From: Michael
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] dmcrypt error during boot
Date: Sat, 05 Aug 2023 16:11:05 +0100
Message-ID: <8254762.T7Z3S40VBb@lenovo>
This is a simple installation on 3 partitions for /boot, / and /home respectively. There is no initrd and no 3rd party boot manager. The system is booted directly by the UEFI firmware. Only the /home partition is encrypted with dm-crypt/luks. The dm-crypt key is itself encrypted with gpg and stored in /etc/keys/enc.key.gpg.
When the system boots, a couple of error messages ominously flash through about the dmcrypt service failing to start. Then the pinentry pops up asking for the gpg passphrase. The passphrase is promptly typed in, the boot process continues and the /dev/mapper/home block device is set up as 'dev/mapper/home -> /dev/dm-0'. However, the decrypted partition is NOT mounted under /home, unless I login as root and proceed to do this manually.

I have tried a few things, unsuccessfully, including:

1. Specifying in fstab the UUID for the device to be used for the /home partition, then changing this to '/dev/mapper/home'.

2. Adding an entry in /etc/dmtab, generated by 'dmsetup table', after manually decrypting and mounting the /home partition.

3. Adding in '/etc/conf.d/device-mapper':

   rc_verbose="YES"
   rc_after="dmcrypt"

   to the default entry of:

   RC_AFTER="lvm"

   (NOTE: There is no lvm service in this system.)

This is what rc.log reveals:
============================
rc boot logging started at Fri Aug 4 16:21:38 2023

 * Setting system clock using the hardware clock [UTC] ... [ ok ]
 * Mounting misc binary format filesystem ... [ ok ]
 * Loading custom binary format handlers ... [ ok ]
 * Setting up dm-crypt mappings ...
 * home using: open /dev/sda9 home ...
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
Nothing to read on input.
 * failure running cryptsetup [ !! ]
 * Failed to setup dm-crypt devices [ !! ]
 * ERROR: dmcrypt failed to start
 * Setting up device-mapper volumes:
 * Creating volume: home ...
 * Error creating volume: home [ !! ]
 * ERROR: device-mapper failed to start
 * Checking local filesystems ... [ ok ]
 * Remounting root filesystem read/write ... [ ok ]
 * Remounting filesystems ... [ ok ]
 * Updating /etc/mtab ...
 * Creating mtab symbolic link [ ok ]
 * Activating swap devices ... [ ok ]
 * Mounting local filesystems ... [ ok ]
 * Configuring kernel parameters ... [ ok ]
 * Creating user login records ... [ ok ]
 * Wiping /tmp directory ... [ ok ]
 * Starting dbus ... [ ok ]
 * Starting elogind ... [ ok ]
[snip ...]
 * Create Volatile Files and Directories ... [ ok ]

rc boot logging stopped at Fri Aug 4 16:21:41 2023

rc default logging started at Fri Aug 4 16:21:41 2023

 * Starting chronyd ... [ ok ]
 * Setting up dm-crypt mappings ...
 * home using: open /dev/sda9 home ... [ ok ]
 [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
 * Starting syslog-ng ... [ ok ]
 * Starting cronie ... [ ok ]
 * Initializing sensors ... [ ok ]
 * Starting DHCP Client Daemon ... [ ok ]
 * Mounting network filesystems ... [ ok ]
 * Starting local ... [ ok ]

rc default logging stopped at Fri Aug 4 16:21:59 2023
=======================================================

I don't fully understand why the dmcrypt service does not wait for gpg to decrypt the key, but proceeds immediately to run 5 retries of the still unencrypted key and fails.

The relevant entry I have in /etc/conf.d/dmcrypt is:

# Definition for /dev/mapper/home (for /home)
target=home
source=UUID="3e9c0cff-6b09-4461-8679-6cb7fd9f55f3"
key='/etc/keys/enc.key.gpg:gpg'

Sakaki's installation guide with the buildkernel script created a 'staticgpg' file without pinentry, but this was for use in an initrd image and booting off a USB stick. I assume this should not be needed for a non-initrd boot process - am I wrong?

What am I missing here?
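As an added example (not from the post above, and not Gentoo's own dm-crypt init script), the following POSIX sh snippet parses an entry of the shape shown in /etc/conf.d/dmcrypt and guards the decrypt-then-open step so that a failed or empty gpg decryption is reported before cryptsetup ever sees an empty key stream. The sample config is constructed, and the decrypt and open commands are passed as strings (in real use: the gpg invocation and cryptsetup with --key-file=-) so the snippet runs offline.

```shell
# Added example, not from the post or from Gentoo's dm-crypt init script:
# parses one /etc/conf.d/dmcrypt entry (target= / source= / key='path:type')
# and guards the decrypt-then-open step so an empty key stream is reported.

# Write a constructed sample entry (same shape as the post's) to a temp file.
dmcrypt_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# Definition for /dev/mapper/home (for /home)
target=home
source=UUID="3e9c0cff-6b09-4461-8679-6cb7fd9f55f3"
key='/etc/keys/enc.key.gpg:gpg'
EOF
    printf '%s\n' "$f"
}

# conf_value FILE NAME: first NAME=... value, with quote characters removed.
conf_value() { sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"; }

dmcrypt_target() { conf_value "$1" target; }
# key='path:type' -> path; a key without ':type' is a plain key file.
dmcrypt_key_path() { conf_value "$1" key | sed 's/:[^:]*$//'; }
dmcrypt_key_type() {
    k=$(conf_value "$1" key)
    case "$k" in *:*) printf '%s\n' "${k##*:}" ;; *) printf 'file\n' ;; esac
}
# source=UUID="..." -> the by-uuid device node; other forms pass through.
dmcrypt_source_dev() {
    s=$(conf_value "$1" source)
    case "$s" in
        UUID=*) printf '/dev/disk/by-uuid/%s\n' "${s#UUID=}" ;;
        *)      printf '%s\n' "$s" ;;
    esac
}

# open_with_key DECRYPT_CMD OPEN_CMD: run DECRYPT_CMD (e.g. gpg --decrypt),
# keep its output in a 0600 temp file (TMPDIR on tmpfs in real use), and run
# OPEN_CMD with that file on stdin only if the decrypt succeeded and produced
# bytes. Returns 2 otherwise instead of letting cryptsetup see an empty stdin.
open_with_key() {
    kf=$(mktemp) || return 1
    if ! sh -c "$1" >"$kf" || ! [ -s "$kf" ]; then
        rm -f "$kf"
        printf 'key decryption failed or produced no data; not opening\n' >&2
        return 2
    fi
    sh -c "$2" <"$kf"; rc=$?
    rm -f "$kf"
    return "$rc"
}
```

In a boot script the return value 2 is the point to log and retry the passphrase prompt, rather than letting cryptsetup report "Nothing to read on input" on each attempt.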