#1 2024-03-12 15:38:06

pierr
Member
Registered: 2024-03-12
Posts: 5

[SOLVED] mkinitcpio v38: cryptsetup cannot read key-file

Hello,

I use disk encryption as detailed in https://wiki.archlinux.org/title/Dm-cry … n_dm-crypt

* My EFI boot is on a usb key (unprotected)
* My cryptsetup key is a key file stored on another usb key

Yesterday I upgraded the system and after doing that I could no longer decrypt the disk: Cannot read keyfile error, reverting to passphrase

Can someone please tell me if the mkinitcpio.conf from the page mentioned above, section 7.4, is still valid for mkinitcpio 38?

It tells to use:

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

My mkinitcpio.conf:

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(usbhid xhci_hcd)
MODULES=(amdgpu nvidia nvidia_modeset nvidia_uvm nvidia_drm vfat)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No RAID, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect modconf block filesystems fsck)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev modconf block filesystems fsck)
#
##   This setup assembles a mdadm array with an encrypted root file system.
##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
#    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
##   This setup loads an lvm2 volume group.
#    HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr and fsck hooks.
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

# MODULES_DECOMPRESS
# Decompress kernel modules during initramfs creation.
# Enable to speedup boot process, disable to save RAM
# during early userspace. Switch (yes/no).
#MODULES_DECOMPRESS="yes"

I tried merging the HOOKS from the mkinitcpio.conf.pacnew (it adds a microcode hook) and regenerating the initramfs, but with or without it, it does not work.

If anyone has a clue or a pointer regarding a news I obviously did not read before doing the upgrade, it would be very appreciated. Thanks.

Last edited by pierr (2024-03-12 18:09:21)

Offline

#2 2024-03-12 16:06:18

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,689

Re: [SOLVED] mkinitcpio v38: cryptsetup cannot read key-file

Offline

#3 2024-03-12 16:22:06

pierr
Member
Registered: 2024-03-12
Posts: 5

Re: [SOLVED] mkinitcpio v38: cryptsetup cannot read key-file

I have seen and read that topic before posting, and I thought that it was different enough to justify another thread.

By the way, I have another laptop for work, and it also uses plain dmcrypt to encrypt its disk. Almost exactly the same setup, the only difference is that on my work laptop I use a passphrase and not a keyfile. I had no issue updating the laptop. So that looks either related to the key file, or to my setup...

Edit: after verifying, there are more differences - I use luks on the work laptop - so can't say it's the same setup bar the key.

Last edited by pierr (2024-03-12 16:26:33)

Offline

#4 2024-03-12 16:49:11

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 710

Re: [SOLVED] mkinitcpio v38: cryptsetup cannot read key-file

The encrypt hook has issues with parsing the ":" character (archlinux/mkinitcpio/mkinitcpio!329 and archlinux/mkinitcpio/mkinitcpio!333 fix them). Is there any ":" in your cryptdevice, cryptkey or crypto parameters?

Offline

#5 2024-03-12 17:48:47

pierr
Member
Registered: 2024-03-12
Posts: 5

Re: [SOLVED] mkinitcpio v38: cryptsetup cannot read key-file

nl6720 wrote:

The encrypt hook has issues with parsing the ":" character (archlinux/mkinitcpio/mkinitcpio!329 and archlinux/mkinitcpio/mkinitcpio!333 fix them). Is there any ":" in your cryptdevice, cryptkey or crypto parameters?

Yes I have. My /boot/loader/entries/arch.conf :

title Arch Linux
linux /vmlinuz-linux-zen
initrd /initramfs-linux-zen.img
options cryptdevice=/dev/disk/by-id/nvme-eui.002538ba21b7d0fd:cryptlvm:allow-discards,no-read-workqueue,no-write-workqueue cryptkey=/dev/disk/by-id/usb-SanDisk_Ultra_Fit_05018c02ee3eb8210fb6def64ba8fa9e935353600357b114517069fa3ed8c0416a4600000000000000000000803584afff0a1010835581072c2879c8-0\:0-part2:vfat:/key crypto=:aes-xts-plain64:512:0:0 root=/dev/front-m2/root resume=/dev/front-m2/root resume_offset=85420032 sysctl.vm.swappiness=10 nvidia_drm.modeset=1 rw quiet

Offline

#6 2024-03-12 17:59:05

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 710

Re: [SOLVED] mkinitcpio v38: cryptsetup cannot read key-file

pierr wrote:
cryptkey=/dev/disk/by-id/usb-SanDisk_Ultra_Fit_05018c02ee3eb8210fb6def64ba8fa9e935353600357b114517069fa3ed8c0416a4600000000000000000000803584afff0a1010835581072c2879c8-0\:0-part2:vfat:/key

Any use of \: in these parameters is currently broken. Tomorrow's mkinitcpio 38.1 release will fix it.
Until then, you can edit /usr/lib/initcpio/hooks/encrypt and replace the three:

read -r

with:

read

Offline
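
Added example (not part of the thread, and not the encrypt hook's own code): a shell sketch of why a `\:` in a colon-separated parameter is split in the wrong place by `read -r` and kept together by plain `read`, plus a check that lists which of the cryptdevice, cryptkey and crypto parameters on a command line contain `\:`. The device name, the function names and the `IFS=:` split are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample value (not the poster's device id): the by-id name
# contains a literal ':' that is written as '\:' on the kernel command line.
SAMPLE='/dev/disk/by-id/usb-EXAMPLE_Stick-0\:0-part2:vfat:/key'

# split_raw VALUE: split device:fstype:path with 'read -r'.
# -r makes the backslash an ordinary character, so the ':' after it
# is still treated as a field separator.
split_raw() {
    IFS=: read -r dev fstype path <<EOF
$1
EOF
    printf '%s|%s|%s\n' "$dev" "$fstype" "$path"
}

# split_escaped VALUE: same split with plain 'read'.
# Without -r, '\:' is read as a literal colon and the backslash is dropped.
split_escaped() {
    IFS=: read dev fstype path <<EOF
$1
EOF
    printf '%s|%s|%s\n' "$dev" "$fstype" "$path"
}

# affected_params CMDLINE: print the name of every cryptdevice, cryptkey
# or crypto parameter whose value contains an escaped colon.
# Runs in a subshell with globbing off so the words are taken literally.
affected_params() (
    set -f
    for word in $1; do
        case "$word" in
            cryptdevice=*\\:*|cryptkey=*\\:*|crypto=*\\:*)
                printf '%s\n' "${word%%=*}" ;;
        esac
    done
)

# Show both splits for the constructed value.
split_raw "$SAMPLE"
split_escaped "$SAMPLE"
```

With `read -r` the device field ends at the backslash and the remaining fields shift by one, so the key file is looked up on the wrong device and path.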

#7 2024-03-12 18:08:47

pierr
Member
Registered: 2024-03-12
Posts: 5

Re: [SOLVED] mkinitcpio v38: cryptsetup cannot read key-file

I'll try the workaround tonight.

Thanks to both of you seth and nl6720 for the help.

Edit: tested the workaround, and I confirm everything works smoothly with these changes. Thanks again.

Last edited by pierr (2024-03-12 19:18:22)

Offline
