Bug 591950 - sys-fs/cryptsetup does not work with PGP encrypted key files in boot runlevel: failed to create temporary file '/root/.gnupg/.#lk0x00.....': Read-only file system
Summary: sys-fs/cryptsetup does not work with PGP encrypted key files in boot runlevel...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-23 18:53 UTC by Markus Wernig
Modified: 2016-11-30 08:26 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Markus Wernig 2016-08-23 18:53:07 UTC
I have a separate disk in the system, which contains one LUKS-encrypted partition to be mounted as /home. After a world emerge some time ago (some months), dmcrypt fails when run in the boot runlevel (no password prompt appears). It then gets restarted in the default runlevel (password prompt appears, pw is entered and disk is decrypted), but that is too late, as localmount has already been run in boot, and the decrypted partition never gets mounted.

The output during startup is:
...
rc boot logging started at Tue Aug 23 20:10:13 2016

 * Setting system clock using the hardware clock [UTC] ...
 [ ok ]
 * Loading module vboxdrv ...
 [ ok ]
 * Loading module vboxnetadp ...
 [ ok ]
 * Loading module vboxnetflt ...
 [ ok ]
 * Loading module vboxpci ...
 [ ok ]
 * Autoloaded 4 module(s)
 * Setting up dm-crypt mappings ...
 *   crypt-swap using: -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p5 ...
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.
 [ ok ]
 *     pre_mount: mkswap /dev/mapper/crypt-swap ...
 [ ok ]
 *   crypt-home using:   open /dev/sda1 crypt-home ...
 * failure running cryptsetup
 [ !! ]
 * Failed to setup dm-crypt devices
 [ !! ]
 * ERROR: dmcrypt failed to start
 * Checking local filesystems  ...
GENTOO: clean, 856279/3276800 files, 6459752/13107200 blocks
BOOT: clean, 326/61056 files, 64487/244224 blocks
/dev/nvme0n1p3: clean, 277040/610800 files, 2124596/2441472 blocks
DATA: clean, 10490/11124736 files, 27297710/44493393 blocks
fsck.ext4: No such file or directory while trying to open /dev/mapper/crypt-home
Possibly non-existent device?
 * Operational error
 [ !! ]
...
rc boot logging stopped at Tue Aug 23 20:10:29 2016

rc default logging started at Tue Aug 23 20:10:29 2016

 * Setting up dm-crypt mappings ...
 * dm-crypt mapping crypt-swap is already configured
 *   crypt-home using:   open /dev/sda1 crypt-home ...
 [ ok ]


LUKS uses a keyfile on the root disk that is PGP-encrypted with a key in root's keyring (/root/.gnupg).

/etc/conf.d/dmcrypt has:

swap=crypt-swap
source='/dev/nvme0n1p5'

target=crypt-home
source='/dev/sda1'
key='/path/to/encrypted/keyfile:gpg'

/etc/fstab has:
/dev/mapper/crypt-home  /home           ext4            noatime,nodiratime  1 2

# rc-update gives:
       NetworkManager |      default                           
                acpid |      default                           
            alsasound |      default                           
               binfmt | boot                                   
             bootmisc | boot                                   
                cupsd |      default                           
                 dbus |      default                           
                devfs |                                 sysinit
              dmcrypt | boot                                   
                dmesg |                                 sysinit
              dnsmasq |      default                           
                 fsck | boot                                   
             hostname | boot                                   
              hwclock | boot                                   
            ip6tables |      default                           
             iptables |      default                           
              keymaps | boot                                   
            killprocs |                        shutdown        
    kmod-static-nodes |                                 sysinit
             libvirtd |      default                           
                local |      default nonetwork                 
           localmount | boot                                   
             loopback | boot                                   
              modules | boot                                   
             mount-ro |                        shutdown        
                 mtab | boot                                   
             netmount |      default                           
                pcscd |      default                           
               procfs | boot                                   
                 root | boot                                   
            savecache |                        shutdown        
                 swap | boot                                   
            swapfiles | boot                                   
               sysctl | boot                                   
                sysfs |                                 sysinit
            syslog-ng |      default                           
         termencoding | boot                                   
         tmpfiles.dev |                                 sysinit
       tmpfiles.setup | boot                                   
                 udev |                                 sysinit
         udev-trigger |                                 sysinit
              urandom | boot                                   
           vixie-cron |      default                           
                  xdm |      default 


For debugging, I adjusted /etc/init.d/dmcrypt to not suppress gpg errors, and the following appears when dmcrypt is run in the boot runlevel:

 * Setting up dm-crypt mappings ...
 *   crypt-swap using: -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p5 ...
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.
 [ ok ]
 *     pre_mount: mkswap /dev/mapper/crypt-swap ...
 [ ok ]
 *   crypt-home using:   open /dev/sda1 crypt-home ...
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000000c134b0.precise.2266': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000001f164b0.precise.2268': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000001d304b0.precise.2270': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000001a394b0.precise.2272': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x00000000012184b0.precise.2274': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
 * failure running cryptsetup
 [ !! ]
 * Failed to setup dm-crypt devices
 [ !! ]
 * ERROR: dmcrypt failed to start

It appears that gnupg attempts to create some files/sockets on disk, while the root device is still mounted read-only, and no other (writable) partitions are available yet.

There is no "use-agent" statement in /root/.gnupg/gpg.conf.

Either there should be a way to stop gpg from attempting to create files, or dmcrypt needs to be started after /etc/init.d/root, afaict.

Thanks for looking into this.


Reproducible: Always

Steps to Reproduce:
1. Set up dmcrypt with pgp-encrypted keyfiles
2. Reboot
3.
Actual Results:  
dmcrypt fails in the boot runlevel, but succeeds in the default runlevel, when it is already too late.


# emerge --info
Portage 2.3.0 (python 3.4.5-final-0, default/linux/amd64/13.0/desktop/plasma, gcc-5.3.0, glibc-2.23-r2, 4.7.0-gentoo x86_64)
=================================================================
System uname: Linux-4.7.0-gentoo-x86_64-Intel-R-_Core-TM-_i7-6820HQ_CPU_@_2.70GHz-with-gentoo-2.2
KiB Mem:    16230016 total,  13697488 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Fri, 19 Aug 2016 17:30:01 +0000
sh bash 4.3_p46
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p46::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.0-r1::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo, 3.5.1-r2::gentoo
dev-util/cmake:           3.6.1::gentoo
dev-util/pkgconfig:       0.29.1::gentoo
sys-apps/baselayout:      2.2-r1::gentoo
sys-apps/openrc:          0.21.3::gentoo
sys-apps/sandbox:         2.10-r2::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake:       1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo, 2.26.1::gentoo
sys-devel/gcc:            4.9.3::gentoo, 5.3.0::gentoo, 5.4.0::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.7::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask-write=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://sunsite.cnlab-switch.ch/ftp/mirror/gentoo/ ftp://sunsite.cnlab-switch.ch/mirror/gentoo/ http://de-mirror.org/gentoo/"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 bash-completion berkdb bluetooth branding bzip2 cairo caps cdda cdr cli consolekit cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif glamor gpm gstreamer gtk http iconv imap ipv6 jce jpeg kde kipi lcms ldap libav libnotify mad mmx mmxext mng modules mp3 mp4 mpeg multilib multitarget ncurses networkmanager nls nptl nss ogg opengl openmp otr pam pango pcre pcsc pcsc-lite pdf phonon plasma png policykit ppds pulseaudio qml qt3support qt4 qt5 readline sdl seccomp session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 startup-notification subversion svg synaptics tcpd tiff tools truetype udev udisks unicode upower usb utils vorbis widgets wxwidgets x264 xattr xcb xcomposite xinerama xml xscreensaver xv xvid zlib" ABI_X86="64 32" ALSA_CARDS="hda-intel usb-audio" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="all" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc efi-64" INPUT_DEVICES="keyboard mouse evdev synaptics void alps" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses 
text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en de" NETBEANS_MODULES="apisupport java javafx profiler websvccommon enterprise" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="fbdev intel nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Markus Wernig 2016-08-26 20:47:41 UTC
As a proof of concept, I've added a second passphrase to the LUKS container on /dev/sda1 and removed the key='/path/to/encrypted/keyfile:gpg' stanza from the target definition for crypt-home.

Now the boot stops while running dmcrypt, and I can type in the new passphrase (no prompt is shown, so the splash functions seem not to work there).

But the container is decrypted OK, and the mapper target crypt-home is created and mounted normally by localmount. dmcrypt is not started again in the default runlevel.

krgds /markus
Comment 2 Stephane 2016-11-30 08:26:32 UTC
Same issue here. Drove me crazy for a couple of days.

The problem is that GPG2 doesn't work well with a read-only filesystem (I believe it's something about the pgp-agent, which you can't disable in GPG2).

Downgrade your GPG to a v1.x and you'll be fine.

I believe this bug report should read "bring support for GPG 2.x" in dmcrypt, because at some point GPG 1.x will vanish and we'll be doomed :)

Cheers!

Stéphane K
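The failure mode diagnosed in the report (gpg2 writing lock files and its agent socket into /root/.gnupg while / is still read-only) and in comment 2 (the agent cannot be disabled in GPG 2.x) can be worked around without downgrading gpg by giving it a writable GNUPGHOME on an early tmpfs. The following is an added example, not the Gentoo dmcrypt init script or anything from this bug; it assumes the keyring lives in /root/.gnupg and that /run is a writable tmpfs by the time dmcrypt runs.

```shell
#!/bin/sh
# Added example, not the Gentoo dmcrypt init script: work around gpg2 needing
# a writable GNUPGHOME (lock files ".#lk...", agent socket) while / is still
# read-only, by staging root's keyring onto an early tmpfs such as /run.
# Assumed paths: keyring /root/.gnupg, scratch tmpfs /run (mounted by sysinit).
# Return 0 if a file can really be created in directory $1.
# "[ -w dir ]" is not enough: it reports true on a read-only mount.
gnupghome_writable() {
    dir=$1
    [ -d "$dir" ] || return 1
    probe="$dir/.#probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# Copy keyring $1 into a fresh mode-0700 directory under $2; print its path.
# gpg refuses a GNUPGHOME that other users can read, hence the chmod.
stage_gnupghome() {
    src=$1; base=$2
    dst=$(mktemp -d "$base/gnupg.XXXXXX") || return 1
    chmod 0700 "$dst" || return 1
    for f in "$src"/*.gpg "$src"/*.kbx "$src"/*.conf; do
        if [ -e "$f" ]; then cp -p "$f" "$dst"/; fi
    done
    if [ -d "$src/private-keys-v1.d" ]; then
        cp -Rp "$src/private-keys-v1.d" "$dst"/       # gpg2 secret keys
    fi
    printf '%s\n' "$dst"
}

# Print a usable GNUPGHOME: $1 itself if writable, otherwise a staged copy in $2.
select_gnupghome() {
    if gnupghome_writable "$1"; then
        printf '%s\n' "$1"
    else
        stage_gnupghome "$1" "$2"
    fi
}

# Decrypt gpg-encrypted LUKS keyfile $1 to stdout, for "cryptsetup --key-file -".
# Any staged copy of the keyring is removed again, whatever gpg returned.
decrypt_keyfile() {
    keyfile=$1
    GNUPGHOME=$(select_gnupghome /root/.gnupg /run) || return 1
    export GNUPGHOME
    gpg --quiet --decrypt "$keyfile" && rc=0 || rc=$?
    if [ "$GNUPGHOME" != /root/.gnupg ]; then rm -rf "$GNUPGHOME"; fi
    return "$rc"
}
```

In a dmcrypt-style script the pipeline would be `decrypt_keyfile /path/to/keyfile.gpg | cryptsetup --key-file - open /dev/sda1 crypt-home`; the staged copy of the secret keyring only ever lives in RAM-backed tmpfs and is deleted as soon as gpg exits.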