nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Sat Oct 12, 2013 1:43 am Post subject: systemd + cryptsetup (Solved) (2 solutions given)
I have an encrypted root and several other partitions encrypted with cryptsetup.
This has worked flawlessly for years using openrc but I cannot make it work with systemd.
Does anyone know how it can be done using systemd?
The way it worked with openrc
I use the following initramfs
which mounts / (usr is on the same root partition.)
Code:
#!/bin/busybox sh
# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev
# Do your stuff here.
cryptsetup -T 5 luksOpen /dev/sda7 root
# Mount the root filesystem.
mount -t ext4 -o ro /dev/mapper/root /mnt/root
# Clean up.
umount /proc
umount /sys
# Boot the real thing.
exec switch_root /mnt/root /sbin/init
To cryptsetup the other partitions I have inserted the following into /etc/init.d/fsck
Code:
start()
{
modprobe loop
cryptsetup --key-file=/root/.gnupg/sda9crypt create sda9 /dev/sda9
echo Iaxag1 |cryptsetup luksOpen /dev/sda8 sda8
cryptsetup --key-file=/root/.gnupg/sdbcrypt create sdb /dev/sdb
cryptsetup --key-file=/root/.gnupg/sdccrypt create sdc /dev/sdc
}
/etc/fstab contained lines such as
Code:
/dev/mapper/sda9 /sda9 ext4 etc etc
The above works flawlessly with openrc
The way I tried to do it with systemd
I replaced the initramfs with
Code:
#!/bin/busybox sh
# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev
# Do your stuff here.
cryptsetup -T 5 luksOpen /dev/sda7 root
# Mount the root filesystem.
mount -t ext4 -o ro /dev/mapper/root /mnt/root
# Clean up.
umount /proc
umount /sys
# Boot the real thing.
exec switch_root /mnt/root /usr/bin/systemd
Since systemd doesn't read /etc/init.d/fsck I edited /etc/crypttab to contain entries such as the following:
Code:
target=sda9
source='/dev/sda9'
key='/root/.gnupg/sda9crypt'
This does not work. When trying to boot with systemd I get
Quote:
a start job is running for dev-mapper-sda9.device[
And the boot process hangs.
Can anyone advise me as to whether or not it should be possible to boot my system using systemd?
Last edited by nlsa8z6zoz7lyih3ap on Thu Oct 17, 2013 3:21 pm; edited 3 times in total
croutch n00b
Joined: 04 Aug 2012 Posts: 32 Location: göteborg
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Sat Oct 12, 2013 11:45 pm Post subject:
Progress Report
I can now boot using systemd into a system that has all of the encrypted partitions except for / removed from /etc/fstab.
Using croutch's comment
Quote:
have init=/usr/lib/systemd/systemd in grub or initramfs
I have replaced my initramfs with
Code:
#!/bin/busybox sh
# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev
# Do your stuff here.
cryptsetup -T 5 luksOpen /dev/sda7 root
# Mount the root filesystem.
mount -t ext4 -o ro /dev/mapper/root /mnt/root
# Clean up.
umount /proc
umount /sys
init=/usr/lib/systemd/systemd
export init
# Boot the real thing.
exec switch_root /mnt/root $init
This boots me into the text console bash. I then cryptsetup and mount the other encrypted partitions by hand.
My ethernet device (which has been persistently renamed to eeth0) does not come up, so I bring the internet up with
Code:
ifconfig eeth0 up
dhcpcd eeth0
I then start kdm manually.
So at this moment I am able to boot using systemd + a fair amount of manual work of my own. I am a far cry from having everything automated but intend to play around with it a bit more.
Ideas or comments from anyone would still be welcomed.
croutch n00b
Joined: 04 Aug 2012 Posts: 32 Location: göteborg
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Mon Oct 14, 2013 12:40 am Post subject:
Progress Report
By following the man page for crypttab I can get systemd to set up luks encrypted partitions.
Specifically, by placing as a line in /etc/crypttab, systemd prompts me for a password during boot and all works just fine.
However man crypttab also gives instructions for giving a path to a file that contains the password and then not having to enter the password in the terminal during boot.
I can not make this work.
More importantly, two of my encrypted block devices are not in luks format. For example when using openrc
I put the following line in the appropriate place in /etc/init.d/fsck
Code:
cryptsetup --key-file=/root/.gnupg/sda9crypt create sda9 /dev/sda9
This worked just fine in openrc
However I have not been able to make it work using /etc/crypttab and systemd. In one of my attempts I added
Code:
sda9 /dev/sda9 none plain,key-file=/root/.gnupg/sda9crypt
to /etc/crypttab.
and in another I added
Code:
sda9 /dev/sda9 plain,key-file=/root/.gnupg/sda9crypt
In all of my attempts, I was prompted for a password during boot, which is ridiculous as there is none. Even when I typed in the path to the key rather than the non-existent password,
systemd failed to set this up for me.
Does anyone know if this is a bug or a failure on my part?
Comment: thanks to croutch for all of the good suggestions regarding this and systemd in general. Except for the encrypted partition problem, everything works very well and with great speed. I was happy with every aspect of systemd except for the encryption problem. However that failure is a deal breaker for me.
Unless someone has a solution, I will be removing systemd from my system and reverting to openrc in a few days.
I should point out that I really like openrc, but was also curious to give systemd a try.
croutch n00b
Joined: 04 Aug 2012 Posts: 32 Location: göteborg
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Tue Oct 15, 2013 6:53 pm Post subject:
Most of this post has been deleted to be replaced with one below.
Last edited by nlsa8z6zoz7lyih3ap on Tue Oct 15, 2013 10:15 pm; edited 1 time in total
croutch n00b
Joined: 04 Aug 2012 Posts: 32 Location: göteborg
Posted: Tue Oct 15, 2013 8:49 pm Post subject:
Well, I have no clue why everything is working on your system now.
But it is very nice that you got it working.
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Wed Oct 16, 2013 1:21 am Post subject:
Apparently I was using an initramfs that did the cryptsetup for me.
My searches on the internet have led me to believe that systemd's encryption setup does not support all of the encryption types that cryptsetup does, and in
particular does not support some of mine (plain) or luks with a keyfile rather than a password. (added in edit Oct 17) I now know that it does support luks with a keyfile; see my next post
The following example is from man crypttab
Quote:
luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0
swap /dev/sda7 /dev/urandom swap
And this does not cover some of my encryption types. I believe that this is why systemd hangs when trying to mount my encrypted partitions.
So here is what I now do to succeed (In fact nothing else that I have tried works.)
Mark all of the encrypted partitions as noauto in the options section of /etc/fstab, so that systemd leaves them alone.
write a bash script (I called it /root/sys.sh) that does cryptsetup, fsck and then mounts the encrypted partitions.
At the end of the script add systemctl start kdm
It is possible to do the cryptsetup and mounting in the initramfs, but alas busybox does not support fsck.ext4, so this means that fsck would not be done on these partitions
Perhaps it is possible to have systemd run my sys.sh script for me to automate everything, but I haven't delved enough into systemd yet to be able to do this.
The booting is really not noticeably fast given all of my customizations, but the shutdown is blinding fast.
I would like to thank croutch again for his responses and his blog http://croutchie.blogspot.se/ .
Last edited by nlsa8z6zoz7lyih3ap on Thu Oct 17, 2013 3:20 pm; edited 1 time in total
188562 Apprentice
Joined: 22 Jun 2008 Posts: 186
Posted: Wed Oct 16, 2013 7:52 am Post subject:
Read wiki and try my initramfs
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Thu Oct 17, 2013 3:19 pm Post subject:
Here are 2 full solutions to this topic.
(1) The one outlined above by init_6.
Thank you init_6 for explaining how to do all of this in the initramfs. This solution has the advantage of not requiring changes to the partitions and encryption, which the 2nd solution does
(2) Redoing the partitions and encryptions to be compatible with systemd's crypttab.
I have identified what I believe are the 2 reasons that systemd did not mount my encrypted devices as they were set up before many years ago.
(i) one of my encrypted devices was /dev/sdb (an entire drive rather than a partition) I noticed that the command blkid does not even list /dev/sdb, tho' it does pick up partitions.
(ii) the encryption for /dev/sda9 was done previously with the command cryptsetup --key-file=/root/.gnupg/sdbcrypt create sda9 /dev/sda9
Despite many attempts and hints in the man crypttab page that this should be possible, I have been unable to make (ii) work under systemd and /etc/crypttab.
Therefore I tried the following, and found that it works:
(A) Change the type of encrypted partitions to luks (see man cryptsetup for details) To avoid having to enter a password at boot, I did this with the following command
Code:
cryptsetup luksFormat /dev/sda9 /root/.gnupg/sda9crypt
for my /dev/sda9, add the following line to /etc/crypttab
Code:
sda9 /dev/sda9 /root/.gnupg/sda9crypt luks
Of course I had to previously create the key /root/.gnupg/sda9crypt as per standard cryptsetup instructions. (There are many wikis on this)
(B) Partition any unpartitioned encrypted drives. For example /dev/sdb is partitioned to contain the single partition /dev/sdb1, and this is then encrypted as in (A).
Perhaps there are other solutions using /etc/crypttab, but this is the only thing that worked for me.
Of course, /etc/fstab will need to be modified.
WARNING: Data must be backed up on drives and partitions that are being changed as above, and then restored after the changes have been made.
In my case with two 2 terabyte drives and a 500 gb drive, this took considerable time to do.
Thanks to everyone for their help. I am now marking this as "solved"
Added in edit: Don't forget to set the cryptsetup USE flag
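As an added example (not from the thread or from any of its posters): a small Python linter for /etc/crypttab lines that flags the mistakes walked through above, namely key=value lines, options placed in the KEYFILE column, plain mode without a key file (which makes systemd prompt for a passphrase), a whole disk used as the source, and a key file that is missing or readable by other users. It assumes the four-column NAME SOURCE KEYFILE OPTIONS layout from man crypttab; the sample text is constructed from the lines quoted in the thread.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
MODES = ("luks", "plain", "swap", "tmp")     # option words that identify the OPTIONS column
@dataclass
class Entry:
    name: str
    source: str
    keyfile: Optional[str] = None            # None means "prompt for a passphrase"
    options: Dict[str, Optional[str]] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)
def parse_line(line: str) -> Optional[Entry]:  # one line: NAME SOURCE KEYFILE OPTIONS
    f = line.split("#", 1)[0].split()
    if not f:
        return None
    if "=" in f[0] or len(f) < 2:            # e.g. 'target=sda9': key=value is not crypttab syntax
        return Entry(f[0], "", warnings=["not crypttab syntax; expected NAME SOURCE KEYFILE OPTIONS"])
    e, key, opts = Entry(f[0], f[1]), (f[2] if len(f) > 2 else "-"), (f[3] if len(f) > 3 else "")
    if "," in key or key in MODES:           # options landed in the KEYFILE column
        e.warnings.append("options given in the KEYFILE field; put '-' or 'none' there first")
        key, opts = "-", key
    e.keyfile = None if key in ("-", "none") else key
    for item in filter(None, opts.split(",")):
        k, _, v = item.partition("=")
        e.options[k] = v or None
    if "plain" in e.options:
        if e.keyfile is None:                # a key-file= option does not fill the KEYFILE column
            e.warnings.append("plain mode with no key file: systemd will prompt for a passphrase")
        missing = [k for k in ("cipher", "size", "hash") if k not in e.options]
        if missing:
            e.warnings.append("plain mode leaves " + ",".join(missing) + " to cryptsetup defaults")
    if re.fullmatch(r"/dev/sd[a-z]+", e.source):
        e.warnings.append("source is a whole disk, not a partition; blkid may not list it")
    return e
def parse_crypttab(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]
def keyfile_warnings(path: str) -> List[str]:  # a key file unlocks the volume, so it must be root-only
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path}: key file does not exist"]
    return [f"{path}: readable by group/other; chmod 0600"] if mode & 0o077 else []
# Constructed sample: the working line (A) from the thread plus the attempts that failed.
SAMPLE = """\
sda9 /dev/sda9 /root/.gnupg/sda9crypt luks
sda9 /dev/sda9 plain,key-file=/root/.gnupg/sda9crypt
target=sda9
sdb /dev/sdb /root/.gnupg/sdbcrypt plain
"""
```

Run `for e in parse_crypttab(SAMPLE): print(e.name, e.warnings)` to see which of the sample lines systemd would accept silently and which would stall the boot or prompt.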