
Re: Encrypted /boot password has to be entered twice



On 2/27/2020 1:25 AM, Guilhem Moulin wrote:
> On Wed, 26 Feb 2020 at 19:59:33 +0100, john doe wrote:
>> I don't understand why I get this error, the file is there
>
> Did you triple-check that? :-)  `sudo cryptdisks_start sda1_crypt` will
> do the checking logic for you, but you can also run the cryptsetup(8)
> binary manually:
>
>     $ sudo cryptsetup luksOpen --key-file /etc/keys/boot.key --key-slot 1 \
>         --test-passphrase --verbose /dev/sda1 sda1_crypt
>

The keyfile was present but not "added".

> If that doesn't work, then no wonder systemd-cryptsetup@sda1_crypt
> fails :-)  Is the key file really used on key slot #1?  (If you're
> unsure, just remove ‘--key-slot 1’ from the above command, it'll tell
> you the index of the right keyslot, assuming it can open with that key
> file.)
>
> Otherwise, do you perhaps have /etc in a separate partition which is not
> mounted yet by the time systemd tries to unlock the device?  That said
> systemd should be clever enough to setup the correct .mount dependencies
> on that unit.
>

I'm pasting here the commands that got me going to only enter the boot
passphrase once, that is, you only get prompted one time for a password:


Debian Buster was installed with encrypted LVM in one partition.


Commands to encrypt the boot partition:

mount -oremount,ro /boot || exit $?
install -m0600 /dev/null /tmp/boot.tar || exit $?
tar -C /boot --acls --xattrs --one-file-system -cf /tmp/boot.tar . || exit $?
umount /boot || exit $?
dd if=/dev/urandom of=/dev/sda1 bs=1M status=none
cryptsetup luksFormat --type luks1 /dev/sda1 || exit $?
uuid="$(blkid -o value -s UUID /dev/sda1)" || exit $?
echo "sda1_crypt UUID=$uuid none luks" | tee -a /etc/crypttab || exit $?
cryptdisks_start sda1_crypt || exit $?
uuid=$(awk '/UUID/ && /\/boot/{print substr($1,6)}' /etc/fstab) || exit $?
mkfs.ext2 -m0 -U $uuid /dev/mapper/sda1_crypt || exit $?
mount -v /boot || exit $?
tar -C /boot --acls --xattrs -xf /tmp/boot.tar || exit $?
echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub || exit $?
update-grub || exit $?
grub-install /dev/sda || exit $?


Commands to use a keyfile for the root partition:

mkdir -m 0700 /etc/keys || exit $?
( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync ) || exit $?
cryptsetup luksAddKey /dev/sda5 /etc/keys/root.key || exit $?
sed -i '/sda5_crypt/s/none/\/etc\/keys\/root.key/' /etc/crypttab || exit $?
chmod 0644 /etc/crypttab || exit $?
echo "KEYFILE_PATTERN=\"/etc/keys/root.key\"" >>/etc/cryptsetup-initramfs/conf-hook || exit $?
echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf || exit $?
update-initramfs -u || exit $?


Commands to use a keyfile for the boot partition:

( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/boot.key conv=excl,fsync ) || exit $?
cryptsetup luksAddKey /dev/sda1 /etc/keys/boot.key --key-slot=1 || exit $?
sed -i '/sda1_crypt/s/none/\/etc\/keys\/boot.key/;/sda1_crypt/s/luks/key-slot=1/' /etc/crypttab || exit $?
chmod 0644 /etc/crypttab || exit $?


The above commands are taken from a script; '|| exit $?' will abort on
any command's failure, which might not be what you want if the commands
are entered manually.


The commands are taken from (1).

A big thank you to 'Guilhem Moulin <guilhem@debian.org>' for his help
and to the others who have contributed in this thread.


This e-mail is folded by my mailer.


1)  https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

--
John Doe
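As an added example (not part of the thread or the cryptsetup documentation), the check Guilhem suggested can be derived from /etc/crypttab itself: for every entry that unlocks with a key file, build the `cryptsetup luksOpen --test-passphrase` command, honouring the `key-slot=N` option, so a key file that was generated but never added to a slot is caught before the next reboot. The function names and the sample crypttab are mine; `UUID=` sources are mapped to /dev/disk/by-uuid since cryptsetup expects a device path.

```shell
#!/bin/sh
# Added example: generate key-file verification commands from a crypttab.
# Constructed sample mirroring the layout the thread ends up with.
SAMPLE_CRYPTTAB='# constructed sample, not a real system
sda1_crypt UUID=1111-2222 /etc/keys/boot.key key-slot=1
sda5_crypt UUID=3333-4444 /etc/keys/root.key luks
swap_crypt /dev/sda6 /dev/urandom swap'

# Print the check command for one crypttab line; print nothing for entries
# that prompt for a passphrase ("none"/empty) or use a random key (swap).
check_cmd_for_entry() {
    set -- $1                               # split the line into its fields
    target=$1 source=$2 keyfile=$3 options=$4
    case "$keyfile" in
        none|''|/dev/urandom|/dev/random) return 0 ;;
    esac
    case "$source" in                       # crypttab allows UUID=, cryptsetup wants a path
        UUID=*) source=/dev/disk/by-uuid/${source#UUID=} ;;
    esac
    slot_arg=''
    oldIFS=$IFS; IFS=,                      # options are comma-separated
    for opt in $options; do
        case "$opt" in key-slot=*) slot_arg=" --key-slot ${opt#key-slot=}" ;; esac
    done
    IFS=$oldIFS
    printf 'cryptsetup luksOpen --test-passphrase --key-file %s%s %s %s\n' \
        "$keyfile" "$slot_arg" "$source" "$target"
}

# Read crypttab text on stdin, skip blank/comment lines, emit one command
# per key-file entry. Review the output, then run it as root, e.g.:
#   check_cmds_for_crypttab < /etc/crypttab | sudo sh -x
check_cmds_for_crypttab() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        check_cmd_for_entry "$line"
    done
}

printf '%s\n' "$SAMPLE_CRYPTTAB" | check_cmds_for_crypttab
```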

