Created attachment 306313 [details]
emerge --info output

I use an encrypted LUKS volume as root; a gpg-encrypted key is on an external disk (following the guide at http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS ). I create a dracut initramfs (and set up rd.luks.key) and all looks fine, but it cannot open the LUKS device.

I tracked this down to the module 90crypt. In the file cryptroot-ask.sh we have:

    96     info "Using '$keypath' on '$keydev'"
    97     readkey "$keypath" "$keydev" "$device" \
    98         | cryptsetup -d - luksOpen "$device" "$luksname"
    99     unset keypath keydev
    100    ask_passphrase=0
    101    break

https://git.kernel.org/?p=boot/dracut/dracut.git;a=blob;f=modules.d/90crypt/cryptroot-ask.sh;h=aba1331cf7522933813a4172f6a5f79288e715a2;hb=HEAD

The cryptsetup call on line 98 fails due to "-d -" with the error "No Key available with this passphrase" (that's the generic error from cryptsetup if a bad key is given). It drops me into the initramfs, and if I issue the command there it fails the same way. Removing the "-d -" option makes it work for me (however, I don't know if it breaks using a non-encrypted keyfile). This also works in the initramfs shell.

My dracut info (from eix dracut):

    Installed versions:  017-r1!t(21:55:42 19.03.2012)(device-mapper dracut_modules_crypt dracut_modules_crypt-gpg dracut_modules_lvm -debug -dracut_modules_biosdevname -dracut_modules_btrfs -dracut_modules_caps -dracut_modules_dmraid -dracut_modules_dmsquash-live -dracut_modules_gensplash -dracut_modules_iscsi -dracut_modules_livenet -dracut_modules_mdraid -dracut_modules_multipath -dracut_modules_nbd -dracut_modules_nfs -dracut_modules_plymouth -dracut_modules_ssh-client -dracut_modules_syslog -net -selinux)
    Homepage:            http://dracut.wiki.kernel.org
    Description:         Generic initramfs generation tool

Maybe IMPORTANT: I use cryptsetup with the "static" USE flag.

Additional Info:

Kernel boot cmdline from /proc/cmdline:

    BOOT_IMAGE=/vmlinuz-3.3.0-rc7 root=/dev/mapper/hanfi-root ro console=tty1 quiet

dracut build command:

    dracut -H -L 5 -a "crypt-gpg" "" 3.3.0-rc7 -v --force 2>&1 | less

dracut cmdline settings (these are written by the lvm and crypt modules; I added some code to the crypt module's setup script so it looks for the gpg key on the boot device and adds the key if one is found):

    rd.luks.uuid=luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
    rd.luks.key=/.gnupg/5b1049c3-ae7c-4b4c-99e7-240ba4a76f94.gpg:UUID=468fc485-3aca-4b80-96cd-5b1a4bc5fe60:UUID=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
    rd.lvm.lv=hanfi/root

My fstab:

    # NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
    /dev/hanfi/root   /           ext4   noatime                0 1
    /dev/hanfi/home   /home       ext4   noatime                0 1
    /dev/hanfi/swap   none        swap   sw                     0 0
    /dev/cdrom        /mnt/cdrom  auto   noauto,ro              0 0
    #proc             /proc       proc   defaults               0 0
    #none             /sys        sysfs  defaults               0 0
    # use those 8GB of RAM
    none              /dev/shm    tmpfs  nodev,nosuid,noexec    0 0
    none              /tmp        tmpfs  nodev,nosuid           0 0
    none              /var/tmp    tmpfs  nodev,nosuid           0 0

dmsetup ls --tree:

    hanfi-home (254:3)
     └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
        └─ (8:1)
    hanfi-swap (254:2)
     └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
        └─ (8:1)
    hanfi-root (254:1)
     └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
        └─ (8:1)

blkid -o udev:
This is probably true. There's some weirdness in password processing between how it's done with "-d -" and without. Please read the "NOTES ON PASSWORD PROCESSING" section of the cryptsetup man page. Does your decrypted key work with "cryptsetup -d /path/to/plain.key"?
(In reply to comment #1)
> Does your decrypted key work with "cryptsetup -d /path/to/plain.key"?

No, it fails again with the error "No Key available with this passphrase":

    cryptsetup -d /tmp/luks.key luksOpen /dev/sda1 crypto

whereas this works:

    cat /tmp/luks.key | cryptsetup luksOpen /dev/sda1 crypto

But this made me go debugging some more. Reading about cryptsetup, I think the problem lies in this (from the man page, as you suggested): "If --key-file=- is used for reading the key from stdin, no trailing newline is stripped from the input. Without that option, cryptsetup strips trailing newlines from stdin input."

The problem lies in how I added the key originally, as described in http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS . There it is suggested to use

    gpg --quiet --decrypt rootkey.gpg | cryptsetup -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3

However, this behaves as stdin input and strips the newline. At decryption stage, using "-d -" will not strip the newline, and it fails.

As I had the key decrypted into /tmp/luks.key, I went on and added that key AS A FILE with

    cat /tmp/luks.key | cryptsetup luksAddKey /dev/sda1 /tmp/luks.key

(this uses the key as a password and then adds the key as a file). NOW I can do

    cryptsetup -d /tmp/luks.key luksOpen /dev/sda1 crypto

and it opens the device, and after adding "-d -" to the cryptroot-ask.sh file again (as it was in the original script) it works too!

So basically the advice on that wiki page does not work correctly with dracut. I think the best solution to all of this is to edit the wiki page and tell people to add "-d -" at the key setup if using dracut:

    gpg --quiet --decrypt rootkey.gpg | cryptsetup -d - -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3
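A pre-flight check for the mismatch described in this comment, as an added example (not code from the bug report, from dracut or from the wiki): it models the man page's two stdin rules on a key file, and on a real system feeds the key to cryptsetup exactly the way cryptroot-ask.sh does, so the problem shows up before a reboot. Assumed: a text key without NUL bytes (shell variables cannot hold NUL), cryptsetup 1.5.0 or later for --test-passphrase, and a gpg that can decrypt the key non-interactively.

```shell
#!/bin/sh
# Added example; not code from the bug report, dracut or the Gentoo wiki.
# Assumptions: text key without NUL bytes; cryptsetup >= 1.5.0 for
# --test-passphrase; gpg can decrypt non-interactively (agent or --batch).

# Does the key file end in a newline?  That byte is what makes
# "cat key | cryptsetup luksFormat" and "cryptsetup -d - luksOpen" disagree.
has_trailing_newline() {  # $1 = key file
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Hex dump of the bytes cryptsetup uses as passphrase, per the man page quote:
#   pipe = key on stdin, no -d  -> trailing newlines stripped
#   dash = -d -                 -> raw stdin bytes, nothing stripped
#   file = -d FILE              -> raw file bytes, nothing stripped
key_material_hex() {  # $1 = pipe|dash|file, $2 = key file
    case "$1" in
        pipe)      printf '%s' "$(cat "$2")" ;;  # $(...) drops trailing newlines
        dash|file) cat "$2" ;;
    esac | od -An -tx1 | tr -d ' \n'
}

# Will a key fed one way at luksFormat unlock when fed another way at luksOpen?
# Prints "match" or "mismatch".  $1 = format mode, $2 = open mode, $3 = key file
compare_modes() {
    a=$(key_material_hex "$1" "$3")
    b=$(key_material_hex "$2" "$3")
    [ "$a" = "$b" ] && echo match || echo mismatch
}

# The real check (needs root, the LUKS device and the GPG-encrypted key):
# the same pipeline as dracut's cryptroot-ask.sh, but --test-passphrase only
# verifies that a key slot opens and maps nothing.  Exit status is cryptsetup's.
check_unlock() {  # $1 = rootkey.gpg, $2 = LUKS device, e.g. /dev/sda1
    gpg --quiet --decrypt "$1" | cryptsetup --test-passphrase -d - luksOpen "$2"
}

# Usage: sh this.sh rootkey.gpg /dev/sda1
if [ "$#" -eq 2 ]; then
    check_unlock "$1" "$2" && echo "key unlocks $2 the way dracut feeds it"
fi
```

compare_modes pipe dash on a key with a trailing newline reports "mismatch", which is exactly the wiki-format / dracut-open combination from this bug; compare_modes file dash on the same key reports "match", which is why the luksAddKey workaround above succeeded.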
Right, this should actually be documented. I'll leave it open as a reminder to do so.
I tried to add a short note to the wiki page, but as I do not have an account there, I horribly failed by adding it at the luksOpen command instead of the luksFormat one. And now it seems I cannot repair that mistake (but my updates do not appear anyway).

Sorry for the trouble. I should think before I act. I'll let the people with knowledge/expertise do the work.

On a side note, on the discussion page (http://en.gentoo-wiki.com/wiki/Talk:DM-Crypt_with_LUKS ) they give a reasoning for using "-d -" instead of just piping (it actually has security implications). So the whole page should be updated (not only regarding dracut).
(In reply to comment #4)
> I tried to add a short note to the wiki page, but as I do not have an account
> there, I horribly failed by adding it at the luksOpen command instead of the
> luksFormat one. And now it seems I cannot repair that mistake (but my updates
> do not appear anyway).
> Sorry for the trouble. I should think before I act. I'll let the people with
> knowledge/expertise do the work.

And have you managed to update the Wiki? I've added a note to the dracut.cmdline man page (you will find it in 023), therefore I'm closing the bug.

diff --git a/dracut.cmdline.7.asc b/dracut.cmdline.7.asc index 0b1b8a2..884b223 100644 --- a/dracut.cmdline.7.asc +++ b/dracut.cmdline.7.asc @@ -233,6 +233,29 @@ rd.luks.key=/foo/bar.key ---- + As you see, you can skip colons in such a case. ++ +[NOTE] +=============================== +Dracut pipes key to cryptsetup with _-d -_ argument, therefore you need to pipe +to crypsetup luksFormat with _-d -_, too! + +Here follows example for key encrypted with GPG: + +---- +gpg --quiet --decrypt rootkey.gpg \ +| cryptsetup -d - -v \ +--cipher serpent-cbc-essiv:sha256 \ +--key-size 256 luksFormat /dev/sda3 +---- + +If you use plain keys, just add path to _-d_ option: + +---- +cryptsetup -d rootkey.key -v \ +--cipher serpent-cbc-essiv:sha256 \ +--key-size 256 luksFormat /dev/sda3 +---- +===============================
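Review bot: the NOTE added in the @@ -233,6 +233,29 @@ hunk tells readers to use `-d -` at luksFormat but not why, so someone with an already formatted volume cannot tell whether they are affected or how to recover; one sentence carrying the reason established in comment #2 (without `-d -`, cryptsetup strips trailing newlines from stdin input, with `-d -` it does not, so a key piped into luksFormat the old way only fails under dracut when the decrypted key ends in a newline) and the recovery path from the same comment (add the decrypted key as a key file with luksAddKey, after which `-d -` opens the volume) would make the note actionable. Also, `+to crypsetup luksFormat with _-d -_, too!` misspells cryptsetup, and the two example blocks would read better if the wrapped `--cipher` and `--key-size` continuation lines were indented, as is done for the gpg pipeline's `| cryptsetup` line in the surrounding asciidoc.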