I've successfully set up a system with an encrypted boot, rootfs and home volume. It's asking for 3 passwords even though I thought I've gone through all the steps, I checked several times but I can't seem to figure out what is wrong.
I made the key with dd and placed it in /etc/luks-keys/cryptlvm.key
I added it with cryptsetup luksAddKey to /dev/nvme2n1p2 (boot), p3 (root on lvm) and p4 (home on lvm). All came back with success and I checked the slot is in use with luksDump.
The layout is as follows:
nvme2n1
├─nvme2n1p1 vfat FAT32 EFI C2AC-ADD1 510.8M 0% /boot/efi
├─nvme2n1p2 crypto_LUKS 1 fedf054d-bf3d-4d02-960d-c5f47a99b52c
│ └─CRYPTBOOT ext4 1.0 BOOT 4d3e6d64-706d-4686-9d34-cf91242a11fa 836.5M 9% /boot
├─nvme2n1p3 crypto_LUKS 2 8920b8f1-ce12-4c81-809f-3cdaac563562
│ └─luks-8920b8f1-ce12-4c81-809f-3cdaac563562
│ LVM2_member LVM2 001 k2dfJU-a4AF-poQb-LKEu-tF23-4gYg-B88h3k
│ ├─vgOS-lvROOTFS ext4 1.0 ROOTFS f3e453f7-9956-4dc1-8da9-c70e42655579 21.6G 7% /
│ ├─vgOS-lvLOG ext4 1.0 LOG 31908cc3-9fb0-428b-a730-e6eed93461d6 9.2G 0% /var/log
│ └─vgOS-lvCACHE ext4 1.0 CACHE e1c4af18-f8fa-47da-b314-5123a7f0401d 36.7G 1% /var/cache
└─nvme2n1p4 crypto_LUKS 2 5b831458-ab9f-44d4-ac2c-d62466ff7ad4
└─HOME LVM2_member LVM2 001 dmBGg8-yCG2-xzAW-2Lcl-0o24-YPIP-37uUo2
└─vgDATA-lvHOME ext4 1.0 HOME 88e43742-2876-4670-81df-af2522cac2fb 92.9G 0% /home
I added the file reference to /etc/mkinitcpio.conf and recreated initramfs. Came back without warnings or errors.
FILES=(/etc/luks-keys/cryptlvm.keyfile)
I edited /etc/default/grub as below and ran grub-mkconfig -o /etc/boot/grub.cfg:
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=6 rd.lvm.lv=vgOS/ROOTFS rd.luks.key=fedf054d-bf3d-4d02-960d-c5f47a99b52c=rootfs:/etc/luks-keys/cryptlvm.key rd.luks.uuid=luks-8920b8f1-ce12-4c81-809f-3cdaac563562"
I'm guessing the error is in there somewhere ...
Next I set up /etc/crypttab:
CRYPTBOOT /dev/nvme2n1p2 /etc/luks-keys/cryptlvm.key
HOME /dev/nvme2n1p4 /etc/luks-keys/cryptlvm.key
and /etc/fstab:
# /dev/mapper/vgOS-lvROOTFS LABEL=ROOTFS
UUID=f3e453f7-9956-4dc1-8da9-c70e42655579 / ext4 rw,relatime 0 1
# /dev/mapper/CRYPTBOOT LABEL=BOOT
UUID=4d3e6d64-706d-4686-9d34-cf91242a11fa /boot ext4 rw,relatime 0 2
# /dev/nvme2n1p1 LABEL=EFI
UUID=C2AC-ADD1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/mapper/vgOS-lvCACHE LABEL=CACHE
UUID=e1c4af18-f8fa-47da-b314-5123a7f0401d /var/cache ext4 rw,relatime 0 2
# /dev/mapper/vgOS-lvLOG LABEL=LOG
UUID=31908cc3-9fb0-428b-a730-e6eed93461d6 /var/log ext4 rw,relatime 0 2
# /dev/mapper/vgDATA-lvHOME LABEL=HOME
UUID=88e43742-2876-4670-81df-af2522cac2fb /home ext4 rw,relatime 0 2
So with this, the system boots up successfully and unlocks and mounts everything, I just have to type in a passphrase 3 times.
If someone can help me figure out how to unlock automatically after entering the grub boot passphrase I'd appreciate it.
Thanks in advance!
Last edited by mouseman (2020-06-02 05:56:45)
You said FILES=(/etc/luks-keys/cryptlvm.keyfile)
But then rd.luks.key=fedf054d-bf3d-4d02-960d-c5f47a99b52c=rootfs:/etc/luks-keys/cryptlvm.key
so, .key or .keyfile, pick one?
edit: also the parameter looks weird, example in the manpage is rd.luks.key=b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile so not sure what rootfs: is doing there
edit: your rd.luks.uuid= looks weird too, shouldn't it be just the uuid, not start with luks-?
Last edited by frostschutz (2020-06-01 20:33:14)
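A small consistency check over the three files quoted in the first post, added here as an example (it is not from the thread or the Arch wiki). The file contents are constructed copies of the poster's snippets, and extracting only the absolute paths from the rd.luks.key value is an assumption so the check does not depend on the exact parameter syntax.

```python
import re
import shlex

# Constructed copies of the poster's snippets (not read from a live system).
# They contain the ".keyfile" vs ".key" mismatch that frostschutz spotted.
MKINITCPIO_CONF = "FILES=(/etc/luks-keys/cryptlvm.keyfile)\n"
GRUB_DEFAULT = (
    'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=6 rd.lvm.lv=vgOS/ROOTFS '
    'rd.luks.key=fedf054d-bf3d-4d02-960d-c5f47a99b52c=rootfs:/etc/luks-keys/cryptlvm.key '
    'rd.luks.uuid=luks-8920b8f1-ce12-4c81-809f-3cdaac563562"\n'
)
CRYPTTAB = (
    "CRYPTBOOT /dev/nvme2n1p2 /etc/luks-keys/cryptlvm.key\n"
    "HOME /dev/nvme2n1p4 /etc/luks-keys/cryptlvm.key\n"
)

def initramfs_files(conf):
    """Paths listed in the FILES=( ... ) array of mkinitcpio.conf."""
    m = re.search(r'^FILES=\((.*?)\)', conf, re.M)
    return set(m.group(1).split()) if m else set()

def cmdline_keyfiles(grub_default):
    """Absolute paths named in rd.luks.key= / luks.key= kernel parameters.
    Assumption: any '='- or ':'-separated component starting with '/' is a path."""
    m = re.search(r'^GRUB_CMDLINE_LINUX(?:_DEFAULT)?="(.*)"', grub_default, re.M)
    paths = set()
    for arg in (shlex.split(m.group(1)) if m else []):
        if arg.startswith(("rd.luks.key=", "luks.key=")):
            value = arg.split("=", 1)[1]
            paths.update(p for p in re.split(r'[=:]', value) if p.startswith("/"))
    return paths

def crypttab_keyfiles(crypttab):
    """Key file column (third field) of each non-comment crypttab line."""
    paths = set()
    for line in crypttab.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            paths.add(fields[2])
    return paths

def check_keyfile_consistency(conf, grub_default, crypttab):
    """Return (key files named on the kernel cmdline but not embedded in the
    initramfs, all distinct key file paths across the three files). The early
    boot hook can only read a key file that FILES= put into the initramfs, and
    more than one distinct path means a typo such as .key vs .keyfile."""
    embedded = initramfs_files(conf)
    on_cmdline = cmdline_keyfiles(grub_default)
    all_paths = embedded | on_cmdline | crypttab_keyfiles(crypttab)
    return sorted(on_cmdline - embedded), sorted(all_paths)

if __name__ == "__main__":
    not_embedded, distinct = check_keyfile_consistency(MKINITCPIO_CONF, GRUB_DEFAULT, CRYPTTAB)
    print("cmdline key files missing from initramfs:", not_embedded)
    print("distinct key file paths referenced:", distinct)
```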
https://wiki.archlinux.org/index.php/Dm … rase_twice
There is the reference to rootfs:
The sd-encrypt page is clearer so after reading that it made sense what needed to be there.
So I fixed the keyfile name (good catch!), added "luks-" to rd.luks.uuid in grub and recreated initramfs (after correcting the filenames).
All good now, thanks for the help!
https://wiki.archlinux.org/index.php/Dm … rase_twice
There is the reference to rootfs:
for cryptkey= parameter (non-systemd encrypt hook), not rd.luks.key= parameter (systemd sd-encrypt hook)
All good now, thanks for the help!
great!