[opensuse] Encrypted root with LUKS doesn't work anymore with opensuse-Leap-42.1. Help?
Hello,

I am using the scheme outlined below to install openSUSE with an encrypted root partition. A detailed description of how I do this is given below in this post.

This scheme worked great since about 2008 (don't remember which openSUSE release it was in 2008) up to openSUSE 13.1, with minor tweaks at every new openSUSE release.

Unfortunately, with openSUSE Leap 42.1 it doesn't work anymore. When booting the new encrypted root, it won't ask for the passphrase. It just hangs. It looks as if the contents of the initrd don't know how to ask for the passphrase.

Any ideas how to track down the problem?

Here is the procedure, how I do it:

Install the base system with a partitioning scheme like this:

  /dev/sda1   1g  ext2  /boot  (unencrypted)
  /dev/sda2  20g  ext4  /      (unencrypted)
  /dev/sda3  20g  swap  swap   (encrypted)
  /dev/sda4  20g  none         (encrypted root will go here later)

(device names are just examples here)

When the base system is installed, I do the following:

  # create new encrypted filesystem
  #
  cryptsetup -v --key-size 256 luksFormat /dev/sda4
  cryptsetup luksOpen /dev/sda4 cr_sda4
  mkfs.ext4 -O dir_index /dev/mapper/cr_sda4

  # mount old (unencrypted) and new (crypted) root filesystems
  #
  SRCMNT=/tmp/root-src-$$
  DSTMNT=/tmp/root-dst-$$
  mkdir -p $SRCMNT $DSTMNT
  mount -obind / $SRCMNT
  mount /dev/mapper/cr_sda4 $DSTMNT

  # copy contents from unencrypted root to encrypted root
  #
  rsync -ax $SRCMNT/ $DSTMNT
  sync
  cp /boot/initrd /boot/initrd.backup

  # Fix up /etc/fstab on new root (remove old root and add new root to fstab)
  #
  perl -ani.bak -e "s#^\S+#/dev/mapper/cr_sda4# if \$F[1] eq '/'; \
                    print unless \$F[0] eq '/dev/mapper/cr_sda4'" \
       $DSTMNT/etc/fstab

  # set grub2 defaults on new root (no splash, no resume, quiet boot)
  #
  perl -pi.bak -e "s#splash=\S+##; s#resume=\S+#noresume#; s#quiet##;" \
       $DSTMNT/etc/default/grub

  # make sure grub2-mkconfig can search for operating systems within encrypted root
  #
  mount -obind /dev  $DSTMNT/dev
  mount -obind /sys  $DSTMNT/sys
  mount -obind /proc $DSTMNT/proc
  mount -obind /boot $DSTMNT/boot

  # Create /boot/grub2/grub.cfg
  #
  cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup
  chroot $DSTMNT /usr/sbin/grub2-mkconfig --output=/boot/grub2/grub.cfg

  # add crypt modules to initrd
  #
  mkinitrd -d /dev/mapper/cr_sda4 -f "dm luks"

  # Clean up and reboot
  #
  sync
  umount $DSTMNT/proc
  umount $DSTMNT/boot
  umount $DSTMNT/dev
  umount $DSTMNT/sys/fs/fuse/connections   # FIXME: what the heck?
  umount $DSTMNT/sys
  umount $DSTMNT && rmdir $DSTMNT
  umount $SRCMNT && rmdir $SRCMNT
  cryptsetup luksClose cr_sda4
  sync
  reboot

--
Josef Wolf
jw@raven.inka.de
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, Oct 12, 2016 at 3:34 PM, Josef Wolf <jw@raven.inka.de> wrote:
> Hello,
>
> I am using the scheme outlined below to install openSUSE with an encrypted root partition.
> A detailed description of how I do this is given below in this post.
>
> This scheme worked great since about 2008 (don't remember which openSUSE release it was in 2008) up to openSUSE 13.1, with minor tweaks at every new openSUSE release.
>
> Unfortunately, with openSUSE Leap 42.1 it doesn't work anymore. When booting the new encrypted root, it won't ask for the passphrase. It just hangs.

Without any output at all? You do not even see the bootloader?

> It looks as if the contents of the initrd don't know how to ask for the passphrase.
>
> Any ideas how to track down the problem?

Start by describing in more detail what happens.

> Here is the procedure, how I do it:

I do not see anything related to /etc/crypttab modification (creation) for the new encrypted root.

> Install the base system with a partitioning scheme like this:
>
>   /dev/sda1   1g  ext2  /boot  (unencrypted)
>   /dev/sda2  20g  ext4  /      (unencrypted)
>   /dev/sda3  20g  swap  swap   (encrypted)
>   /dev/sda4  20g  none         (encrypted root will go here later)
>
> (device names are just examples here)
>
> When the base system is installed, I do the following:
>
>   # create new encrypted filesystem
>   #
>   cryptsetup -v --key-size 256 luksFormat /dev/sda4
>   cryptsetup luksOpen /dev/sda4 cr_sda4
>   mkfs.ext4 -O dir_index /dev/mapper/cr_sda4
>
>   # mount old (unencrypted) and new (crypted) root filesystems
>   #
>   SRCMNT=/tmp/root-src-$$
>   DSTMNT=/tmp/root-dst-$$
>   mkdir -p $SRCMNT $DSTMNT
>   mount -obind / $SRCMNT
>   mount /dev/mapper/cr_sda4 $DSTMNT
>
>   # copy contents from unencrypted root to encrypted root
>   #
>   rsync -ax $SRCMNT/ $DSTMNT
>   sync
>   cp /boot/initrd /boot/initrd.backup
>
>   # Fix up /etc/fstab on new root (remove old root and add new root to fstab)
>   #
>   perl -ani.bak -e "s#^\S+#/dev/mapper/cr_sda4# if \$F[1] eq '/'; \
>                     print unless \$F[0] eq '/dev/mapper/cr_sda4'" \
>        $DSTMNT/etc/fstab
>
>   # set grub2 defaults on new root (no splash, no resume, quiet boot)
>   #
>   perl -pi.bak -e "s#splash=\S+##; s#resume=\S+#noresume#; s#quiet##;" \
>        $DSTMNT/etc/default/grub
>
>   # make sure grub2-mkconfig can search for operating systems within encrypted root
>   #
>   mount -obind /dev  $DSTMNT/dev
>   mount -obind /sys  $DSTMNT/sys
>   mount -obind /proc $DSTMNT/proc
>   mount -obind /boot $DSTMNT/boot
>
>   # Create /boot/grub2/grub.cfg
>   #
>   cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup
>   chroot $DSTMNT /usr/sbin/grub2-mkconfig --output=/boot/grub2/grub.cfg
>
>   # add crypt modules to initrd
>   #
>   mkinitrd -d /dev/mapper/cr_sda4 -f "dm luks"
>
>   # Clean up and reboot
>   #
>   sync
>   umount $DSTMNT/proc
>   umount $DSTMNT/boot
>   umount $DSTMNT/dev
>   umount $DSTMNT/sys/fs/fuse/connections   # FIXME: what the heck?
>   umount $DSTMNT/sys
>   umount $DSTMNT && rmdir $DSTMNT
>   umount $SRCMNT && rmdir $SRCMNT
>   cryptsetup luksClose cr_sda4
>   sync
>   reboot
>
> --
> Josef Wolf
> jw@raven.inka.de
On Wed, Oct 12, 2016 at 03:48:24PM +0300, Andrei Borzenkov wrote:
> On Wed, Oct 12, 2016 at 3:34 PM, Josef Wolf <jw@raven.inka.de> wrote:
>> Unfortunately, with openSUSE Leap 42.1 it doesn't work anymore. When booting the new encrypted root, it won't ask for the passphrase. It just hangs.
>
> Without any output at all? You do not even see the bootloader?

There is output about found USB/SATA drives, but nothing related to the problem. The last message is from the kernel:

  [   17.090231] random: nonblocking pool is initialized

I just noticed: if I leave the system for a long time in this state, the following output appears:

  Warning: /dev/disk/by-uuid/XXXXXXX does not exist
  Warning: Boot has failed. To debug this issue add "rd.shell rd.debug" to the kernel command line
  [FAILED] Failed to start Dracut Emergency Shell.
  See "systemctl status Dracut-emergency.service" for details
  [  OK  ] Started dracut initqueue hook
  [  OK  ] Reached target Remote File System (Pre)
  [  OK  ] Reached target Remote File System

It then waits for the above mentioned disk to spin up. Unfortunately, I can't invoke "systemctl status", since I can't boot into this system.

> I do not see anything related to /etc/crypttab modification (creation) for the new encrypted root.

This was not needed in earlier releases, since by the time it comes to working through crypttab, the root partition is already decrypted. I also tried to add it, but this did not make any difference.

--
Josef Wolf
jw@raven.inka.de
I now booted with the "rd.shell rd.debug" options and am thrown into the dracut debug console. Within this, I can use "cryptsetup luksOpen" to unlock the encrypted root partition manually and mount it.

From this I conclude that the initrd contains everything that is needed to unlock/mount the encrypted root.

So the question is: who is in charge of calling cryptsetup from within dracut? I also added the partition to /etc/crypttab, but this did not make any difference.

--
Josef Wolf
jw@raven.inka.de
On 12.10.2016 19:38, Josef Wolf wrote:
> I now booted with the "rd.shell rd.debug" options and am thrown into the dracut debug console.
> Within this, I can use "cryptsetup luksOpen" to unlock the encrypted root partition manually and mount it.
>
> From this I conclude that the initrd contains everything that is needed to unlock/mount the encrypted root.
>
> So the question is: who is in charge of calling cryptsetup from within dracut?
> I also added the partition to /etc/crypttab, but this did not make any difference.

Did you recreate the initrd after that? /etc/crypttab is needed there as well.
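The following is an added example, not code from the thread or from any openSUSE tool: a preflight check to run against the new root tree ($DSTMNT in the procedure above) before the reboot, covering the two things the thread turns on. It verifies that the "/" entry in fstab is the /dev/mapper device and that /etc/crypttab on the same tree defines that mapper name; it writes the crypttab entry keyed by the LUKS header UUID (what `cryptsetup luksUUID /dev/sda4` prints) rather than by /dev/sdaN, so the entry survives device renumbering; and it prints the `rd.luks.uuid=` kernel parameter that dracut honours for unlocking a container before root is mounted. A second check inspects an `lsinitrd` listing for cryptsetup and crypttab, since a crypttab edited after the initrd was built is not in it until the initrd is regenerated. The function names, the mapper name, the UUID and the staging directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Every value below is constructed:
# the mapper name, the UUIDs and the temporary tree stand in for cr_sda4,
# `cryptsetup luksUUID /dev/sda4` and $DSTMNT.

# Line to append to $DSTMNT/etc/crypttab: <name> <source> <keyfile> <options>.
# UUID= refers to the LUKS header, not the filesystem inside it.
crypttab_line() {
    name=$1; luks_uuid=$2
    printf '%s UUID=%s none luks\n' "$name" "$luks_uuid"
}

# Kernel parameter telling dracut which LUKS container to unlock early.
rd_luks_param() {
    printf 'rd.luks.uuid=%s\n' "$1"
}

# Cross-check fstab and crypttab under a root tree ($1).
# Prints the LUKS source of the root device and returns 0 on success;
# prints the problem to stderr and returns 1 otherwise.
check_root_crypt_config() {
    tree=$1
    rootdev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$tree/etc/fstab")
    case "$rootdev" in
        /dev/mapper/*) name=${rootdev#/dev/mapper/} ;;
        *) echo "fstab root is '$rootdev', not a /dev/mapper device" >&2; return 1 ;;
    esac
    [ -f "$tree/etc/crypttab" ] || { echo "no crypttab in $tree/etc" >&2; return 1; }
    src=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print $2 }' "$tree/etc/crypttab")
    [ -n "$src" ] || { echo "crypttab has no entry for $name" >&2; return 1; }
    printf '%s\n' "$src"
}

# Check a saved `lsinitrd /boot/initrd` listing ($1, a file) for what the
# manual luksOpen in the thread relied on: cryptsetup and crypttab inside
# the initrd. Returns 1 if either is missing.
check_initrd_listing() {
    missing=0
    for want in usr/sbin/cryptsetup etc/crypttab; do
        grep -q "$want" "$1" || { echo "initrd lacks $want" >&2; missing=1; }
    done
    return $missing
}

# --- demo on constructed data ---------------------------------------
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/etc"
    name=cr_sda4                                       # constructed
    luks_uuid=12345678-abcd-4ef0-9876-0123456789ab     # constructed
    printf '%s / ext4 defaults 1 1\n' "/dev/mapper/$name" > "$tree/etc/fstab"
    printf 'UUID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 /boot ext2 defaults 1 2\n' >> "$tree/etc/fstab"

    # Without a crypttab entry the check must fail: this is the state the
    # original procedure rebooted into.
    if check_root_crypt_config "$tree" 2>/dev/null; then
        echo "unexpected: check passed without crypttab"; return 1
    fi
    crypttab_line "$name" "$luks_uuid" >> "$tree/etc/crypttab"
    src=$(check_root_crypt_config "$tree") || return 1
    echo "root device is backed by $src"
    echo "add to the kernel command line: $(rd_luks_param "$luks_uuid")"
    rm -rf "$tree"
}
demo
```

On the real system the two checks would be `check_root_crypt_config "$DSTMNT"` after editing crypttab, and `lsinitrd /boot/initrd > /tmp/initrd.lst; check_initrd_listing /tmp/initrd.lst` after regenerating the initrd, which on a dracut-based release is the step that actually carries the crypttab entry into early boot.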
On 2016-10-12 14:34, Josef Wolf wrote:
> Unfortunately, with openSUSE Leap 42.1 it doesn't work anymore. When booting the new encrypted root, it won't ask for the passphrase. It just hangs.

Try removing plymouth.

> When the base system is installed, I do the following:
>
>   # create new encrypted filesystem
>   #
>   cryptsetup -v --key-size 256 luksFormat /dev/sda4

If you use yast for this step, the initrd should get the information automatically. I think.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, Oct 12, 2016 at 02:49:18PM +0200, Carlos E. R. wrote:
> On 2016-10-12 14:34, Josef Wolf wrote:
>> Unfortunately, with openSUSE Leap 42.1 it doesn't work anymore. When booting the new encrypted root, it won't ask for the passphrase. It just hangs.
>
> Try removing plymouth.

This doesn't make a difference.

>> When the base system is installed, I do the following:
>>
>>   # create new encrypted filesystem
>>   #
>>   cryptsetup -v --key-size 256 luksFormat /dev/sda4
>
> If you use yast for this step, the initrd should get the information automatically. I think.

You mean from the installer? It won't let me create an encrypted root.

--
Josef Wolf
jw@raven.inka.de
On 2016-10-12 16:57, Josef Wolf wrote:
> On Wed, Oct 12, 2016 at 02:49:18PM +0200, Carlos E. R. wrote:
>> If you use yast for this step, the initrd should get the information automatically. I think.
>
> You mean from the installer? It won't let me create an encrypted root.

No, a data partition at that point, but encrypted. It makes yast add the components needed to the initrd, I think.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)