key container (prompts for its passphrase), then copy out the key it holds
    cryptsetup -T 5 luksOpen /boot/luks.key lukskey && cat /dev/mapper/lukskey > /boot/crypto_keyfile.bin
    cryptsetup luksClose lukskey
}
/etc/mkinitcpio.conf (modified)
HOOKS="base udev autodetect modconf block bcache lukskey encrypt filesystems keyboard fsck"
# Note the addition of "lukskey" between "bcache" and "encrypt"
Original /etc/default/grub (works):
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-uuid/yyyyyyy-yyyy-yyyyy-yyyy-yyyyyyyyyyy:cryptroot cryptkey=/dev/disk/by-uuid/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx:ext4:/keyfile"
Attempted new grub (I think things are failing before this step):
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-uuid/yyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:cryptroot cryptkey=/dev/disk/by-uuid/xxxxxx-xxxx-xxx-xxxx-xxxxxxxxxxxx:ext4:/crypto_keyfile.bin"
Last edited by LeftyAce (2018-03-15 06:18:28)
I found a solution! Apparently 2 days of googling wasn't enough, I needed 2 days plus 1 hour:
https://bbs.archlinux.org/viewtopic.php?id=208276
Bottom line, I needed to add the loop module to /etc/initcpio/install/lukskey as follows:
/etc/initcpio/install/lukskey
#!/bin/bash
build() {
    add_file "/boot/luks.key"
    add_runscript
    # cryptsetup needs the loop driver to open a file-backed LUKS container
    add_module loop
}
help () {
    cat <<HELPEOF
LUKS-Encrypted Key
Using /boot/luks.key
HELPEOF
}
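A lint for the failure in this thread, as an added example that is not part of the original posts: it flags a runtime hook that runs cryptsetup on a regular file while the install script has no `add_module loop`, and checks that the custom hook precedes `encrypt` in HOOKS. The function names, the token-based parsing heuristic and the sample files are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): lint a custom mkinitcpio hook pair.

# True if runtime hook $1 opens a path outside /dev with cryptsetup, which
# makes cryptsetup attach a loop device inside the initramfs.
hook_opens_regular_file() {
    awk '!/^[ \t]*#/ {
        cs = 0; act = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "cryptsetup") cs = 1
            else if (cs && ($i == "luksOpen" || $i == "open")) act = 1
            else if (act && $i ~ /^\//) { if ($i !~ /^\/dev\//) found = 1; act = 0 }
        }
    } END { exit !found }' "$1"
}

# True if install script $1 pulls the loop driver into the image.
install_adds_loop() {
    grep -Eq '^[[:space:]]*add_module[[:space:]]+"?loop"?([[:space:]]|$)' "$1"
}

# True if hook $2 precedes "encrypt" in HOOKS of mkinitcpio.conf $1 (subshell body).
hook_before_encrypt() (
    pos=0; mine=0; enc=0
    for h in $(sed -n 's/^HOOKS=["(]\(.*\)[")].*/\1/p' "$1" | tail -n 1); do
        pos=$((pos + 1))
        case $h in "$2") mine=$pos ;; encrypt) enc=$pos ;; esac
    done
    [ "$mine" -gt 0 ] && [ "$mine" -lt "$enc" ]
)

# Args: install script, runtime hook, mkinitcpio.conf, hook name.
check_hook_setup() {
    chk_rc=0
    if hook_opens_regular_file "$2" && ! install_adds_loop "$1"; then
        echo "FAIL: $2 opens a file-backed container, $1 has no 'add_module loop'"; chk_rc=1
    fi
    hook_before_encrypt "$3" "$4" || { echo "FAIL: '$4' not before 'encrypt' in $3"; chk_rc=1; }
    return "$chk_rc"
}

# Constructed sample files modelled on the thread; $2=fixed adds the loop module.
write_sample() {
    fix=''; if [ "$2" = fixed ]; then fix='    add_module loop\n'; fi
    printf "build() {\n    add_file /boot/luks.key\n    add_runscript\n${fix}}\n" > "$1/install"
    printf 'run_hook() {\n    cryptsetup -T 5 luksOpen /boot/luks.key lukskey\n}\n' > "$1/hook"
    echo 'HOOKS="base udev block bcache lukskey encrypt filesystems"' > "$1/conf"
}

if [ "$#" -eq 4 ]; then check_hook_setup "$@"; fi
```

Run it against the real files before rebuilding the image, with the install script, the runtime hook, /etc/mkinitcpio.conf and the hook name as arguments; a kernel with the loop driver built in would not need the module, so treat a FAIL as a prompt to check.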