avdb n00b
Joined: 16 Aug 2020 Posts: 65 Location: Netherlands
Posted: Wed Sep 01, 2021 2:27 pm Post subject: [SOLVED] dracut Warning: No key found for /dev/nvme0n1p3.
I wish I didn't have to ask this but it seems like I can't find the solution on my own.
https://wiki.gentoo.org/wiki/Full_Encrypted_Btrfs/Native_System_Root_Guide
Having followed this guide I still have to enter the password for my root partition twice.
I remember having trouble getting this to work on my old system with a single hard drive and I solved it by using something different from rd.luks.uuid to specify the partition. I went over the entire dracut.cmdline manual but didn't find a single useful thing.
For some reason it still works on 5.11.13-gentoo on a different system. Here's what I found in /boot/grub/grub.cfg:
Code: |
menuentry 'Gentoo GNU/Linux, with Linux 5.11.13-gentoo' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.11.13-gentoo-advanced-06d3a2f0-73d9-4fca-ae37-dd48e855b7c9' {
load_video
insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_serpent
insmod gcry_serpent
insmod gcry_sha512
insmod btrfs
cryptomount -u 6fe88547dffd413784630ddb8229d918
set root='cryptouuid/6fe88547dffd413784630ddb8229d918'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/6fe88547dffd413784630ddb8229d918' 06d3a2f0-73d9-4fca-ae37-dd48e855b7c9
else
search --no-floppy --fs-uuid --set=root 06d3a2f0-73d9-4fca-ae37-dd48e855b7c9
fi
echo 'Loading Linux 5.11.13-gentoo ...'
linux /@boot/vmlinuz-5.11.13-gentoo root=UUID=06d3a2f0-73d9-4fca-ae37-dd48e855b7c9 ro rootflags=subvol=@ rd.luks=1 rd.luks.key=/root/secret slub_debug=P page_poison=1 nosmt=force l1tf=full root=UUID=06d3a2f0-73d9-4fca-ae37-dd48e855b7c9 rd.luks.uuid=luks-6fe88547-dffd-4137-8463-0ddb8229d918 quiet splash video=VGA1:e
echo 'Loading initial ramdisk ...'
initrd /@boot/initramfs-5.11.13-gentoo.img
}
|
And this is what I have in my current /boot/grub/grub.cfg:
Code: |
menuentry 'Gentoo GNU/Linux, with Linux 5.13.12-gentoo' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.13.12-gentoo-advanced-f8be8452-6092-4618-a9c0-f4db6e155e3a' {
load_video
if [ "x$grub_platform" = xefi ]; then
set gfxpayload=keep
fi
insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_serpent
insmod gcry_serpent
insmod gcry_sha512
insmod btrfs
cryptomount -u 9042fef2d0414b7fba3cf813b28827b7
set root='cryptouuid/9042fef2d0414b7fba3cf813b28827b7'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9042fef2d0414b7fba3cf813b28827b7' f8be8452-6092-4618-a9c0-f4db6e155e3a
else
search --no-floppy --fs-uuid --set=root f8be8452-6092-4618-a9c0-f4db6e155e3a
fi
echo 'Loading Linux 5.13.12-gentoo ...'
linux /@boot/vmlinuz-5.13.12-gentoo root=/dev/mapper/luks-9042fef2-d041-4b7f-ba3c-f813b28827b7 ro rootflags=subvol=@ rd.luks=1 rd.luks.key=/root/secretkey root=UUID=f8be8452-6092-4618-a9c0-f4db6e155e3a rd.luks.uuid=9042fef2-d041-4b7f-ba3c-f813b28827b7 quiet
echo 'Loading initial ramdisk ...'
initrd /@boot/initramfs-5.13.12-gentoo.img
}
|
And this is my current blkid:
Code: |
/dev/nvme0n1p3: UUID="9042fef2-d041-4b7f-ba3c-f813b28827b7" TYPE="crypto_LUKS" PARTLABEL="root" PARTUUID="b44cae9a-de1a-457e-bcdc-ada0f5d901ad"
/dev/mapper/luks-9042fef2-d041-4b7f-ba3c-f813b28827b7: LABEL="root" UUID="f8be8452-6092-4618-a9c0-f4db6e155e3a" UUID_SUB="5e92cf06-b8a7-4219-a7ba-d3eb385d1850" BLOCK_SIZE="4096" TYPE="btrfs"
|
Last edited by avdb on Tue Sep 07, 2021 9:12 pm; edited 1 time in total
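
A consistency check for the identifiers compared in the post above, as an added example that is not part of the original thread: it cross-checks `root=` and `rd.luks.uuid=` from the 5.13.12 `linux` line against the quoted blkid output. The function names are hypothetical, the btrfs expectation is specific to this setup, and the check covers identifiers only; it does not establish why dracut reported that no key was found.

```sh
#!/bin/sh
# Added example. CMDLINE and BLKID are copied from the 5.13.12 entry and
# the blkid output in the post above; all function names are hypothetical.
CMDLINE='root=/dev/mapper/luks-9042fef2-d041-4b7f-ba3c-f813b28827b7 ro rootflags=subvol=@ rd.luks=1 rd.luks.key=/root/secretkey root=UUID=f8be8452-6092-4618-a9c0-f4db6e155e3a rd.luks.uuid=9042fef2-d041-4b7f-ba3c-f813b28827b7 quiet'
BLKID='/dev/nvme0n1p3: UUID="9042fef2-d041-4b7f-ba3c-f813b28827b7" TYPE="crypto_LUKS" PARTLABEL="root" PARTUUID="b44cae9a-de1a-457e-bcdc-ada0f5d901ad"
/dev/mapper/luks-9042fef2-d041-4b7f-ba3c-f813b28827b7: LABEL="root" UUID="f8be8452-6092-4618-a9c0-f4db6e155e3a" UUID_SUB="5e92cf06-b8a7-4219-a7ba-d3eb385d1850" BLOCK_SIZE="4096" TYPE="btrfs"'

# Print every value given for parameter $2 on command line $1, one per line.
# Runs in a subshell so that disabling globbing does not leak to the caller.
cmdline_values() (
    set -f
    for word in $1; do
        case $word in
            "$2="*) printf '%s\n' "${word#"$2="}" ;;
        esac
    done
)

# Print the TYPE of the blkid entry whose UUID equals $2 (empty if none).
# The leading space keeps PARTUUID= and UUID_SUB= from matching.
blkid_type_for_uuid() {
    printf '%s\n' "$1" | sed -n "/ UUID=\"$2\"/s/.* TYPE=\"\([^\"]*\)\".*/\1/p"
}

# Print one line per inconsistency; print nothing when the values agree.
check_cmdline() {
    n=$(($(cmdline_values "$1" root | wc -l)))
    [ "$n" -le 1 ] || echo "root= appears $n times"
    # rd.luks.uuid must name the LUKS container. dracut.cmdline(7) says a
    # leading "luks-" is removed before comparing, so strip it here too.
    for u in $(cmdline_values "$1" rd.luks.uuid); do
        t=$(blkid_type_for_uuid "$2" "${u#luks-}")
        [ "$t" = crypto_LUKS ] || echo "rd.luks.uuid=$u has TYPE '$t'"
    done
    # root=UUID= must name the filesystem inside the container (btrfs here).
    for r in $(cmdline_values "$1" root); do
        case $r in
            UUID=*) t=$(blkid_type_for_uuid "$2" "${r#UUID=}")
                    [ "$t" = btrfs ] || echo "root=$r has TYPE '$t'" ;;
        esac
    done
}

check_cmdline "$CMDLINE" "$BLKID"
```

On a live system, pass the contents of `/proc/cmdline` and the output of `blkid` instead of the embedded samples.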

alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
Posted: Wed Sep 01, 2021 4:17 pm
I looked briefly in the Wiki you mentioned and it presupposes systemd.
Are you using systemd or openrc?
Quote: |
/dev/mapper/luks-9042fef2-d041-4b7f-ba3c-f813b28827b7
|
The decrypted volume naming is wrong.
You don't need all this uuid-ish string appended after luks.
Do
Code: |
cryptsetup luksOpen /dev/nvme0n1p3 luks
#### then you will have /dev/mapper/luks
### in /etc/default/grub use
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=UUID=9042fef2-d041-4b7f-ba3c-f813b28827b7:luks root=/dev/mapper/luks rootfstype=btrfs"
|
Then
Code: |
USE="device-mapper" emerge -1av grub
### make it permanent via package.use
dracut --force
grub-mkconfig -o /boot/grub/grub.cfg
rc-update add dmcrypt boot
reboot
|
Quote: |
I solved it by using something different from rd.luks.uuid to specify the partition
|
All this "rd.rd.lvm.lv=<>/<> or rd.luks.uuid=<>" naming is meant to be understood by dracut but it is not mandatory.

avdb n00b
Joined: 16 Aug 2020 Posts: 65 Location: Netherlands
Posted: Wed Sep 01, 2021 6:12 pm
Thanks for your help, alamahant. I'm using dracut so your solution didn't work; if anything, I can't boot at all right now. The boot gets stuck for 180 seconds before dracut starts scanning all btrfs devices, after which I finally get thrown into a recovery shell where I have to open the root partition manually with "cryptsetup open /dev/nvme0n1p3 -d /root/secretkey".

alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
Posted: Wed Sep 01, 2021 6:29 pm
Quote: |
. I'm using dracut so your solution didn't work,
|
"My" solution IS a dracut solution.
I also use dracut only.
Plz do not use a secret key for root.
It is better if you type it @boot
In /etc/default/grub
also add
Code: |
GRUB_PRELOAD_MODULES="luks2 luks"
|
Also
plz post
Code: |
ls -R /boot
mountpoint /boot
|
Furthermore this
Quote: |
/dev/mapper/luks-9042fef2-d041-4b7f-ba3c-f813b28827b7: LABEL="root" UUID="f8be8452-6092-4618-a9c0-f4db6e155e3a" UUID_SUB="5e92cf06-b8a7-4219-a7ba-d3eb385d1850"
|
is a wrong partition. You are confusing the "rd.luks.uuid" with the "cryptsetup luksOpen /dev/nvm... luks"
I mean you can name your decrypted volume however it pleases you but all this is unnecessary.
Last edited by alamahant on Wed Sep 01, 2021 7:22 pm; edited 4 times in total

avdb n00b
Joined: 16 Aug 2020 Posts: 65 Location: Netherlands
Posted: Wed Sep 01, 2021 6:41 pm
ls -R /boot:
http://dpaste.com/4WDV8Q63B
mountpoint /boot:
Code: | /boot is a mountpoint |
I checked to be sure and cryptdevice is indeed a valid kernel parameter so I'm gonna assume the problem here is that my machine boots too fast.
Quote: | Plz do not use a secret key for root |
What do you mean by this?

alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
Posted: Wed Sep 01, 2021 6:47 pm
Quote: |
Code:
/boot is a mountpoint
|
Ok, your /boot seems fine.
Is /boot/efi also a mountpoint?
I didn't see the /boot/efi/EFI directory.
So I guess /boot/efi is not mounted right now, correct?
I mean it kinda defeats the purpose if you use a key for /, no?
Anybody can boot your machine.
It is good if you typed your luks password @boot.
This is what I mean.
Also the Wiki you are following is trying to make a simple matter appear complicated.
It also uses encrypted /boot raid and other flashy things.
DO NOT use an encrypted /boot.
Use a plain unencrypted partition, something that apparently you did according to your posted output.
It is much much simpler than the above article presents it to be.
Doing complicated things is not always a virtue but often a liability.
Quote: |
The boot gets stuck for 180 seconds before dracut starts scanning all btrfs devices after which I finally get thrown in a recovery shell where I have to open the root partition manually with "cryptsetup open /dev/nvme0n1p3 -d /root/secretkey".
|
I think it was waiting for you to type your password.

avdb n00b
Joined: 16 Aug 2020 Posts: 65 Location: Netherlands
Posted: Fri Sep 03, 2021 4:28 pm
Quote: | so i guess /boot/efi is not mounted right now correct? |
This shouldn't matter. /boot/efi doesn't need to be mounted in order for my system to work properly since it's only read at startup by grub.
Quote: | DO NOT use an encrypted /boot. |
You don't seem to understand. It's my system and I choose to have an encrypted /boot like I did for the past several years without problems. I want to make sure the kernel or initramfs are encrypted as well.
Quote: | I think it was waiting for you to type your password. |
It's not. It's supposed to decrypt / on its own after I decrypted /boot by typing in the password before I have access to the grub menu. To me it seems more like you're trying to give me bad advice instead of helping me. Thanks for your time anyway.

alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
Posted: Fri Sep 03, 2021 4:32 pm
Quote: |
It's not. It's supposed to decrypt / on its own after I decrypted /boot by typing in the password before I have access to the grub menu, to me it seems more like you're trying to give me bad advice instead of helping me. Thanks for your time anyway.
|
No need to be so touchy.
I humbly apologize if I "tried to give you bad advice".
Quote: |
You don't seem to understand. It's my system and I choose to have an encrypted /boot like I did for the past several years without problems.
|
Of course it's your system and you can do as you please with it.
I am not trying to steal your system away.
No, I don't "seem to understand".
I am a little stupid...
Sorry!
I hope you get your setup up and running....soon.....

avdb n00b
Joined: 16 Aug 2020 Posts: 65 Location: Netherlands
Posted: Tue Sep 07, 2021 9:11 pm
Solution: uninstall Dracut and use a custom initramfs.

pietinger Moderator
Joined: 17 Oct 2006 Posts: 5104 Location: Bavaria
Posted: Tue Sep 07, 2021 10:46 pm
avdb,
do you also have SecureBoot installed?