~alpine/users

initramfs ask cryptsetup password but is not found for mounting

David Demelier <markand@malikania.fr>
Message ID: <6c4e65a2-5d6f-41f5-d7fe-21f3444ceaf8@malikania.fr>
DKIM signature: missing

Hi there,

I'm trying to set up a LUKS installation on my laptop. I have the 
following partitions:

- /dev/nvme0n1p1 - efi
- /dev/nvme0n1p2 - boot
- /dev/nvme0n1p3 - root (luks)

The appropriate UUIDs are:

/dev/nvme0n1p3: UUID="10619912-5aa0-4698-b058-fdc3477a797c"
/dev/mapper/cryptroot UUID="4bb876e8-8788-4d79-89f7-6e92158973f0"

So my linux command line in grub is as follows:

     linux /vmlinuz-lts ro quiet dmcrypt=cryptroot cryptroot=UUID=10619912-5aa0-4698-b058-fdc3477a797c root=UUID=4bb876e8-8788-4d79-89f7-6e92158973f0 rootfstype=ext4

The root= parameter is automatically added by grub-mkconfig but it seems 
good anyway.

I have the following features in mkinitfs.conf:

     features="ata base cdrom cryptsetup ext4 keymap kms mmc nvme scsi usb"

I have the following /etc/fstab:

     /dev/nvme0n1p2 /boot ext4 defaults 0 1
     /dev/nvme0n1p1 /boot/efi vfat defaults 0 1
     /dev/mapper/cryptroot / ext4 defaults 0 1

Then, at boot it asks properly for the /dev/nvme0n1p3 device but 
afterwards it says:

     Mounting of UUID=4bb876e8-8788-4d79-89f7-6e92158973f0 on /sysroot failed: No such file or directory

The weird thing is that /dev/mapper/ is empty at this step (being in the 
recovery shell). If I open the device manually, it is listed.

# cryptsetup open /dev/nvme0n1p3 cryptroot
-> /dev/mapper/cryptroot exists

What am I missing to boot my Alpine 3.11 correctly?

Regards,

Message ID: <BZT154UJ8HTV.1XZID9ETA7LB7@homura>
In-Reply-To: <6c4e65a2-5d6f-41f5-d7fe-21f3444ceaf8@malikania.fr>
DKIM signature: missing

Hey David, you might be interested in this alpine-conf patch I've been
working on:

https://lists.alpinelinux.org/~alpine/devel/patches/3214

It'll prompt you during setup-alpine to add encryption to sys installs.
To do an installation with this patch...

1. Boot up the install media
2. Run setup-interfaces
3. service networking start
4. Run setup-apkrepos
5. apk add alpine-sdk curl
6. git clone https://git.alpinelinux.org/alpine-conf
7. cd alpine-conf
8. curl -s https://lists.alpinelinux.org/~alpine/devel/patches/3214/mbox | git am -3
9. make install
10. setup-alpine (finish installation normally)

Let me know if it works well for you.
David Demelier <markand@malikania.fr>
Message ID: <e63e88e1397d3eef876387b3ac9d864714b28226.camel@malikania.fr>
In-Reply-To: <BZT154UJ8HTV.1XZID9ETA7LB7@homura>
DKIM signature: missing

On Sat, 2020-01-11 at 09:25 -0500, Drew DeVault wrote:
> Hey David, you might be interested in this alpine-conf patch I've been
> working on:
> 
> https://lists.alpinelinux.org/~alpine/devel/patches/3214
> 
> It'll prompt you during setup-alpine to add encryption to sys installs.
> To do an installation with this patch...

Thanks, I keep this on my table.

For now I was unable to boot my system, I just inverted the kernel
command line cryptdm <-> dmcrypt. What's interesting though is that the
package/project name is definitely dmcrypt but not its kernel
parameter.

Consistency, at its best. :-!

Cheers,

-- 
David
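
The parameter mix-up described in this message can be caught before rebooting. The following is an added example, not code from the thread or from mkinitfs: a POSIX shell lint for a kernel command line, assuming the initramfs reads `cryptroot=` (the LUKS device) and `cryptdm=` (the mapper name) and does not read `dmcrypt=`. The function name `check_cmdline` is hypothetical, and the sample command lines are constructed from the values quoted in the first message.

```shell
#!/bin/sh
# Added example (not from the thread): lint a kernel command line for the
# parameters this thread discusses. Assumption: the initramfs reads
# cryptroot=<LUKS device> and cryptdm=<mapper name>; dmcrypt= is not read.

# check_cmdline "<cmdline>": prints one finding per line, returns 1 if any.
check_cmdline() {
    cryptroot="" cryptdm="" root="" bad=0
    set -f; set -- $1; set +f          # split on whitespace without globbing
    for tok in "$@"; do
        case "$tok" in
            cryptroot=*) cryptroot=${tok#cryptroot=} ;;
            cryptdm=*)   cryptdm=${tok#cryptdm=} ;;
            root=*)      root=${tok#root=} ;;
            dmcrypt=*)   echo "unknown parameter dmcrypt=: use cryptdm=${tok#dmcrypt=}"; bad=1 ;;
        esac
    done
    if [ -z "$cryptroot" ]; then
        echo "cryptroot= missing: no LUKS device named for unlocking"; bad=1
    fi
    if [ -z "$cryptdm" ]; then
        echo "cryptdm= missing: no mapper name for the unlocked device"; bad=1
    fi
    # root= must name the filesystem inside the container, not the container.
    if [ -n "$root" ] && [ "$root" = "$cryptroot" ]; then
        echo "root= equals cryptroot=: root must be the decrypted filesystem"; bad=1
    fi
    case "$root" in
        /dev/mapper/*)
            if [ -n "$cryptdm" ] && [ "${root#/dev/mapper/}" != "$cryptdm" ]; then
                echo "root=$root does not match cryptdm=$cryptdm"; bad=1
            fi ;;
    esac
    return "$bad"
}

# Constructed samples built from the values quoted in the first message.
LUKS=UUID=10619912-5aa0-4698-b058-fdc3477a797c
FS=UUID=4bb876e8-8788-4d79-89f7-6e92158973f0
BROKEN="ro quiet dmcrypt=cryptroot cryptroot=$LUKS root=$FS rootfstype=ext4"
FIXED="ro quiet cryptdm=cryptroot cryptroot=$LUKS root=$FS rootfstype=ext4"

check_cmdline "$BROKEN" || true   # reports dmcrypt= and the missing cryptdm=
check_cmdline "$FIXED" && echo "FIXED: ok"
```

On an installed system the same function can be fed the running kernel's parameters with `check_cmdline "$(cat /proc/cmdline)"`.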
David Demelier <markand@malikania.fr>
Message ID: <175853d9-b56f-ee9a-ae80-7c6e2b1e48d5@malikania.fr>
In-Reply-To: <BZT154UJ8HTV.1XZID9ETA7LB7@homura>
DKIM signature: missing

On 11/01/2020 at 15:25, Drew DeVault wrote:
> Hey David, you might be interested in this alpine-conf patch I've been
> working on:
> 
> https://lists.alpinelinux.org/~alpine/devel/patches/3214
> 
> It'll prompt you during setup-alpine to add encryption to sys installs.
> To do an installation with this patch...
> 
> 1. Boot up the install media
> 2. Run setup-interfaces
> 3. service networking start
> 4. Run setup-apkrepos
> 5. apk add alpine-sdk curl
> 6. git clone https://git.alpinelinux.org/alpine-conf
> 7. cd alpine-conf
> 8. curl -s https://lists.alpinelinux.org/~alpine/devel/patches/3214/mbox | git am -3
> 9. make install
> 10. setup-alpine (finish installation normally)
> 
> Let me know if it works well for you.
> 

Hello Drew,

Sorry for the extreme delay, I'll try this as soon as possible :-).

I saw that you hardcoded --type luks2 (which seems a sane default). Do 
you think it's worth adding a new question for the type and use luks2 by 
default?

-- 
David

Message ID: <20200124100210.xypcus74jy7z6xw3@wolfsden.cz>
In-Reply-To: <175853d9-b56f-ee9a-ae80-7c6e2b1e48d5@malikania.fr>
DKIM signature: missing

Hi,

On 2020-01-24 10:20:15 +0100, David Demelier wrote:
> I saw that you hardcoded --type luks2 (which seems a sane default). Do you
> think it's worth adding a new question for the type and use luks2 by
> default?

IMHO asking which luks to use would be nice. luks2 is still fairly new
and for example grub landed support for it just 14 days back (
365e0cc3e7e44151c14dd29514c2f870b49f9755 ). Also older cryptsetups (from
live CD and such) might not speak luks2 as well.

So giving the user the choice (since there are no security holes in luks1)
would in my opinion be a good thing to do.

W.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

Message ID: <C044SEA4629X.1JKCJ0OALNZ5Z@homura>
In-Reply-To: <20200124100210.xypcus74jy7z6xw3@wolfsden.cz>
DKIM signature: missing

LUKS2 is 3 years old now, and included in every still-supported release
of Alpine Linux, plus several now unsupported releases. It's more secure
and we should use it by default going forward.
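
For the compatibility concern raised earlier in the thread (older cryptsetup builds on rescue media not reading LUKS2), the following is an added example, not written by any participant: it reads the format version from a container's first 8 bytes and checks it against a `cryptsetup --version` string. The function names are hypothetical, the sample headers are constructed, and it assumes LUKS2 support begins with cryptsetup 2.0.

```shell
#!/bin/sh
# Added example (not from the thread): read the on-disk LUKS format version.
# Both formats start with the magic "LUKS" 0xBA 0xBE followed by a
# big-endian 16-bit version number.

# luks_version <device-or-image>: prints 1, 2, "unknown" or "not-luks".
luks_version() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        4c554b53babe*)    echo unknown; return 2 ;;
        *)                echo not-luks; return 1 ;;
    esac
}

# tool_can_open <1|2> "<output of cryptsetup --version>"
# Assumption: LUKS2 support begins with cryptsetup 2.0; LUKS1 opens everywhere.
tool_can_open() {
    major=${2#cryptsetup }
    major=${major%%.*}
    [ "$1" -eq 1 ] || [ "$major" -ge 2 ]
}

# Constructed 8-byte sample headers, so the example runs without a real disk.
SAMPLES=$(mktemp -d)
printf 'LUKS\272\276\000\001' > "$SAMPLES/luks1.img"
printf 'LUKS\272\276\000\002' > "$SAMPLES/luks2.img"
printf 'ext4data' > "$SAMPLES/plain.img"

for img in luks1 luks2 plain; do
    v=$(luks_version "$SAMPLES/$img.img") || true
    echo "$img.img: $v"
done
```

Against a real system, pass the partition (for example the root device from the first message) to `luks_version` and the rescue environment's `cryptsetup --version` output to `tool_can_open`.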