From: "Amadeusz Żołnowski" <aidecoe-2qtfh70TtYba5EbDDlwbIw@public.gmane.org>
To: initramfs <initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Cc: jaivuk <jaivuk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: dracut 008 luks key in external device - still broken
Date: Sun, 20 Mar 2011 01:07:33 +0100
Message-ID: <1300577445-sup-6446@ittemni>
In-Reply-To: <AANLkTikifPgn4N1mF67o4Cm3TPBGDfS-TF7RgTXb7NfZ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Excerpts from jaivuk's message of Sun Mar 20 00:14:56 +0100 2011:
> > It requeues cryptroot-ask for after udev queue is settled if key is
> > not available initially. If device is still not available at this
> > point, I am not sure what can be done sensibly.
>
> I think it should ask for password. And if it does so it would be good
> if I could still connect the key during the password prompt as I
> explained...

First of all, I haven't taken into consideration the fact that one may
want to use dracut for mounting something more than root. That's why
there's only key or only password. But it would probably be possible to
optionally ask for password, too. I will have to think of cases with
multiple devices to be decrypted and improve the module.

> > Please provide dmesg output after failed boot.
> I have dmesg output now. However I do not want to violate any rules of
> this list so can you please advise how can I send you dmesg? I can see
> 3 options:
> - attach it directly (it has 50k)
> - send link to some external page where I can store it - do you
> suggest any for this purpose?
> - open a Fedora bugzilla ticket and send you ticket number

Please paste it somewhere.

> Which of these 3 options is the best in this case?
>
> 2011/3/19 Amadeusz Żołnowski <aidecoe-2qtfh70TtYba5EbDDlwbIw@public.gmane.org>:
> > UUID should be prefixed with UUID=, so it should be:
> >
> > rd.luks.key=/mykey:UUID=abcd-1234
>
> That's a good advice - I tried that but no luck :(

What happens? Doesn't decrypt anything? Or just one of devices?

> > In Dracut 008 devices are probed for key file asynchronously with
> > udev rules. If device eventually appears, it's probed for key. If
> > key is found, it's added to the list of possible keys to try.
>
> I like that udev is used, however as I mentioned there is still some bug.

Please specify:

1) How did you build initramfs (which options) and please provide output
   it has printed. (Append -v to options to get more verbose output.)
2) How did you specify kernel cmd line options.
3) What is expected to happen and what happens.
4) dmesg
5) Content of /tmp/ from initramfs time would be useful, too. (Content
   of every file there.)

> > You suggest that for every luks device Dracut should stop and let
> > the user decide to choose between key or password?
>
> Isn't it the case now? What if I had different key for each luks
> partition?

It's applying keys specified at kernel cmd line. You can specify it
multiple times.

> If I understand current dracut logic correctly then if key is found it
> is stored in /tmp so it can be reused?

No. Paths (with devices) to keys are stored there.

> So in case an attempt to open another luks partition fails, then yes
> in my view it would be best if user can either enter key manually or
> insert the USB stick with the key (in case rd.luks.key was specified).

Hm, might be a good idea.

--
Amadeusz Żołnowski
PGP key fpr: C700 CEDE 0C18 212E 49DA 4653 F013 4531 E1DB FAB5
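
Added example (not part of the original message and not dracut's own code): a POSIX sh lint for the point made in this thread that the key device in rd.luks.key needs its UUID= prefix, and that the option may appear several times on the kernel command line. It assumes the keypath[:keydev[:luksdev]] layout from dracut.cmdline(7); the function names and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Lint rd.luks.key= arguments on a kernel command line.
# Assumed layout: rd.luks.key=<keypath>[:<keydev>[:<luksdev>]]

# check_luks_key VALUE
# Prints a verdict for one value; returns 0 if well-formed, 1 otherwise.
check_luks_key() {
    val=$1
    keypath=${val%%:*}          # text before the first ':'
    rest=${val#"$keypath"}      # drop keypath ...
    rest=${rest#:}              # ... and the separator
    keydev=${rest%%:*}          # second field; may be empty
    case $keypath in
        /*) ;;
        *) echo "bad keypath (not an absolute path): '$keypath'"; return 1 ;;
    esac
    case $keydev in
        '') echo "ok: $keypath (no keydev given)" ;;
        UUID=?*|LABEL=?*|/dev/?*) echo "ok: $keypath on $keydev" ;;
        *) echo "bad keydev (needs UUID=, LABEL= or /dev/ prefix): '$keydev'"
           return 1 ;;
    esac
}

# lint_cmdline "CMDLINE"
# Checks every rd.luks.key= argument; return status is the number of bad ones.
lint_cmdline() {
    bad=0
    for arg in $1; do           # kernel arguments are whitespace-separated
        case $arg in
            rd.luks.key=*)
                check_luks_key "${arg#rd.luks.key=}" || bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample: first entry lacks the UUID= prefix, second is well-formed.
SAMPLE="root=/dev/mapper/luks-root rd.luks.key=/mykey:abcd-1234 rd.luks.key=/mykey:UUID=abcd-1234"
lint_cmdline "$SAMPLE" || echo "$? suspicious rd.luks.key entry(ies)"
```

On a running system the same check can be fed the live command line with lint_cmdline "$(cat /proc/cmdline)".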