From: Tomas Volf <~@wolfsden.cz>
To: Thomas Bennett
Cc: help-guix@gnu.org
Subject: Re: luks device keyfile passed but still ask for passphrase during boot
Date: Thu, 23 May 2024 17:14:41 +0200
List: help-guix@gnu.org

Hello,

On 2024-05-20 20:07:43 +0200, Thomas Bennett wrote:
> Hello Guix community,
>
> I would like to be able to mount external encrypted disks passing key files
> located in the root partition. Thus it would prevent me from opening those
> external disks manually by entering passphrases during the boot sequence.
> Keeping only the passphrase for the root partition is fine for now.
>
> I have the following in my config.scm file regarding mapping and mounting
> one of the external disks, a backup one:
>
>  (mapped-devices (list (mapped-device
>                         (source (uuid "$ROOT_PARTITION_UUID"))
>                         (target "$ROOT_PARTITION_MAPPED_NAME")
>                         (type luks-device-mapping))
>                        (mapped-device
>                         (source (uuid "$BACKUP_PARTITION_UUID"))
>                         (target "$BACKUP_PARTITION_MAPPED_NAME")
>                         (type (luks-device-mapping-with-options
>                                #:key-file "$BACKUP_PARTITION_KEY_FILE_PATH")))))
>
>  (file-systems (cons* (file-system
>                        (mount-point "$BOOT_PARTITION_MOUNTPOINT")
>                        (device (uuid "$BOOT_PARTITION_UUID" 'fat32))
>                        (type "vfat"))
>                       (file-system
>                        (mount-point "$ROOT_PARTITION_MOUNTPOINT")
>                        (device "/dev/mapper/$ROOT_PARTITION_MAPPED_NAME")
>                        (type "ext4")
>                        (dependencies mapped-devices))
>                       (file-system
>                        (create-mount-point? #t)
>                        (mount-point "$BACKUP_PARTITION_MOUNTPOINT")
>                        (type "ext4")
>                        (device "/dev/mapper/$BACKUP_PARTITION_MAPPED_NAME")
>                        (dependencies mapped-devices))
>                       %base-file-systems)))
>
> And it doesn't work. The configuration loads, but when I boot the system, it
> seems to be unable to find the key file because it still asks for my
> passphrase to unlock the backup partition.
>
> May it be possible that the root partition is not yet mounted when the
> system tries to map the backup partition? If so, it would explain why it
> doesn't find the key file and asks for my passphrase.

I think this is the correct conclusion. If you look into
gnu/system/linux-initrd.scm at the raw-initrd procedure, you will notice
that everything is unlocked before the root is mounted. I did not test it
in any way, but based just on browsing the source code, it looks like it
unlocks only devices required for boot. Maybe.

What you can therefore try is to split the dependencies, and instead of
having the full `mapped-devices' in both, you can try to put just the
respective mapped-device as `dependencies' of the $ROOT_PARTITION_MOUNTPOINT
and $BACKUP_PARTITION_MOUNTPOINT file systems (you can probably just filter
the list by mapped-device-target).

Let me know if it works; I am curious.

As an alternative solution, you can just put the keyfile into the initrd,
although that requires switching to encrypted boot.

>
> Do you know how to further investigate and/or what's wrong with the config
> and how to achieve the expected result?
>
> Thank you,
> Best,
> Thomas

Have a nice day,
also Tomas :)

-- 
There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.
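The dependency split suggested in the reply above, written out as an added example. This is not code from the thread or from Guix itself: it reuses the $... placeholders from the original config.scm, and the names my-mapped-devices, my-file-systems and mapped-devices-named are my own. It assumes, as the reply does, that the initrd opens only the mapped devices that boot-time file systems depend on, so that a backup device which no boot-time file system depends on is left to be opened later, once / (and with it the key file) is available.

```scheme
;; Added example, not code from the thread or from Guix.  The $... values
;; are the placeholders from the original post; `my-mapped-devices',
;; `my-file-systems' and `mapped-devices-named' are names I chose here.
(use-modules (gnu)
             (srfi srfi-1))

;; Root keeps its passphrase prompt in the initrd.
(define root-mapped
  (mapped-device
   (source (uuid "$ROOT_PARTITION_UUID"))
   (target "$ROOT_PARTITION_MAPPED_NAME")
   (type luks-device-mapping)))

;; The backup disk is opened with a key file that lives on the encrypted
;; root file system, so it can only be opened after / is mounted.
(define backup-mapped
  (mapped-device
   (source (uuid "$BACKUP_PARTITION_UUID"))
   (target "$BACKUP_PARTITION_MAPPED_NAME")
   (type (luks-device-mapping-with-options
          #:key-file "$BACKUP_PARTITION_KEY_FILE_PATH"))))

(define my-mapped-devices
  (list root-mapped backup-mapped))

;; The "filter the list by mapped-device-target" variant from the reply,
;; for configs where the mapped devices exist only as one list.
;; Returns the sub-list of MY-MAPPED-DEVICES whose target is NAME.
(define (mapped-devices-named name)
  (filter (lambda (md)
            (string=? (mapped-device-target md) name))
          my-mapped-devices))

;; Each encrypted file system now depends only on its own mapped device,
;; instead of on the whole `mapped-devices' list as in the original post.
(define my-file-systems
  (cons* (file-system
           (mount-point "$BOOT_PARTITION_MOUNTPOINT")
           (device (uuid "$BOOT_PARTITION_UUID" 'fat32))
           (type "vfat"))
         (file-system
           (mount-point "$ROOT_PARTITION_MOUNTPOINT")
           (device "/dev/mapper/$ROOT_PARTITION_MAPPED_NAME")
           (type "ext4")
           ;; was: (dependencies mapped-devices)
           (dependencies (list root-mapped)))
         (file-system
           (create-mount-point? #t)
           (mount-point "$BACKUP_PARTITION_MOUNTPOINT")
           (device "/dev/mapper/$BACKUP_PARTITION_MAPPED_NAME")
           (type "ext4")
           ;; equivalent to (dependencies (list backup-mapped))
           (dependencies
            (mapped-devices-named "$BACKUP_PARTITION_MAPPED_NAME")))
         %base-file-systems))

;; Then, inside the existing operating-system declaration:
;;   (mapped-devices my-mapped-devices)
;;   (file-systems my-file-systems)
```

Two practical checks go with this. The key file is only as protected as the LUKS root volume holding it, and anyone who can read it can open the backup disk, so keep it owned by root with mode 0400. If you instead take the alternative the reply mentions and place the key file in the initrd, the boot partition must itself be encrypted, because an initrd on a plain vfat /boot is readable by anyone with the disk.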