tokiclover / mkinitramfs-ll

Lightweight, modular and powerful initramfs generating tool


Using an encrypted root with a regular keyfile asks for passphrase

siebz0r opened this issue · comments

I have an encrypted root set up on /dev/sda2. To access the encrypted partition I use a key, which is a regular file called key on the root of a usb drive with the label KEY.
I've read the manual and this is what I came up with for the kernel arguments:

luks=reg:LABEL=KEY:/key root=root-sda2

When I boot (and the usb drive isn't connected) I am prompted to plug in the drive with LABEL=KEY, so far so good. However, when I plug it in, I am prompted for a passphrase for /dev/sda2. I am forced to press enter until I am dropped into a rescue shell where I can manually mount the thumb drive, use cryptsetup to open the root device with the key and mount it under /newroot. Then I press Ctrl-D and booting continues as expected.

Not sure if I'm doing something wrong here, but it looks like a bug to me.

Kernel args seem correct. You say:

I boot (and the usb drive isn't connected)

Did you try to boot with the usb drive connected? Maybe it changes something.

What's the file system you are using?
And how did you build the image? (command)

A log file can be useful too :)

When booting with the usb drive connected it doesn't prompt to connect the usb drive but it does prompt me for a passphrase. I'm using ext4 for the usb drive and the root partition.

I have built the image using mkinitramfs, it uses the following config:

opts[-module-boot]+=:kms:ext2:ext3:ext4
opts[-module-device-mapper]+=:dm-thin-pool:dm-mirror:dm-cache:dm-multipath:dm-snapshot
opts[-module-dm-crypt]+=aes:dm-crypt:sha256:sha512:wp512:ecb:lrw:xts:twofish:serpent
opts[-module-dm-raid]+=:dm-raid:dm-mirror:dm-multipath:dm-snapshot
opts[-module-gpg]+=:cast5
opts[-module-kms]+=:i915:nouveau:radeon
opts[-module-raid]+=:raid0:raid10:raid1:raid456
opts[-module-remdev]+=:nls_cp437:vfat
opts[-module-squashd]+=:aufs:overlay:squashfs
opts[-module-swsusp]+=
opts[-module-tuxonice]+=:tuxonice_swap:tuxonice_userui:tuxonice_file
opts[-module-zfs]+=:zfs
opts[-module-zram]+=:zram
opts[-module-bcache]+=:bcache
opts[-module-btrfs]+=:btrfs
opts[-firmware]=:iwlwifi-7260
opts[-module]+=:boot:kms:remdev:uvesafb
opts[-module-group]+=:boot:kms:remdev:swsusp
opts[-bin]+=:blkid:v86d
opts[-bin-zfs]=zfs:zpool:mount.zfs
opts[-bin-btrfs]=btrfs:btrfsck:fsck.btrfs
opts[-font]+=:ter-g12n:ter-g14n:ter-112n:ter-v12n
opts[-keymap]+=:us
opts[-luks]=:
opts[-compressor]=none
opts[-initramfs]="efi/initramfs-$(uname -r)"

env=(
	${MIR_EXTRA_ENV}
	'CHECK_ENV=false'
)

And here's the log:

[0]: umask 0077
[0]: mkdir -p dev/pts proc run sys /newroot /mnt/tok
[0]: mount -t proc proc /proc
[0]: mount -t sysfs sysfs /sys
[0]: mount -t devtmpfs devtmpfs /dev
[0]: /sbin/mdev -s
[0]: mount -t tmpfs -o mode=755,size=1% tmpfs /run
[0]: MODPROBE kms
[0]: ln -fns /proc/self/fd /dev/fd
[0]: ln -fns fd/2 /dev/stderr
[0]: ln -fns fd/0 /dev/stdin
[0]: ln -fns fd/1 /dev/stdout
[0]: loadfont
[0]: loadkmap
[1]: test -f /etc/issue
[0]: test -n root-sda2
[0]: CUT _luks reg:LABEL=KEY:/key , 1 
[0]: mount -n -r /dev/sdc1 /mnt/tok
[0]: test -f /mnt/tok//key
[0]: get_key reg:LABEL=KEY:/key
[0]: MODPROBE dm-crypt
[0]: cryptsetup isLuks /dev/sda2
[0]: dmcrypt /dev/sda2 _dev
[2]: cryptsetup open /dev/sda2 root
[1]: test -b /dev/mapper/root
[1]: dmopen root-sda2 DEV
[0]: get_dev root-sda2 ROOT 1
[1]: mount /newroot
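The log above shows the key file being found (`test -f /mnt/tok//key`) and then `cryptsetup open /dev/sda2 root` run without it, exiting 2. As an added illustration (not mkinitramfs-ll's own code; the function names are this example's own), here is how a `luks=TYPE:DEVICE:PATH` spec such as `reg:LABEL=KEY:/key` can be split and turned into a cryptsetup invocation that passes the regular key file via `--key-file`, which is what avoids the passphrase prompt:

```shell
#!/bin/sh
# Added example, not mkinitramfs-ll's own code. Parses a luks= key spec
# of the form TYPE:DEVICE:PATH (e.g. "reg:LABEL=KEY:/key") and builds the
# cryptsetup command line. Nothing is probed or opened; only strings are
# returned so the logic can be checked offline.

# Split "TYPE:DEVICE:PATH" on the first and last ':'. DEVICE may contain
# '=' (LABEL=KEY, UUID=...) but is assumed not to contain ':'.
luks_spec_type() { printf '%s\n' "${1%%:*}"; }
luks_spec_path() { printf '%s\n' "${1##*:}"; }
luks_spec_dev() {
    rest="${1#*:}"               # drop "TYPE:"
    printf '%s\n' "${rest%:*}"   # drop ":PATH"
}

# Turn the DEVICE token into something mountable: a LABEL=/UUID=/PARTUUID=
# tag becomes a blkid lookup command (blkid is in opts[-bin] above);
# an explicit /dev node is returned unchanged.
luks_dev_resolve() {
    case "$1" in
        LABEL=*|UUID=*|PARTUUID=*) printf 'blkid -o device -t %s\n' "$1" ;;
        /dev/*)                    printf '%s\n' "$1" ;;
        *) printf 'unrecognised device token: %s\n' "$1" >&2; return 1 ;;
    esac
}

# build_cryptsetup_cmd SPEC ENCRYPTED_DEV MAPPER_NAME MOUNTPOINT
# For type "reg" (regular key file) the key is read from the removable
# device mounted at MOUNTPOINT via --key-file. Without --key-file,
# cryptsetup falls back to asking for a passphrase, which is the symptom
# reported in this issue. Other key types are out of scope here.
build_cryptsetup_cmd() {
    spec=$1; dev=$2; name=$3; mnt=$4
    type=$(luks_spec_type "$spec")
    path=$(luks_spec_path "$spec")
    case "$type" in
        reg)
            # join mountpoint and path without the doubled slash seen in
            # the log ("/mnt/tok//key"); harmless, but untidy
            printf 'cryptsetup open --key-file %s/%s %s %s\n' \
                "${mnt%/}" "${path#/}" "$dev" "$name" ;;
        *)
            printf 'unsupported key type in this example: %s\n' "$type" >&2
            return 1 ;;
    esac
}
```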

I'll just show an example of what I did last time, directly after installing mkinitramfs-ll.

You need to generate a static busybox.

# cd /usr/share/mkinitramfs-ll/scripts
# ./busybox.sh

After that, you edit /etc/mkinitramfs.conf to add the kernel args on the last line.

# vim /etc/mkinitramfs.conf
env="${env} luks=reg:LABEL=KEY:/key root=root-sda2"

And the last step, build the image; check the kernel version (4.9.24-hardened here):

# ls /lib/modules
  4.9.24-hardened

# mkinitramfs-ll.sh --luks --keymap=us -k 4.9.24-hardened --extension=img 

If you have already done that or it doesn't help, I don't know how to resolve your issue. I never tested with a regular file.

What command line do you use to open your device with a regular key?

I am afraid there is a bug that should be fixed. I will commit a patch later.