
Re: luks, crypttab: why 3 partition only 2 passphrases entered



Hi,

On Aug/04/2018, David Christensen wrote:
> On 08/02/2018 12:07 AM, Carles Pina i Estany wrote:
> > On Aug/01/2018, David Christensen wrote:
> > > On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > > > I have a Debian Stretch and recently I added a new cyphered partition.
> > > > All works well but I don't understand why and it's bothering me.
> > > > 
> > > > Setup:
> > > > $ cat /etc/crypttab
> > > > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > > > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > > > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > > > 
> > > > All three partitions have the same passphrase.
> > > > 
> > > > On restart I'm asked for two passwords:
> > > > m2_root_crypt
> > > > m2_swap_crypt
> ...
> > > > The question is:
> > > > "Please unlock disk m2_root_crypt:"
> > > > 
> > > > I expected to write the password three times.
> > > 
> > > My guess is that you made a mistake and stepped on your encrypted container
> > > (ssd_dades_crypt?) when you created the new file system.  Did you keep a
> > > copy of your console session?  Posting it would help.
> > 
> > Sadly I didn't keep a copy of my console session.
> 
> I got into the habit of cutting and pasting administrative console sessions
> into a log file (and putting the log file into a version control system).
> This technique has proven to be invaluable -- I recommend it to everyone.

I take note, thanks!

> > Commands and something extra:
> > root@pinux:~# grep crypt /etc/fstab
> > /dev/mapper/m2_root_crypt	/               ext4    errors=remount-ro 0       1
> > /dev/mapper/m2_swap_crypt	none            swap    sw              0       0
> > /dev/mapper/ssd_dades_crypt	/home/carles/dades	ext4	errors=remount-ro 0 1
> 
> Okay.
> 
> 
> > root@pinux:~# ls -l /dev/mapper/
> > total 0
> > crw------- 1 root root 10, 236 ago  1 23:34 control
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2
> 
> Okay.
> 
> 
> > root@pinux:~# mount | grep dades
> > /dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 (rw,relatime,errors=remount-ro,data=ordered)
> 
> Okay.
> 
> 
> Please run the following command to learn more about the device mapper
> nodes:
> 
> # dmsetup info /dev/dm-*

root@pinux:~# dmsetup info /dev/dm-*
Name:              m2_root_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      254, 0
Number of targets: 1
UUID: CRYPT-LUKS1-4e655198a11147b3985b4622af7a2b0f-m2_root_crypt

Name:              m2_swap_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        2
Event number:      0
Major, minor:      254, 1
Number of targets: 1
UUID: CRYPT-LUKS1-564856408a04403191d46f1620cc2c9e-m2_swap_crypt

Name:              ssd_dades_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      254, 2
Number of targets: 1
UUID: CRYPT-LUKS1-8d1d855d17a74cf2b29486172e407e35-ssd_dades_crypt

I can't see anything obviously wrong.

Since the last emails here I've kept investigating. Here is a quick overview in case someone is interested (and let me know if it's something else!).
After booting keyctl has this:

root@pinux:~# keyctl show
Session Keyring
 479651357 --alswrv      0 65534  keyring: _uid_ses.0
 712333474 --alswrv      0 65534   \_ keyring: _uid.0
 711077095 --alswrv      0     0       \_ user: cryptsetup
root@pinux:~# 

See the cryptsetup line. This is what would make systemd able to mount/umount without asking for the passphrase and I can just boot and do:
systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service

If the cryptsetup line is still there (it lasts, I think, 2.5 minutes), the second systemd command mounts the partition without me entering the password.

But the initial passwords are entered into the initrd's /lib/cryptsetup/askpass,
using plymouth as the password "asking" backend (not systemd related), and
actually if I boot with init=/bin/bash or break=init I have the two (root
and swap) partitions mounted but no "dades" partition mounted, nor anything
in keyctl show.

So it is still a mystery how this gets added there: by whom, etc.

Any clues (or "you missed this obvious thing") are very welcome!

Cheers,

-- 
Carles Pina i Estany
	Web: http://pinux.info || Blog: http://pintant.cat
	GPG Key 0x8CD5C157
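
The keyring cache discussed in the message above can be inspected directly. The script below is an added example, not part of this thread and not systemd's or cryptsetup's own code: it parses a "keyctl show" listing (like the one quoted above) and the kernel's /proc/keys listing to find the cached passphrase key and how long the kernel will keep it. The only assumption taken from the thread is that the cached key is of type "user" with description "cryptsetup"; the two sample listings embedded in the script are constructed, and the serials, permission masks and "2m" remaining in the /proc/keys sample are made up.

```shell
#!/bin/sh
# Added example (not from the thread, not systemd/cryptsetup code): find the
# passphrase key that systemd-cryptsetup caches in the kernel keyring and
# report how long it has left.  Assumption: the cached key has type "user"
# and description "cryptsetup", as in the keyctl show output quoted above.

# Print the serial of every "user: cryptsetup" key in a "keyctl show"
# listing read from stdin.  No output means nothing is cached right now.
cached_cryptsetup_key_ids() {
    awk '$NF == "cryptsetup" && $(NF - 1) == "user:" { print $1 }'
}

# Exit 0 if the "keyctl show" listing on stdin contains a cached cryptsetup key.
cryptsetup_cache_present() {
    [ -n "$(cached_cryptsetup_key_ids)" ]
}

# /proc/keys (root-readable) has one line per key:
#   serial flags usage timeout perms uid gid type description
# The timeout column is the time left before the kernel drops the key.
# Print "serial timeout" for every cryptsetup key in the listing on stdin.
cached_cryptsetup_keys_from_proc() {
    awk '$8 == "user" && $9 == "cryptsetup:" { print $1, $4 }'
}

# Turn the /proc/keys timeout column into seconds remaining.  The kernel
# prints "perm" for keys without expiry, "expd" once expired, and otherwise
# a number with a unit suffix (s, m, h, d or w).
timeout_to_seconds() {
    case "$1" in
        perm) echo permanent ;;
        expd) echo 0 ;;
        *s)   echo "${1%s}" ;;
        *m)   echo $(( ${1%m} * 60 )) ;;
        *h)   echo $(( ${1%h} * 3600 )) ;;
        *d)   echo $(( ${1%d} * 86400 )) ;;
        *w)   echo $(( ${1%w} * 604800 )) ;;
        *)    echo unknown ;;
    esac
}

# Constructed sample: the "keyctl show" listing quoted in the message.
SAMPLE_KEYCTL_SHOW='Session Keyring
 479651357 --alswrv      0 65534  keyring: _uid_ses.0
 712333474 --alswrv      0 65534   \_ keyring: _uid.0
 711077095 --alswrv      0     0       \_ user: cryptsetup'

# Constructed sample of /proc/keys shortly after a passphrase was cached;
# serials, permission masks and the "2m" remaining are made up.
SAMPLE_PROC_KEYS='2a6da6e7 I--Q---     1 perm 3f010000     0 65534 keyring   _uid_ses.0: 1
2a6da6e8 I--Q---     2 perm 3f010000     0 65534 keyring   _uid.0: 1
2a6da6e9 I--Q---     1   2m 3f010000     0     0 user      cryptsetup: 32'

# Report on a keyctl show listing and a /proc/keys listing passed as
# arguments (defaults: the live system, which needs root).  Run it right
# after "systemctl start systemd-cryptsetup@<name>.service" to watch the
# entry appear and then expire.
report() {
    keyctl_out=${1:-"$(keyctl show)"}
    proc_keys=${2:-"$(cat /proc/keys)"}
    if printf '%s\n' "$keyctl_out" | cryptsetup_cache_present; then
        echo "cached passphrase key(s): $(printf '%s\n' "$keyctl_out" | cached_cryptsetup_key_ids | tr '\n' ' ')"
        printf '%s\n' "$proc_keys" | cached_cryptsetup_keys_from_proc |
        while read -r serial timeout; do
            echo "  $serial: timeout $timeout -> $(timeout_to_seconds "$timeout") seconds"
        done
    else
        echo "no cached cryptsetup passphrase; systemd-cryptsetup will prompt"
    fi
}

report "$SAMPLE_KEYCTL_SHOW" "$SAMPLE_PROC_KEYS"
```

Calling "report" with no arguments reads the live keyring as root; with the samples it prints the serial of the cached key and its remaining lifetime, and with a listing that has no "user: cryptsetup" line it says that the next systemd-cryptsetup start will prompt.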

