
crypttab error: LUKS on LVM install (need help/guidance/assistance)

Hi, I'm trying to set up a LUKS on LVM install. My technical knowledge is only as good as the references mentioned below as well as other parts of the Artix and Arch wiki, but I can't code. I can somewhat make sense of the source code/scripts. So forgive me if this is some oversight.

Everything works fine except for crypttab/cryptsetup (I would have to decrypt and mount them manually on every reboot/power-on).

Digging through some posts (either in this forum or in others), it was mentioned that instead of using /etc/crypttab I should use /etc/conf.d/dmcrypt. I have tried it but it doesn't work, and that seems to be for OpenRC only; the source says otherwise for s6: https://gitea.artixlinux.org/artix/s6-services/src/branch/master/srv/cryptsetup/cryptsetup/shell_up

Here's the intended layout:
Code:
nvme0n1                  259:0    0 931.5G  0 disk  
├─nvme0n1p1              259:1    0   600M  0 part  /boot/efi
├─nvme0n1p2              259:2    0   1.2G  0 part 
│ └─cryptboot            254:4    0   1.2G  0 crypt /boot
└─nvme0n1p3              259:3    0 929.8G  0 part 
  ├─volgroup-lvcryptroot 254:0    0   128G  0 lvm  
  │ └─openedroot         254:2    0   128G  0 crypt /
  └─volgroup-lvcrypthome 254:1    0 801.8G  0 lvm  
    └─openedhome         254:3    0 801.7G  0 crypt /home

But upon booting up, /dev/nvme0n1p2 and /dev/volgroup/lvcrypthome aren't decrypted, hence what I only see is:
Code:
nvme0n1                  259:0    0 931.5G  0 disk  
├─nvme0n1p1              259:1    0   600M  0 part
├─nvme0n1p2              259:2    0   1.2G  0 part 
└─nvme0n1p3              259:3    0 929.8G  0 part 
  ├─volgroup-lvcryptroot 254:0    0   128G  0 lvm  
  │ └─openedroot         254:2    0   128G  0 crypt /
  └─volgroup-lvcrypthome 254:1    0 801.8G  0 lvm
Only root is mounted since crypttab didn't work, so the mountpoints /boot, /boot/efi, and /home aren't mounted, as /boot and /home are encrypted.


Upon further digging it seems to be an s6-rc problem, although I am not sure. In this stage cryptsetup does not prompt for a password for both the /dev/nvme0n1p2 (/boot) and /dev/volgroup/lvcrypthome (/home) partitions. Both seem to be immediately skipped; it's as if they had been set with the "nofail" option from crypttab: https://man.archlinux.org/man/crypttab.5

Here is the log from /run/uncaught-logs/current (/etc/s6/current/scripts/runlevel exec s6-rc line set with -v 2 verbose level):

/run/uncaught-logs/current:
Code:
@4000000065276d5f36c589e7 s6-rc: info: service s6rc-fdholder: starting
@4000000065276d5f36c67a41 s6-rc: info: service s6rc-oneshot-runner: starting
@4000000065276d5f3709e883 s6-rc: info: service s6rc-oneshot-runner successfully started
@4000000065276d5f370e39b2 s6-rc: info: service rc-local: starting
@4000000065276d5f370fd8ec s6-rc: info: service sysctl: starting
@4000000065276d5f3711583b s6-rc: info: service net-lo: starting
@4000000065276d5f37136750 s6-rc: info: service mount-tmpfs: starting
@4000000065276d5f37157e95 s6-rc: info: service mount-procfs: starting
@4000000065276d5f3721a5cb s6-rc: info: service lvm2-pvscan: starting
@4000000065276d5f37257d4d s6-rc: info: service lvm2-monitor: starting
@4000000065276d5f37277fd6 s6-rc: info: service hwclock: starting
@4000000065276d5f378aa5af s6-rc: info: service s6rc-fdholder successfully started
@4000000065276d5f379100c5 s6-rc: info: service udevd-log: starting
@4000000065276d5f37a57352 s6-rc: info: service lvmpolld-log: starting
@4000000065276d5f37a856ed s6-rc: info: service dmesg-log: starting
@4000000065276d5f37b08ee5 s6-rc: info: service dbus-log: starting
@4000000065276d5f37b28a9c s6-rc: info: service connmand-log: starting
@4000000065276d5f37d13e36 s6-rc: info: service rc-local successfully started
@4000000065276d5f386b5cce s6-rc: info: service mount-procfs successfully started
@4000000065276d5f386d88cf s6-rc: info: service mount-sysfs: starting
@4000000065276d5f38b6df91 s6-rc: info: service mount-devfs: starting
@4000000065276d5f38bbfe74 s6-rc: info: service mount-cgroups: starting
@4000000065276d5f38cc5bd7 s6-rc: info: service hostname: starting
@4000000065276d5f38deb307 s6-rc: info: service binfmt: starting
@4000000065276d5f38df968f s6-rc: info: service sysctl successfully started
@4000000065276d5f38dfac62 s6-rc: info: service udevd-log successfully started
@4000000065276d5f38e072b9 s6-rc: info: service lvmpolld-log successfully started
@4000000065276d5f38e08775 s6-rc: info: service dmesg-log successfully started
@4000000065276d5f38e1f294 s6-rc: info: service dmesg-srv: starting
@4000000065276d5f38e274fc s6-rc: info: service dbus-log successfully started
@4000000065276d5f38fc36fc s6-rc: info: service dbus-srv: starting
@4000000065276d5f38fd08c7 s6-rc: info: service connmand-log successfully started
@4000000065276d5f391f1bd9 s6-rc: info: service dmesg-srv successfully started
@4000000065276d5f3948e6ee s6-rc: info: service hwclock successfully started
@4000000065276d5f39caa25f s6-rc: info: service mount-tmpfs successfully started
@4000000065276d5f39e81fc7 s6-rc: info: service binfmt successfully started
@4000000065276d5f3a2cdd0e s6-rc: info: service mount-sysfs successfully started
@4000000065276d5f3a593315 s6-rc: info: service hostname successfully started
@4000000065276d5f3a84837a s6-rc: info: service net-lo successfully started
@4000000065276d5f3abcbde0 s6-rc: info: service mount-devfs successfully started
@4000000065276d5f3abe44d3 s6-rc: info: service network-detection: starting
@4000000065276d5f3acf4e16 s6-rc: info: service kmod-static-nodes: starting
@4000000065276d5f3acf69e9 s6-rc: info: service ttyS: starting
@4000000065276d5f3ad2b68e s6-rc: info: service tty6: starting
@4000000065276d5f3ae26b57 s6-rc: info: service tty5: starting
@4000000065276d5f3af0253b s6-rc: info: service tty4: starting
@4000000065276d5f3af04c84 s6-rc: info: service tty3: starting
@4000000065276d5f3af071e4 s6-rc: info: service tty2: starting
@4000000065276d5f3afbd7f2 s6-rc: info: service tty1: starting
@4000000065276d5f3b2d1c93 s6-rc: info: service tty6 successfully started
@4000000065276d5f3b3bf761 s6-rc: info: service tty1 successfully started
@4000000065276d5f3b43fc54 s6-rc: info: service dbus-srv successfully started
@4000000065276d5f3b5247a1 s6-rc: info: service tty2 successfully started
@4000000065276d5f3b6a4bd9 s6-rc: info: service ttyS successfully started
@4000000065276d5f3b7393d0 s6-rc: info: service tty3 successfully started
@4000000065276d600000fbac s6-rc: info: service network-detection successfully started
@4000000065276d600007d8e4 s6-rc: info: service tty5 successfully started
@4000000065276d60000e3acb s6-rc: info: service tty4 successfully started
@4000000065276d6001403029 s6-rc: info: service kmod-static-nodes successfully started
@4000000065276d600150ee65 s6-rc: info: service tmpfiles-dev: starting
@4000000065276d6001d42ac8 s6-rc: info: service tmpfiles-dev successfully started
@4000000065276d60043a37f7 s6-rc: info: service mount-cgroups successfully started
@4000000065276d6004502f02 s6-rc: info: service udevd-srv: starting
@4000000065276d60045d2ced s6-rc: info: service udevd-srv successfully started
@4000000065276d600462c5c3 s6-rc: info: service udevadm: starting
@4000000065276d600462e569 s6-rc: info: service connmand-srv: starting
@4000000065276d600484c2bc s6-rc: info: service connmand-srv successfully started
@4000000065276d6014715d3d s6-rc: info: service lvm2-pvscan successfully started
@4000000065276d6019b6cb55 s6-rc: info: service lvm2-monitor successfully started
@4000000065276d6028d39ac9 s6-rc: info: service udevadm successfully started
@4000000065276d6028dcbf04 s6-rc: info: service modules: starting
@4000000065276d6028dcdb63 s6-rc: info: service cryptsetup: starting
@4000000065276d6028dd040a s6-rc: info: service lvmpolld-srv: starting
@4000000065276d6029123bba s6-rc: info: service lvmpolld-srv successfully started
@4000000065276d6029c56589 s6-rc: info: service modules successfully started
@4000000065276d602ac945ff Enter passphrase for /dev/volgroup/lvcrypthome: Error reading passphrase from terminal.
@4000000065276d603318ffea Enter passphrase for /dev/nvme0n1p2: Error reading passphrase from terminal.
@4000000065276d6038974ca5 s6-rc: info: service cryptsetup successfully started
@4000000065276d60389df57b s6-rc: info: service mount-filesystems: starting
@4000000065276d6039162ed8 mount: /home: can't find UUID=98fbd180-3cba-47bc-a318-45617e99585d.
@4000000065276d6039209aba mount: /boot: can't find UUID=a0beb33d-51c8-43c7-8f3a-fdda4718db18.
@4000000065276d603a795f90 mount: /boot/efi: mount point does not exist.
@4000000065276d603a79864d        dmesg(1) may have more information after failed mount system call.
@4000000065276d603a8bae4b s6-rc: info: service mount-filesystems successfully started
@4000000065276d603a8bcc4d s6-rc: info: service remount-root: starting
@4000000065276d603af88fc9 s6-rc: info: service remount-root successfully started
@4000000065276d603affbcab s6-rc: info: service tmpfiles-setup: starting
@4000000065276d603affe0ae s6-rc: info: service sysusers: starting
@4000000065276d603b0007b1 s6-rc: info: service swap: starting
@4000000065276d603b3011c2 s6-rc: info: service random-seed: starting
@4000000065276d603b302e22 s6-rc: info: service locale: starting
@4000000065276d603b3de24b s6-rc: info: service console-setup: starting
@4000000065276d603b3e041f s6-rc: info: service cleanup: starting
@4000000065276d603b7369eb s6-rc: info: service swap successfully started
@4000000065276d610076dfaf s6-rc: info: service tmpfiles-setup successfully started
@4000000065276d61008bcee9 s6-rc: info: service cleanup successfully started
@4000000065276d6100a66c41 s6-rc: info: service random-seed successfully started
@4000000065276d6100adf487 s6-rc: info: service locale successfully started
@4000000065276d6100b3aad5 s6-rc: info: service sysusers successfully started
@4000000065276d6100f3d389 s6-rc: info: service console-setup successfully started


I had also tried mounting them via /etc/s6/rc.local, although it didn't work (same error), so I just commented them out:

/etc/s6/rc.local:
Code:
#!/bin/sh
#
# Enter custom commands here. By default, they will be executed on startup in parallel
# with the other services. If you need these commands to wait on certain services before
# being up, you can add empty files named after the wanted services in the
# /etc/s6/adminsv/rc-local/dependencies.d directory and then recompile the database.
#
#cryptsetup open /dev/nvme0n1p2 cryptboot
#
#cryptsetup open /dev/volgroup/lvcrypthome openedhome
#
#mount /dev/mapper/openedhome /mnt/home
#
#mount /dev/mapper/cryptboot /boot
#
#mount /dev/nvme0n1p1 /boot/efi
#


Here's the configuration of the files that I think are relevant:

/etc/mkinitcpio.conf:
Code:
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(usbhid xhci_hcd)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No RAID, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect modconf block filesystems fsck)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev modconf block filesystems fsck)
#
##   This setup assembles a mdadm array with an encrypted root file system.
##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
#    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
##   This setup loads an lvm2 volume group.
#    HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr and fsck hooks.
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block lvm2 encrypt filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
COMPRESSION="cat"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

# MODULES_DECOMPRESS
# Decompress kernel modules during initramfs creation.
# Enable to speedup boot process, disable to save RAM
# during early userspace. Switch (yes/no).
#MODULES_DECOMPRESS="yes"


/etc/default/grub:
Code:
# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Artix"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=9955a55c-f7ee-418b-b262-4afbaf5b8695:openedroot root=/dev/mapper/openedroot"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false


/etc/crypttab: (see note 2)
Code:
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

openedhome /dev/volgroup/lvcrypthome none luks,timeout=180,tries=10,password-echo=no
#openedhome UUID=91a439fb-8e30-44c6-a7d7-6c56c0e2ca2a none luks

#cryptboot /dev/nvme0n1p2
cryptboot UUID=4a5629bd-f3e6-461d-8adc-b068411a6eac none luks,timeout=180,tries=10,password-echo=no


/etc/fstab:
Code:
# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/openedroot
UUID=6e7ee192-bc59-4497-81d5-e1d53a7cb8c9 /         ext4      rw,relatime 0 1

# /dev/mapper/openedhome
UUID=98fbd180-3cba-47bc-a318-45617e99585d /home     ext4      rw,relatime 0 2

# /dev/mapper/cryptboot
UUID=a0beb33d-51c8-43c7-8f3a-fdda4718db18 /boot     ext4      rw,relatime 0 2

# /dev/nvme0n1p1
UUID=002D-C4AC /boot/efi vfat rw,relatime 0 0

References used:
For installation (see note 1): https://www.unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-artix-linux-for-bios-and-uefi.html
LUKS on LVM: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LUKS_on_LVM


Notes:
1.) The official guide on the wiki (https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption) for full disk encryption does not work for me, on both the BIOS and UEFI configurations (grub will not install).

2.) I have tried with both UUID and /dev/device formats, and with the <password> and <options> sections both filled and blanked out.

3.) Although I don't think this is relevant, as everything boots fine and it had decrypted both /boot (upon booting) and /root (upon the init stage), here are the encryption options I've used:

Code:
(encryption option for /boot only) 
cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash=whirlpool --iter-time 20000 --use-random --verify-passphrase luksFormat /dev/<device name>

(encryption for non /boot directories)
doas cryptsetup --type=luks2 --pbkdf=argon2id --cipher serpent-xts-plain64 --pbkdf-memory=4194302 --pbkdf-parallel=4 --pbkdf-force-iterations=20 --hash=whirlpool luksFormat /dev/<device name>


4.) I had set this up with btrfs and the linux-zen kernel before, but since I had the same problem I figured I should just use ext4 and the linux kernel to keep things simple. The problem persisted, so I figured the kernel variant and the filesystem chosen weren't the issue.

5.) Feel free to ask if there is more data that needs to be mentioned to solve the issue.



Edit 1 Saturday, 14 October, 2023 02:03:00 UTC:

1.) If crypttab is used with a keyfile it works like a charm; everything boots up as intended. The downside to this configuration is that the keyfile will be stored on the device (possible security issue), although it may be mitigated if stored on an external storage device. It would seem that the interactive mode (manually typing the passphrase) is the problem. This is just my guess, but it may be that s6-rc does not yet have an interactive mode function or that it doesn't play well with cryptsetup/crypttab.

2.) ISO used for this current installation is: artix-xfce-s6-20231002-x86_64.iso

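As an added example that is not part of the original post or of the Artix service scripts: a small POSIX sh audit of crypttab entries that separates interactive-passphrase entries (the ones that need a terminal and so produce the "Error reading passphrase from terminal" lines in the log above) from keyfile entries, and flags keyfiles that are group- or world-readable. The sample crypttab, the key path and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/crypttab entries by
# how cryptsetup will obtain their key. An entry whose <password> column is
# "none" or omitted makes cryptsetup prompt on the terminal; when it is run
# from a service without a controlling tty that prompt fails with
# "Error reading passphrase from terminal" and the mapping is skipped.
# Keyfile entries are checked for permissions that make an on-disk key risky.

# crypttab_audit FILE
# Prints one line per active entry: "<name> <class> <detail>", where class is
# interactive | random | keyfile | keyfile-missing | keyfile-insecure.
crypttab_audit() {
    # Drop comments and blank lines, then read the four crypttab columns.
    sed -e 's/#.*//' "$1" | while read -r name dev pass opts; do
        [ -z "$name" ] && continue
        [ -z "$pass" ] && pass=none
        case ",$opts," in *,nofail,*) nofail=yes ;; *) nofail=no ;; esac
        case $pass in
            none|-)
                printf '%s interactive dev=%s nofail=%s\n' "$name" "$dev" "$nofail" ;;
            /dev/urandom|/dev/random)
                printf '%s random dev=%s\n' "$name" "$dev" ;;
            *)
                if [ ! -f "$pass" ]; then
                    printf '%s keyfile-missing path=%s\n' "$name" "$pass"
                elif [ -n "$(find "$pass" \( -perm -040 -o -perm -004 \))" ]; then
                    # Group- or world-readable keyfile: any local user can
                    # read the key that unlocks the volume.
                    printf '%s keyfile-insecure path=%s\n' "$name" "$pass"
                else
                    printf '%s keyfile path=%s\n' "$name" "$pass"
                fi ;;
        esac
    done
}

# crypttab_needs_tty FILE -> exit 0 if any entry needs an interactive passphrase
crypttab_needs_tty() {
    crypttab_audit "$1" | grep -q ' interactive '
}

# --- Constructed sample input (mirrors the crypttab posted above) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CRYPTTAB=$SAMPLE_DIR/crypttab
SAMPLE_KEY=$SAMPLE_DIR/home.key
printf 'constructed-key\n' > "$SAMPLE_KEY"
chmod 644 "$SAMPLE_KEY"   # deliberately too open, to exercise the check
cat > "$SAMPLE_CRYPTTAB" <<EOF
# <name>    <device>                                     <password>    <options>
openedhome  /dev/volgroup/lvcrypthome                    none          luks,timeout=180,tries=10,password-echo=no
cryptboot   UUID=4a5629bd-f3e6-461d-8adc-b068411a6eac    none          luks,timeout=180,tries=10,password-echo=no
data1       /dev/sda3                                    $SAMPLE_KEY   luks,nofail
swap        /dev/sdx4                                    /dev/urandom  swap
EOF

crypttab_audit "$SAMPLE_CRYPTTAB"
if crypttab_needs_tty "$SAMPLE_CRYPTTAB"; then
    echo "warning: interactive entries present; cryptsetup must be able to prompt on a tty"
fi
```

Run it against the real file with `crypttab_audit /etc/crypttab` after sourcing the script; any "interactive" line is an entry that cannot be unlocked by a service that has no terminal.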

Re: crypttab error: LUKS on LVM install (need help/guidance/assistance)

Reply #2
Thanks for the response :D

This is a very good alternative/solution, but it is more of a band-aid type of fix than a long-term/permanent solution.
I don't trust much of the AUR grub for stability reasons ('cause if something gets broken I don't think I have enough skill to DIY fix it on the spot, so I'm relying more on Artix's official repos). I need both home and root to be separate in case an update botches up my root partition and it can't be saved via snapshots (btrfs). Is there a way to make crypttab work or make s6-rc work with crypttab? Not sure if this is an s6-rc issue or a crypttab-not-working-well-with-s6-rc type of issue.


Re: crypttab error: LUKS on LVM install (need help/guidance/assistance)

Reply #3
I may have figured out why it doesn't work, silly me.  :-[

Check the site (and the comparison table) for full context.
https://skarnet.com/projects/service-manager.html#comparison

bottom right:
Quote
Interfaces with external events?
OpenRC: No, which is a main reason why Alpine aims to replace it.
systemd: systemd supports dynamic events internally, and provides its own network manager, but does not interface with other software.
s6-rc: No. The 0.5.2.1 version of s6-rc uses a static service database and does not accommodate external events.

Note that the version indicated on the table may be older than the current one (0.5.4.1); it may not have been implemented yet, although it is stated that he does plan on implementing it.

If I am understanding this correctly, then this may be why.