I have a separate disk in the system, which contains one LUKS-encrypted partition to be mounted as /home. After a world emerge some time ago (some months), dmcrypt fails when run in the boot runlevel (no password prompt appears). It then gets restarted in the default runlevel (password prompt appears, pw is entered and disk is decrypted), but that is too late, as localmount has already been run in boot, and the decrypted partition never gets mounted.

The output during startup is:

...
rc boot logging started at Tue Aug 23 20:10:13 2016

 * Setting system clock using the hardware clock [UTC] ... [ ok ]
 * Loading module vboxdrv ... [ ok ]
 * Loading module vboxnetadp ... [ ok ]
 * Loading module vboxnetflt ... [ ok ]
 * Loading module vboxpci ... [ ok ]
 * Autoloaded 4 module(s)
 * Setting up dm-crypt mappings ...
 * crypt-swap using: -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p5 ...
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified. [ ok ]
 * pre_mount: mkswap /dev/mapper/crypt-swap ... [ ok ]
 * crypt-home using: open /dev/sda1 crypt-home ...
 * failure running cryptsetup [ !! ]
 * Failed to setup dm-crypt devices [ !! ]
 * ERROR: dmcrypt failed to start
 * Checking local filesystems ...
GENTOO: clean, 856279/3276800 files, 6459752/13107200 blocks
BOOT: clean, 326/61056 files, 64487/244224 blocks
/dev/nvme0n1p3: clean, 277040/610800 files, 2124596/2441472 blocks
DATA: clean, 10490/11124736 files, 27297710/44493393 blocks
fsck.ext4: No such file or directory while trying to open /dev/mapper/crypt-home
Possibly non-existent device?
 * Operational error [ !! ]
...
rc boot logging stopped at Tue Aug 23 20:10:29 2016

rc default logging started at Tue Aug 23 20:10:29 2016

 * Setting up dm-crypt mappings ...
 * dm-crypt mapping crypt-swap is already configured
 * crypt-home using: open /dev/sda1 crypt-home ... [ ok ]

LUKS uses a keyfile on the root disk that is PGP-encrypted with a key in root's keyring (/root/.gnupg).

/etc/conf.d/dmcrypt has:

swap=crypt-swap
source='/dev/nvme0n1p5'

target=crypt-home
source='/dev/sda1'
key='/path/to/encrypted/keyfile:gpg'

/etc/fstab has:

/dev/mapper/crypt-home /home ext4 noatime,nodiratime 1 2

# rc-update gives:

NetworkManager | default
acpid | default
alsasound | default
binfmt | boot
bootmisc | boot
cupsd | default
dbus | default
devfs | sysinit
dmcrypt | boot
dmesg | sysinit
dnsmasq | default
fsck | boot
hostname | boot
hwclock | boot
ip6tables | default
iptables | default
keymaps | boot
killprocs | shutdown
kmod-static-nodes | sysinit
libvirtd | default
local | default nonetwork
localmount | boot
loopback | boot
modules | boot
mount-ro | shutdown
mtab | boot
netmount | default
pcscd | default
procfs | boot
root | boot
savecache | shutdown
swap | boot
swapfiles | boot
sysctl | boot
sysfs | sysinit
syslog-ng | default
termencoding | boot
tmpfiles.dev | sysinit
tmpfiles.setup | boot
udev | sysinit
udev-trigger | sysinit
urandom | boot
vixie-cron | default
xdm | default

For debugging, I adjusted /etc/init.d/dmcrypt to not suppress gpg errors, and the following appears when dmcrypt is run in the boot runlevel:

 * Setting up dm-crypt mappings ...
 * crypt-swap using: -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p5 ...
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified. [ ok ]
 * pre_mount: mkswap /dev/mapper/crypt-swap ... [ ok ]
 * crypt-home using: open /dev/sda1 crypt-home ...
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000000c134b0.precise.2266': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000001f164b0.precise.2268': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000001d304b0.precise.2270': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x0000000001a394b0.precise.2272': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
gpg: failed to create temporary file '/root/.gnupg/.#lk0x00000000012184b0.precise.2274': Read-only file system
gpg: can't connect to the agent: Read-only file system
gpg: decryption failed: No secret key
 * failure running cryptsetup [ !! ]
 * Failed to setup dm-crypt devices [ !! ]
 * ERROR: dmcrypt failed to start

It appears that gnupg attempts to create some files/sockets on disk, while the root device is still mounted read-only, and no other (writeable) partitions are available yet. There is no "use-agent" statement in /root/.gnupg/gpg.conf.

Either there should be a way to stop gpg from attempting to create files, or dmcrypt needs to be started after /etc/init.d/root, afaict.

Thanks for looking into this.

Reproducible: Always

Steps to Reproduce:
1. Set up dmcrypt with pgp-encrypted keyfiles
2. Reboot
3.

Actual Results:
dmcrypt fails in the boot runlevel, but succeeds in the default runlevel, when it is already too late.
# emerge --info
Portage 2.3.0 (python 3.4.5-final-0, default/linux/amd64/13.0/desktop/plasma, gcc-5.3.0, glibc-2.23-r2, 4.7.0-gentoo x86_64)
=================================================================
System uname: Linux-4.7.0-gentoo-x86_64-Intel-R-_Core-TM-_i7-6820HQ_CPU_@_2.70GHz-with-gentoo-2.2
KiB Mem: 16230016 total, 13697488 free
KiB Swap: 8388604 total, 8388604 free
Timestamp of repository gentoo: Fri, 19 Aug 2016 17:30:01 +0000
sh bash 4.3_p46
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash: 4.3_p46::gentoo
dev-java/java-config: 2.2.0-r3::gentoo
dev-lang/perl: 5.24.0-r1::gentoo
dev-lang/python: 2.7.12::gentoo, 3.4.5::gentoo, 3.5.1-r2::gentoo
dev-util/cmake: 3.6.1::gentoo
dev-util/pkgconfig: 0.29.1::gentoo
sys-apps/baselayout: 2.2-r1::gentoo
sys-apps/openrc: 0.21.3::gentoo
sys-apps/sandbox: 2.10-r2::gentoo
sys-devel/autoconf: 2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake: 1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo, 2.26.1::gentoo
sys-devel/gcc: 4.9.3::gentoo, 5.3.0::gentoo, 5.4.0::gentoo
sys-devel/gcc-config: 1.8-r1::gentoo
sys-devel/libtool: 2.4.6-r2::gentoo
sys-devel/make: 4.2.1::gentoo
sys-kernel/linux-headers: 4.7::gentoo (virtual/os-headers)
sys-libs/glibc: 2.23-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask-write=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://sunsite.cnlab-switch.ch/ftp/mirror/gentoo/ ftp://sunsite.cnlab-switch.ch/mirror/gentoo/ http://de-mirror.org/gentoo/"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 bash-completion berkdb bluetooth branding bzip2 cairo caps cdda cdr cli consolekit cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif glamor gpm gstreamer gtk http iconv imap ipv6 jce jpeg kde kipi lcms ldap libav libnotify mad mmx mmxext mng modules mp3 mp4 mpeg multilib multitarget ncurses networkmanager nls nptl nss ogg opengl openmp otr pam pango pcre pcsc pcsc-lite pdf phonon plasma png policykit ppds pulseaudio qml qt3support qt4 qt5 readline sdl seccomp session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 startup-notification subversion svg synaptics tcpd tiff tools truetype udev udisks unicode upower usb utils vorbis widgets wxwidgets x264 xattr xcb xcomposite xinerama xml xscreensaver xv xvid zlib"
ABI_X86="64 32"
ALSA_CARDS="hda-intel usb-audio"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="all"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="pc efi-64"
INPUT_DEVICES="keyboard mouse evdev synaptics void alps"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en de"
NETBEANS_MODULES="apisupport java javafx profiler websvccommon enterprise"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python3_4"
PYTHON_TARGETS="python2_7 python3_4"
RUBY_TARGETS="ruby20 ruby21"
USERLAND="GNU"
VIDEO_CARDS="fbdev intel nouveau"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
As a proof of concept, I've added a second passphrase to the LUKS container on /dev/sda1 and removed the key='/path/to/encrypted/keyfile:gpg' stanza from the target definition for crypt-home. Now the boot stops during running dmcrypt, and I can type in the new passphrase (no prompt is shown, so the splash functions seem not to work there). But the container is decrypted OK, and the mapper target crypt-home is created and mounted normally by localmount. dmcrypt is not started again in the default runlevel.

krgds
/markus
Same issue here. Drove me crazy for a couple of days. The problem is that GPG2 doesn't work well with a read-only filesystem (I believe it's something about the pgp-agent, which you can't disable in GPG2). Downgrade your GPG to a v1.x and you'll be fine. I believe this bug report should read "bring support for GPG 2.x" in dmcrypt, because at some point GPG 1.x will vanish and we'll be doomed :)

Cheers!
Stéphane K
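The report's gpg output and the second comment point at the same mechanism: GnuPG 2 needs to write lock files (the .#lk* names in the log) into the home directory and start gpg-agent with a socket, and in the boot runlevel / is still read-only. The sketch below is an added example of a mitigation that does not require downgrading to GnuPG 1; it is not Gentoo's dmcrypt init script and is not code from either commenter. It assumes (my assumptions, not from the report) that /run is already a writable tmpfs when dmcrypt runs, that the keyring is /root/.gnupg, and that gpg, gpgconf and cryptsetup are in PATH. The idea is to copy the keyring into a fresh 0700 directory on tmpfs, point GNUPGHOME at it so locks and the agent socket land in RAM, stream the decrypted key into cryptsetup on stdin so it never touches disk, then kill the agent and remove the copy.

```shell
#!/bin/sh
# Added example, not Gentoo's dmcrypt init script: open a LUKS device whose
# keyfile is GPG-encrypted while / is still read-only in the boot runlevel.
# Assumptions (not taken from the bug report): /run is already a writable tmpfs,
# the keyring is /root/.gnupg, and gpg, gpgconf and cryptsetup are in PATH.

# Return 0 when the root filesystem is mounted read-only according to a
# /proc/mounts-style file (column 2 = mount point, column 4 = options).
# The last "/" entry wins, since an initramfs "rootfs" line may precede it.
root_is_readonly() {
    mounts="${1:-/proc/mounts}"
    awk '$2 == "/" { opts = $4 }
         END {
             n = split(opts, o, ",")
             for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
             exit 1
         }' "$mounts"
}

# Copy the (read-only) keyring into a fresh 0700 directory on tmpfs so gpg can
# create its .#lk* lock files and gpg-agent its socket there. Stale locks from
# an earlier session are dropped. Prints the new home; the caller removes it.
prepare_gpg_home() {
    src="${1:-/root/.gnupg}"
    base="${2:-/run}"
    gnupghome="$(mktemp -d "${base}/dmcrypt-gnupg.XXXXXX")" || return 1
    chmod 700 "$gnupghome"
    # -p keeps modes; gpg refuses homedirs with "unsafe permissions"
    cp -pR "$src"/. "$gnupghome"/ || { rm -rf "$gnupghome"; return 1; }
    find "$gnupghome" -name '.#lk*' -exec rm -f {} +
    printf '%s\n' "$gnupghome"
}

# Decrypt KEYFILE under the temporary home and stream the plaintext key into
# cryptsetup on stdin (--key-file=-), so the decrypted key never touches disk.
# The agent started under the temporary home is killed before cleanup.
open_gpg_luks() {
    keyfile="$1"; device="$2"; name="$3"
    tmphome="$(prepare_gpg_home)" || return 1
    GNUPGHOME="$tmphome" gpg --quiet --decrypt "$keyfile" \
        | cryptsetup --key-file=- open "$device" "$name"
    status=$?   # exit status of cryptsetup (last command in the pipeline)
    GNUPGHOME="$tmphome" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$tmphome"
    return "$status"
}

# Direct use: ./open-gpg-luks.sh /path/to/encrypted/keyfile /dev/sda1 crypt-home
if [ "$#" -eq 3 ]; then
    root_is_readonly && echo "/ is read-only, using tmpfs GnuPG home" >&2
    open_gpg_luks "$1" "$2" "$3"
fi
```

root_is_readonly takes the last "/" entry rather than the first because an initramfs leaves a "rootfs / rootfs rw" line ahead of the real root device. Killing the agent matters: otherwise a gpg-agent holding the unlocked private key keeps running with a socket in the deleted directory. Whether the passphrase prompt reaches the console from the boot runlevel depends on the init script's tty handling, which the first comment shows is already fragile (no prompt drawn for the plain LUKS passphrase either).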