
#1 2020-06-01 10:08:04

thejavascriptman
Member
Registered: 2020-02-11
Posts: 25

[SOLVED] Cryptsetup asks for password on boot even if keyfile is...

Description:
Since upgrading cryptsetup from 2.3.2-2 to 2.3.3-1, cryptsetup asks for the LUKS password on boot and the boot process cannot continue until I fail to enter the password multiple times (this issue was not happening before cryptsetup 2.3.3-1).

sudo journalctl -p 3 -xb

Jun 01 15:27:23 computer systemd-cryptsetup[738]: Failed to activate with key file '/root/keyfile'. (Key data incorrect?)
Jun 01 15:27:35 computer systemd-cryptsetup[738]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jun 01 15:27:39 computer systemd-cryptsetup[738]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jun 01 15:27:39 computer systemd-cryptsetup[738]: Too many attempts to activate; giving up.
Jun 01 15:27:39 computer systemd[1]: Failed to start Cryptography Setup for luks_sda1.
-- Subject: A start job for unit systemd-cryptsetup@luks_sda1.service has failed

tail -n 2 /etc/fstab

/dev/mapper/luks_sdb1 /media/sdb1 ext4 rw,relatime 0 2
/dev/mapper/luks_sda1 /media/sda1 ext4 rw,relatime 0 2

cat /etc/crypttab (yes, key slot is 1)

luks_sdb1 UUID=intentionally-hidden /root/keyfile luks,key-slot=1
luks_sda1 UUID=intentionally-hidden /root/keyfile luks,discard,key-slot=1

Expected behavior:
Cryptsetup does not ask for password for partitions with a keyfile declared in /etc/crypttab

Actual behavior:
Cryptsetup asks for luks password even if keyfile is declared in /etc/crypttab

Last edited by thejavascriptman (2020-06-08 13:42:51)


#2 2020-06-01 14:48:58

mxfm
Member
Registered: 2015-10-23
Posts: 163

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

/root/keyfile

One obvious suggestion is that the keyfile is not available when systemd-cryptsetup is started. Another suggestion is that parsing of the 'keyslot=1' option is broken in the new release. Can you downgrade cryptsetup and rebuild the initramfs with the old version?

EDIT: I thought it is today thread.

Last edited by mxfm (2020-06-01 14:49:37)


#3 2020-06-01 15:27:17

thejavascriptman
Member
Registered: 2020-02-11
Posts: 25

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

I'm already running previous cryptsetup version (2.3.2-2) without any issue, however I would prefer not to freeze that package version as something else could break in the future.


#4 2020-06-01 17:21:08

mxfm
Member
Registered: 2015-10-23
Posts: 163

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

thejavascriptman wrote:

I'm already running previous cryptsetup version (2.3.2-2) without any issue, however I would prefer not to freeze that package version as something else could break in the future.

This looks like a cryptsetup bug. I would try to recreate the issue (probably with an external bootable disk) and file a thread on the cryptsetup mailing list.

By the way, do you use any special characters in the password? Do you use some characters from a special German/French layout? Some time ago there were complaints that cryptsetup suddenly stopped recognizing passwords and users swore they provided the exact passwords as in the past.

P.S. If you use the new cryptsetup, can you eventually log in during boot? If you cannot decrypt with 2.3.3-1 under any circumstances (multiple attempts, key file) while you can with the previous version, then there is definitely some bug worth investigating.


#5 2020-06-01 17:47:38

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

Can the cryptsetup command open luks_sda1 with the keyfile under cryptsetup 2.3.3-1? See if the issue is limited to systemd-cryptsetup.


#6 2020-06-02 14:43:15

thejavascriptman
Member
Registered: 2020-02-11
Posts: 25

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

mxfm wrote:
thejavascriptman wrote:

I'm already running previous cryptsetup version (2.3.2-2) without any issue, however I would prefer not to freeze that package version as something else could break in the future.

This looks like a cryptsetup bug. I would try to recreate the issue (probably with an external bootable disk) and file a thread on the cryptsetup mailing list.

By the way, do you use any special characters in the password? Do you use some characters from a special German/French layout? Some time ago there were complaints that cryptsetup suddenly stopped recognizing passwords and users swore they provided the exact passwords as in the past.

P.S. If you use the new cryptsetup, can you eventually log in during boot? If you cannot decrypt with 2.3.3-1 under any circumstances (multiple attempts, key file) while you can with the previous version, then there is definitely some bug worth investigating.


@mxfm I'll try to recreate the issue in a virtual machine tomorrow. I only use the characters available in an English keyboard. Yes, decrypting the root partition with a passphrase works normally.

loqs wrote:

Can the cryptsetup command open luks_sda1 with the keyfile under cryptsetup 2.3.3-1? See if the issue is limited to systemd-cryptsetup.

@loqs luks_sda1 and luks_sdb1 get decrypted normally when I log in to my computer (even after failing the password prompt at boot). I also tried to decrypt manually and it's working just fine.


#7 2020-06-02 14:59:22

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

Please post the journal for a boot with the issue and a boot without the issue.


#8 2020-06-02 18:36:47

mxfm
Member
Registered: 2015-10-23
Posts: 163

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

thejavascriptman wrote:

Yes, decrypting the root partition with a passphrase works normally.

So, with the new version of cryptsetup you can eventually decrypt the volume with the passphrase? Your log indicated that systemd-cryptsetup asked for a passphrase and it was incorrect.

You can test systemd-cryptsetup to see whether it is broken (although, after reading your comments, it appears that some encrypted partitions are eventually decrypted before login, so it looks like the relevant systemd services are started twice and the second attempt does work).

 systemd-cryptsetup attach <name> <path> 

Last edited by mxfm (2020-06-02 18:42:47)


#9 2020-06-04 10:38:31

thejavascriptman
Member
Registered: 2020-02-11
Posts: 25

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

@loqs the information from journalctl is in the first post

@mxfm sorry for the confusion, I have another encrypted root partition which is supposed to be the only one to ask for a password. I made a table to make it easier to understand:

+-----------+-----------+-------------+--------------+--------------+------------------+----------------+---------------------+---------------------+
| Device    | Mapper    | Mountpoint  | Passphrase?  | Keyfile?     | Keyfile location | Should ask     | cryptsetup 2.3.2-2  | cryptsetup 2.3.3-1  |
|           |           |             |              |              |                  | for passphrase | asks for passphrase | asks for passphrase |
|           |           |             |              |              |                  | at boot?       | at boot?            | at boot?            |
+-----------+-----------+-------------+--------------+--------------+------------------+----------------+---------------------+---------------------+
| nvme0n1p1 | luks_root | /           | yes (slot 0) | no           | -                | yes            | yes                 | yes                 |
+-----------+-----------+-------------+--------------+--------------+------------------+----------------+---------------------+---------------------+
| sda1      | luks_sda1 | /media/sda1 | yes (slot 0) | yes (slot 1) | /root/keyfile    | no             | no                  | yes                 |
+-----------+-----------+-------------+--------------+--------------+------------------+----------------+---------------------+---------------------+
| sdb1      | luks_sdb1 | /media/sdb1 | yes (slot 0) | yes (slot 1) | /root/keyfile    | no             | no                  | yes                 |
+-----------+-----------+-------------+--------------+--------------+------------------+----------------+---------------------+---------------------+

p.s. I created a virtual machine with a similar configuration and everything is working fine


#10 2020-06-04 11:40:38

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

Please post the full output of journalctl for one boot with the issue without filtering for message priority and without catalog messages.


#11 2020-06-07 18:07:23

renegat
Member
From: Europe
Registered: 2012-12-28
Posts: 88

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

I have a quite similar setup with one encrypted drive using a keyfile (sda1) and also encrypted arch on an nvme drive using a passphrase on boot.

cryptsetup 2.3.3-1 is installed and the only password I am asked for on boot is the one for the nvme with arch on it.
The encrypted drive sda1 is unlocked and mounted as expected.

The only differences seem to be the location where the keyfile resides and that I do not specify the particular key-slot to use.

crypttab:

ST4000DM	UUID=intentionally-hidden	/etc/keyfile.key


#12 2020-06-08 13:42:06

thejavascriptman
Member
Registered: 2020-02-11
Posts: 25

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

Thank you all, it seems that the issue was related to my setup. I ended up reinstalling the whole system and it's working as expected.


#13 2020-06-22 20:23:45

tormoz
Member
Registered: 2020-06-22
Posts: 2

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

I have the same problem and it seems to be some race condition. Sometimes everything works and sometimes cryptsetup asks for a password. My root partition is not encrypted (yet) but I have some encrypted storage with a keyfile in crypttab. Sometimes it boots correctly and sometimes not.


#14 2021-01-02 21:33:47

davidde
Member
Registered: 2020-12-17
Posts: 1

Re: [SOLVED] Cryptsetup asks for password on boot even if keyfile is...

I can confirm this is probably some sort of race condition, since it seems to fail arbitrarily.
It's also really hard to fix. I've literally tried dozens of things, but now it finally seems to be working again.

For anyone running into this problem in the future, I'll list some of the things I did that could have made the difference:
* Update BIOS
* Switch to proprietary nvidia drivers
* Set keyfile permissions to 400 instead of 000.
* Add extra keyslot for the same keyfile with default `--iter-time` of 2000ms
* Disable watchdogs (see https://wiki.archlinux.org/index.php/im … Watchdogs).
* Change HOOKS in /etc/mkinitcpio.conf:
  - For some reason I had `sd-encrypt` right after `filesystems`, I moved it back to right before.
  - Return `autodetect` hook before `keyboard`: I recall changing this because ArchWiki recommended in "Common Hooks > Keyboard" to place `keyboard` before `autodetect` in order to always include all keyboard drivers (see https://wiki.archlinux.org/index.php/mk … mon_hooks).

Since the error "Failed to activate with key file '/root/.keyfile'. (Key data incorrect?)" seems to indicate the keyfile is somehow incorrect, but manually unlocking with it works flawlessly each and every time, it seems that something occasionally blocks the keyfile from being (fully?) available when systemd needs it.

At this point I can't really tell anymore which change or which combination actually fixed things, but I recommend trying things out from the bottom up.
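
Added example, not part of any post in this thread and not cryptsetup or systemd code: a shell function that checks each keyfile entry of a crypttab-format file for the conditions raised above (keyfile present, no group/other permission bits, `key-slot` option) and prints the `cryptsetup open --test-passphrase` command for the manual keyfile test suggested earlier in the thread. The UUIDs, temporary paths and status words are constructed for the example; the command is only printed, to be run by hand as root.

```shell
#!/bin/sh
# Added example (not from the thread): audit keyfile entries in a crypttab file.
# Prints one line per volume: "<name> <status> [detail]".
audit_crypttab() {
    # Fields per crypttab(5): name, device, key file, options.
    while read -r name dev key opts _; do
        case "$name" in ''|'#'*) continue ;; esac
        # "none", "-" or no third field: an interactive prompt is expected.
        case "$key" in ''|none|-) echo "$name prompt"; continue ;; esac
        if [ ! -f "$key" ]; then
            echo "$name keyfile-missing $key"; continue
        fi
        # Mode string from ls: group/other bits (chars 5-10) must all be '-'.
        perms=$(ls -ld "$key" | cut -c1-10)
        case "$perms" in
            -???------) ;;
            *) echo "$name keyfile-loose-perms $perms"; continue ;;
        esac
        # cryptsetup wants a device path, so map UUID= to /dev/disk/by-uuid.
        case "$dev" in UUID=*) dev=/dev/disk/by-uuid/${dev#UUID=} ;; esac
        # Pull key-slot=N out of the comma-separated option list, if present.
        slot=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^key-slot=//p')
        # Command to run by hand as root; it checks the key without mapping.
        echo "$name ok cryptsetup open --test-passphrase --key-file $key" \
             "${slot:+--key-slot $slot }$dev"
    done < "$1"
}

# Constructed sample input: placeholder UUIDs and keyfiles in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/good.key";  chmod 400 "$d/good.key"
    : > "$d/loose.key"; chmod 644 "$d/loose.key"
    cat > "$d/crypttab" <<EOF
# name     device              keyfile        options
luks_root  UUID=0000-root      none           luks
luks_sda1  UUID=0000-sda1      $d/good.key    luks,discard,key-slot=1
luks_sdb1  UUID=0000-sdb1      $d/loose.key   luks,key-slot=1
luks_sdc1  UUID=0000-sdc1      $d/absent.key  luks
EOF
    audit_crypttab "$d/crypttab"
    rm -rf "$d"
}
demo
```

On a real system, point `audit_crypttab` at `/etc/crypttab` and compare the printed test command's result with what `systemd-cryptsetup` logs at boot.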
