You are not logged in.

#1 2018-10-06 16:45:45

glombus
Member
Registered: 2018-02-27
Posts: 5

[SOLVED] LUKs encrypted root with USB key file stopped working

I've used LUKS to encrypt my entire system for a long time now. I unlock / at boot via a keyfile on a USB device. This setup has worked fine for me for a while, but I recently pulled in some updates, rebooted, and my configuration is no longer working. The USB device with the keyfile is not being read at boot. The activity light is not blinking, and I see a message that the keyfile could not be read and I'm prompted to enter a password instead.

The fallback image works as expected. It's only the default/generic linux boot image that is failing.

See my configs here. (Note:  Historically I've used this Arch Wiki guide on full system encryption and this guide on keyfiles for my configuration)

# /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=1d40ff56-53b0-4d59-acf5-bf169430c5cf:cryptroot root=/dev/mapper/cryptroot cryptkey=UUID=E3E0-ACEC:vfat:/root.crypt.key"
# /etc/default/cryptdisk
CRYPTDISKS_MOUNT='/mnt/key'
# /etc/fstab
/dev/disk/by-uuid/E3E0-ACEC                     /mnt/key                vfat    ro,nofail,x-systemd.device-timeout=60           0 0
/dev/mapper/cryptroot                           /                       ext4    rw,relatime,data=ordered                        0 1
# /etc/mkinitcpio.conf
MODULES=(nls_cp437 vfat ext4)
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)

The grub-generated menu entries are identical so I don't think there's anything wrong with my GRUB config. I think this must be a problem with the image generated by mkinitcpio.

I noticed that the guide I typically follow had a couple new HOOKS that I did not. keymap, specifically. I added that and regenerated the image but no change on reboot. I still need to use the fallback. The fallback initramfs works without issue and I can see the USB activity light blinking and my keyfile is used as expected to unlock the root partition at boot.

Any thoughts on what may have changed or what I may be missing? I haven't touched my configs in ages and didn't notice any new alerts on the Arch home page that seemed relevant to me.

Thanks.

Last edited by glombus (2018-10-06 23:22:23)

Offline

#2 2018-10-06 16:53:59

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,463

Re: [SOLVED] LUKs encrypted root with USB key file stopped working

Offline

#3 2018-10-06 23:22:00

glombus
Member
Registered: 2018-02-27
Posts: 5

Re: [SOLVED] LUKs encrypted root with USB key file stopped working

That is my exact issue. Thank you for bringing it to my attention.

I was able to apply the workaround in that bug report (adding "usb_storage" to my mkinitcpio modules) and I'm all set now.

Offline

#4 2018-10-10 18:55:58

Forgotten Path
Member
Registered: 2012-02-07
Posts: 20

Re: [SOLVED] LUKs encrypted root with USB key file stopped working

I have the exact same setup.

I'm also having nearly the same issue, the only difference being that when I use my fallback image, the usb drive is still not recognized.

I have added both "usb_storage" and "uas" to my MODULES with no result (I've done this from an arch-chroot and also ran mkinitcpio to update the images).

I am using the linux-zen kernel.  Does anyone have an idea of what the problem could be?  I'm at my wits end.

*EDIT*
I've also tried the normal Arch kernel (and fallback), upgrading mkinitcpio to the new version from testing (which is supposed to contain a fix for the bug), various usb ports on my PC, and I've also verified that my keyfile is not corrupt by comparing its md5sum to a backup.

*EDIT 2*
I've also moved the keyfile to my boot partition (on an internal SATA drive), and pointed dm-crypt there with no success, so the problem seems unrelated to USB...

Last edited by Forgotten Path (2018-10-10 20:37:25)

Offline

#5 2018-10-15 10:24:57

stefan
Member
Registered: 2013-03-22
Posts: 104

Re: [SOLVED] LUKs encrypted root with USB key file stopped working

For me, the solution pointed out by Scimmia worked.  Did you run

# mkinitcpio -g /boot/initramfs-linux.img -k /boot/vmlinuz-linux

after adding the modules to `/etc/mkinitcpio.conf`?

Offline

#6 2018-10-15 15:05:46

Forgotten Path
Member
Registered: 2012-02-07
Posts: 20

Re: [SOLVED] LUKs encrypted root with USB key file stopped working

I did run

mkinitcpio -p linux-zen
mkinitcpio -p linux

which should by default point to /boot.  As a confirmation it worked, it did create initramfs-linux.img and vmlinuz-linux in /boot, neither of which previously existed.

Since the problem doesn't seem to be related to USB devices, I'll probably create a new post.  Right now I'm using a password as a workaround.  Thanks!

Offline

Board footer

Powered by FluxBB