#1 2019-09-25 21:25:37

Moviuro
Member
Registered: 2012-06-03
Posts: 73

Multiple LUKS drives; systemd, cryptsetup and more

Hi all,

I want to be able to boot my machine and get all drives decrypted and correctly mounted, including my USB device which is: my EFI boot partition, my keyfile device and my Linux /boot (I know it works, it used to work with the old cryptsetup hooks).

title   ArchLinux
# / here is the root of the EFI filesystem. /toxo is the /boot of my system; it contains the kernels, etc.
linux   /toxo/vmlinuz-linux
initrd  /toxo/intel-ucode.img
initrd  /toxo/initramfs-linux.img
options luks.uuid=8378cf26-54fb-4cc3-9125-36e311178c21 luks.options=8378cf26-54fb-4cc3-9125-36e311178c21=allow-discards rd.luks.key=8378cf26-54fb-4cc3-9125-36e311178c21=/key:UUID=F862-7316 root=UUID=66ddfdb0-47ee-4d2d-ba0e-f09f482f36fd rw i915.enable_rc6=0

After boot, my key device is mounted in /run, but I can't mount it elsewhere:

# mount
...
/dev/sdd1 on /run/systemd/cryptsetup/keydev-luks-8d132091-30a9-448d-ac0b-53136589516a type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
/dev/sdd1 on /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
...
# mount /dev/sdd1 /mnt/F862-7316
mount: /mnt/F862-7316: /dev/sdd1 already mounted on /run/systemd/cryptsetup/keydev-luks-8d132091-30a9-448d-ac0b-53136589516a.

After unmounting those, I can:

# mount /dev/sdd1 /mnt/F862-7316
# mount --bind /mnt/F862-7316/toxo /boot
# date > /boot/test

And finally, I'm in the correct setup. I can now upgrade my kernel, etc.

I wish to automate that last step and never again have to worry about unmounting and re-mounting /boot. How should I do that?

Thanks,


bspwm, BTRFS over LUKS
Archlinux a lot, FreeBSD more and more...
Murphy's rule: The day you need a backup, you tell yourself you should have created some.

#2 2019-09-25 21:55:34

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: Multiple LUKS drives; systemd, cryptsetup and more

Wouldn't something like this be possible?

mount -o remount,bind,rw /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 /boot
# Write to /boot
umount /boot

You could put it all into pacman hooks:

/etc/pacman.d/hooks/95-linux-luks-pre.hook

[Trigger]
Operation = Upgrade
Type = File
Target = boot/vmlinuz*

[Action]
Description = Remounting boot writable
When = PreTransaction
Depends = util-linux
Exec = /usr/bin/mount -o remount,bind,rw /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 /boot

/etc/pacman.d/hooks/95-linux-luks-post.hook

[Trigger]
Operation = Upgrade
Type = File
Target = boot/vmlinuz*

[Action]
Description = Removing boot mount
When = PostTransaction
Depends = util-linux
Exec = /usr/bin/umount /boot

Ofc nothing is tested, but this is the rough idea.

Last edited by Swiggles (2019-09-25 21:57:45)

#3 2019-09-25 22:03:33

Moviuro
Member
Registered: 2012-06-03
Posts: 73

Re: Multiple LUKS drives; systemd, cryptsetup and more

I want those commands to be run at boot time, yes. Launching them by hand is a catastrophe waiting to happen. The post/pre hooks, though cool, are not really the matter here: I really just want to `mount /dev/sdd1 /mnt/F862-7316`.

#4 2019-09-25 22:12:06

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: Multiple LUKS drives; systemd, cryptsetup and more

Wouldn't an entry in fstab suffice for this?
At least mount -a should perform remount operations. Could you please test this and share your fstab?

Edit: Also consider adding rd. to your other luks parameters in relation to the drive so it shouldn't interfere after boot.

Last edited by Swiggles (2019-09-25 22:13:55)

#5 2019-09-26 22:14:50

Moviuro
Member
Registered: 2012-06-03
Posts: 73

Re: Multiple LUKS drives; systemd, cryptsetup and more

% cat /proc/cmdline 
initrd=\toxo\intel-ucode.img initrd=\toxo\initramfs-linux-lts.img rd.luks.uuid=8378cf26-54fb-4cc3-9125-36e311178c21 rd.luks.options=8378cf26-54fb-4cc3-9125-36e311178c21=allow-discards rd.luks.key=8378cf26-54fb-4cc3-9125-36e311178c21=/key:UUID=F862-7316 rd.luks.uuid=8d132091-30a9-448d-ac0b-53136589516a rd.luks.key=8d132091-30a9-448d-ac0b-53136589516a=/key:UUID=F862-7316 root=UUID=66ddfdb0-47ee-4d2d-ba0e-f09f482f36fd rw i915.enable_rc6=0
# mount -o remount,bind,rw /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 /mnt/F862-7316 # try to mount the USB thumb drive to its place
mount: /mnt/F862-7316: mount point not mounted or bad option.
# mount -obind,rw /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 /mnt/F862-7316
# touch /mnt/F862-7316/foo
touch: cannot touch '/mnt/F862-7316/foo': Read-only file system
% cat /proc/cmdline 
initrd=\toxo\intel-ucode.img initrd=\toxo\initramfs-linux-lts.img luks.uuid=8378cf26-54fb-4cc3-9125-36e311178c21 luks.options=8378cf26-54fb-4cc3-9125-36e311178c21=allow-discards luks.key=8378cf26-54fb-4cc3-9125-36e311178c21=/key:UUID=F862-7316 luks.uuid=8d132091-30a9-448d-ac0b-53136589516a luks.key=8d132091-30a9-448d-ac0b-53136589516a=/key:UUID=F862-7316 root=UUID=66ddfdb0-47ee-4d2d-ba0e-f09f482f36fd rw i915.enable_rc6=0
# mount -o remount,bind,rw /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 /mnt/F862-7316 # try to mount the USB thumb drive to its place
mount: /mnt/F862-7316: mount point not mounted or bad option.
# mount -obind,rw /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 /mnt/F862-7316
# touch /mnt/F862-7316/foo
touch: cannot touch '/mnt/F862-7316/foo': Read-only file system
# umount /mnt/F862-7316
# mount -orw,sync /dev/sdd1 /mnt/F862-7316
mount: /mnt/F862-7316: /dev/sdd1 already mounted on /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21.
# vim /etc/fstab # add /mnt/F862-7316
# mount /mnt/F862-7316
mount: /mnt/F862-7316: /dev/sdd1 already mounted on /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21.
# grep F862 /etc/fstab
UUID=F862-7316          /mnt/F862-7316  vfat            rw,sync,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro  0 2

AFAICT, `rd.` prefix had no impact.

Rebooting with the UUID=F862-7316 line in fstab(5) caused my landing in emergency mode, because it wouldn't mount.

Last edited by Moviuro (2019-09-26 22:18:49)

#6 2019-09-26 23:26:58

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: Multiple LUKS drives; systemd, cryptsetup and more

Ok, my bad. It looks like bind and remount do not mix. Remount is necessary, otherwise you get the read-only error, because bind does not override it even though the command succeeds.
I thought the system performs a remount on boot, but after checking the systemd docs this only applies to root and /usr.

After playing around a bit I figured out you have to remount rw and then you can either double mount or first unmount. I don't know if "/run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21" is still required by LUKS after boot.

mount -o remount,rw /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21

Is it possible to specify rw in luks.options? If yes, this should be taken care of. Otherwise you could either write a systemd unit or initcpio hook. The fstab entry should succeed.
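
Added example, not part of any poster's message or tested setup: a dry-run shell sketch of the sequence post #6 describes (remount the systemd keydev mount read-write, then bind its kernel directory onto /boot). It only prints the commands; the function names, the constructed sample mount table and the option to read the table from a file or stdin are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run planner that prints the
# mount commands instead of running them.
KEYDEV_PREFIX=/run/systemd/cryptsetup/keydev-

# keydev_mounts DEV [TABLE]: print "mountpoint options" for each keydev
# mount of DEV. TABLE uses /proc/self/mounts format; "-" means stdin.
keydev_mounts() {
    awk -v dev="$1" -v pre="$KEYDEV_PREFIX" \
        '$1 == dev && index($2, pre) == 1 { print $2, $4 }' \
        "${2:-/proc/self/mounts}"
}

# plan_boot_mount DEV SUBDIR TARGET [TABLE]: print the remount (only if the
# keydev mount is read-only) and the bind mount of SUBDIR onto TARGET.
plan_boot_mount() {
    dev=$1; subdir=$2; target=$3; table=${4:-/proc/self/mounts}
    first=$(keydev_mounts "$dev" "$table" | head -n 1)
    if [ -z "$first" ]; then
        echo "no keydev mount found for $dev" >&2
        return 1
    fi
    mp=${first% *}      # mount point (first field)
    opts=${first##* }   # mount options (second field)
    case ",$opts," in
        *,ro,*) echo "mount -o remount,rw $mp" ;;
    esac
    echo "mount --bind $mp/$subdir $target"
}

# Constructed sample table, using the device and mount points quoted in
# the thread; the root line and shortened options are made up.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/root / btrfs rw,relatime 0 0
/dev/sdd1 /run/systemd/cryptsetup/keydev-luks-8d132091-30a9-448d-ac0b-53136589516a vfat ro,relatime,fmask=0022,dmask=0022 0 0
/dev/sdd1 /run/systemd/cryptsetup/keydev-luks-8378cf26-54fb-4cc3-9125-36e311178c21 vfat ro,relatime,fmask=0022,dmask=0022 0 0
EOF
}

# Demo on the constructed table; drop the last argument to read the live
# mount table instead.
sample_mounts | plan_boot_mount /dev/sdd1 toxo /boot -
```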