[solved...sort of] Unlocks multiple luks volume at boot

[rem5]

Hello,

I have 2 LUKS volumes to decrypt at boot (for /home and /home/elvire FS) :

Code: Select all

NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                     8:0    0 232.9G  0 disk  
└─ssd_mx500           253:4    0 232.9G  0 crypt 
  └─VG_home-LV_elvire 253:5    0 232.9G  0 lvm   /home/elvire
zram0                 252:0    0   5.9G  0 disk  [SWAP]
zram1                 252:1    0   5.9G  0 disk  [SWAP]
nvme1n1               259:0    0 476.9G  0 disk  
├─nvme1n1p1           259:1    0    16M  0 part  
├─nvme1n1p2           259:2    0 476.2G  0 part  
└─nvme1n1p3           259:3    0   777M  0 part  
nvme0n1               259:4    0 465.8G  0 disk  
├─nvme0n1p1           259:5    0    50M  0 part  
├─nvme0n1p2           259:6    0     1G  0 part  /boot
└─nvme0n1p3           259:7    0 464.7G  0 part  
  ├─gentoo-root       253:0    0    60G  0 lvm   /
  ├─gentoo-var        253:1    0    40G  0 lvm   /var
  └─gentoo-home       253:2    0 364.7G  0 lvm   
    └─gentoo-home_enc 253:3    0 364.7G  0 crypt /home

I used /etc/conf.d/dmcrypt with these parameters :

Code: Select all

target=gentoo-home_enc
#source='/dev/mapper/gentoo-home'
source=UUID="42d9aec1-920d-454c-a9ce-9c0b7d5c3cf3"
options="--allow-discards"

target=ssd_mx500
#source='/dev/mapper/gentoo-home'
source=UUID="75227dd2-4b8c-458d-8b67-6d8bbcf78178"
options="--allow-discards"

but as expected I needed to enter the password 2 times.

As root FS is not encrypted, I didn't use a plain text keyfile.

So I tried to use a gpg crypted one :

Code: Select all

target=gentoo-home_enc
#source='/dev/mapper/gentoo-home'
source=UUID="42d9aec1-920d-454c-a9ce-9c0b7d5c3cf3"
options="--allow-discards"
key='/etc/cryptkeys/homekey.gpg.enc:gpg'

target=ssd_mx500
#source='/dev/mapper/gentoo-home'
source=UUID="75227dd2-4b8c-458d-8b67-6d8bbcf78178"
options="--allow-discards"
key='/etc/cryptkeys/homekey.gpg.enc:gpg'

but at boot it doesn't ask me for gpg password when trying to unlock luks volumes :

Code: Select all

 * Setting up dm-crypt mappings ...
 *   gentoo-home_enc using:  --allow-discards open /dev/mapper/gentoo-home gentoo-home_enc ...
Nothing to read on input. 
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
 * failure running cryptsetup
 [ !! ]
 *   ssd_mx500 using:  --allow-discards open /dev/sda ssd_mx500 ...
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
 * failure running cryptsetup 
 [ !! ]
 * Failed to setup dm-crypt devices 
 [ !! ]
 * ERROR: dmcrypt failed to start
 * Starting the Logical Volume Manager ...
  Found volume group "gentoo" using metadata type lvm2
  3 logical volume(s) in volume group "gentoo" now active
 [ ok ]
 * Checking local filesystems  ...
/dev/mapper/gentoo-root: clean, 634856/3932160 files, 7426742/15728640 blocks
/dev/mapper/gentoo-var: clean, 360033/2621440 files, 3282768/10485760 blocks
fsck.ext4: Unable to resolve 'UUID=b15d88b9-ee98-4ac6-8074-e966fa5c8447'
fsck.ext4: Unable to resolve 'UUID=7c4ef372-f761-436a-bfa5-f7100a157ff2'
/dev/nvme0n1p2: clean, 694/65536 files, 159213/262144 blocks
fsck.fat 4.2 (2021-01-31)
/dev/nvme0n1p1: 198 files, 16148/25534 clusters
 * Operational error
 [ !! ]
 * Remounting root filesystem read/write ...
 [ ok ]

but later on boot the password prompt appear and decryption is made :

Code: Select all

* Create Volatile Files and Directories ...
 [ ok ]
 * Loading zram module...
 [ ok ]
 * Swap->zram0
 [ ok ]
 * Swap->zram1
 [ ok ]

rc boot logging stopped at Sun Feb 22 11:40:34 2026


rc default logging started at Sun Feb 22 11:40:34 2026

 * Setting up dm-crypt mappings ...
 *   gentoo-home_enc using:  --allow-discards open /dev/mapper/gentoo-home gentoo-home_enc ...
Nothing to read on input.
 [ ok ]
 *   ssd_mx500 using:  --allow-discards open /dev/sda ssd_mx500 ...
 [ ok ]
 [ ok ]
 * Starting dbus ...
 [ ok ]
 * Starting NetworkManager ...
 [ ok ]
Connecting.                  1sConnecting..                 1sConnecting...                1sConnecting....               1sConnecting.....              1sConnecting......             1sConnecting.......            1sConnecting........           1sConnecting.........          1sConnecting..........         1sConnecting...........        1sConnecting............       1sConnecting.............      1sConnecting..............     1sConnecting...............    1sConnecting...............    0s [offline]
 * Marking NetworkManager as inactive. It will automatically be marked
 * as started after a network connection has been established.
 * WARNING: NetworkManager has started, but is inactive
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...
 [ ok ]
 * Starting syslog-ng ...
 [ ok ]
 * Starting acpid ...

I don't see why the password prompt doesn't appear when dmcrypt service start but later (maybe a dependency try to restart dmcrypt service as it's not started ?)

But I don't want to use pgp if not needed, if the password can be used for the two volumes with one prompt, it's perfect (maybe some /etc/conf.d/dmcrypt parameter ?)




by example with debian and /etc/crypttab, the password is used for the 3 volumes :

Code: Select all

mmcblk0p3_crypt UUID=74fcfa5d-8dfe-44d4-a8df-884bcb25ea33 none luks,discard,x-initrd.attach,keyscript=decrypt_keyctl
data1_crypt     UUID=f45bab4b-f4e7-4d61-a62f-edc6517895ed       none    luks,nofail
data2_crypt     UUID=a2e1513a-304e-4a6e-9502-292261ff074c       none    luks,nofail

Do you have some idea for this problem ?

Thanks

[rem5]

Hello,

The cause of this problem seems to be that pgp need RW access to FS, but " * Remounting root filesystem read/write ... " is later in boot process.


gpg: failed to create temporary file '/root/.gnupg/.#lk0xxxxxxxxx.(none).xxxx': Read-only file system
gpg: can't connect to the gpg-agent: Read-only file system
gpg: problem with the agent: No agent running
gpg: decryption failed: Bad session key

[rem5]

I will encrypt all the system, it will be better and faster to setup ...

But I think there is a bug somewhere in the initscript as there is an example in dmcrypt conf file of this exact solution :

Code: Select all

 
## /home with gpg protected key
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'

[rem5]

A little bit late, but it is fixed (sort of..)

root FS is now encrypted too, so key for second drive is in clear...