LinuxQuestions.org > Slackware > Can't unlock LUKS volume with a keyfile during boot (https://www.linuxquestions.org/questions/slackware-14/cant-unlock-luks-volume-with-a-keyfile-during-boot-4175451871/)

natharran 02-27-2013 03:53 AM

Can't unlock LUKS volume with a keyfile during boot
 
Guys, please, help.

I have a LUKS device with LVM on it. I unlock that with a passphrase every time I boot but since it's quite uncomfortable I decided to start using a keyfile. However, nothing I do works.

I created a keyfile with
Code:

dd if=/dev/urandom of=/boot/key.luks bs=4096 count=1
as Alien Bob suggested here and stored it on my /boot partition on /dev/sda2 with ext4 (not that it makes any sense; after testing, I'll move it to a USB stick or similar). Then I added this keyfile to a LUKS header by
Code:

cryptsetup -v --key-slot 1 luksAddKey /dev/sda3 /boot/key.luks
and got a confirmation.

Next I ran mkinitrd. I read its man page and assigned my /dev/sda2 a BOOT label with e2label. So now it is
Code:

mkinitrd -c -k 3.4.33 -m ext4 -f ext4 -r /dev/encrypted/root -h /dev/encrypted/swap -C /dev/sda3 -K LABEL=BOOT:/key.luks -L
The -K option is the only new parameter compared to what I used before.

But it simply doesn't work. During boot I'm still being asked for a password. I googled the web and searched this forum, but found nothing except that what I do should work.

What am I missing?

Alien Bob 02-27-2013 05:45 AM

Are you the same person as "yenn" in that other thread, or is it a coincidence that you're both Czech?

Looking at your explanation, I wonder if you configured /etc/lilo.conf for the use of your initrd.gz and also, it is not clear if you ever ran "lilo" after creating the initrd.

Eric

yenn 02-27-2013 11:30 AM

We are different people, it's just coincidence. Weird one indeed...

My guess is you saved the key on an ext4 partition and, according to this post (https://www.linuxquestions.org/quest...3/), ext (whatever version) can't be used for that. Mkinitrd can only use a VFAT partition.

Important line is:
Quote:

First of all: the use of a LUKS keyfile on a USB stick for booting a fully encrypted Slackware system only works if the USB key has a (V)FAT filesystem. If the USB stick has your LUKS keyfile on an ext partition then it will not work.
I'm not sure where this came from as it definitely isn't present in README.mkinitrd, but maybe we should include it in that readme and the manpage of mkinitrd (see https://www.linuxquestions.org/quest...3/) to avoid confusion.

And maybe I could write an article about this on SlackDocs ;)

natharran 02-27-2013 02:00 PM

We are, indeed, two people from CZ :).
Quote:

Originally Posted by Alien Bob (Post 4900715)
...Looking at your explanation, I wonder if you configured /etc/lilo.conf for the use of your initrd.gz and also, it is not clear if you ever ran "lilo" after creating the initrd.

Eric

I've been using this LVM / LUKS solution for some time now and I don't know of any other way to do this than by using an initram disk (but perhaps I'm just uninformed). So yes, I configured /etc/lilo.conf to load /boot/initrd.gz and ran lilo after every change ;).

Quote:

My guess is you saved the key on an ext4 partition and, according to this post (https://www.linuxquestions.org/quest...3/#post4505106), ext (whatever version) can't be used for that. Mkinitrd can only use a VFAT partition.
Yeah, my /boot is on an ext4 partition. Thanks, I didn't know I could only use VFAT. It also explains why it didn't work with my NTFS external hdd.

Thank you both, guys, and sorry for the lame question; I should have googled more, obviously. However, it would be nice if the mkinitrd man page contained this information. Right now the FAT filesystem is only mentioned as an example, not as a necessity.

My regards to USA and back to CZ :D.

-natharran
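The thread's outcome is that a keyfile passed with mkinitrd's -K option is only found when it lives on a (V)FAT partition, and the only symptom of getting that wrong is being dropped back to the passphrase prompt. As an added example (not code from the thread, and not part of Slackware's mkinitrd), the POSIX shell functions below check the three things that have to line up before rebuilding the initrd: the -K spec parses into a device and a path, the device the LABEL= resolves to carries a vfat filesystem, and the LUKS key slot the keyfile was added to is actually enabled. The function names are mine; the parsing assumes `blkid -o export` output (`TYPE=vfat` lines) and LUKS1-style `cryptsetup luksDump` output (`Key Slot 1: ENABLED`), which is what Slackware shipped at the time of the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper functions, not from the thread or mkinitrd).
# Pre-flight checks for a mkinitrd -K LABEL=BOOT:/key.luks setup.

# Split a -K spec "DEVSPEC:PATH" (DEVSPEC is LABEL=..., UUID=... or /dev/...)
# into "DEVSPEC PATH" on stdout; returns 1 if either half is missing.
parse_keyspec() {
    spec=$1
    case "$spec" in
        *:*) ;;
        *)   return 1 ;;
    esac
    dev=${spec%%:*}
    path=${spec#*:}
    [ -n "$dev" ] && [ -n "$path" ] || return 1
    printf '%s %s\n' "$dev" "$path"
}

# $1 is the text of `blkid -o export <device>`. Succeeds only when the
# filesystem type is (V)FAT, the one type the thread says the keyfile lookup
# in the initrd can read; ext4/NTFS here is the failure the original poster hit.
fs_is_vfat() {
    printf '%s\n' "$1" | grep -qiE '^TYPE=(vfat|msdos)$'
}

# $1 is a key slot number, $2 the text of `cryptsetup luksDump <device>`
# (LUKS1 layout assumed). Succeeds when that slot reads ENABLED, i.e. the
# luksAddKey step really landed in the slot the user expects.
slot_enabled() {
    printf '%s\n' "$2" | grep -q "^Key Slot $1: ENABLED"
}

# Run all checks against the live system (needs root for luksDump).
# Usage: preflight 'LABEL=BOOT:/key.luks' /dev/sda3 1
preflight() {
    spec=$1 luksdev=$2 slot=$3
    parsed=$(parse_keyspec "$spec") || { echo "malformed -K spec: $spec" >&2; return 1; }
    dev=${parsed%% *}
    case "$dev" in
        LABEL=*) node=$(blkid -L "${dev#LABEL=}") ;;
        UUID=*)  node=$(blkid -U "${dev#UUID=}") ;;
        *)       node=$dev ;;
    esac
    [ -n "$node" ] && [ -b "$node" ] || { echo "key device $dev not found" >&2; return 1; }
    fs_is_vfat "$(blkid -o export "$node")" \
        || { echo "$node is not (V)FAT; the initrd will fall back to the passphrase prompt" >&2; return 1; }
    slot_enabled "$slot" "$(cryptsetup luksDump "$luksdev")" \
        || { echo "key slot $slot is not enabled on $luksdev" >&2; return 1; }
    echo "ok: $spec on $node (vfat), key slot $slot enabled on $luksdev"
}
```

Run `preflight 'LABEL=BOOT:/key.luks' /dev/sda3 1` before the mkinitrd command from the first post; a non-zero exit names which of the three prerequisites is missing, which is more useful than discovering it at the next reboot.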

