From: Claudio Clemens <asturio-hi6Y0CQ0nG0@public.gmane.org>
To: "Amadeusz Żołnowski"
<aidecoe-2qtfh70TtYba5EbDDlwbIw@public.gmane.org>,
initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: cryptsetup + lvm order and crypt name
Date: Fri, 15 Aug 2014 13:11:25 +0200
Message-ID: <53EDEADD.2070103@gmx.net>
In-Reply-To: <8761i3pi87.fsf-txNSArhcdoZACdk+e2mhCEEMvNT87kid@public.gmane.org>
On 08.08.2014 09:12, Amadeusz Żołnowski wrote:
> First of all I advise to call dracut like that:
>
> dracut -H '' <kernel-version>
>
> it will generate host-specific initramfs for specified kernel version in
> default location. Later edit variable GRUB_CMDLINE_LINUX_DEFAULT in
> /etc/default/grub and put there parameters you want. After that
> regenerate grub2 config with grub2-mkconfig.
>
> I hope that helps. :-)

OK... it has been a while now. But I managed to boot my system. The -H flag
wasn't needed. I put the boot configuration options in grub, and not in
dracut. Just to document it, I have this setup:

In /etc/default/grub

GRUB_CMDLINE_LINUX="rd.auto rd.luks rd.luks.crypttab
rd.luks.uuid=83e0aaa5-a8ad-4435-afff-0d52b1071fc3 rd.lvm
rd.lvm.vg=boromir rd.md=0 rd.dm"

The only really needed option was rd.auto (maybe other options now
imply rd.auto). But the problem was a conflict between my
installation, Debian's dracut and Debian's cryptsetup.

When I installed my system and encrypted my /dev/sda5, I gave the
encrypted partition the name sda5_crypt. This value was written in
/etc/crypttab. So for accessing the partition at boot time, what is done
is: cryptsetup luksOpen /dev/sda5 sda5_crypt

When booting, /etc/init.d/cryptdisks* looks for sda5_crypt; if it is
there, it won't do anything and boot will continue. If it is not there,
it asks for the passphrase and tries to decrypt it.

The problem was that dracut, when calling "cryptsetup luksOpen", won't
use the name given in /etc/crypttab, but "luks-<UUID of the partition>".
When /etc/init.d/cryptdisk* comes in, there is no sda5_crypt present, so
it tried to decrypt the partition again, which is not possible, because
it is actually already in use.

My solution for the problem was to rename the decrypted volume in
/etc/crypttab from "sda5_crypt" to "luks-<UUID of /dev/sda5>". So I use
the same name dracut uses when calling cryptsetup, and the
Debian init scripts find the device.

I think the elegant solution would be in dracut, which could have a boot
option for the name of the decrypted device (or read it from
/etc/crypttab when creating the image), or in the cryptdisks init scripts,
which could see if the encrypted device is already decrypted, and not
only look if the name is present.

I hope this can help anyone with a similar problem.

Thanks for the help,

Claudio

PS - I'll then file a bug report/wish for both Debian packages so they
are aware of the problem.
--
+- .''`. ---| Dipl.-Inf. Univ. Claudio Clemens |-------| wheezy |-----+
| : :' : asturio at gmx (.) net GNU/Linux User #79942 |
| `. `' http://asturio.gmxhome.de/begin.html |
| `- "YE GODS, I HAVE FEET??!" <- Userfriendly |
"I will take the ring, though I do not know the way" Frodo Baggins
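
Added example, not part of the original message and not dracut or Debian code: a POSIX shell check for the naming conflict described above. It reads crypttab text and flags entries whose mapping name differs from the "luks-<UUID>" name that, per the message, dracut uses; the function names and the sample crypttab lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare crypttab mapping names with the "luks-<UUID>"
# name that dracut uses according to the message above.

# Print the LUKS UUID for a crypttab source field, or nothing if unknown.
source_uuid() {
    case "$1" in
        UUID=*) printf '%s\n' "${1#UUID=}" ;;
        /dev/*)
            # Device path: needs blkid and read access to the device.
            if command -v blkid >/dev/null 2>&1; then
                blkid -s UUID -o value "$1" 2>/dev/null || true
            fi ;;
    esac
}

# Read crypttab text on stdin; print one status line per entry.
check_crypttab_names() {
    while read -r name src _rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        uuid=$(source_uuid "$src")
        if [ -z "$uuid" ]; then
            echo "UNRESOLVED $name $src"
        elif [ "$name" = "luks-$uuid" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name luks-$uuid"
        fi
    done
}

# Constructed sample input; the UUID is the rd.luks.uuid value from the message.
sample_crypttab() {
    cat <<'EOF'
# <target name> <source device> <key file> <options>
sda5_crypt UUID=83e0aaa5-a8ad-4435-afff-0d52b1071fc3 none luks
luks-83e0aaa5-a8ad-4435-afff-0d52b1071fc3 UUID=83e0aaa5-a8ad-4435-afff-0d52b1071fc3 none luks
EOF
}

sample_crypttab | check_crypttab_names
```

On a real system, feed it the live file with `check_crypttab_names < /etc/crypttab`; a MISMATCH line shows the name the init scripts look for next to the name the initramfs will have created.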