Re: [systemd-devel] Add LUKS disk to an Raspberry Pi 4 install

2021-09-27 Thread Lennart Poettering
On Sa, 25.09.21 17:47, Barry Scott (ba...@barrys-emacs.org) wrote:

> [I originally asked this question on the Fedora ARM list, but got no reply]
>
> I'm trying to build a RPi4 system that uses a LUKS encrypted disk.
>
> But I cannot get the volume to be unlocked when the system boots.
>
> I have installed Fedora-Minimal-34-1.2.aarch64.raw.xz to with
> arm-image-installer --target=rpi4 and that boots.
>
> Then I have added a new partition to that sdcard that I set up using this
> command on a Fedora 34 x86_64 system.
>
> cryptsetup \
>    --type luks2 \
>    --cipher xchacha20,aes-adiantum-plain64 \
>    --hash sha256 \
>    --iter-time 5000 \
>    --pbkdf argon2i \
>    luksFormat ${DEVICE}
>
> I got these settings from a blog on setting up LUKS for debian on raspberry
> pi.
>
> I add an entry to /etc/crypttab for the volume.
>
> When I boot the system I am not prompted for the password to unlock the
> volume as I was expecting.
>
> Looking in journalctl -b 0 I see these lines:
>
> Apr 06 01:01:36 clef.chelsea.private systemd[1]: dev-disk-by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device: Job dev-disk-by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device/start timed out.

This suggests that the backing device name you specified in
/etc/crypttab doesn't match reality. i.e. here you specified a device
node by the UUID of what's on it. (Presumably that's supposed to be
the UUID of the LUKS2 superblock?) And it doesn't appear to match what
is *actually* the UUID of your LUKS2 superblock?

Lennart

--
Lennart Poettering, Berlin
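
The mismatch suggested in the reply above can be checked mechanically. The following is an added example, not part of either message and not systemd code: it compares the UUID-based sources in a crypttab against the superblock UUIDs reported by `lsblk -rn -o NAME,FSTYPE,UUID`. The function names `check_crypttab` and `demo` are hypothetical, and the lsblk listing and its LUKS UUID are constructed; only the crypttab UUID and mapping name come from the journal lines in the thread.

```shell
#!/bin/sh
# check_crypttab CRYPTTAB LSBLK_LISTING
#   LSBLK_LISTING: saved output of `lsblk -rn -o NAME,FSTYPE,UUID`
# Prints one verdict per crypttab entry; returns 1 if any UUID-based source
# is not the UUID of a LUKS superblock that is actually present.
check_crypttab() {
    awk '
        FILENAME == ARGV[1] {               # lsblk listing: NAME FSTYPE UUID
            if (NF == 3) { fstype[tolower($3)] = $2; dev[tolower($3)] = $1 }
            next
        }
        NF < 2 || $1 ~ /^#/ { next }        # crypttab: skip blanks and comments
        {
            uuid = tolower($2)
            if (sub(/^uuid=/, "", uuid) == 0 &&
                sub(/^\/dev\/disk\/by-uuid\//, "", uuid) == 0) {
                print $1 ": SKIP (source " $2 " is not UUID-based)"; next
            }
            if (!(uuid in fstype)) {
                print $1 ": MISSING (no block device carries UUID " uuid ")"; bad = 1
            } else if (fstype[uuid] != "crypto_LUKS") {
                print $1 ": WRONG-TYPE (" uuid " is " fstype[uuid] " on " dev[uuid] ", not a LUKS header)"; bad = 1
            } else {
                print $1 ": OK (" dev[uuid] ")"
            }
        }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Constructed sample data. The crypttab UUID and mapping name are the ones in
# the journal lines quoted in the thread; the lsblk listing (device layout,
# filesystem types, the LUKS UUID) is made up for illustration.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'clef-root UUID=8c2519ae-78a9-44b0-871f-0aa2422de03a none luks' > "$d/crypttab"
    printf '%s\n' \
        'mmcblk0  ' \
        'mmcblk0p3 ext4 67ca2085-9dab-405b-a042-ff6269816fbc' \
        'mmcblk0p4 crypto_LUKS 00000000-0000-4000-8000-000000000004' > "$d/lsblk.txt"
    check_crypttab "$d/crypttab" "$d/lsblk.txt" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real system, save the `lsblk` output to a file and pass it together with `/etc/crypttab`; a `MISSING` or `WRONG-TYPE` verdict corresponds to the device unit timing out at boot.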


[systemd-devel] Add LUKS disk to an Raspberry Pi 4 install

2021-09-25 Thread Barry Scott
[I originally asked this question on the Fedora ARM list, but got no reply]

I'm trying to build a RPi4 system that uses a LUKS encrypted disk.

But I cannot get the volume to be unlocked when the system boots.

I have installed Fedora-Minimal-34-1.2.aarch64.raw.xz to with
arm-image-installer --target=rpi4 and that boots.

Then I have added a new partition to that sdcard that I set up using this
command on a Fedora 34 x86_64 system.

cryptsetup \
   --type luks2 \
   --cipher xchacha20,aes-adiantum-plain64 \
   --hash sha256 \
   --iter-time 5000 \
   --pbkdf argon2i \
   luksFormat ${DEVICE}

I got these settings from a blog on setting up LUKS for debian on raspberry 
pi.

I add an entry to /etc/crypttab for the volume.

When I boot the system I am not prompted for the password to unlock the
volume as I was expecting.

Looking in journalctl -b 0 I see these lines:

Apr 06 01:01:36 clef.chelsea.private systemd[1]: dev-disk-by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device: Job dev-disk-by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device/start timed out.
Apr 06 01:01:36 clef.chelsea.private systemd[1]: Timed out waiting for device /dev/disk/by-uuid/8c2519ae-78a9-44b0-871f-0aa2422de03a.
Apr 06 01:01:36 clef.chelsea.private systemd[1]: Dependency failed for Cryptography Setup for clef-root.
Apr 06 01:01:36 clef.chelsea.private systemd[1]: Dependency failed for Local Encrypted Volumes.

Once I login I can open the volume and mount it

$ cryptsetup luksOpen /dev/mmcblk0p4 clef-root
$ mount /dev/mapper/clef-root /mnt

I have tried updating the initrd with:

   dracut --force

And also adding to the kernel command line:

# cat /proc/cmdline 
BOOT_IMAGE=(hd0,msdos2)/vmlinuz-5.11.12-300.fc34.aarch64 
root=UUID=67ca2085-9dab-405b-a042-ff6269816fbc ro rhgb quiet console=tty0 
rd.luks.uuid=8c2519ae-78a9-44b0-871f-0aa2422de03a

I have other systems that use full disk encryption that work. But I have
failed to spot the difference between the RPi config and the working systems'
config.

Do you know what is missing or not configured?

Hmm, just noticed that the kernel command says console is tty0.
But when I log in on the console it's tty1.

Barry