Hello.
I am trying a new install and can't get the kernel to load the keyfile or to ask for password either.
I have tried to put the keyfile on an unencrypted /boot, on an unencrypted usb, on a luks1 /boot, on a luks2 /boot; on ext4 and xfs. Also tried adding the keyfile to the init.
I have successfully tested decryption with the keyfile.
For /dev/mapper/boot (/boot): cryptsetup luksFormat /dev/sda2 -v --type luks1 -c aes-xts-plain64 -h sha512 --key-size 512 --label boot #also tried different options
For /dev/mapper/system (/): cryptsetup luksFormat /dev/sda3 -v --type luks2 -c aes-xts-plain64 -h sha512 --key-size 512 --label system #also tried different options
For keyfile: dd if=/dev/urandom of=/crypto_keyfile.bin bs=1024 count=4 iflag=fullblock
(UUID and device ID have been obscured)
What I see on boot:
:: running early hook [udev]
Starting version 248
:: running hook [udev]
:: Triggering uevents...
:: running hook [consolefont]
:: Loading console font...done.
:: running hook [encrypt]
Waiting 10 seconds for device /dev/disk/by-id/ata-BRAND-123456789-part2 ...
Waiting 10 seconds for device /dev/disk/by-uuid/5bd20ca9-e31d-454a-b1fa-2523abd126be ...
Waiting 10 seconds for device /dev/disk/by-uuid/5bd20ca9-e31d-454a-b1fa-2523abd126be ...
ERROR: device 'UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be' not found skipping fsck
:: mounting 'UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be' on real root
mount: /new_root: Can't find UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be.
You are now being dropped into an emergency shell
sh: Can't access tty: job control turned off
[rootfs ]# ls -a
. VERSION config etc
.. bin consolefont.psfu hooks
.ash_history buildconfig dev init
partitions (gpt)
Number Start End Size File system Name Flags
1 1049kB 3146kB 2097kB bios_grub bios_grub
2 3146kB 1077MB 1074MB boot
3 1077MB 500GB 499GB system
/etc/mkinitcpio.conf
MODULES=(xfs ext4 amdgpu radeon)
BINARIES=()
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect keyboard consolefont modconf block encrypt filesystems fsck)
COMPRESSION="cat"
/etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="verbose escalator=cfq "
GRUB_CMDLINE_LINUX=" cryptdevice=/dev/disk/by-id/ata-luks2-device-part3:system cryptkey=/dev/disk/by-id/ata-luks1-device-part2:/crypto_keyfile.bin "
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
GRUB_ENABLE_CRYPTODISK=y
GRUB_TERMINAL_INPUT=console
GRUB_GFXMODE=auto
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_DISABLE_LINUX_UUID=false
GRUB_DISABLE_RECOVERY=true
GRUB_COLOR_NORMAL="white/black"
GRUB_COLOR_HIGHLIGHT="cyan/black"
GRUB_SAVEDEFAULT="true"
# I have also tried
cryptdevice=/dev/disk/usb-unencrypted-partition:ext4:/crypto_keyfile.bin
rootfs:/crypto_keyfile.bin
/etc/crypttab
boot /dev/disk/by-id/ata-luks1-device-part2 /crypto_keyfile.bin
system /dev/disk/by-id/ata-luks2-device-part3 /crypto_keyfile.bin # UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be
# I have also tried commenting out the system entry and using plain and luks options
/etc/fstab
/dev/mapper/system / xfs rw,relatime,attr2,inode64,noquota 0 1
---
I have reviewed the following articles and a few more:
https://wiki.archlinux.org/index.php/GRUB
https://wiki.archlinux.org/index.php/Dm … figuration
https://wiki.archlinux.org/index.php/Dm … ire_system
Last edited by sipak (2019-02-21 01:52:48)
Please edit your post and use [ code ] tags when posting output (not quote tags).
GRUB_CMDLINE_LINUX=" crypdevice=/dev/disk/by-id/ata-luks2-device-part3:system
Is this a typo? Should it be "cryptdevice" ?
Yes, thank you. Corrected.
The typo was in my post, not in the original system file.
Last edited by sipak (2019-02-03 15:06:35)
afaik LUKS 1 does not have labels, what does it show in cryptsetup luksDump?
I'm not entirely sure if /dev/disk/by-id works in the initramfs stage, just go with the LUKS UUID. If you built the /crypto_keyfile.bin into your initramfs (FILES) you should not need the cryptkey parameter at all.
In the initramfs shell, try:
cat /proc/cmdline # boot parameters
cat /proc/partitions # available devices
ls -l /crypto_keyfile.bin # keyfile status
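An added check, written for this thread and not part of mkinitcpio or the encrypt hook, that splits cryptdevice= and cryptkey= on ':' the way the hook reads them (the formats are those documented on the linked dm-crypt wiki page and are assumed here, not copied from the hook). Run on the GRUB_CMDLINE_LINUX from the first post it reports the cryptkey value as malformed: it has two colon-separated fields, while the documented forms are device:fstype:path, device:offset:size or rootfs:path.

```shell
# Added sanity check for the encrypt hook's kernel parameters (not mkinitcpio's code).
# Assumed formats, each split on ':' the way the hook reads them:
#   cryptdevice=<device>:<name>[:<options>]
#   cryptkey=rootfs:<path> | <device>:<fstype>:<path> | <device>:<offset>:<size>
# Without cryptkey= the hook tries /crypto_keyfile.bin inside the initramfs (FILES=), else prompts.
# Print the value of NAME= from a kernel command line string ("" if absent).
cmdline_param() {
    for word in $2; do
        case $word in "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;; esac
    done
    printf '\n'
}
# Split cryptdevice= into "device<TAB>name<TAB>options"; fail if the name is missing.
parse_cryptdevice() {
    IFS=: read -r dev name opts <<EOF
$1
EOF
    [ -n "$dev" ] && [ -n "$name" ] || return 1
    printf '%s\t%s\t%s\n' "$dev" "$name" "$opts"
}
# Classify cryptkey=: "builtin <path>", "rootfs <path>", "file <dev> <fstype> <path>",
# "raw <dev> <offset> <size>"; fail when the value fits none of the documented forms.
parse_cryptkey() {
    [ -n "$1" ] || { echo "builtin /crypto_keyfile.bin"; return 0; }
    IFS=: read -r ckdev a1 a2 <<EOF
$1
EOF
    if [ "$ckdev" = rootfs ]; then
        [ -n "$a1" ] && echo "rootfs $a1"
    elif [ -n "$a1" ] && [ -n "$a2" ]; then
        case $a1 in
            *[!0-9]*) echo "file $ckdev $a1 $a2" ;;   # non-numeric: a filesystem type
            *)        echo "raw $ckdev $a1 $a2" ;;    # numeric: byte offset and size
        esac
    else
        return 1
    fi
}
# Summarise a command line as "<mapper node>|<key source>|<root=>".
describe_boot() {
    cdv=$(cmdline_param cryptdevice "$1")
    fields=$(parse_cryptdevice "$cdv") || { echo "bad cryptdevice: '$cdv'" >&2; return 1; }
    ckv=$(cmdline_param cryptkey "$1")
    key=$(parse_cryptkey "$ckv") || { echo "bad cryptkey: '$ckv'" >&2; return 1; }
    printf '/dev/mapper/%s|%s|%s\n' "$(printf '%s\n' "$fields" | cut -f2)" "$key" "$(cmdline_param root "$1")"
}
# Constructed sample: the thread's GRUB_CMDLINE_LINUX plus the root= that GRUB appends.
SAMPLE='cryptdevice=/dev/disk/by-id/ata-luks2-device-part3:system cryptkey=/dev/disk/by-id/ata-luks1-device-part2:/crypto_keyfile.bin root=UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be rw'
describe_boot "$SAMPLE" || :   # the two-field cryptkey value is reported as malformed
```

Paste the output of `cat /proc/cmdline` from the emergency shell in place of SAMPLE to check the line the kernel actually received rather than the one in /etc/default/grub.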
OK so... I've no idea what happened. Tried several times from scratch without luck. Left it, tried again yesterday and now everything works. I don't think I did something different really so I guess I was missing something totally silly ¯\_(ツ)_/¯
Thanks for checking. I am closing this.