Hello.
I am trying a new install and can't get the kernel to load the keyfile or to ask for password either.
I have tried to put the keyfile on an unencrypted /boot, on an unencrypted usb, on a luks1 /boot, on a luks2 /boot; on ext4 and xfs. Also tried adding the keyfile to the init.
I have successfully tested decryption with the keyfile.
For /dev/mapper/boot (/boot): cryptsetup luksFormat /dev/sda2 -v --type luks1 -c aes-xts-plain64 -h sha512 --key-size 512 --label boot #also tried different options
For /dev/mapper/system (/): cryptsetup luksFormat /dev/sda3 -v --type luks2 -c aes-xts-plain64 -h sha512 --key-size 512 --label system #also tried different options
For keyfile: dd if=/dev/urandom of=/crypto_keyfile.bin bs=1024 count=4 iflag=fullblock
(UUID and device ID have been obscured)
What I see on boot:
:: running early hook [udev]
Starting version 248
:: running hook [udev]
:: Triggering uevents...
:: running hook [consolefont]
:: Loading console font...done.
:: running hook [encrypt]
Waiting 10 seconds for device /dev/disk/by-id/ata-BRAND-123456789-part2 ...
Waiting 10 seconds for device /dev/disk/by-uuid/5bd20ca9-e31d-454a-b1fa-2523abd126be ...
Waiting 10 seconds for device /dev/disk/by-uuid/5bd20ca9-e31d-454a-b1fa-2523abd126be ...
ERROR: device 'UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be' not found skipping fsck
:: mounting 'UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be' on real root
mount: /new_root: Can't find UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be.
You are now being dropped into an emergency shell
sh: Can't access tty: job control turned off
[rootfs ]# ls -a
. VERSION config etc
.. bin consolefont.psfu hooks
.ash_history buildconfig dev init

partitions (gpt)
Number Start End Size File system Name Flags
1 1049kB 3146kB 2097kB bios_grub bios_grub
2 3146kB 1077MB 1074MB boot
3 1077MB 500GB 499GB system

/etc/mkinitcpio.conf
MODULES=(xfs ext4 amdgpu radeon)
BINARIES=()
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect keyboard consolefont modconf block encrypt filesystems fsck)
COMPRESSION="cat"

/etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="verbose escalator=cfq "
GRUB_CMDLINE_LINUX=" cryptdevice=/dev/disk/by-id/ata-luks2-device-part3:system cryptkey=/dev/disk/by-id/ata-luks1-device-part2:/crypto_keyfile.bin "
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
GRUB_ENABLE_CRYPTODISK=y
GRUB_TERMINAL_INPUT=console
GRUB_GFXMODE=auto
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_DISABLE_LINUX_UUID=false
GRUB_DISABLE_RECOVERY=true
GRUB_COLOR_NORMAL="white/black"
GRUB_COLOR_HIGHLIGHT="cyan/black"
GRUB_SAVEDEFAULT="true"
# I have also tried
cryptdevice=/dev/disk/usb-unencrypted-partition:ext4:/crypto_keyfile.bin
rootfs:/crypto_keyfile.bin

/etc/crypttab
boot /dev/disk/by-id/ata-luks1-device-part2 /crypto_keyfile.bin
system /dev/disk/by-id/ata-luks2-device-part3 /crypto_keyfile.bin # UUID=5bd20ca9-e31d-454a-b1fa-2523abd126be
#I have also tried commenting out the system entry and using plain and luks options

/etc/fstab
/dev/mapper/system / xfs rw,relatime,attr2,inode64,noquota 0 1
---
I have reviewed the following articles and a few more:
https://wiki.archlinux.org/index.php/GRUB
https://wiki.archlinux.org/index.php/Dm … figuration
https://wiki.archlinux.org/index.php/Dm … ire_system
Last edited by sipak (2019-02-21 01:52:48)
A problem to do what everybody else does without questioning. A danger to go against the way things are just because. Too much or too little, ivory towers of perfection or functional mess... Balance is what this world needs. Selective, not the middle ground. Objectivity and idealism, but within a pragmatic scope. - Minimalism is achieved through efficiency, not deficiency.
Please edit your post and use [ code ] tags when posting output (not quote tags).
GRUB_CMDLINE_LINUX=" crypdevice=/dev/disk/by-id/ata-luks2-device-part3:system
Is this a typo? Should it be "cryptdevice"?
Yes, thank you. Corrected.
The typo was in my post, not in the original system file.
Last edited by sipak (2019-02-03 15:06:35)
afaik LUKS 1 does not have labels, what does it show in cryptsetup luksDump?
I'm not entirely sure if /dev/disk/by-id works at the initramfs stage, just go with the LUKS-UUID. If you built the /crypto_keyfile.bin into your initramfs (FILES) you should not need the cryptkey parameter at all.
In the initramfs shell, try:
cat /proc/cmdline # boot parameters
cat /proc/partitions # available devices
ls -l /crypto_keyfile.bin # keyfile status
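The points raised in the replies above (a misspelled parameter, the by-id path, and whether cryptkey= is needed once the keyfile is in FILES) can be checked mechanically; the following is an added shell example, not part of the thread. It assumes the encrypt hook's documented cryptkey= forms (device:fstype:path, device:offset:size, rootfs:path) and its default keyfile /crypto_keyfile.bin; check_cmdline and its finding tags are hypothetical names.

```shell
#!/bin/sh
# Added example: lint encrypt-hook boot parameters. Sample values are
# constructed from the placeholders used in the thread; the finding tags
# (TYPO, BYID, ...) are names made up for this sketch.

# check_cmdline CMDLINE FILES -> prints one finding per line
check_cmdline() (
    set -f                                  # no globbing while word-splitting
    cmdline=$1; files=$2; dev=""; key=""
    for arg in $cmdline; do
        case $arg in
            cryptdevice=*) dev=${arg#cryptdevice=} ;;
            cryptkey=*)    key=${arg#cryptkey=} ;;
            cryp*device=*|cryp*key=*)
                echo "TYPO ${arg%%=*} looks like a misspelled cryptdevice/cryptkey" ;;
        esac
    done
    [ -n "$dev" ] || echo "NODEV no cryptdevice= found, nothing gets unlocked"
    case $dev in
        /dev/disk/by-id/*) echo "BYID by-id path; the reply suggests UUID=<LUKS-UUID>" ;;
    esac
    # Is the hook's default keyfile embedded through FILES=() ?
    case " $files " in
        *" /crypto_keyfile.bin "*) embedded=1 ;;
        *) embedded=0 ;;
    esac
    IFS=:; set -- $key                      # split cryptkey on ':' (subshell-local)
    if [ $# -eq 0 ] && [ "$embedded" -eq 1 ]; then
        echo "OK no cryptkey= needed, default keyfile is in FILES"
    elif [ $# -eq 0 ]; then
        echo "PROMPT no keyfile available, expect a passphrase prompt"
    elif [ "$1" = rootfs ]; then
        [ $# -eq 2 ] || echo "FORMAT expected cryptkey=rootfs:<path>"
        case " $files " in
            *" $2 "*) ;;
            *) echo "MISSING $2 is not listed in FILES" ;;
        esac
    else
        [ $# -eq 3 ] || echo "FORMAT expected device:fstype:path or device:offset:size, got $# field(s)"
        [ "$embedded" -eq 0 ] || echo "REDUNDANT keyfile is already in FILES, cryptkey= can go"
    fi
    exit 0
)

# Constructed sample mirroring the GRUB_CMDLINE_LINUX and FILES lines above.
SAMPLE_CMDLINE="cryptdevice=/dev/disk/by-id/ata-luks2-device-part3:system cryptkey=/dev/disk/by-id/ata-luks1-device-part2:/crypto_keyfile.bin"
SAMPLE_FILES="/crypto_keyfile.bin"
check_cmdline "$SAMPLE_CMDLINE" "$SAMPLE_FILES"
```

Run against the contents of /proc/cmdline from the emergency shell's host system, it flags the two-field cryptkey= value from the posted GRUB configuration as malformed.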
OK so... I've no idea what happened. Tried several times from scratch without luck. Left it, tried again yesterday and now everything works. I don't think I did something different really so I guess I was missing something totally silly ¯\_(ツ)_/¯
Thanks for checking. I am closing this