Gentoo Forums
Difference between /etc/conf.d/dmcrypt vs. /etc/crypttab
nagmat84
Apprentice

Joined: 27 Mar 2007
Posts: 225
Posted: Sat May 04, 2024 6:28 am    Post subject: Difference between /etc/conf.d/dmcrypt vs. /etc/crypttab

I am trying to set up a LUKS-encrypted root FS with FIDO2. The guide Gentoo Wiki: RootFS Encryption does not create any configuration file at all. I assume it uses Discoverable Partitions to automatically mount the partitions correctly. That won't work in my case, as I need to tell the device mapper to read the password for decryption from the FIDO2 stick.

The guide Gentoo Wiki: DM Crypt creates the configuration file /etc/conf.d/dmcrypt. However, there does not seem to be a man page for that file.

The guide Amedeos: Configure Gentoo to unlock LUKS root file system with FIDO2 key creates the configuration file /etc/crypttab. This file indeed has a proper Linux man page.

I am wondering: what is the difference between the two configuration files /etc/conf.d/dmcrypt and /etc/crypttab?
  1. Is /etc/conf.d/dmcrypt Gentoo specific?
  2. Does /etc/conf.d/dmcrypt only work for OpenRC-based systems? (My system uses SystemD as the service manager.)
  3. Which tool reads which configuration file?
  4. Can both files be used to achieve the same things or are there aspects which can only be configured by one but not the other file?
CodAv
Apprentice

Joined: 09 May 2004
Posts: 170
Location: Essen, Germany
Posted: Mon May 06, 2024 10:11 am

/etc/conf.d/dmcrypt is only used by the dm-crypt OpenRC init script. That said, as your installation uses a systemd profile, this file can be ignored as it isn't used - you have to put the configuration into /etc/crypttab instead. Conversion is mostly straightforward, but there are a few caveats:
  • Make sure you have the "cryptsetup" USE flag enabled for sys-apps/systemd, otherwise the service generator which uses crypttab is not installed.
  • Populate /etc/crypttab with your required settings. Use "man crypttab" for a guide on the syntax.
  • crypttab is definitely more basic than dm-crypt, for example it doesn't have a way to specify pre/post mount actions (I think these are handled in a different service unit in systemd).

In your case, systemd provides the required options to use FIDO2 via systemd-cryptenroll, which is also supported in crypttab. A line like this in /etc/crypttab should work:

Code:
<mapped_name> UUID=<some UUID> none luks,discard,fido2-device=auto
You can find the UUID via "ls -la /dev/disk/by-uuid/"; "<mapped_name>" will be the block device created, e.g. "/dev/mapper/mapper_name", for use in fstab.

So if you've installed systemd with the proper USE flag and added the above line to crypttab, you can test it without a reboot by executing:

Code:
/usr/lib/systemd/system-generators/systemd-cryptsetup-generator /run/systemd/generator
systemctl daemon-reload
systemctl restart cryptsetup.target
You should be asked for your FIDO2 PIN/passphrase. If the fstab entry was present at boot, systemd should also mount the partition immediately. If "fido2-device=auto" doesn't work, see the crypttab man page for additional options.
_________________
Debian is available in three different versions: rusty, stale and broken.
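As an added example (not from the post or from systemd itself), here is a small parser and sanity checker for crypttab lines of the shape shown above, following the four-field layout from man crypttab (name, device, key file, options). The sample lines at the bottom are constructed; the second one is deliberately malformed so the checker has something to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
UUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

@dataclass
class CryptEntry:
    name: str
    device: str
    keyfile: Optional[str]         # None when the field is "none" or "-" (prompt or token)
    options: Dict[str, object]     # e.g. "luks" -> True, "fido2-device" -> "auto"

def parse_crypttab(text: str) -> List[CryptEntry]:
    """Parse crypttab text: name device [keyfile] [options]; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
        options: Dict[str, object] = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = opt.partition("=")
            options[key] = value or True   # flag options carry no '=' and become True
        entries.append(CryptEntry(fields[0], fields[1], keyfile, options))
    return entries

def review_entry(e: CryptEntry) -> List[str]:
    """Findings a reviewer would raise for one entry; an empty list means it looks sane."""
    findings = []
    if "/" in e.name:
        findings.append("name must be a plain mapper name (it becomes /dev/mapper/<name>), not a path")
    if e.device.startswith("UUID="):
        if not UUID_RE.match(e.device[5:]):
            findings.append("device UUID is not a well-formed UUID")
    elif not e.device.startswith("/dev/"):
        findings.append("device should be UUID=<uuid> or a /dev path")
    if "fido2-device" in e.options and e.keyfile is not None:
        findings.append("key file set alongside fido2-device; the post's example uses 'none' so only the token unlocks")
    if "discard" in e.options:
        findings.append("discard passes TRIM through LUKS, so the unused-block layout is visible on the raw disk")
    return findings

# Constructed sample: the first line mirrors the post's layout, the second is deliberately wrong.
SAMPLE_CRYPTTAB = """cryptroot UUID=12345678-1234-1234-1234-123456789abc none luks,discard,fido2-device=auto
bad/name UUID=not-a-uuid /root/key luks,fido2-device=auto
"""
```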
nagmat84
Apprentice

Joined: 27 Mar 2007
Posts: 225
Posted: Mon May 06, 2024 11:19 am

As far as I understand, systemd only uses /etc/fstab and /etc/crypttab to generate *.mount service files on the fly at boot. (I assume this would also be the place to define pre-/post-mount actions if one needed them.) According to my knowledge there are two "generators" provided by systemd: an fstab-related generator which translates the traditional files into mount unit files and a GPT auto-discovery generator which uses partition UUIDs to generate associated mount unit files.

If possible I would like to avoid using fstab and crypttab completely and only use the GPT-based approach. Currently, this is working fine, because I haven't yet enrolled a FIDO2 security token. (I only use password-based decryption.) Systemd is able to discover that automatically.

Question: Is there any systemd-based approach which allows using FIDO2 without maintaining crypttab? Maybe a kernel parameter which is passed to systemd?
All times are GMT