Bug #1416
cryptkey=rootfs:/etc/pass issue | keyfile is not added to initramfs somehow
Description
Hello,
I followed this tutorial : https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot)
to install Parabola on my Thinkpad x200 with full disk encryption. I'm having an issue with the keyfile.
If booting linux-libre or linux-libre-lts with keyfile (to avoid typing password twice) :
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root:allow-discards cryptkey=rootfs:/etc/pass rw
-> The following error appears :
:: running hook [encrypt]
Waiting 10 seconds for device /dev/matrix/rootvol ...
ERROR: device '/dev/matrix/rootvol' not found. Skipping fsck.
:: mounting '/dev/matrix/rootvol' on real root
mount: you must specify the filesystem type
You are now being dropped into an emergency shell.
sh: can't access tty; job control turned off
[rootfs ]#
pass (the keyfile) is not present under /etc/
If booting without keyfile :
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root:allow-discards rw
I have to input my password twice but it boots fine.
I followed every step :
pass added to luks
FILES="/etc/pass" in /etc/mkinitcpio.conf
initramfs creation with mkinitcpio -p linux-libre
Worth mentioning that I had a working Parabola system a couple of months ago with the exact same setup and configuration.
Here is the full "boot" command in grub.cfg (inside CBFS in Libreboot rom) which worked fine the past months :
cryptomount -a
set root="lvm/matrix-rootvol"
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root:allow-discards cryptkey=rootfs:/etc/pass rw
initrd /boot/initramfs-linux-libre.img
boot
Related issues
History
Updated by isacdaavid over 5 years ago
mkinitcpio-busybox 1.26 broke the encrypt hook somehow.
people have had success reverting to 1.25.1-2, or renaming the keyfile to /crypto_keyfile.bin
while removing the cryptkey parameter altogether:
https://lists.parabola.nu/pipermail/assist/2017-July/000865.html
try one of those and tell us how it goes
Updated by fablamar78 over 5 years ago
isacdaavid wrote:
mkinitcpio-busybox 1.26 broke the encrypt hook somehow.
people have had success reverting to 1.25.1-2, or renaming the keyfile to /crypto_keyfile.bin
while removing the cryptkey parameter altogether:
https://lists.parabola.nu/pipermail/assist/2017-July/000865.html
try one of those and tell us how it goes
You remind me I should read the mailing list more often :)
I'll let you know how it goes. Thanks !
Updated by isacdaavid over 5 years ago
fablamar78 wrote:
You remind me I should read the mailing list more often :)
maybe it's too late to suggest the following because it's been weeks since the mkinitcpio-busybox update; however this should have made it to the news section on the main website. i resisted because i don't feel like i have a full grasp of what's going on.
Updated by fablamar78 over 5 years ago
Alright, problem solved ! (Using /crypto_keyfile.bin)
Thanks for the tip isacdaavid ! Hope it will help other people.
Updated by isacdaavid over 5 years ago
- % Done changed from 0 to 100
- Assignee set to isacdaavid
- Status changed from open to fixed
Updated by isacdaavid over 5 years ago
- Related to Bug #1419: [cryptsetup] race condition => doesn't find key, waits for rootfs, and timeouts added
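A diagnostic for the symptom reported above, added here as an example and not taken from the ticket or from Parabola's tooling: it works out which keyfile path the encrypt hook will look for from the kernel command line, then checks whether that path is in a listing of the initramfs contents. The function names are hypothetical; the fallback to /crypto_keyfile.bin when cryptkey= is absent is assumed from the workaround in the thread, and the device:fstype:path form of cryptkey= is the encrypt hook's syntax for a key stored outside the image.

```shell
#!/bin/sh
# Added example (not from the ticket). Function names are hypothetical.

# keyfile_from_cmdline CMDLINE
# Prints the in-initramfs path the encrypt hook would read the key from.
# Returns 1 when cryptkey= names an external device (device:fstype:path),
# because then the key is not expected inside the image at all.
keyfile_from_cmdline() {
    local arg spec
    spec=""
    for arg in $1; do                      # split the command line on whitespace
        case $arg in
            cryptkey=*) spec=${arg#cryptkey=} ;;
        esac
    done
    case $spec in
        "")       printf '%s\n' /crypto_keyfile.bin ;;  # assumed hook default
        rootfs:*) printf '%s\n' "${spec#rootfs:}" ;;    # e.g. rootfs:/etc/pass
        *)        return 1 ;;
    esac
}

# keyfile_in_listing PATH   (listing on stdin, one path per line)
# Leading "./" or "/" on listing entries is ignored before comparing.
keyfile_in_listing() {
    local want line
    want=${1#/}
    while IFS= read -r line; do
        line=${line#./}
        line=${line#/}
        if [ "$line" = "$want" ]; then return 0; fi
    done
    return 1
}

# check_keyfile CMDLINE LISTING  ->  present:PATH | missing:PATH | external
check_keyfile() {
    local path
    if ! path=$(keyfile_from_cmdline "$1"); then
        echo "external"
        return 0
    fi
    if printf '%s\n' "$2" | keyfile_in_listing "$path"; then
        echo "present:$path"
    else
        echo "missing:$path"
    fi
}

# On the affected system (image path as used in the ticket's grub.cfg):
#   check_keyfile "$(cat /proc/cmdline)" "$(lsinitcpio /boot/initramfs-linux-libre.img)"
```

A result of present:/etc/pass on a system that still fails to unlock means the file made it into the image and the fault lies in the hook at boot, not in the FILES= setting or the mkinitcpio run.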