View previous topic :: View next topic |
Author |
Message |
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Sun Mar 10, 2024 3:45 pm Post subject: [RESOLVED] Luks + Grub: Invalid passphrase |
|
|
Hi Everyone,
I have installed (or trying) Gentoo on a tablet PC.
With concerns of the device ever being stolen, I want to ensure the thief only gets the hardware.
I have opt'd to use the Luks Rootfs Encryption tutorial.
https://wiki.gentoo.org/wiki/Rootfs_encryption
The issue:
Code: |
Enter passphrase for hd0,gpt3 (be7ace14-f459-47e3-98d4-c90f36d8ef7c):
error: Invalid passphrase.
error: disk "cryptouuid/be7ace14-f459-47e3-98d4-c90f36d8ef7c" not found.
Entering rescue mode...
grub rescue>
|
I am pretty confident that I am typing in the correct password.
Code: |
cryptsetup luksOpen /dev/sda3 root
|
Works with the password.
Here are my block devices:
Code: |
sda disk
├─sda1 part B64E-E473
├─sda2 part 5e8e0e47-fffc-4fba-9478-37b8fced2fde
└─sda3 part be7ace14-f459-47e3-98d4-c90f36d8ef7c
└─root crypt 39b60625-1949-49d1-b174-9b5b4f484fc6
|
Here is my grub config:
Code: |
# GRUB_CMDLINE_LINUX="root=UUID=39b60625-1949-49d1-b174-9b5b4f484fc6 rd.luks.uuid=be7ace14-f459-47e3-98d4-c90f36d8ef7c"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=be7ace14-f459-47e3-98d4-c90f36d8ef7c:root root=/dev/mapper/root"
GRUB_ENABLE_CRYPTODISK="yes"
GRUB_PRELOAD_MODULES="luks"
|
Here is my fstab:
Code: |
/dev/sda1 /efi vfat umask=0077 0 2
/dev/sda2 none swap sw 0 0
/dev/mapper/root / ext4 defaults 0 1
|
Any help would be appreciated.
Last edited by nulltheliteralnothing on Thu Mar 14, 2024 2:44 pm; edited 1 time in total |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54387 Location: 56N 3W
|
Posted: Sun Mar 10, 2024 4:12 pm Post subject: |
|
|
nulltheliteralnothing,
Random guess ... the keymap in the initrd is not the same as the keymap in the booted system.
That means if use a key in your pass phrase that is mapped differently in both keymaps, you will type the wrong thing unless you are aware of it.
It bites me. My initrd uses a USA keymap and my booted system is UK. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Sun Mar 10, 2024 4:57 pm Post subject: |
|
|
NeddySeagoon wrote: | nulltheliteralnothing,
Random guess ... the keymap in the initrd is not the same as the keymap in the booted system.
That means if use a key in your pass phrase that is mapped differently in both keymaps, you will type the wrong thing unless you are aware of it.
It bites me. My initrd uses a USA keymap and my booted system is UK. |
How would I debug that? There was a step in the installation that asked for a key mapping and pressed "return" for default. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 377
|
Posted: Sun Mar 10, 2024 5:03 pm Post subject: |
|
|
Grub is using the american keyboard layout. If your passphrase typed with the american keyboard layout differs from the one typed with your normal keyboard layout, it fails. In this case I would add another LUKS key slot with the "american keyboard" layout. In that case you will "always" be able to unlock the LUKS container. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54387 Location: 56N 3W
|
Posted: Sun Mar 10, 2024 5:05 pm Post subject: |
|
|
nulltheliteralnothing,
Unless you set a keymap in the initrd, its US QWERTY.
If that's not what you would like, look at the two keymaps ani your pass phrase and see if your pass phrase works on US QWERTY.
If its a problem, do the translation as you type, fix the initrd keymap, or choose a new pass phrase that works on both keymaps.
I do that translation as I type, after the pass phrase has failed once. :) _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Sun Mar 10, 2024 5:20 pm Post subject: |
|
|
Oh - I am using a US keymapping. That wouldn't likely be the issue. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 377
|
Posted: Sun Mar 10, 2024 5:39 pm Post subject: |
|
|
Are you using the numpad?
Your error happens before any initramfs or kernel are loaded. Nevertheless, where does the "cryptdevice" parameter come from? How do you build the initramfs? |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Sun Mar 10, 2024 5:43 pm Post subject: |
|
|
sMueggli wrote: | Are you using the numpad?
Your error happens before any initramfs or kernel are loaded. Nevertheless, where does the "cryptdevice" parameter come from? How do you build the initramfs? |
Are you using the numpad?
The device is a Surface Pro 3, and thus does not have a numpad, but I see where you where going with that.
Your error happens before any initramfs or kernel are loaded. Nevertheless, where does the "cryptdevice" parameter come from? How do you build the initramfs?
I am using installkernel, which contains a call to dracut.
Code: |
gentoo / # cat /etc/dracut.conf.d/luks.conf
add_dracutmodules+=" crypt "
kernel_cmdline+=" root=UUID=39b60625-1949-49d1-b174-9b5b4f484fc6 rd.luks.uuid=be7ace14-f459-47e3-98d4-c90f36d8ef7c "
|
|
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 377
|
Posted: Sun Mar 10, 2024 5:51 pm Post subject: |
|
|
Is Secure Boot disabled? |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54387 Location: 56N 3W
|
Posted: Sun Mar 10, 2024 5:53 pm Post subject: |
|
|
nulltheliteralnothing,
sMueggli is mistaken.
Grub loads the kernel and initrd, then jumps to the kernel start address.
Regardless of if the kernel and initrd are two pieces or all in one, the kernel mounts the initrd as the root filesystem an passes control to the init script inside the iniitrd.
There is onlf the kernel and initrd in RAM, between them they need to do whatever it takes to mount the real root filesystem.
Is there rubbish on the input line before you add the pass phrase?
Try starting with a healthy dose of backspaces. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Sun Mar 10, 2024 6:01 pm Post subject: |
|
|
sMueggli wrote: | Is Secure Boot disabled? |
Yes, secure boot is disabled.
However, if it wasn’t the issues would have materialized long before the pass phrase request. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 377
|
Posted: Sun Mar 10, 2024 6:01 pm Post subject: |
|
|
NeddySeagoon wrote: | nulltheliteralnothing,
sMueggli is mistaken.
Grub loads the kernel and initrd, then jumps to the kernel start address.
|
How does Grub load the kernel and initrd if the kernel and initrd are encrypted on /dev/sda3? The boot is failing at the stage, where Grub needs to unlock the LUKS container to be able to load the grub.cfg. After loading the grub.cfg Grub knows which kernel and initrd need to be loaded. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54387 Location: 56N 3W
|
Posted: Sun Mar 10, 2024 8:47 pm Post subject: |
|
|
sMueggli,
Code: | sda disk
├─sda1 part B64E-E473 |
That's the ESP it must be unencrypted vfat.
Ahh I missed that prompt.
You are correct. grub.efi has not yet loaded grub stage2. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Mon Mar 11, 2024 2:38 am Post subject: |
|
|
NeddySeagoon wrote: |
Is there rubbish on the input line before you add the pass phrase?
Try starting with a healthy dose of backspaces. |
Tried and no difference. Same result. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Mon Mar 11, 2024 2:39 am Post subject: |
|
|
NeddySeagoon wrote: | sMueggli,
Code: | sda disk
├─sda1 part B64E-E473 |
That's the ESP it must be unencrypted vfat.
Ahh I missed that prompt.
You are correct. grub.efi has not yet loaded grub stage2. |
Any other guesses? |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Mon Mar 11, 2024 3:06 am Post subject: |
|
|
Yeah, something isn't right here. In my tiredness I made a very obvious mistake of supplying pathing /dev/mapper/root when a uuid is expected, and the passphrase prompt and response appeared to be exactly the same. That shouldn't be the case.
Edit:
I fixed the error.
I don't know much about efi.
However,
Code: |
gentoo /efi/EFI/gentoo # strings grubx64.efi | grep "9b5b4f484fc6"
gentoo /efi/EFI/gentoo # strings grubx64.efi | grep "c90f36d8ef7c"
cryptomount -u be7ace14-f459-47e3-98d4-c90f36d8ef7c
(cryptouuid/be7ace14f45947e398d4c90f36d8ef7c)/boot/grub
|
I can see that the encrypted partition /dev/sda3 is referenced with the UUID 'c90f36d8ef7c' but not the mapper block device.
Can the path (cryptouuid/be7ace14f45947e398d4c90f36d8ef7c)/boot/grub actually translate to the grub?
Code: |
sda
├─sda1 B64E-E473
├─sda2 5e8e0e47-fffc-4fba-9478-37b8fced2fde
└─sda3 be7ace14-f459-47e3-98d4-c90f36d8ef7c
└─root 39b60625-1949-49d1-b174-9b5b4f484fc6
|
As you can see it is mapped to the label "root" with the UUID 39b60625-1949-49d1-b174-9b5b4f484fc6.
Also, I am new to the while discovery thing with UUIDs.
I am used to the standard partitioning.
I do have devicemapper compiled into systemd.
Perhaps I am missing something else. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Mon Mar 11, 2024 4:58 pm Post subject: |
|
|
I followed a separate tutorial.
I updated GRUB_CMDLINE_LINUX to match their example.
Code: |
GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd crypt_root=UUID=be7ace14-f459-47e3-98d4-c90f36d8ef7c:root root=UUID=39b60625-1949-49d1-b174-9b5b4f484fc6"
|
I am still encountering the same issue.
I tried switching keyboards.
My USB keyboard was not detected on boot.
Only the Surface keyboard works. At least I can confirm the "return" key works. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 377
|
Posted: Mon Mar 11, 2024 5:18 pm Post subject: |
|
|
Can you please post your /boot/grub/grub.cfg?
And please post also Code: | cryptsetup luksDump /dev/sda3 | head -n7 | (and make sure, you are not sharing "sensitive" material like salts and digests). I am using LUKS1, but Grub2 has meanwhile also some limited support for LUKS2 and I wonder, whether this might be the case.
And I think that the kernel parameter "crypt_root" is used by genkernel. For Dracut you should use "rd.luks.name=be7ace14-f459-47e3-98d4-c90f36d8ef7c=root root=/dev/mapper/root". rd.luks.name is having the UUID of the LUKS-device and appended "=root" to map the unlocked device to /dev/mapper/root. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Mon Mar 11, 2024 5:37 pm Post subject: |
|
|
sMueggli wrote: | Can you please post your /boot/grub/grub.cfg?
And please post also Code: | cryptsetup luksDump /dev/sda3 | head -n7 | (and make sure, you are not sharing "sensitive" material like salts and digests). I am using LUKS1, but Grub2 has meanwhile also some limited support for LUKS2 and I wonder, whether this might be the case.
And I think that the kernel parameter "crypt_root" is used by genkernel. For Dracut you should use "rd.luks.name=be7ace14-f459-47e3-98d4-c90f36d8ef7c=root root=/dev/mapper/root". rd.luks.name is having the UUID of the LUKS-device and appended "=root" to map the unlocked device to /dev/mapper/root. |
Code: |
ubuntu / # cryptsetup luksDump /dev/sda3 | head -n7
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: be7ace14-f459-47e3-98d4-c90f36d8ef7c
Label: (no label)
|
I see it is version 2.
Also, I am not rebuilding with dracut when changing grub. I assume that isn't relevant at this time. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 377
|
Posted: Mon Mar 11, 2024 6:10 pm Post subject: |
|
|
And which PBKDF is used?
Code: | cryptsetup luksDump /dev/sda3 | grep "PBKDF:" |
|
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Mon Mar 11, 2024 6:36 pm Post subject: |
|
|
sMueggli wrote: | And which PBKDF is used?
Code: | cryptsetup luksDump /dev/sda3 | grep "PBKDF:" |
|
(drops to his knees)
Nooooooooooooooooooooooooooooooooo (crys)
Dammit.
I will use luks type 1 |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Mon Mar 11, 2024 6:46 pm Post subject: |
|
|
sMueggli, I appreciate you. Thanks for figuring this out. |
|
Back to top |
|
|
sublogic Apprentice
Joined: 21 Mar 2022 Posts: 222 Location: Pennsylvania, USA
|
Posted: Tue Mar 12, 2024 1:53 am Post subject: |
|
|
nulltheliteralnothing wrote: |
Nooooooooooooooooooooooooooooooooo (crys)
Dammit.
I will use luks type 1 |
Just add another key, this time specifying the pbkdf. You can even use the same passphrase. (Hmmm, I hope grub tries all the keys, like cryptsetup luksOpen does.) |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Tue Mar 12, 2024 5:53 pm Post subject: |
|
|
I have change luks2 to luks1.
Grub is able to decrypt the volume and start initramfs; however, this is where it ends.
Code: |
[ 2.905473] dracut-initqueue[357]: Failed to start systemd-cryptsetup@luks\xdd7c44b01\xd14fe\xd4ae7\xd9ab8\xd6566903c71b4.service: Unit systemd-cryptsetup@luks\xdd7c44b01\xd14fe\xd4ae7\xd9ab8\xd6566903c71b4.service not found.
|
Which is true.
Question: What or how is the service generated?
for reference:
Code: |
sda
├─sda1 B64E-E473
├─sda2 5e8e0e47-fffc-4fba-9478-37b8fced2fde
└─sda3 d7c44b01-14fe-4ae7-9ab8-6566903c71b4
└─root e4b946d5-c2c2-4240-8820-ba0be85908bb
|
I have gone and created a crypttab
Code: |
gentoo / # cat /etc/crypttab
root UUID=d7c44b01-14fe-4ae7-9ab8-6566903c71b4 none luks,discard
|
I am struggling to find the last steps to build the service. |
|
Back to top |
|
|
nulltheliteralnothing n00b
Joined: 23 Feb 2024 Posts: 68
|
Posted: Thu Mar 14, 2024 2:46 pm Post subject: |
|
|
Hi Everyone,
Recompiling the Kernel resolved the issue.
I have to enter the passphrase twice:
* grub
* initramfs
But, everything works beyond that.
Thank you, Everyone, for the support. |
|
Back to top |
|
|
|