
Re: Fwd: Debian Stretch, no password prompt for luks-encrypted home partition during boot



On Tue 28 May 2019 at 14:13:42 (+0300), Sergey Belyashov wrote:
> As expected nothing is changed. I did not forget to run update-initramfs
> after change of fstab.
> Attached 3 photos: normal boot, recovery boot before password enter,
> recovery boot after password and Ctrl-D in recovery shell.

[I don't see any photos attached. (The entire email is only 4.3kB)]

But I have struggled to find out what program is expected to issue
the prompt and collect the passphrase under various circumstances
(e.g. unlocking at boot, or unlocking later).

> Tue, 28 May 2019, 9:38 deloptes <deloptes@gmail.com>:
> > Sergey Belyashov wrote:
> >
> > > Root partition is on mdraid but is not encrypted. Home is encrypted only.
> > > Modules are set to most already.
> >
> > I have this setup on my server, but I removed all crypted entries from fstab
> > because obviously I can not sit in front of the server to type the password
> > when booting. So I can not help in this case much. I put all of this in a
> > script that I execute after I ssh to the server.

Most of my machines are set up rather like this. I have a pseudo-user
called unlock whose /var/local/home/unlock/.bash_profile runs
  sudo udisksctl unlock --block-device /dev/disk/by-id/…
  mount /home
and then logs out.

However, this is unsuitable for this laptop, as explained below.

> > On the clients I have root encrypted. I had issues in the beginning after
> > transferring the system from dbootstrap to the disk. In that case the UUIDs
> > were not correct. I always did set the init=/bin/sh on the command line in
> > grub to get the shell and debugged. Sometimes it is useful to add
> > a "rootdelay" to wait for the root device to get available, but in your
> > setup it looks like it is not exactly what you would need.

I haven't had that problem, but that might be just because I don't
encrypt root, only /home.

> > When the system boots it would read whatever you have in your initrd. It
> > would load the drivers and perform the boot process. Then it will pass
> > control to init and run the rest from the root system. IMO mounting home
> > comes in this second stage, but I am not 100% sure. What do you see when
> > you enable debug or verbose - what does it say when booting.

On my servers (unlocking later), I get the prompt "Passphrase: ".
When I type the passphrase, there is no reflection at all. And this
would be a big problem for me, were I to do this on this laptop.

So on this laptop, I use /etc/crypttab and /etc/fstab to mount /home
at boot. The passphrase entry obviously gets called in a different
manner as the prompt is more detailed (presumably because one might be
unlocking several different partitions at the same time but in an
unknown order):
  Please enter passphrase for disk Linux-Home (swanhome) on /home!
where "swanhome" is the crypttab target and "Linux-Home" is the GPT
Partition name. When I type the passphrase, an asterisk is reflected
for each character.

I've tried to figure out what programs are actually requesting the
passphrase and whether they have any arguments/options/environment
variables that can affect them. Things like, what's the prompt,
where is it printed, and what's reflected (if anything) when the
passphrase characters are being typed.

With unlocking later, the processes I see running are:

root    1026   808   ?      sshd: unlock [priv]
unlock  1028     1   ?      /lib/systemd/systemd --user
unlock  1029  1028   ?      (sd-pam)
unlock  1035  1026   ?      sshd: unlock@pts/0
unlock  1036  1035   pts/0  -bash
root    1043  1036   pts/0  sudo udisksctl unlock --block-device /dev/disk/by-id/…
root    1044  1043   pts/0  udisksctl unlock --block-device /dev/disk/by-id/…

root    1047     1   ?      /usr/lib/udisks2/udisksd --no-debug
root    1051     1   ?      /usr/lib/policykit-1/polkitd --no-debug
root    1065     1   ?      /lib/systemd/systemd --user
root    1066  1065   ?      (sd-pam)
root    1069   538   tty1   -bash
root    1575  1069   tty1   ps -ef

Once the passphrase has been entered, the processes before the empty
line all disappear.

It might be helpful for the OP to ascertain the answers for working on
their problem.

> > Also you have the fs type in fstab set to auto for your home - what happens
> > if you set the exact fs type like ext4 or xfs?
> >
> > Do a change at a time and test after this.

My problem: because of the keyboard's phantom typing, reported¹ at
https://lists.debian.org/debian-user/2018/03/msg01030.html
I have to know when spurious characters are being typed, by seeing
the asterisks. Therefore I unlock at boot. But to prevent locking
myself out with a bad passphrase, I've added nofail to /home's
fstab entry. I can then unlock /home in the same way as I use with
my servers. All this works, apart from some odd messages that I
don't fully understand, and may report sometime.

¹ I need to rereport this, with new information, but that too is
for another time.

Cheers,
David.

