I have OpenRC and not systemd on my live system. However, it seems dracut anticipates systemd? One of the reasons LUKS partition decryption fails for me is likely that there is no /dev/disk/by-partuuid/ at all!

[ 5.319231] dracut: dracut-044
[ 5.366397] dracut: rd.luks.key: keypath='/sda6key.gpg' keydev='/dev/sda5' luksdev='/dev/sda6'
[ 5.527262] random: systemd-udevd urandom read with 30 bits of entropy available
[ 5.555805] dracut: rd.md=0: removing MD RAID activation
[ 6.767873] dracut: Probing /dev/sda5 for /sda6key.gpg...
[ 6.805826] EXT4-fs (sda5): mounted filesystem with ordered data mode. Opts: (null)
[ 6.891684] dracut: Found /sda6key.gpg on /dev/sda5
[ 133.406842] random: nonblocking pool is initialized
[ 133.644584] EXT4-fs (sda5): mounted filesystem with ordered data mode. Opts: (null)
[ 133.648982] dracut: Mounted rootfallback /dev/sda5
[ 133.659172] dracut Warning: Signal caught!
[ 133.665248] dracut Warning: /dev/disk/by-partuuid/87391709-06 does not exist
+ '[' -f /run/initramfs/init.log ']'

/dev/disk:
total 0
drwxr-xr-x 15 root 0 13300 Aug 4 22:33 ..
drwxr-xr-x 6 root 0 120 Aug 4 22:33 .
drwxr-xr-x 2 root 0 100 Aug 4 22:33 by-label
drwxr-xr-x 2 root 0 160 Aug 4 22:33 by-uuid
drwxr-xr-x 2 root 0 240 Aug 4 22:33 by-path
drwxr-xr-x 2 root 0 420 Aug 4 22:33 by-id

/dev/disk/by-label:
total 0
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 DELLUTILITY -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug 4 22:33 ..
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 OS -> ../../sda3
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 Recovery -> ../../sda2
drwxr-xr-x 2 root 0 100 Aug 4 22:33 .

/dev/disk/by-uuid:
total 0
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 c9031918-c48b-43ca-b621-e5c669e4160d -> ../../sda5
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 067d6953-349e-49fc-9aae-2bb2b48dbf45 -> ../../sda6
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 3030-3030 -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug 4 22:33 ..
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 AC7C4EC27C4E86D4 -> ../../sda3
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 CC70378A703779F2 -> ../../sda2
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 67e0a12b-8a1b-4a60-981c-5c6b5dda5619 -> ../../sda7
drwxr-xr-x 2 root 0 160 Aug 4 22:33 .

/dev/disk/by-path:
total 0
lrwxrwxrwx 1 root 0 9 Aug 4 22:33 pci-0000:00:1f.2-ata-5 -> ../../sr0
lrwxrwxrwx 1 root 0 9 Aug 4 22:33 pci-0000:00:1f.2-ata-1 -> ../../sda
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part4 -> ../../sda4
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part5 -> ../../sda5
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part6 -> ../../sda6
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part1 -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug 4 22:33 ..
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part3 -> ../../sda3
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part8 -> ../../sda8
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part2 -> ../../sda2
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 pci-0000:00:1f.2-ata-1-part7 -> ../../sda7
drwxr-xr-x 2 root 0 240 Aug 4 22:33 .

/dev/disk/by-id:
total 0
lrwxrwxrwx 1 root 0 9 Aug 4 22:33 ata-PLDS_DVD+_-RW_DS-8A8SH_G0V0C550811AI40P2A00 -> ../../sr0
lrwxrwxrwx 1 root 0 9 Aug 4 22:33 wwn-0x50004cf20ef6ec36 -> ../../sda
lrwxrwxrwx 1 root 0 9 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269 -> ../../sda
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part4 -> ../../sda4
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part4 -> ../../sda4
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part5 -> ../../sda5
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part5 -> ../../sda5
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part6 -> ../../sda6
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part6 -> ../../sda6
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part1 -> ../../sda1
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part1 -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug 4 22:33 ..
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part3 -> ../../sda3
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part3 -> ../../sda3
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part8 -> ../../sda8
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part8 -> ../../sda8
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part2 -> ../../sda2
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part2 -> ../../sda2
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 wwn-0x50004cf20ef6ec36-part7 -> ../../sda7
lrwxrwxrwx 1 root 0 10 Aug 4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part7 -> ../../sda7
drwxr-xr-x 2 root 0 420 Aug 4 22:33 .

Now I know that after about 2 minutes dracut at least returns me to the rescue shell, so I can at least inspect what is going on a bit.
I think the dracut scripts should not try to use /dev/disk/by-partuuid/87391709-06 at all if there is not even a parent directory /dev/disk/by-partuuid/ present.

# emerge -pv dracut openrc
Calculating dependencies... done!
[ebuild R ] sys-kernel/dracut-044::gentoo USE="-debug (-selinux) -systemd" 0 KiB
[ebuild U ] sys-apps/openrc-0.21.7::gentoo [0.21.3::gentoo] USE="ncurses netifrc pam unicode -audit -debug -newnet (-prefix) (-selinux) -static-libs -tools" 165 KiB

# emerge --info
Portage 2.3.0 (python 2.7.11-final-0, default/linux/amd64/13.0, gcc-5.4.0, glibc-2.23-r2, 4.6.3-default-pciehp x86_64)
=================================================================
System uname: Linux-4.6.3-default-pciehp-x86_64-Intel-R-_Core-TM-_i7-2640M_CPU_@_2.80GHz-with-gentoo-2.2
KiB Mem: 16375816 total, 3512652 free
KiB Swap: 0 total, 0 free
Timestamp of repository gentoo: Thu, 01 Sep 2016 12:30:01 +0000
sh bash 4.3_p46
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash: 4.3_p46::gentoo
dev-java/java-config: 2.2.0-r3::gentoo
dev-lang/perl: 5.20.2-r1::gentoo
dev-lang/python: 2.7.11-r1::gentoo, 3.4.3-r7::gentoo, 3.5.1-r2::gentoo
dev-util/cmake: 3.6.1::gentoo
dev-util/pkgconfig: 0.29.1::gentoo
sys-apps/baselayout: 2.2-r1::gentoo
sys-apps/openrc: 0.21.3::gentoo
sys-apps/sandbox: 2.10-r2::gentoo
sys-devel/autoconf: 2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake: 1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo, 2.26.1::gentoo
sys-devel/gcc: 4.3.6-r1::gentoo, 4.4.7::gentoo, 4.6.4::gentoo, 4.7.4::gentoo, 4.8.5::gentoo, 4.9.3::gentoo, 5.3.0::gentoo, 5.4.0::gentoo
sys-devel/gcc-config: 1.8-r1::gentoo
sys-devel/libtool: 2.4.6-r2::gentoo
sys-devel/make: 4.2.1::gentoo
sys-kernel/linux-headers: 4.6::gentoo (virtual/os-headers)
sys-libs/glibc: 2.23-r2::gentoo
Repositories:
gentoo
    location: /scratch/usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
science
    location: /home/mmokrejs/proj/sci
    masters: gentoo
    priority: 0
x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 1
layman
    location: /var/lib/layman
    masters: gentoo
    priority: 2
haskell
    location: /var/lib/layman/haskell
    masters: gentoo
    priority: 50
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 sun-bcla-java-vm Oracle-BCLA-JavaSE IBM-J1.6 skype-eula Nero-EULA-US AdobeFlash-10.3 skype-4.0.0.7-copyright AdobeFlash-11.x OPERA-2014"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -maes -mpclmul -mpopcnt -mavx -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /usr/lib64/libreoffice/program/sofficerc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.2/conf /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/apache2-php5.5/ext-active/ /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -maes -mpclmul -mpopcnt -mavx -march=native"
DISTDIR="/scratch/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news noclean nostrip parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.wheel.sk/ http://ftp.fi.muni.cz/pub/linux/gentoo/ http://gentoo.mirror.web4u.cz/ rsync://gentoo.mirror.dkm.cz/gentoo/ ftp://gentoo.mirror.web4u.cz/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/scratch/var/tmp"
USE="X acpi alsa amd64 amr apache apache2 apulse avx berkdb bindist bluetooth boost bzip2 cairo cgi cli coin consolekit cracklib crypt cryptlib cups cxx dbus device-mapper dhcp directfb dri drm dvd emboss encode fax fbcon ffmpeg flac fontconfig fortran gbm gd gdbm geoip gimp glpk gnutls gpm gtk hal hpijs hwdb iconv id3tag imaging innodb java javafx javascript jce jpeg jpg js jscript keymap ladspa lapack laptop lcms libnotify lm_sensors mad matroska mmx mmxext modules mpi mpich2 multilib mysql ncurses nfs nls nptl nptlonly nscd nsplugin ntfsprogs ocr ogg opengl openmp pam parport pcre pdf perl php png policykit polkit ppds pppd python qt3support readline rendering resolvconf scanner seccomp server session slideshow sndfile sqlite sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 suexec svg syslog tcl tcpd threads tiff tk truetype udev unicode usb v4l v4l2 vim-syntax vnc wavpack wifi x11 xattr xcb xml xorg xrandr xv xvid xvmc zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="alias authz_host auth_basic auth_digest cgi cgid deflate dir env filter include info mem_cache mime mime_magic negotiation remoteip setenvif status userdir vhost_alias rewrite usertrack cache file_cache disk_cache charset_lite log_config log_forensic" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" DRACUT_MODULES="crypt crypt-gpg" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US en_GB cs cz" OFFICE_IMPLEMENTATION="libreoffice" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="vesa vmware fbdev intel i915 i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
#
What version of udev?
Support for DOS partitions using partuuid was added in systemd-230 and udev-230. What parameters are you passing on the kernel command line? What does your fstab contain?
# emerge -pv udev
Calculating dependencies... done!
[ebuild R ] sys-fs/udev-230-r1::gentoo USE="kmod -acl (-selinux) -static-libs" ABI_X86="32 (64) (-x32)" 0 KiB

BTW, I tried many dracut commandline options, but to give out just a few:

dracut -a "crypt crypt-gpg dm" --kver 4.6.3-default-pciehp --force -I "/usr/bin/gpg-agent /usr/bin/ssh /sbin/fsck.ext4 /usr/bin/strace"
dracut -a "crypt crypt-gpg" --kver 4.6.3-default-pciehp --force --hostonly
dracut -a "crypt crypt-gpg lvm dm" --kver 4.0.6-default-pciehp --force -I "/usr/bin/gpg-agent /usr/bin/ssh /sbin/fsck.ext4 /usr/bin/strace" --add-fstab=/boot/fstab

# grep -v "^#" /etc/fstab
UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" / ext4 noatime 0 1
/dev/sda7 /scratch ext4 noatime 0 0
/dev/mapper/swap none swap sw 0 0
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
/dev/sda5 /boot ext4 noatime 0 0
/dev/sda3 /mnt/ntfs ntfs-3g default 0 0

Kernel commandline:

/vmlinuz-4.6.3 ro docrypt root=PARTUUID=87391709-06 rootfallback=/dev/sda5 rd.luks.key=/sda6key.gpg:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell

It also fails with an unprotected key (to avoid issues with gpg-agent), for which I showed the dmesg snippet.

/vmlinuz-4.6.3 ro docrypt root=PARTUUID=87391709-06 rootfallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell

Basically, dracut should fetch the key from the sda5 filesystem, from a file sda6key placed in its root, and call luksOpen to decrypt sda6. I am slightly off-topic in this bug report but IMHO dracut should not bother about the UUID because I said clearly which /dev/sda* device it should have opened (via kernel commandline).
But I saw the code somewhere in the dracut scripts, so it behaves as I reported (it looks for a non-existing file without care). Seems dracut is developed for RedHat and for systemd, so could be a Gentoo issue.

Initially I thought I cannot decrypt my device because of gpg-agent and sometimes it seemed it is because it cannot find pinentry (I don't have it in the ramdisk, indeed, I do not want gpg-agent to require pinentry either). But the real issue is that gpg-agent aims to decrypt a non-existing partuuid file, just asks for a passphrase. Once it receives it, nothing happens. Probably a bug in gpg could be filed as well so that gpg-agent checks it has a file to work with before even asking for a passphrase.

# emerge -pv gnupg
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] dev-libs/libgcrypt-1.7.3:0/20::gentoo [1.7.2:0/20::gentoo] USE="-doc -static-libs" ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild U ] app-crypt/gnupg-2.1.15::gentoo [2.1.14-r1::gentoo] USE="bzip2 doc gnutls nls readline tools usb -ldap (-selinux) -smartcard -tofu" 0 KiB

To show my kernel commandline and system works, here is what I execute once dracut gives me its emergency shell:

$ cat /boot/luksmount.sh
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 root
umount /sysroot
mount /dev/mapper/root /sysroot
exit # exit from emerge shell and continue booting
$

So, dracut is happy with the /dev/mapper/root created manually and with the layout of the decrypted filesystem in /sysroot. I do not understand why it even wants to create /dev/mapper/$someotherfilename .

Sorry for being so verbose,
Mike.
> # grep -v "^#" /etc/fstab
>
> UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" / ext4
> noatime 0 1

And I did have /dev/sda6 there as well; that did not work, and therefore I tried the above UUID approach. Doesn't work either.
I'm confused; why are you passing root=PARTUUID=87391709-06 on the kernel command line?
(In reply to Mike Gilbert from comment #5)
> I'm confused; why are you passing root=PARTUUID=87391709-06 on the kernel
> command line?

Sorry, I tried so many tricks that I managed to paste a commandline from a different attempt. Here is the commandline which does not work either, and IMHO the real issue has nothing to do with my kernel commandline, because dracut does something different under the hood.

Command line: BOOT_IMAGE=/vmlinuz-4.6.3 ro docrypt root=/dev/sda6 root=/dev/mapper/root fallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell

Why do I have two "root=" items in there? I do not know, but that prevents the kernel from panicking because it cannot mount the root filesystem. I assume the latter takes precedence.

dracut fails to do its job but after 5 minutes gives me the emergency shell. From that shell I call the short shellscript I pasted above, and the system boots up because the /sysroot filesystem seems reasonable. Probably it has nothing to do with /dev/mapper/root being available (decrypted by me manually).
Please follow instructions from [1] and attach rdsosreport.txt to this bug. You can also add "rd.retry=4" to the kernel cmdline - dracut will drop you to rescue shell much faster. [1] https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#identifying-your-problem-area
Created attachment 444804
rdsosreport.txt
(In reply to Martin Mokrejš from comment #8) You forgot to append "rd.debug log_buf_len=1M" to the kernel cmdline.
Created attachment 444806
rdsosreport.txt11

Yes, I also realized that meanwhile, sorry, here we go.
So... You don't have /etc/crypttab in initramfs and expect that dracut will magically give the name "root" to the luks device? :)
You should try hostonly initramfs: pass "-H" option to dracut or add hostonly="yes" to /etc/(dracut.conf|dracut.conf.d/*). Of course ensure first that you have a proper /etc/crypttab on the real root. Another option is to use "root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45".
(In reply to Alexander Tsoy from comment #11)
> So... You don't have /etc/crypttab in initramfs and expect that dracut will
> magically give the name "root" to the luks device? :)

Seemed optional, dracut can just respect the kernel commandline arguments, so it knows where to get the key from, and what partition to decrypt. It seemed from manual pages that /dev/mapper/root is the common device name.

Why isn't this enough?

[ 5.366397] dracut: rd.luks.key: keypath='/sda6key.gpg' keydev='/dev/sda5' luksdev='/dev/sda6'

You did not comment on the

/dev/disk/by-partuuid/87391709-06 does not exist

error message. Clearly the /dev/disk/by-partuuid/ is missing in my Gentoo case, and I doubt it has to do with a wrong kernel commandline or wrong dracut arguments used to create the ramdisk. What am I missing?
(In reply to Martin Mokrejš from comment #13)
> Seemed optional, dracut can just respect the kernel commandline arguments,
> so it knows where to get the key from, and what partition to decrypt. It
> seemed from manual pages that /dev/mapper/root is the common device name.
>
> Why isn't this enough?

You can specify multiple luks devices on the cmdline and none of them is required to be a root device: it may be /usr or a custom mount point.

> You did not comment on the
>
> /dev/disk/by-partuuid/87391709-06 does not exist
>
> error message. Clearly the /dev/disk/by-partuuid/ is missing in my Gentoo
> case, and I doubt it has to do with a wrong kernel commandline or wrong dracut
> arguments used to create the ramdisk. What am I missing?

Looks like partuuid symlinks only created for GPT partitions. I just checked latest systemd from git:

$ grep -r by-partuuid rules/
rules/60-persistent-storage.rules:# by-partlabel/by-partuuid links (partition metadata)
rules/60-persistent-storage.rules:ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_UUID}=="?*", SYMLINK+="disk/by-partuuid/$env{ID_PART_ENTRY_UUID}"
Hmm, I do not know how that translates to my openrc situation, but although I wanted to answer that I have a GPT partition on the 1.8TiB drive, there is some problem:

# gdisk /dev/sda
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: MBR only
  BSD: not present
  APM: not present
  GPT: not present

***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format
in memory. THIS OPERATION IS POTENTIALLY DESTRUCTIVE! Exit by
typing 'q' if you don't want to convert your MBR partitions
to GPT format!
***************************************************************

Exact type match not found for type code DE00; assigning type code for
'Linux filesystem'

Warning! Secondary partition table overlaps the last partition by
33 blocks!
You will need to delete this partition or resize it in another utility.

Command (? for help): p
Disk /dev/sda: 3907029168 sectors, 1.8 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): 45932B6C-CAEC-47A8-874D-D92A28E314D8
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 3907029134
Partitions will be aligned on 2048-sector boundaries
Total free space is 10206 sectors (5.0 MiB)

Number  Start (sector)  End (sector)  Size        Code  Name
     1            2048        206847  100.0 MiB   8300  Linux filesystem
     2          206848      30926847  14.6 GiB    0700  Microsoft basic data
     3        30926848     235726847  97.7 GiB    0700  Microsoft basic data
     5       235728896     237826047  1024.0 MiB  8300  Linux filesystem
     6       237828096    2385311743  1024.0 GiB  8300  Linux filesystem
     7      2385313792    3853320191  700.0 GiB   8300  Linux filesystem
     8      3853322240    3907029167  25.6 GiB    8200  Linux swap

Command (? for help): q

Maybe that is confusing some scripts if I had systemd. But I have openrc installed so it may not even apply.
(In reply to Alexander Tsoy from comment #12)
> You should try hostonly initramfs: pass "-H" option to dracut or add
> hostonly="yes" to /etc/(dracut.conf|dracut.conf.d/*). Of course ensure first
> that you have a proper /etc/crypttab on the real root. Another option is to
> use "root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45".

So I did:

$ cat /etc/dracut.conf.d/crypt-gpg.conf
hostonly="yes"
root=UUID=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
rootfstype=ext4
rootfallback=/dev/sda5
# encrypted LUKS partition from outside
# rd.luks.uuid=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
#
# decrypted LUKS filesystem
# UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c"
add_dracutmodules+="crypt-gpg crypt-loop crypt"
omit_dracutmodules+="systemd"
$
$ cat /etc/crypttab
root UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45 /sda6key luks
$
$ dracut -a "crypt crypt-gpg lvm dm" --kver 4.6.3-default-pciehp --force --hostonly
dracut: Executing: /usr/bin/dracut -a "crypt crypt-gpg lvm dm" --kver 4.6.3-default-pciehp --force --hostonly
dracut: dracut module 'bootchart' will not be installed, because command '/sbin/bootchartd' could not be found!
dracut: dracut module 'dash' will not be installed, because command '/bin/dash' could not be found!
dracut: dracut module 'network' will not be installed, because command 'arping' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouth-set-default-theme' could not be found!
dracut: dracut module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut: dracut module 'dash' will not be installed, because command '/bin/dash' could not be found!
dracut: dracut module 'network' will not be installed, because command 'arping' could not be found!
dracut: dracut module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: caps ***
dracut: *** Including module: i18n ***
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 60-persistent-storage-dm.rules
dracut: Skipping udev rule: 55-dm.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: lvm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 56-lvm.rules
dracut: Skipping udev rule: 60-persistent-storage-lvm.rules
dracut: *** Including module: crypt-gpg ***
dracut: *** Including module: crypt-loop ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Pre-linking files ***
dracut: *** Pre-linking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut: rd.luks.uuid=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
dracut: root=/dev/mapper/root rootfstype=ext4 rootflags=rw,relatime,data=ordered
dracut: ro
dracut: *** Creating image file '/boot/initramfs-4.6.3-default-pciehp.img' ***
dracut: *** Creating initramfs image file '/boot/initramfs-4.6.3-default-pciehp.img' done ***
$

grub.cfg contains:

linux /vmlinuz-4.6.3 ro docrypt root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 fallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 ... rd.shell rd.debug log_buf_len=1M rd.retry=4

Let's see.
Created attachment 444820
rdsosreport.txt13

Doesn't work.
(In reply to Martin Mokrejš from comment #13)
> You did not comment on the
>
> /dev/disk/by-partuuid/87391709-06 does not exist

I'm pretty sure that warning was being output because you were passing root=PARTUUID=... on the kernel command line.
I would suggest you find the UUID of the filesystem that is on your luks device, and pass that as the kernel root parameter. That will allow dracut to find it regardless of what the /dev/mapper device gets called.

You can get the UUID from the output of blkid once the /dev/mapper device has been created.

root=UUID=...
(In reply to Alexander Tsoy from comment #14)
> Looks like partuuid symlinks only created for GPT partitions. I just checked
> latest systemd from git:

As of systemd-230, they get created for DOS partitions as well.

https://github.com/systemd/systemd/commit/cf1d3efce9ada4a7401a273b215896bce32610d1

Regardless, passing a PARTUUID for root when root is on an encrypted block device makes absolutely no sense. The luks device will not have a PARTUUID since it is a virtual device to begin with.
(In reply to Mike Gilbert from comment #19)
> I would suggest you find the UUID of the filesystem that is on your luks
> device, and pass that as the kernel root parameter. That will allow dracut
> to find it regardless of what the /dev/mapper device gets called.
>
> You can get the UUID from the output of blkid once the /dev/mapper device
> has been created.
>
> root=UUID=...

/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"

I thought that I followed the manual properly and used the PARTUUID as it seemed a more general approach; it is accessible before the filesystem UUID. I know I was following some other manuals from the internet, just do not remember now.

man7.org/linux/man-pages/man7/dracut.cmdline.7.html

> Regardless, passing a PARTUUID for root when root is on an encrypted block
> device makes absolutely no sense. The luks device will not have a PARTUUID
> since it is a virtual device to begin with.

But is that my case? /dev/sda is visible, /dev/sda6 as well, so why is the PARTUUID of /dev/sda6 not visible to luks/dracut? Notably, if the UUID of /dev/sda6 is visible.

# blkid
/dev/sda1: SEC_TYPE="msdos" LABEL="DELLUTILITY" UUID="3030-3030" TYPE="vfat" PARTUUID="87391709-01"
/dev/sda2: LABEL="Recovery" UUID="CC70378A703779F2" TYPE="ntfs" PARTUUID="87391709-02"
/dev/sda3: LABEL="OS" UUID="AC7C4EC27C4E86D4" TYPE="ntfs" PARTUUID="87391709-03"
/dev/sda5: UUID="c9031918-c48b-43ca-b621-e5c669e4160d" TYPE="ext4" PARTUUID="87391709-05"
/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"
/dev/sda7: UUID="67e0a12b-8a1b-4a60-981c-5c6b5dda5619" TYPE="ext4" PARTUUID="87391709-07"
/dev/sda8: PARTUUID="87391709-08"
/dev/mapper/root: UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c" TYPE="ext4"
#

From the many attempts for which I kept the rdsosreport* file it seems I did not try "root=UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45" on the kernel commandline. Thank you.

At least I got it right in /etc/dracut.conf.d/crypt-gpg.conf shown in comment #16. Would have been a breeze if the docs spoke about 'TYPE="crypto_LUKS"' instead of 'real root'. 'Real root' does not say (to me, not a native speaker) whether that:

1. is the encrypted UUID as seen from the outside
2. or the decrypted UUID which dracut should obtain after luksOpen
3. or if that is the /boot partition which the kernel needs to initially mount.
Created attachment 444822
rdsosreport.txt14

> root=UUID=...

Doesn't work.
Try root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c.
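Added example (not part of the bug thread and not dracut code): a shell check of the root= value on a kernel command line against blkid output, covering the cases argued over above: a PARTUUID or UUID that names the crypto_LUKS partition instead of the filesystem inside it, and a /dev/mapper name other than luks-<UUID>. BLKID_SAMPLE is copied from the blkid output quoted in the thread; the function names and verdict labels are made up here, and treating the last root= as the effective one is an assumption.

```shell
#!/bin/sh
# Sample data: the blkid lines quoted in the thread (sda5..sda8 and the opened mapper device).
BLKID_SAMPLE='/dev/sda5: UUID="c9031918-c48b-43ca-b621-e5c669e4160d" TYPE="ext4" PARTUUID="87391709-05"
/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"
/dev/sda7: UUID="67e0a12b-8a1b-4a60-981c-5c6b5dda5619" TYPE="ext4" PARTUUID="87391709-07"
/dev/sda8: PARTUUID="87391709-08"
/dev/mapper/root: UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c" TYPE="ext4"'

# Value of one tag (UUID, TYPE, PARTUUID) on a single blkid line; empty if absent.
# The leading space in the pattern keeps "UUID" from matching inside "PARTUUID".
blkid_tag() {  # $1 = blkid line, $2 = tag name
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# First blkid line whose tag $1 has value $2; empty if there is none.
find_by_tag() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$BLKID_SAMPLE" | while IFS= read -r line; do
        if [ "$(blkid_tag "$line" "$1")" = "$2" ]; then
            printf '%s\n' "$line"
            break
        fi
    done
}

# Last value of key $2 on command line $1 (assumption: the last occurrence wins).
cmdline_arg() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# Print a one-line verdict for the root= parameter of kernel command line $1.
check_root() {
    root=$(cmdline_arg "$1" root)
    case $root in
        PARTUUID=*) tag=PARTUUID; value=${root#PARTUUID=} ;;
        UUID=*)     tag=UUID;     value=${root#UUID=} ;;
        /dev/mapper/luks-*)
            # The luks-<UUID> form suggested in the thread: <UUID> must be a LUKS container.
            line=$(find_by_tag UUID "${root#/dev/mapper/luks-}")
            if [ "$(blkid_tag "$line" TYPE)" = crypto_LUKS ]; then
                echo "MAPPER_DEFAULT_NAME: $root matches the LUKS container ${line%%:*}"
            else
                echo "NOT_FOUND: no crypto_LUKS container carries the UUID in $root"
            fi
            return 0 ;;
        /dev/mapper/*)
            # Per the thread, a name such as "root" needs a crypttab inside the initramfs.
            echo "MAPPER_CUSTOM_NAME: $root needs a crypttab entry in the initramfs"
            return 0 ;;
        *)  echo "UNCHECKED: $root"
            return 0 ;;
    esac
    line=$(find_by_tag "$tag" "$value")
    if [ -z "$line" ]; then
        echo "NOT_FOUND: nothing in blkid has $tag=$value"
    elif [ "$(blkid_tag "$line" TYPE)" = crypto_LUKS ]; then
        echo "LUKS_CONTAINER: $root is the encrypted partition ${line%%:*}, not the filesystem inside it"
    else
        echo "OK: $root is the $(blkid_tag "$line" TYPE) filesystem on ${line%%:*}"
    fi
}

# The root= variants tried in the thread, trimmed to the relevant parameters.
check_root "ro docrypt root=PARTUUID=87391709-06 rootfallback=/dev/sda5"
check_root "ro docrypt root=UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45"
check_root "ro docrypt root=/dev/sda6 root=/dev/mapper/root fallback=/dev/sda5"
check_root "ro docrypt root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45"
check_root "ro docrypt root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c"
```

An OK verdict only says that root= names the decrypted filesystem; in the thread the boot still stopped at that point because cryptsetup rejected the key.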
Created attachment 444904
rdsosreport.txt15

> Try root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c.

No way, /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist. See e.g. lines:

[ 5.825671] dracut: ///lib/dracut/hooks/pre-udev/30-block-genrules.sh@14(source): wait_for_dev /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c
[ 9.011186] dracut: //lib/dracut/hooks/initqueue/settled/blocksymlink.sh@1(source): '[' -e /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c ']'
[ 12.632140] dracut Warning: /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist
[ 12.732099] dracut: ///lib/dracut/hooks/emergency/80-x2fdevx2fdiskx2fby-uuidx2f637c34b3-85dc-4d35-a5da-3f9588aaf41c.sh@1(source): warn '/dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist'

Is openrc-0.21.3 really supported?

# emerge -pv openrc
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] sys-apps/openrc-0.21.7::gentoo [0.21.3::gentoo] USE="ncurses netifrc pam unicode -audit -debug -newnet (-prefix) (-selinux) -static-libs -tools" 165 KiB
I'm not an expert on configuring luks, but it looks like dracut is not successfully opening the luks device. Perhaps something is wrong with your rd.luks.key parameter.
(In reply to Mike Gilbert from comment #20)
> (In reply to Alexander Tsoy from comment #14)
> > Looks like partuuid symlinks only created for GPT partitions. I just checked
> > latest systemd from git:
>
> As of systemd-230, they get created for DOS partitions as well.
>
> https://github.com/systemd/systemd/commit/
> cf1d3efce9ada4a7401a273b215896bce32610d1

Ah, right. I pulled sources from freedesktop.org git repo which is outdated. =/

>
> Regardless, passing a PARTUUID for root when root is on an encrypted block
> device makes absolutely no sense. The luks device will not have a PARTUUID
> since it is a virtual device to begin with.

Yes, indeed.
(In reply to Martin Mokrejš from comment #24)
> Is openrc-0.21.3 really supported?

Dracut doesn't make use of anything from openrc.

(In reply to Martin Mokrejš from comment #17)
> Created attachment 444820 [details]
> rdsosreport.txt13
>
> Doesn't work.

Yes, the second issue is that for some reason cryptsetup refuses the key. No idea what's wrong here. Maybe readkey function outputs some garbage, but this is very unlikely.

[ 6.954940] dracut: /sbin/cryptroot-ask@141(main): cryptsetup -d - luksOpen /dev/sda6 root
...
...
[ 6.971468] dracut: /lib/dracut-crypt-lib.sh@188(readkey): local mntp=/mnt/keydev--dev-sda5--sda6key
[ 6.972161] dracut: /lib/dracut-crypt-lib.sh@190(readkey): '[' '!' -d /mnt/keydev--dev-sda5--sda6key ']'
[ 6.972855] dracut: /lib/dracut-crypt-lib.sh@191(readkey): mkdir /mnt/keydev--dev-sda5--sda6key
[ 6.973552] dracut: /lib/dracut-crypt-lib.sh@192(readkey): mount -r /dev/sda5 /mnt/keydev--dev-sda5--sda6key
[ 6.974259] dracut: /lib/dracut-crypt-lib.sh@195(readkey): case "${keypath##*.}" in
[ 6.974972] dracut: /lib/dracut-crypt-lib.sh@215(readkey): cat /mnt/keydev--dev-sda5--sda6key//sda6key
[ 6.975690] dracut: /lib/dracut-crypt-lib.sh@220(readkey): umount /mnt/keydev--dev-sda5--sda6key
[ 6.976404] dracut: /lib/dracut-crypt-lib.sh@221(readkey): rmdir /mnt/keydev--dev-sda5--sda6key
[ 7.752662] dracut: No key available with this passphrase.

Do you have all necessary crypto modules compiled into the kernel, or have you compiled them as modules? You can find needed cipher suite with the following command: "cryptsetup status /dev/mapper/<name of the luks device>".
(In reply to Alexander Tsoy from comment #29)
> Do you have all necessary crypto modules compiled into the kernel, or have
> you compiled them as modules? You can find needed cipher suite with the
> following command: "cryptsetup status /dev/mapper/<name of the luks device>".

First of all, even if I had some only as module I assume I couldn't bootup from the emergency shell with just the few commands:

$ cat /boot/luksmount.sh
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 root
umount /sysroot
mount /dev/mapper/root /sysroot
exit # exit from emerge shell and continue booting
$

I just need to decrypt the disk and make it available under anticipated /dev/mapper/blah filename, then exiting from emergency shell forces dracut to re-check for presence of the file, or maybe just re-checks the mounted filesystem to ensure it looks like a root filesystem.

During the course of this bugreport, as you may see from the attached logs, I now need to do this instead:

$ cat /boot/luksmount2.sh
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
umount /sysroot
mount /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /sysroot
$

anyway, to answer your suggestions:

# cryptsetup status /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is active and is in use.
  type: LUKS1
  cipher: aes-xts-plain64:sha512
  keysize: 512 bits
  device: /dev/sda6
  offset: 4096 sectors
  size: 2147479552 sectors
  mode: read/write
#
# gzip -dc /proc/config.gz | grep CRYPTO | grep -v "^#"
CONFIG_BLK_DEV_CRYPTOLOOP=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_PCRYPT=y
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_MCRYPTD=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_ABLK_HELPER=y
CONFIG_CRYPTO_GLUE_HELPER_X86=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_LRW=y
CONFIG_CRYPTO_PCBC=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_KEYWRAP=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_XCBC=y
CONFIG_CRYPTO_VMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_CRC32=y
CONFIG_CRYPTO_CRC32_PCLMUL=y
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_POLY1305_X86_64=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=y
CONFIG_CRYPTO_SHA256_SSSE3=y
CONFIG_CRYPTO_SHA512_SSSE3=y
CONFIG_CRYPTO_SHA1_MB=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_TGR192=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_ANUBIS=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_BLOWFISH_COMMON=y
CONFIG_CRYPTO_BLOWFISH_X86_64=y
CONFIG_CRYPTO_CAMELLIA=y
CONFIG_CRYPTO_CAMELLIA_X86_64=y
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
CONFIG_CRYPTO_CAST_COMMON=y
CONFIG_CRYPTO_CAST5=y
CONFIG_CRYPTO_CAST5_AVX_X86_64=y
CONFIG_CRYPTO_CAST6=y
CONFIG_CRYPTO_CAST6_AVX_X86_64=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DES3_EDE_X86_64=y
CONFIG_CRYPTO_FCRYPT=y
CONFIG_CRYPTO_KHAZAD=y
CONFIG_CRYPTO_SALSA20=y
CONFIG_CRYPTO_SALSA20_X86_64=y
CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
CONFIG_CRYPTO_SEED=y
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
CONFIG_CRYPTO_TEA=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_TWOFISH_X86_64=y
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_842=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_LZ4HC=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG_HASH=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
# gzip -dc /proc/config.gz | grep MD | grep -v "^#"
CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
CONFIG_CPU_SUP_AMD=y
CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
CONFIG_AMD_NB=y
CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
CONFIG_SCTP_COOKIE_HMAC_MD5=y
CONFIG_ATA_BMDMA=y
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_AUTODETECT=y
CONFIG_MD_LINEAR=y
CONFIG_MD_RAID0=y
CONFIG_MD_RAID1=y
CONFIG_MD_RAID10=y
CONFIG_MD_RAID456=y
CONFIG_FB_CMDLINE=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
# gzip -dc /proc/config.gz | grep DM | grep -v "^#"
CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_NEED_SG_DMA_LENGTH=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_ZONE_DMA32=y
CONFIG_HAVE_DMA_CONTIGUOUS=y
CONFIG_HAVE_DMA_API_DEBUG=y
CONFIG_LDM_PARTITION=y
CONFIG_ZONE_DMA=y
CONFIG_DMI=y
CONFIG_ARCH_DMA_ADDR_T_64BIT=y
CONFIG_ZONE_DMA_FLAG=1
CONFIG_ISA_DMA_API=y
CONFIG_X86_DEV_DMA_OPS=y
CONFIG_DMA_SHARED_BUFFER=y
CONFIG_SCSI_DMA=y
CONFIG_ATA_BMDMA=y
CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_BUFIO=y
CONFIG_DM_BIO_PRISON=y
CONFIG_DM_PERSISTENT_DATA=y
CONFIG_DM_CRYPT=y
CONFIG_DM_SNAPSHOT=y
CONFIG_DM_THIN_PROVISIONING=y
CONFIG_DM_MIRROR=y
CONFIG_DM_RAID=y
CONFIG_DM_ZERO=y
CONFIG_DM_UEVENT=y
CONFIG_HDMI=y
CONFIG_SND_DMA_SGBUF=y
CONFIG_SND_HDA_CODEC_HDMI=y
CONFIG_USB_WDM=y
CONFIG_DMAR_TABLE=y
CONFIG_DMIID=y
CONFIG_DMI_SYSFS=y
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
CONFIG_HAVE_C_RECORDMCOUNT=y
CONFIG_HAS_DMA=y
#

(In reply to Martin Mokrejš from comment #30)

Ah. I've got it. There is a difference between issuing cryptsetup with '-d -' and without it. Without '-d -' trailing new line is stripped from the stdin. ;) (see NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE in the man cryptsetup)

I just tried to reproduce this:

$ cat /tmp/lukspass
WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj
$ cat /tmp/lukspass | sudo cryptsetup luksFormat /dev/mapper/vg_system-test
$ cat /tmp/lukspass | sudo cryptsetup open --type luks /dev/mapper/vg_system-test crypttest
$ echo $?
0
$ sudo cryptsetup close crypttest

Now let's try with '-d -':

$ cat /tmp/lukspass | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
No key available with this passphrase.
$ echo WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
No key available with this passphrase.
$ echo -n WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
$ echo $?
0

Please try to create a new key slot with proper key that can be passed to cryptsetup with '-d -'

(In reply to Alexander Tsoy from comment #31)
> see NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE

I mean FOR LUKS of course, but there is no difference in processing stdin.

(In reply to Alexander Tsoy from comment #31)
> Please try to create a new key slot with proper key that can be passed to
> cryptsetup with '-d -'

Honestly, the documentation for cryptsetup seemed too messy to me and the '-d -' especially. Why doesn't it work with my /boot/sda6key file? It does contain '\n' on the single line. Would adding second '\n' help?

Anyway, so what do you want me to test? What do you mean under "proper key that can be passed to cryptsetup with ..."? What is wrong with my key in slot 0?

Thank you anyway for your kind analysis!

(In reply to Martin Mokrejš from comment #33)

Without '-d -' cryptsetup reads passphrase up to the first newline character, so I was not 100% correct in my previous comment. I think the following command should be enough to make dracut happy:

cat <path>/sda6key | cryptsetup luksAddKey <device> <path>/sda6key

If the system boots up properly, then you can remove key slot 0.

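Added example, not part of the bug thread and not code from cryptsetup or dracut: the two comments above explain that cryptsetup stops at the first newline when it reads a passphrase from stdin, but uses every byte when given '-d -' or a key file. The script below shows, without touching any LUKS device, which bytes each mode would use for a given file. The function names are hypothetical and the sample key is constructed.

```shell
#!/bin/sh
# Added example: compare the key bytes cryptsetup would use in each input
# mode. Function names are made up for this sketch; sample keys are constructed.

# Passphrase mode (stdin, no -d): bytes up to, not including, the first newline.
passphrase_mode_hex() {
    head -n 1 "$1" | tr -d '\n' | od -An -v -tx1 | tr -d ' \n'
}

# Key-file mode (-d FILE or -d -): every byte of the input, newlines included.
keyfile_mode_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Prints one of: same | trailing-newline | multiline
classify_keyfile() {
    p=$(passphrase_mode_hex "$1")
    k=$(keyfile_mode_hex "$1")
    if [ "$p" = "$k" ]; then
        echo same                 # both modes see identical bytes
    elif [ "${p}0a" = "$k" ]; then
        echo trailing-newline     # modes differ only by the final \n
    else
        echo multiline            # passphrase mode sees only the first line
    fi
}

# Demonstration on two constructed key files.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-key\n' > "$d/with_nl"
    printf 'constructed-key'   > "$d/without_nl"
    for f in "$d/with_nl" "$d/without_nl"; do
        printf '%s: %s\n' "${f##*/}" "$(classify_keyfile "$f")"
    done
    rm -rf "$d"
}
demo
```

A file that classifies as trailing-newline unlocks a slot only in the mode it was enrolled with. The luksAddKey command in the comment above enrolls the whole-file form, which is what the 'cryptsetup -d - luksOpen' call in the dracut log supplies.
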
# cryptsetup status luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is active and is in use.
  type: LUKS1
  cipher: aes-xts-plain64:sha512
  keysize: 512 bits
  device: /dev/sda6
  offset: 4096 sectors
  size: 2147479552 sectors
  mode: read/write
# cat /boot/sda6key | cryptsetup luksAddKey luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /boot/sda6key
Device luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 doesn't exist or access denied.
#
# ls -latr /dev/mapper/
total 0
lrwxrwxrwx 1 root root 7 Sep 20 08:35 luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 -> ../dm-0
drwxr-xr-x 18 root root 14000 Sep 20 08:35 ..
drwxr-xr-x 2 root root 80 Sep 20 2016 .
crw------- 1 root root 10, 236 Sep 20 2016 control
#
# ls -latr /dev/dm-0
brw-rw---- 1 root disk 253, 0 Sep 20 08:35 /dev/dm-0
#

I forgot to show what I tried at first.

# cat /boot/sda6key | cryptsetup luksAddKey /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /boot/sda6key
Device /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is not a valid LUKS device.
#

strace(1) shows this is merely correct, because cryptsetup tries to open the device directly, without prepending '/dev/' or '/dev/mapper/' to it.

So, trying to pass it the not decrypted device now:

# cat /boot/sda6key | cryptsetup luksAddKey /dev/sda6 /boot/sda6key
#

OK, this went through.

Can I list used key slots for a LUKS device? I don't see anything like that in 'cryptsetup --help'. :(

(In reply to Martin Mokrejš from comment #36)

luksDump should do the trick:

cryptsetup luksDump /dev/sda6

Created attachment 446872 [details]
rdsosreport.txt16

So, addition of the same key into slot 1 helped. Attached rdsos file shows the device was assembled as /dev/mapper/root. Because my kernel commandline contained for about last month "root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41" dracut failed to continue. Also, mounting the /dev/mapper/root as /sysroot kept failing with:

mount: unknown filesystem type 'crypto_LUKS'
dracut Warning: Failed to mount -t crypto_LUKS -o rw,relatime,data=ordered,ro,ro /dev/disk/by-uuid/067d6953-349e-49fc-9aae-2bb2b48dbf45 /sysroot
dracut Warning: *** An error occurred during the file system check.
dracut Warning: *** Dropping you to a shell; the system will try
dracut Warning: *** to mount the filesystem(s), when you leave the shell.

It seemed to me so far that if something looking reasonably similar to a root filesystem is mounted into /sysroot then dracut will just try to boot it. That does not seem to be the case now. I was going to hack /lib/dracut-lib.sh but because I have no good editor (vim) in the ramdisk, I gave up an attempt to comment out the above mount call. The only way out was to give up and reboot, revert my kernel commandline to root=/dev/mapper/root. For that I will upload dmesg17.txt file, because I do not know how to tell dracut to save the rdsos file for me during booting.

I think you could run diff on the attached logs to pinpoint the differences and find problematic places, right?

Created attachment 446874 [details]
dmesg17.txt

root=/dev/mapper/root on the kernel commandline needs to be specified because dracut assembles the luks device as /dev/mapper/root. If that does not match the kernel commandline then dracut gives up mistakenly and dumps me into an emergency shell.

So one of the additional problems is that my mount -t crypto_LUKS complains about unknown filesystem type.