[RESOLVED] Luks + Grub: Invalid passphrase

[nulltheliteralnothing]

Hi Everyone,

I have installed (or trying) Gentoo on a tablet PC.

With concerns of the device ever being stolen, I want to ensure the thief only gets the hardware.

I have opt'd to use the Luks Rootfs Encryption tutorial.

https://wiki.gentoo.org/wiki/Rootfs_encryption

The issue:

Code: Select all

Enter passphrase for hd0,gpt3 (be7ace14-f459-47e3-98d4-c90f36d8ef7c):
error: Invalid passphrase.
error: disk "cryptouuid/be7ace14-f459-47e3-98d4-c90f36d8ef7c" not found.
Entering rescue mode...
grub rescue>

I am pretty confident that I am typing in the correct password.

Code: Select all

cryptsetup luksOpen /dev/sda3 root

Works with the password.

Here are my block devices:

Code: Select all

sda      disk  
├─sda1   part  B64E-E473
├─sda2   part  5e8e0e47-fffc-4fba-9478-37b8fced2fde
└─sda3   part  be7ace14-f459-47e3-98d4-c90f36d8ef7c
  └─root crypt 39b60625-1949-49d1-b174-9b5b4f484fc6

Here is my grub config:

Code: Select all

# GRUB_CMDLINE_LINUX="root=UUID=39b60625-1949-49d1-b174-9b5b4f484fc6 rd.luks.uuid=be7ace14-f459-47e3-98d4-c90f36d8ef7c"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=be7ace14-f459-47e3-98d4-c90f36d8ef7c:root root=/dev/mapper/root"
GRUB_ENABLE_CRYPTODISK="yes"
GRUB_PRELOAD_MODULES="luks"

Here is my fstab:

Code: Select all

/dev/sda1	/efi	vfat	umask=0077	0 2
/dev/sda2	none	swap	sw		0 0
/dev/mapper/root	/	ext4	defaults	0 1

Any help would be appreciated.

[NeddySeagoon]

nulltheliteralnothing,

Random guess ... the keymap in the initrd is not the same as the keymap in the booted system.
That means if use a key in your pass phrase that is mapped differently in both keymaps, you will type the wrong thing unless you are aware of it.

It bites me. My initrd uses a USA keymap and my booted system is UK.

[nulltheliteralnothing]

nulltheliteralnothing,

Random guess ... the keymap in the initrd is not the same as the keymap in the booted system.
That means if use a key in your pass phrase that is mapped differently in both keymaps, you will type the wrong thing unless you are aware of it.

It bites me. My initrd uses a USA keymap and my booted system is UK.

How would I debug that? There was a step in the installation that asked for a key mapping and pressed "return" for default.

[sMueggli]

Grub is using the american keyboard layout. If your passphrase typed with the american keyboard layout differs from the one typed with your normal keyboard layout, it fails. In this case I would add another LUKS key slot with the "american keyboard" layout. In that case you will "always" be able to unlock the LUKS container.

[NeddySeagoon]

nulltheliteralnothing,

Unless you set a keymap in the initrd, its US QWERTY.
If that's not what you would like, look at the two keymaps ani your pass phrase and see if your pass phrase works on US QWERTY.

If its a problem, do the translation as you type, fix the initrd keymap, or choose a new pass phrase that works on both keymaps.
I do that translation as I type, after the pass phrase has failed once. :)

[nulltheliteralnothing]

Oh - I am using a US keymapping. That wouldn't likely be the issue.

[sMueggli]

Are you using the numpad?

Your error happens before any initramfs or kernel are loaded. Nevertheless, where does the "cryptdevice" parameter come from? How do you build the initramfs?

[nulltheliteralnothing]

Are you using the numpad?

Your error happens before any initramfs or kernel are loaded. Nevertheless, where does the "cryptdevice" parameter come from? How do you build the initramfs?

Are you using the numpad?

The device is a Surface Pro 3, and thus does not have a numpad, but I see where you where going with that.

Your error happens before any initramfs or kernel are loaded. Nevertheless, where does the "cryptdevice" parameter come from? How do you build the initramfs?

I am using installkernel, which contains a call to dracut.

Code: Select all

gentoo / # cat /etc/dracut.conf.d/luks.conf 
add_dracutmodules+=" crypt "
kernel_cmdline+=" root=UUID=39b60625-1949-49d1-b174-9b5b4f484fc6 rd.luks.uuid=be7ace14-f459-47e3-98d4-c90f36d8ef7c "

[sMueggli]

Is Secure Boot disabled?

[NeddySeagoon]

nulltheliteralnothing,

sMueggli is mistaken.

Grub loads the kernel and initrd, then jumps to the kernel start address.
Regardless of if the kernel and initrd are two pieces or all in one, the kernel mounts the initrd as the root filesystem an passes control to the init script inside the iniitrd.

There is onlf the kernel and initrd in RAM, between them they need to do whatever it takes to mount the real root filesystem.

Is there rubbish on the input line before you add the pass phrase?
Try starting with a healthy dose of backspaces.

[nulltheliteralnothing]

Is Secure Boot disabled?

Yes, secure boot is disabled.

However, if it wasn’t the issues would have materialized long before the pass phrase request.

[sMueggli]

nulltheliteralnothing,

sMueggli is mistaken.

Grub loads the kernel and initrd, then jumps to the kernel start address.

How does Grub load the kernel and initrd if the kernel and initrd are encrypted on /dev/sda3? The boot is failing at the stage, where Grub needs to unlock the LUKS container to be able to load the grub.cfg. After loading the grub.cfg Grub knows which kernel and initrd need to be loaded.

[NeddySeagoon]

sMueggli,

Code: Select all

sda      disk 
├─sda1   part  B64E-E473 

That's the ESP it must be unencrypted vfat.

Ahh

Code: Select all

grub rescue>

I missed that prompt.

You are correct. grub.efi has not yet loaded grub stage2.

[nulltheliteralnothing]

Is there rubbish on the input line before you add the pass phrase?
Try starting with a healthy dose of backspaces.

Tried and no difference. Same result.

[nulltheliteralnothing]

sMueggli,

Code: Select all

sda      disk 
├─sda1   part  B64E-E473 

That's the ESP it must be unencrypted vfat.

Ahh

Code: Select all

grub rescue>

I missed that prompt.

You are correct. grub.efi has not yet loaded grub stage2.

Any other guesses?

[nulltheliteralnothing]

Yeah, something isn't right here. In my tiredness I made a very obvious mistake of supplying pathing /dev/mapper/root when a uuid is expected, and the passphrase prompt and response appeared to be exactly the same. That shouldn't be the case.

Edit:

I fixed the error.

I don't know much about efi.

However,

Code: Select all

gentoo /efi/EFI/gentoo # strings grubx64.efi | grep "9b5b4f484fc6"
gentoo /efi/EFI/gentoo # strings grubx64.efi | grep "c90f36d8ef7c"
cryptomount -u be7ace14-f459-47e3-98d4-c90f36d8ef7c
(cryptouuid/be7ace14f45947e398d4c90f36d8ef7c)/boot/grub

I can see that the encrypted partition /dev/sda3 is referenced with the UUID 'c90f36d8ef7c' but not the mapper block device.

Can the path (cryptouuid/be7ace14f45947e398d4c90f36d8ef7c)/boot/grub actually translate to the grub?

Code: Select all

sda      
├─sda1   B64E-E473
├─sda2   5e8e0e47-fffc-4fba-9478-37b8fced2fde
└─sda3   be7ace14-f459-47e3-98d4-c90f36d8ef7c
  └─root 39b60625-1949-49d1-b174-9b5b4f484fc6

As you can see it is mapped to the label "root" with the UUID 39b60625-1949-49d1-b174-9b5b4f484fc6.

Also, I am new to the while discovery thing with UUIDs.

I am used to the standard partitioning.

I do have devicemapper compiled into systemd.

Perhaps I am missing something else.

[nulltheliteralnothing]

I followed a separate tutorial.

I updated GRUB_CMDLINE_LINUX to match their example.

Code: Select all

GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd crypt_root=UUID=be7ace14-f459-47e3-98d4-c90f36d8ef7c:root root=UUID=39b60625-1949-49d1-b174-9b5b4f484fc6"

I am still encountering the same issue.

I tried switching keyboards.

My USB keyboard was not detected on boot.

Only the Surface keyboard works. At least I can confirm the "return" key works.

[sMueggli]

Can you please post your /boot/grub/grub.cfg?

And please post also

Code: Select all

cryptsetup luksDump /dev/sda3 | head -n7

(and make sure, you are not sharing "sensitive" material like salts and digests). I am using LUKS1, but Grub2 has meanwhile also some limited support for LUKS2 and I wonder, whether this might be the case.

And I think that the kernel parameter "crypt_root" is used by genkernel. For Dracut you should use "rd.luks.name=be7ace14-f459-47e3-98d4-c90f36d8ef7c=root root=/dev/mapper/root". rd.luks.name is having the UUID of the LUKS-device and appended "=root" to map the unlocked device to /dev/mapper/root.

[nulltheliteralnothing]

Can you please post your /boot/grub/grub.cfg?

And please post also

Code: Select all

cryptsetup luksDump /dev/sda3 | head -n7

(and make sure, you are not sharing "sensitive" material like salts and digests). I am using LUKS1, but Grub2 has meanwhile also some limited support for LUKS2 and I wonder, whether this might be the case.

And I think that the kernel parameter "crypt_root" is used by genkernel. For Dracut you should use "rd.luks.name=be7ace14-f459-47e3-98d4-c90f36d8ef7c=root root=/dev/mapper/root". rd.luks.name is having the UUID of the LUKS-device and appended "=root" to map the unlocked device to /dev/mapper/root.

Code: Select all

ubuntu / # cryptsetup luksDump /dev/sda3 | head -n7
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	be7ace14-f459-47e3-98d4-c90f36d8ef7c
Label:         	(no label)

I see it is version 2.

Also, I am not rebuilding with dracut when changing grub. I assume that isn't relevant at this time.

[sMueggli]

And which PBKDF is used?

Code: Select all

cryptsetup luksDump /dev/sda3 | grep "PBKDF:"

[nulltheliteralnothing]

And which PBKDF is used?

Code: Select all

cryptsetup luksDump /dev/sda3 | grep "PBKDF:"

(drops to his knees)

Code: Select all

PBKDF:      argon2id

Nooooooooooooooooooooooooooooooooo (crys)

Dammit.

I will use luks type 1

[nulltheliteralnothing]

sMueggli, I appreciate you. Thanks for figuring this out.

[sublogic]

Code: Select all

PBKDF:      argon2id

Nooooooooooooooooooooooooooooooooo (crys)

Dammit.

I will use luks type 1

Just add another key, this time specifying the pbkdf. You can even use the same passphrase. (Hmmm, I hope grub tries all the keys, like cryptsetup luksOpen does.)

[nulltheliteralnothing]

I have change luks2 to luks1.

Grub is able to decrypt the volume and start initramfs; however, this is where it ends.

Code: Select all

[   2.905473] dracut-initqueue[357]: Failed to start systemd-cryptsetup@luks\xdd7c44b01\xd14fe\xd4ae7\xd9ab8\xd6566903c71b4.service: Unit systemd-cryptsetup@luks\xdd7c44b01\xd14fe\xd4ae7\xd9ab8\xd6566903c71b4.service not found.

Which is true.

Question: What or how is the service generated?

for reference:

Code: Select all

sda      
├─sda1   B64E-E473
├─sda2   5e8e0e47-fffc-4fba-9478-37b8fced2fde
└─sda3   d7c44b01-14fe-4ae7-9ab8-6566903c71b4
  └─root e4b946d5-c2c2-4240-8820-ba0be85908bb

I have gone and created a crypttab

Code: Select all

gentoo / # cat /etc/crypttab 
root UUID=d7c44b01-14fe-4ae7-9ab8-6566903c71b4 none luks,discard

I am struggling to find the last steps to build the service.

[nulltheliteralnothing]

Hi Everyone,

Recompiling the Kernel resolved the issue.

I have to enter the passphrase twice:

* grub
* initramfs

But, everything works beyond that.

Thank you, Everyone, for the support.