Project

General

Profile

Bug #1419

[cryptsetup] race condition => doesn't find key, waits for rootfs, and timeouts

GNUtoo - almost 7 years ago - . Updated over 6 years ago.

Status:
fixed
Priority:
bug
Assignee:
-
% Done:

0%

Description

Before pacman -Syu everything was working.
After, at each boot, the initramfs drops me to a shell because it doesn't find the rootfs

Here's are my settings:

$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-linux-libre-nand root=/dev/mapper/internal-rootfs cryptdevice=/dev/disk/by-uuid/12345678-1234-1234-abcd-012345abcdef:internal-cleartext rw systemd.show_status=false loglevel=8 console=tty0 cryptkey=rootfs:/etc/keys/internal.key nopat
$ file /etc/crypttab
/etc/crypttab: empty
$ cat /etc/mkinitcpio.conf
MODULES="i915" 
BINARIES="ext4magic extundelete" 
FILES="/etc/keys/internal.key" 
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck" 
COMPRESSION="gzip"

Workaround:
Add "set -x" inside /usr/lib/initcpio/hooks/encrypt, on the line following "#!/usr/bin/ash"

Related issues

Related to Packages - Bug #1416: cryptkey=rootfs:/etc/pass issue | keyfile is not added to initramfs somehowfixed2017-07-14

Actions

History

#1

Updated by fablamar78 almost 7 years ago

You can read this : https://labs.parabola.nu/issues/1416

Other workaround :

"mkinitcpio-busybox 1.26 broke the encrypt hook somehow.
people have had success reverting to 1.25.1-2, or renaming the keyfile to /crypto_keyfile.bin while removing the cryptkey parameter alltogether:
https://lists.parabola.nu/pipermail/assist/2017-July/000865.html"

How I solved the issue on my setup :

1. Show keys
cryptsetup luksDump /dev/sda1

2. Remove old key in luks (in my case, the key was in Key Slot 1, make sure it is..)

cryptsetup luksKillSlot /dev/sda1 1

3. Remove old key in FS :

rm /etc/yourkey (mine was /etc/pass)

4. Create a new keyfile as /crypto_keyfile.bin

dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin iflag=fullblock

5. Add it to luks :

cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

chmod 000 /crypto_keyfile.bin

6. Edit "FILES=" in mkinitcpio.conf so it reflects the location of the new key :

FILES="/crypto_keyfile.bin"

7. Create initramfs again

mkinitpcio -p linux-libre #Or other kernel..

8. Remove "cryptkey=rootfs:/path/to/key" arg from your linux cmd (not needed anymore as now using /crypto_keyfile.bin which is default path)

Reboot

#2

Updated by Anonymous over 6 years ago

what should I do if I have no key in slot 1 but only in slot 0.

It keeps dropping me to a shell for the same reason...

#3

Updated by isacdaavid over 6 years ago

  • Related to Bug #1416: cryptkey=rootfs:/etc/pass issue | keyfile is not added to initramfs somehow added
#4

Updated by GNUtoo over 6 years ago

Now it seems to work again with:
  • cryptsetup 1.7.5-1
  • mkinitcpio 23-2
  • mkinitcpio-busybox 1.27.2-1

I don't know what fixed it.

Denis.

#5

Updated by isacdaavid over 6 years ago

  • Status changed from open to fixed

overcome by circumstances that we never quite figured out S:

Also available in: Atom PDF