Old 01-28-2023, 03:59 AM   #1
stoorky
Member
 
Registered: Sep 2015
Posts: 63

Rep: Reputation: Disabled
Is it possible to access a partition's content in GRUB_CMD_LINE


TL;DR

I have Debian 11 with 2 LUKS encrypted partitions (root and swap), and an unencrypted boot partition. Swap is encrypted with a key file, located on the root partition, because I want to type the decryption passphrase only once.

My /etc/crypttab is empty. In grub.cfg, I have:

Code:
GRUB_CMDLINE_LINUX="resume=/dev/nvme0n1p6_crypt cryptopts=source=/dev/disk/by-partlabel/DEBIAN,target=nvme0n1p7_crypt cryptopts=source=/dev/disk/by-partlabel/SWAP,target=nvme0n1p6_crypt,key=/root/.keys/swap.key"
But GRUB can't access the key file:

Code:
Please unlock disk nvme0n1p7_crypt: (passphrase)
cryptsetup: nvme0n1p7_crypt: set up successfully
cryptsetup: ERROR: Skipping target nvme0n1p6_crypt: non-existing key file /root/.keys/swap.key
(...)
Given that the root partition has been successfully decrypted, I suppose there is a way to retrieve the key file from it and decrypt the swap partition. Can it be done? How? Is there a syntax like

Code:
... cryptopts=source=/dev/disk/by-partlabel/SWAP,target=nvme0n1p6_crypt,key=/path/to/keyfile/on/decrypted/nvme0n1p7"
PLEASE NOTE: this question is GRUB-specific. I am NOT looking for other solutions to achieve my goals; I already successfully tested a few of them (read THE FULL STORY below for more details). I'd specifically like to know if what I try to do in GRUB can be done or not.


THE FULL STORY:

With a key file encrypted swap, resuming from hibernation doesn't work. From what I understand, it's because systemd opens the swap partition too late, after the kernel has already given up looking for hibernation data in swap. In fact, # update-initramfs -u even triggers a warning when encrypting swap with a keyfile:

Code:
# update-initramfs -u
(...)
WARNING: Resume target nvme0n1p6_crypt uses a key file
There are several ways to solve this problem. I successfully tested 2 of them: ditching the keyfile and using Debian's decrypt_keyctl script to cache the passphrase, or baking the keyfile into initramfs and encrypting the boot partition to ensure its security. Both work fine, so I am not looking for a solution to solve this hibernation problem, which I already solved.

I am specifically trying to know if that third solution I tried could work or not, and if yes, how. That third solution consists of decrypting the partitions through GRUB's GRUB_CMDLINE_LINUX options.

Last edited by stoorky; 01-28-2023 at 04:05 AM.
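
Added example, not part of the original post: a small shell check that parses the `cryptopts=` entries of a kernel command line and reports whether each `key=` path exists in a given directory tree. It assumes, as the "non-existing key file" error suggests, that the path is looked up in the initramfs environment before the real root is mounted; the function names and the empty sample tree are constructed for illustration.

```shell
#!/bin/sh
# check_cryptopts_keys CMDLINE TREE
# TREE stands in for the unpacked initramfs (assumption: key= paths are looked
# up there, before the real root filesystem is mounted).
# Prints one line per cryptopts= entry; returns 1 if any key file is missing.
check_cryptopts_keys() {
    cmdline=$1 tree=$2 missing=0
    for word in $cmdline; do
        case $word in
            cryptopts=*) opts=${word#cryptopts=} ;;
            *) continue ;;
        esac
        target='' key=''
        old_ifs=$IFS; IFS=,   # options are comma-separated name=value pairs
        for opt in $opts; do
            case $opt in
                target=*) target=${opt#target=} ;;
                key=*)    key=${opt#key=} ;;
            esac
        done
        IFS=$old_ifs
        if [ -z "$key" ] || [ "$key" = none ]; then
            echo "$target: no key file, passphrase prompt"
        elif [ -e "$tree$key" ]; then
            echo "$target: key file present at $key"
        else
            echo "$target: key file missing at $key"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: an empty temporary tree, as if the initramfs had been
# unpacked and contained no /root/.keys/swap.key. The command line is the one
# quoted in the post above.
demo() {
    tree=$(mktemp -d)
    cmdline='resume=/dev/nvme0n1p6_crypt cryptopts=source=/dev/disk/by-partlabel/DEBIAN,target=nvme0n1p7_crypt cryptopts=source=/dev/disk/by-partlabel/SWAP,target=nvme0n1p6_crypt,key=/root/.keys/swap.key'
    rc=0
    check_cryptopts_keys "$cmdline" "$tree" || rc=1
    rm -rf "$tree"
    return $rc
}
```

On Debian the tree to test against can be produced with `unmkinitramfs`, and the running system's command line read from `/proc/cmdline`.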
 
Old 01-28-2023, 05:10 AM   #2
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: Slackware, Ubuntu, PCLinux,
Posts: 10,534

Rep: Reputation: 2495
If the / partition is decrypted, you can access and read files from Grub with the cat command. To access the file in your case, you would go to the grub prompt (grub>) and enter: set root=(hd0,6) then hit the enter key and enter: cat /root/.keys/swap.key

Quote:
cryptsetup: ERROR: Skipping target nvme0n1p6_crypt: non-existing key file /root/.keys/swap.key
The error above which you report indicates the file swap.key does not exist. Does it exist at that location?

If you are looking for an entry to work in the grub.cfg file, I can't help with that.
 
Old 01-28-2023, 07:08 AM   #3
stoorky
Member
 
Registered: Sep 2015
Posts: 63

Original Poster
Rep: Reputation: Disabled
Thanks,

Quote:
Originally Posted by yancek
If you are looking for an entry to work in the grub.cfg file, I can't help with that.
Yes, that's what I am looking for. I'd like to know if it's even possible or not.
 
Old 02-04-2023, 12:41 AM   #4
stoorky
Member
 
Registered: Sep 2015
Posts: 63

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by yancek
To access the file in your case, you would go to the grub prompt (grub>) and enter: set root=(hd0,6) then hit the enter key and enter: cat /root/.keys/swap.key
No need to set (hd0,6) as root, just type cat /(hd0,6)/.keys/swap.key
 
  

