* luks device keyfile passed but still ask for passphrase during boot
@ 2024-05-20 18:07 Thomas Bennett
2024-05-23 12:53 ` Felix Lechner via
2024-05-23 15:14 ` Tomas Volf
0 siblings, 2 replies; 3+ messages in thread
From: Thomas Bennett @ 2024-05-20 18:07 UTC (permalink / raw)
To: help-guix
Hello Guix comunity,
I would like to be able to mount external encrypted disk pasing
key-files located in the root partition. Thus it would prevent me to
open those external disks manually by entering passphrases during the
boot sequence. Keeping only the passphrase for the root partition is
fine for now.
I have the following in my config.scm file regarding mapping and
mounting one of the external disks, a backup one:
(mapped-devices (list (mapped-device
(source (uuid "$ROOT_PARTION_UUID"))
(target "$ROOT_PARTITION_MAPPED_NAME")
(type luks-device-mapping))
(mapped-device
(source (uuid "$BACKUP_PARTITION_UUID"))
(target "$BACKUP_PARTITION_MAPPED_NAME")
(type (luks-device-mapping-with-options
#:key-file
"$BACKUP_PARTITION_KEY_FILE_PATH")))))
(file-systems (cons* (file-system
(mount-point "$BOOT_PARTITION_MOUNTPOINT")
(device (uuid "$BOOT_PARTITION_UUID" 'fat32))
(type "vfat"))
(file-system
(mount-point "$ROOT_PARTITION_MOUNTPOINT")
(device "/dev/mapper/$ROOT_PARTITION_MAPPED_NAME")
(type "ext4")
(dependencies mapped-devices))
(file-system
(create-mount-point? #t)
(mount-point "$BACKUP_PARTITION_MOUNTPOINT")
(type "ext4")
(device "/dev/mapper/$BACKUP_PARTITION_MAPPED_NAME")
(dependencies mapped-devices))
%base-file-systems)))
And it doesn't work. The configuration loads, but when I boot the
system, it seems to be unable to find the key file because it stills
asks for my passphrase to unlock the backup partition.
May it be possible that the root partition is not yet mounted when the
system tries to map the backup partition? If so, It would explain why it
doesn't find the key file and asks for my passphrase.
Do you know how to further investigate and/or what's wrong with the
config and how to achieve the expected result?
Thank you,
Best,
Thomas
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: luks device keyfile passed but still ask for passphrase during boot
2024-05-20 18:07 luks device keyfile passed but still ask for passphrase during boot Thomas Bennett
@ 2024-05-23 12:53 ` Felix Lechner via
2024-05-23 15:14 ` Tomas Volf
1 sibling, 0 replies; 3+ messages in thread
From: Felix Lechner via @ 2024-05-23 12:53 UTC (permalink / raw)
To: Thomas Bennett, help-guix
Hi Thomas,
On Mon, May 20 2024, Thomas Bennett wrote:
> it stills asks for my passphrase to unlock the backup partition.
I don't use LUKS personally, but I have seen enough message traffic to
believe the Guix does not (or perhaps, did not) support some common key
types for LUKS2. A fix via GRUB may be in the works.
LUKS2 trouble is the most common question on this list and on IRC.
Kind regards
Felix
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: luks device keyfile passed but still ask for passphrase during boot
2024-05-20 18:07 luks device keyfile passed but still ask for passphrase during boot Thomas Bennett
2024-05-23 12:53 ` Felix Lechner via
@ 2024-05-23 15:14 ` Tomas Volf
1 sibling, 0 replies; 3+ messages in thread
From: Tomas Volf @ 2024-05-23 15:14 UTC (permalink / raw)
To: Thomas Bennett; +Cc: help-guix
[-- Attachment #1: Type: text/plain, Size: 3521 bytes --]
Hello,
On 2024-05-20 20:07:43 +0200, Thomas Bennett wrote:
> Hello Guix comunity,
>
> I would like to be able to mount external encrypted disk pasing key-files
> located in the root partition. Thus it would prevent me to open those
> external disks manually by entering passphrases during the boot sequence.
> Keeping only the passphrase for the root partition is fine for now.
>
> I have the following in my config.scm file regarding mapping and mounting
> one of the external disks, a backup one:
>
> (mapped-devices (list (mapped-device
> (source (uuid "$ROOT_PARTION_UUID"))
> (target "$ROOT_PARTITION_MAPPED_NAME")
> (type luks-device-mapping))
> (mapped-device
> (source (uuid "$BACKUP_PARTITION_UUID"))
> (target "$BACKUP_PARTITION_MAPPED_NAME")
> (type (luks-device-mapping-with-options
> #:key-file
> "$BACKUP_PARTITION_KEY_FILE_PATH")))))
>
>
> (file-systems (cons* (file-system
> (mount-point "$BOOT_PARTITION_MOUNTPOINT")
> (device (uuid "$BOOT_PARTITION_UUID" 'fat32))
> (type "vfat"))
> (file-system
> (mount-point "$ROOT_PARTITION_MOUNTPOINT")
> (device "/dev/mapper/$ROOT_PARTITION_MAPPED_NAME")
> (type "ext4")
> (dependencies mapped-devices))
> (file-system
> (create-mount-point? #t)
> (mount-point "$BACKUP_PARTITION_MOUNTPOINT")
> (type "ext4")
> (device "/dev/mapper/$BACKUP_PARTITION_MAPPED_NAME")
> (dependencies mapped-devices))
> %base-file-systems)))
>
> And it doesn't work. The configuration loads, but when I boot the system, it
> seems to be unable to find the key file because it stills asks for my
> passphrase to unlock the backup partition.
>
> May it be possible that the root partition is not yet mounted when the
> system tries to map the backup partition? If so, It would explain why it
> doesn't find the key file and asks for my passphrase.
I think this is the correct conclusion. If you look into
gnu/system/linux-initrd.scm at raw-initrd procedure, you will notice that
everything is unlocked before the root being mounted.
I did not test it in any way, but based just on browsing the source code, it
looks like it unlocks only devices required for boot. Maybe.
What you can therefore try is to split the dependencies, and instead of having
full `mapped-devices' in both, you can try to put just the respective
mapped-device as `dependencies' of $ROOT_PARTITION_MOUNTPOINT and
$BACKUP_PARTITION_MOUNTPOINT filesystems (you can probably just filter the list
by mapped-device-target). Let me know if it worked, I am curious.
As an alternative solution, you can just put the keyfile into the initrd,
although that requires switching to encrypted boot.
>
> Do you know how to further investigate and/or what's wrong with the config
> and how to achieve the expected result?
>
> Thank you,
> Best,
> Thomas
Have a nice day,
also Tomas :)
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-05-23 15:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-20 18:07 luks device keyfile passed but still ask for passphrase during boot Thomas Bennett
2024-05-23 12:53 ` Felix Lechner via
2024-05-23 15:14 ` Tomas Volf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).