Hi,
I have set up my computer with root, /boot and encrypted /home on sdc, and a RAID 1 nvme (currently only one drive because I was waiting for hardware) that is also encrypted.
I unlock home during boot with a password and the key for the encrypted raid is located on home.
But for some reason, when I decrypt the raid at boot time, home becomes read-only.
When I looked at dmesg or journalctl, no output indicated to me that there were any issues...
Could you please help me.
Let me know, if you need any more information.
dmesg output: https://pastebin.com/G9NNaAkh
journalctl -xe output: https://pastebin.com/fz0sRjeq
crypttab:
home UUID=26706259-f681-4fff-9b35-002ef6836171 none luks,loud
data UUID=91434711-7c91-4a15-a0e5-8510ce9377ce /$USERNAME/.keys.d/data.key:UUID=d0d429c9-7abe-49db-9e2e-86bc62c014dd luks
lsblk -f:
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sda
├─sda1 ntfs 6E50190C5018DD21 104.9G 77% /mounts/Windows
└─sda2 vfat FAT32 2C0F-72D1
sdb
├─sdb1
└─sdb2 ntfs WinLinExchange 0A8481C28481B12D 343.7G 63% /mounts/WindowsData
sdc
├─sdc1 vfat FAT32 C81C-F25E 266.9M 45% /boot
├─sdc2 ext4 1.0 18b8370b-71c5-4cf2-821c-66ab7594446b 85.2G 8% /
└─sdc3 crypto_LUKS 2 26706259-f681-4fff-9b35-002ef6836171
└─home ext4 1.0 d0d429c9-7abe-49db-9e2e-86bc62c014dd 754.4G 3% /home
sdd
└─sdd1 ntfs WinLinuxExchange 6921E0F258419D93 811.1G 13% /mounts/WindowsLinuxExchange
nvme1n1
└─nvme1n1p1 linux_raid_member 1.2 archiso:0 95f6d018-950d-412a-5bad-8c17171a7268
└─md127 crypto_LUKS 2 91434711-7c91-4a15-a0e5-8510ce9377ce
└─data ext4 1.0 02bd8ce4-63f8-4444-9fb0-c47ac41ddf3c
fstab:
# /dev/sdc2
UUID=18b8370b-71c5-4cf2-821c-66ab7594446b / ext4 rw,relatime 0 1
# /dev/mapper/home
UUID=d0d429c9-7abe-49db-9e2e-86bc62c014dd /home ext4 rw,relatime 0 2
# /dev/sdc1
UUID=C81C-F25E /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8 0 2
# /dev/mapper/data
#UUID=02bd8ce4-63f8-4444-9fb0-c47ac41ddf3c /mounts/data ext4 rw,relatime 0 2
# /dev/sdd1 LABEL=WinLinuxExchange
UUID=6921E0F258419D93 /mounts/WindowsLinuxExchange ntfs rw,nosuid,nodev,user_id=0,group_id=0,allow_other,blksize=4096 0 0
# /dev/sda1
UUID=6E50190C5018DD21 /mounts/Windows ntfs rw,nosuid,nodev,user_id=0,group_id=0,allow_other,blksize=4096 0 0
# /dev/sdb2 LABEL=WinLinExchange
UUID=0A8481C28481B12D /mounts/WindowsData ntfs rw,nosuid,nodev,user_id=0,group_id=0,allow_other,blksize=4096 0 0
Last edited by marcelsmudda (2024-03-22 10:13:57)
[ 12.368186] Key type encrypted registered
[ 12.608951] EXT4-fs (dm-0): orphan cleanup on readonly fs
[ 12.610985] EXT4-fs (dm-0): mounted filesystem d0d429c9-7abe-49db-9e2e-86bc62c014dd ro with ordered data mode. Quota mode: none.
Try disabling for testing the "data" line in your crypttab.
Is home (dm-0) still ro ?
$USERNAME in the crypttab looks wrong - at this point in time the variable is not set, and I think variables are probably not allowed here.
Try a static line.
Does cryptsetup status show readonly mode?
I'm not sure if you can put "loud" in crypttab. It's not mentioned in the manpage.
Try disabling for testing the "data" line in your crypttab.
Is home (dm-0) still ro ?
No, it just stops booting (because it cannot mount home...). It instead asks me to intervene manually.
Also, like I said earlier, my encryption key is on home, so, if I am not mounting home, I cannot decrypt data.
And if I decrypt and mount data after home is mounted, there are no problems that I have noticed.
$USERNAME in the crypttab looks wrong - at this point in time the variable is not set, and I think variables are probably not allowed here.
Try a static line.
I should have mentioned that, I just didn't want to leak my name, so I replaced it with this string in the logs etc. On my computer, they are static.
Does cryptsetup status show readonly mode?
No, that one says read-write. But the output of mount says readonly.
I'm not sure if you can put "loud" in crypttab. It's not mentioned in the manpage.
I had added loud after some initial tries to fix it. I read somewhere that it's similar to verbose for other programs. But I don't know. It looks like it's being ignored. With or without loud, the result is the same...
What happens if you try to switch it later, after boot, from ro to rw:
sudo mount -o remount,rw /home
And maybe, before that, a filesystem check:
sudo fsck /dev/mapper/home
What happens if you try to switch it later, after boot, from ro to rw:
sudo mount -o remount,rw /home
And maybe, before that, a filesystem check:
sudo fsck /dev/mapper/home
After a remount, home was read-write as it should be. And the fsck came back clean...
Do you use mkinitcpio? Can you show the complete output from
sudo mkinitcpio --allpresets
Is the fsck HOOK included?
And another idea: is your sdc drive healthy? Did you recently have a look at your SMART values?
Do you use mkinitcpio? Can you show the complete output from
sudo mkinitcpio --allpresets
Is the fsck HOOK included?
And another idea: is your sdc drive healthy? Did you recently have a look at your SMART values?
sudo mkinitcpio --allpresets
[sudo] password for $USERNAME:
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -g /boot/initramfs-linux.img
==> Starting build: '6.7.8-arch1-1'
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [microcode]
-> Running build hook: [modconf]
-> Running build hook: [kms]
==> WARNING: Possibly missing firmware for module: 'ast'
-> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
-> Running build hook: [autodetect]
-> Running build hook: [keymap]
-> Running build hook: [consolefont]
==> WARNING: consolefont: no font found in configuration
-> Running build hook: [block]
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux.img'
==> Initcpio image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: '6.7.8-arch1-1'
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [microcode]
-> Running build hook: [modconf]
-> Running build hook: [kms]
==> WARNING: Possibly missing firmware for module: 'ast'
-> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
-> Running build hook: [keymap]
-> Running build hook: [consolefont]
==> WARNING: consolefont: no font found in configuration
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: 'aic94xx'
==> WARNING: Possibly missing firmware for module: 'qla2xxx'
==> WARNING: Possibly missing firmware for module: 'wd719x'
==> WARNING: Possibly missing firmware for module: 'qed'
==> WARNING: Possibly missing firmware for module: 'qla1280'
==> WARNING: Possibly missing firmware for module: 'bfa'
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-fallback.img'
==> Initcpio image generation successful
Regarding SMART:
It's a completely new drive, fresh from Samsung. I just did a short test and no issues there.
SMART overall-health self-assessment test result: PASSED
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
Self-test supported.
No Conveyance Self-test supported.
Selective Self-test supported.
Once the "--test=short" has finished (e.g. after 2 minutes), please post the complete output from
sudo smartctl --all /dev/sdc
The single line you posted has no real data.
If not done so far, you could also have a look at memtest, to exclude a further HW fault.
I see no config error so far. If you disable auto unlocking of data in crypttab *and* fstab - does this change the ro/rw problem of /home during boot?
(simplify your setup to track the issue down)
Last edited by ua4000 (2024-03-14 17:20:22)
smartctl 7.4 2023-08-01 r5530 [x86_64-linux-6.7.8-arch1-1] (local build)
Copyright (C) 2002-23, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION ===
Model Family: Samsung based SSDs
Device Model: Samsung SSD 870 EVO 1TB
Serial Number: S74ZNS0W546126W
LU WWN Device Id: 5 002538 f335212bf
Firmware Version: SVT03B6Q
User Capacity: 1,000,204,886,016 bytes [1.00 TB]
Sector Size: 512 bytes logical/physical
Rotation Rate: Solid State Device
Form Factor: 2.5 inches
TRIM Command: Available, deterministic, zeroed
Device is: In smartctl database 7.3/5528
ATA Version is: ACS-4 T13/BSR INCITS 529 revision 5
SATA Version is: SATA 3.3, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Fri Mar 15 17:28:41 2024 JST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
General SMART Values:
Offline data collection status: (0x00) Offline data collection activity
was never started.
Auto Offline Data Collection: Disabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: ( 0) seconds.
Offline data collection
capabilities: (0x53) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
No Offline surface scan supported.
Self-test supported.
No Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 85) minutes.
SCT capabilities: (0x003d) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.
SMART Attributes Data Structure revision number: 1
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
5 Reallocated_Sector_Ct 0x0033 100 100 010 Pre-fail Always - 0
9 Power_On_Hours 0x0032 099 099 000 Old_age Always - 92
12 Power_Cycle_Count 0x0032 099 099 000 Old_age Always - 29
177 Wear_Leveling_Count 0x0013 100 100 000 Pre-fail Always - 0
179 Used_Rsvd_Blk_Cnt_Tot 0x0013 100 100 010 Pre-fail Always - 0
181 Program_Fail_Cnt_Total 0x0032 100 100 010 Old_age Always - 0
182 Erase_Fail_Count_Total 0x0032 100 100 010 Old_age Always - 0
183 Runtime_Bad_Block 0x0013 100 100 010 Pre-fail Always - 0
187 Uncorrectable_Error_Cnt 0x0032 100 100 000 Old_age Always - 0
190 Airflow_Temperature_Cel 0x0032 076 071 000 Old_age Always - 24
195 ECC_Error_Rate 0x001a 200 200 000 Old_age Always - 0
199 CRC_Error_Count 0x003e 100 100 000 Old_age Always - 0
235 POR_Recovery_Count 0x0012 099 099 000 Old_age Always - 15
241 Total_LBAs_Written 0x0032 099 099 000 Old_age Always - 833621074
252 Unknown_Attribute 0x0032 100 100 000 Old_age Always - 0
SMART Error Log Version: 1
No Errors Logged
SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Short offline Completed without error 00% 84 -
SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
256 0 65535 Read_scanning was never started
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.
The above only provides legacy SMART information - try 'smartctl -x' for more
Here is the complete output.
The last memtest I did was like 3 months or so ago and there were no errors.
If you disable auto unlocking of data in crypttab *and* fstab - does this change the ro/rw problem of /home during boot?
Yes, that is why I chose this title for the thread and I just noticed that I didn't mention that in my original post. Sorry about that.
Your sdc looks healthy.
I have no further idea to solve your issue; it looks like a timing issue.
If "late loading" of data solves it, then as a workaround you could
add "noauto" to both files for "data":
crypttab
data ... luks,noauto
fstab
... /mounts/data ... rw,relatime,noauto
Then, after login, you could do something like this:
sudo systemctl start systemd-cryptsetup@data.service
sudo mount /mounts/data
and if this works, try to put it in a script/cronjob/systemd job, which runs e.g. 2min after boot.
I mean, this would be no different from mounting data manually after I have logged into my user, right?
Right now, I just run the remount command first thing, before I start sway.
I am also thinking of adding an exception for my user for that command in the sudoers file and adding it to the zshrc file that I use. I am the only user of my computer, so it's not a big issue in that regard...
But thank you for taking the time to take a look.
Last edited by marcelsmudda (2024-03-15 17:20:42)
Instead of "late" unlocking, you could have a look at
https://wiki.archlinux.org/title/Dm-cry … -generator
and make use of
/etc/crypttab.initramfs
Note the main difference for you:
sd-encrypt HOOK: "Passwords entered during boot are cached in the kernel keyring by systemd-cryptsetup(8), so if multiple devices can be unlocked with the same password (this includes devices in crypttab that are unlocked after boot), then you will only need to input each password once."
encrypt HOOK : "Only one device can be unlocked in the initramfs."
So you would give data, in addition to the key file, a normal password (the same as home) as a further slot in LUKS, and unlock both during boot in one step with the sd-encrypt HOOK.
Instead of "late" unlocking, you could have a look at
https://wiki.archlinux.org/title/Dm-cry … -generator
and make use of
/etc/crypttab.initramfs
Thank you. I've tried that, I've added
sd-encrypt
after
block
and it didn't work.
Then I saw the example with
sd-vconsole sd-encrypt
before
block
and it also didn't work, in both cases, it didn't ask me for the password.
Then I removed everything from the hooks and I deleted /etc/crypttab.initramfs again, and I instead changed my /etc/crypttab file to the following:
home UUID=26706259-f681-4fff-9b35-002ef6836171 none luks
data UUID=91434711-7c91-4a15-a0e5-8510ce9377ce /home/MY_USER_NAME/.keys.d/data.key luks
(The difference being that I do not define a path on a device plus the device, but just give the full path, which is used after the previous device has been fully mounted)
And this works!
I didn't expect that it goes crypttab->fstab->crypttab->fstab but it does O.o
Thank you for your advice even though it didn't solve it. I appreciate your time trying to help me.
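As an added example (not code from the thread or from any of its participants), a small shell linter that checks crypttab text for the three points raised in this thread: a shell variable in the key path, options that are not in crypttab(5), and a path:UUID= key specification whose device is a filesystem fstab already mounts. The sample crypttab and fstab text mirror the files posted above, and the option allowlist is a constructed subset of systemd crypttab(5) options.

```shell
#!/bin/sh
# Added example, not from the thread: lint crypttab text for the three problems
# discussed above. Sample inputs are constructed from the files posted in the thread.

# Constructed sample: the thread's original crypttab.
CRYPTTAB_BEFORE='home UUID=26706259-f681-4fff-9b35-002ef6836171 none luks,loud
data UUID=91434711-7c91-4a15-a0e5-8510ce9377ce /$USERNAME/.keys.d/data.key:UUID=d0d429c9-7abe-49db-9e2e-86bc62c014dd luks'
# Constructed sample: the crypttab that worked (plain absolute key path).
CRYPTTAB_AFTER='home UUID=26706259-f681-4fff-9b35-002ef6836171 none luks
data UUID=91434711-7c91-4a15-a0e5-8510ce9377ce /home/MY_USER_NAME/.keys.d/data.key luks'
# Constructed sample: the fstab lines that matter for the key lookup.
FSTAB='UUID=18b8370b-71c5-4cf2-821c-66ab7594446b / ext4 rw,relatime 0 1
UUID=d0d429c9-7abe-49db-9e2e-86bc62c014dd /home ext4 rw,relatime 0 2'
# Allowlist: a subset of systemd crypttab(5) options (assumption: extend it for your setup).
KNOWN_OPTS='luks plain tcrypt bitlk noauto nofail discard readonly read-only swap tmp verify headless x-initrd.attach force'

# fstab_mountpoint DEVSPEC FSTAB_TEXT: print the mountpoint fstab assigns to DEVSPEC, if any.
fstab_mountpoint() {
  while read -r src mnt rest; do
    case "$src" in ''|'#'*) continue ;; esac
    if [ "$src" = "$1" ]; then printf '%s\n' "$mnt"; return 0; fi
  done <<EOF
$2
EOF
  return 0
}

# lint_crypttab CRYPTTAB_TEXT FSTAB_TEXT: print one finding per line; always exits 0.
lint_crypttab() {
  while read -r name dev key opts; do
    case "$name" in ''|'#'*) continue ;; esac
    # 1. crypttab is not a shell: "$USERNAME" stays literal, so the key file is never found.
    case "$key" in *'$'*) printf '%s: key path %s contains a shell variable, which crypttab does not expand\n' "$name" "$key" ;; esac
    # 2. options outside the allowlist (e.g. "loud") are not understood by systemd-cryptsetup.
    oldifs=$IFS; IFS=,
    for o in $opts; do
      case " $KNOWN_OPTS " in *" ${o%%=*} "*) ;; *) printf '%s: option "%s" is not in the crypttab(5) allowlist\n' "$name" "$o" ;; esac
    done
    IFS=$oldifs
    # 3. path:DEVICE key spec whose DEVICE fstab already mounts: the key lookup mounts that
    #    filesystem a second time; a plain path under its mountpoint (what finally worked in
    #    the thread) is resolved only once the fstab mount is up.
    case "$key" in *:*)
      kpath=${key%%:*}; kdev=${key#*:}
      mnt=$(fstab_mountpoint "$kdev" "$2")
      if [ -n "$mnt" ]; then
        printf '%s: key device %s is mounted by fstab at %s; use the plain path %s instead\n' "$name" "$kdev" "$mnt" "${mnt%/}$kpath"
      fi ;;
    esac
  done <<EOF
$1
EOF
  return 0
}
```

Run it as `lint_crypttab "$(cat /etc/crypttab)" "$(cat /etc/fstab)"` to check a live system; an empty output means none of the three checks fired.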