Hi folks,
I have Alpine Linux installed in an encrypted LUKS partition. I came across this tutorial which shows how to set up a key on a USB drive so that, when the drive is inserted and the computer booted, the LUKS partition auto-unlocks with the key on the USB drive.
I would like to set up the same thing, but I do not have Alpine Linux installed on ZFS, so I'm looking for ways to adapt the instructions.
So far, what I've done is:
- I've set up the key on the USB stick and I can unlock the LUKS partition with that key.
- create a /etc/mkinitfs/features.d/usb-unlock.sh script with the following content (the echo to /dev/kmsg was to check whether the script did indeed run at boot by trying to print to the kernel messages, but I can't find anything in the kernel messages):
#!/bin/sh
echo "usb-unlock script starting..." > /dev/kmsg
USB_MOUNT="/mnt/my-usb-key"   # The USB stick mounting point
LUKS_KEY_FILE="awesome.key"   # The name of your keyfile on the USB stick
mkdir -p "$USB_MOUNT"         # the mount point has to exist inside the initramfs
# Search for the USB stick with the key (glob directly instead of parsing ls output)
for device in /dev/disk/by-uuid/*; do
    [ -e "$device" ] || continue              # glob matched nothing
    # mount read-only: nothing should ever write to the key stick from here
    mount -o ro "$device" "$USB_MOUNT" 2>/dev/null || continue
    if [ -f "$USB_MOUNT/$LUKS_KEY_FILE" ]; then
        # Unlock the LUKS partition, then release the stick before leaving
        if cryptsetup luksOpen /dev/sda3 cryptroot \
            --key-file "$USB_MOUNT/$LUKS_KEY_FILE"; then
            umount "$USB_MOUNT"
            exit 0
        fi
    fi
    umount "$USB_MOUNT"
done
echo "No USB key found, falling back to password prompt." # this message never appears, despite not having found the key on the usb stick
echo "usb-unlock script ending." > /dev/kmsg
- I added usb-unlock to the features in mkinitfs.conf:
mytestalpine:~# cat /etc/mkinitfs/mkinitfs.conf
features="ata base ide scsi usb virtio ext4 cryptsetup keymap usb-unlock"
- run mkinitfs to rebuild the initramfs. Then reboot to test the implementation, which was unsuccessful.
What am I missing / doing wrong? Thank you for your help!
Edit: forgot to add step 4
I think you should check your root= line and add a rd.luks.uuid= to make it open it. Dracut will by default open the root FS as /dev/mapper/luks-abcdef... based on the LUKS container UUID. You can get that with cryptsetup luksUUID. /dev/mapper/root is just never going to show up unless you've assigned a custom name to that with the barely documented rd.luks.name, and I don't see that in your setup. The cryptroot and cryptdm parameters aren't used by Dracut either. With all of that missing it's just gonna wait for that /dev/mapper/root to magically show up out of nowhere, without ever trying to open it. A correct cmdline will probably look something along the lines of
root=/dev/mapper/luks-<uuid> modules=sd-mod,usb-storage,ext4 rootfstype=ext4 rootflags=rw,relatime rd.luks.uuid=<uuid>
and once opening with passphrase works, you can start to mess with rd.luks.key=/awesome.key (and re-add quiet when done debugging, if you want it that way). ldconfig errors and the missing modules should be fine. musl's ldconfig is just a bit different but also isn't required in quite the same way. I don't think you should need to mess with modules manually. I don't think you're using LVM's userland for your setup, just all the device-mapper kernel modules. Dracut will pull all the necessary bits in for you if you're setting it up for LUKS.
I'm very grateful for your extended help. I've made some progress. I'm able to get the prompt to appear asking me for my passphrase to unlock the right partition (sda3 in my case). Entering the passphrase, however, drops me in the Dracut emergency shell after ~3min of dracut logs, seemingly looping. (Edit: the reason why it drops me in the shell is very unclear. It says
Dropping to debug shell. /bin/sh: can't access tty: job control turned off.
And if I try to exit the dracut shell, it says dracut Warning: could not boot.)
In the Dracut emergency shell, checking /dev/mapper/ I see a luks-<sda3-uuid> listed. Running blkid I see it listed too with TYPE=crypto_LUKS. I also see a dev/dm-0 with a dedicated UUID, in ext4. I ran blkid which shows:
/dev/mapper/luks-705fc477-573a-4ef6-81b6-a14c43cda1f5: UUID="57955343-922a-4918-9bc1-797ca8d13a9c" TYPE="ext4"
/dev/sda1: UUID="cc5e0b03-3544-4bef-ab8b-8b72dd236926" TYPE="ext4"
/dev/sda2: UUID="4df1af6c-3199-4bb2-bb12-bcf897cfc6fc" TYPE="swap"
/dev/sda3: UUID="705fc477-573a-4ef6-81b6-a14c43cda1f5" TYPE="crypto_LUKS"
/dev/dm-0: UUID="57955343-922a-4918-9bc1-797ca8d13a9c" TYPE="ext4"
I checked the status of the filesystem running cryptsetup status /dev/mapper/luks-<sda3-uuid> and it says it is active, which I guess means it is unlocked? I checked the /root directory, and it is empty. So I tried to mount the partition myself:
mount /dev/mapper/luks-<sda3-uuid> /root
but it fails saying
mount: mounting /dev/mapper/luks-<sda3-uuid> on /root failed: No such file or directory
and that got me really puzzled? I've been searching far and wide but I can't seem to find anyone with a similar situation. I feel like I'm close to getting this working. Below is my syslinux kernel config, and the 2nd and 3rd items are what I booted into (/boot/extlinux.conf):
# Generated by update-extlinux 6.04_pre1-r15
DEFAULT menu.c32
PROMPT 0
MENU TITLE Alpine/Linux Boot Menu
MENU HIDDEN
MENU AUTOBOOT Alpine will be booted automatically in # seconds.
TIMEOUT 10

LABEL lts
  MENU DEFAULT
  MENU LABEL Linux lts
  LINUX vmlinuz-lts
  INITRD initramfs-lts
  APPEND root=/dev/mapper/root modules=sd-mod,usb-storage,ext4 cryptroot=UUID=705fc477-573a-4ef6-81b6-a14c43cda1f5 cryptdm=root rootfstype=ext4 rd.debug log_buf_len=1M rd.shell

LABEL lts
  MENU DEFAULT
  MENU LABEL Dracut Linux lts
  LINUX vmlinuz-lts
  INITRD /boot/initramfs-6.6.56-0-lts.img
  APPEND root=/dev/mapper/luks-705fc477-573a-4ef6-81b6-a14c43cda1f5 modules=sd-mod,usb-storage,ext4 rootfstype=ext4 rd.shell rd.debug log_buf_len=1M rd.luks.uuid=705fc477-573a-4ef6-81b6-a14c43cda1f5

LABEL lts
  MENU DEFAULT
  MENU LABEL Dracut Linux lts 2
  LINUX vmlinuz-lts
  INITRD /boot/initramfs-6.6.56-0-lts.img
  APPEND modules=sd-mod,usb-storage,ext4,dm,crypt,rootfs-block rootfstype=ext4 rootflags=rw,relatime rd.shell rd.debug log_buf_len=1M root=UUID=57955343-922a-4918-9bc1-797ca8d13a9c rd.luks.uuid=705fc477-573a-4ef6-81b6-a14c43cda1f5
And here the /proc/cmdline of the booted partition:
BOOT_IMAGE=vmlinuz-lts modules=sd-mod,usb-storage,ext4,dm,crypt,rootfs-block rootfstype=ext4 rootflags=rw,relatime rd.shell rd.debug log_buf_len=1M root=UUID=57955343-922a-4918-9bc1-797ca8d13a9c rd.luks.uuid=705fc477-573a-4ef6-81b6-a14c43cda1f5 initrd=/boot/initramfs-6.6.56-0-lts.img
Here is my setup, when I boot in my regular initramfs (the one I'm trying to replicate using dracut):
mytestalpine:~# lsblk -o NAME,FSTYPE,FSVER,LABEL,UUID,FSAVAIL,FSUSE%,MOUNTPOINTS
NAME     FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda
├─sda1   ext4              cc5e0b03-3544-4bef-ab8b-8b72dd236926  195.5M    21% /boot
├─sda2   swap              4df1af6c-3199-4bb2-bb12-bcf897cfc6fc                [SWAP]
└─sda3   crypto_LUKS       705fc477-573a-4ef6-81b6-a14c43cda1f5
  └─root ext4              57955343-922a-4918-9bc1-797ca8d13a9c    2.3G     8% /
mytestalpine:~# lsblk -l -n /dev/sda3
sda3   8:3    0  2.8G  0 part
root 253:0    0  2.8G  0 crypt /
Note: No idea of the relevance, but I’m testing this setup in a VM, with a BIOS firmware.