| View previous topic :: View next topic |
| Author |
Message |
veritysr
n00b
Joined: 05 Apr 2025
Posts: 2
|
 Posted: Sat Apr 12, 2025 2:43 pm Post subject: ugrd unable to read LUKS header for LUKS1 device |
 |
|
I have an encrypted root filesystem, that is LUKS1.
I'm getting the following error when running ugrd that is preventing me from upgrading my kernel (sys-kernel/gentoo-kernel-bin).
| Code: | ERROR | [root] Unable to read LUKS header.
Traceback (most recent call last):
File "/usr/lib/python3.12/site-packages/ugrd/main.py", line 167, in main
generator.build()
File "/usr/lib/python3.12/site-packages/ugrd/initramfs_generator.py", line 95, in build
self.run_build()
File "/usr/lib/python3.12/site-packages/ugrd/initramfs_generator.py", line 235, in run_build
self.run_hook(task, force_exclude=True)
File "/usr/lib/python3.12/site-packages/ugrd/initramfs_generator.py", line 151, in run_hook
if function_output := self.run_func(function, *args, **kwargs):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/ugrd/initramfs_generator.py", line 111, in run_func
if function_output := function(self):
^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/ugrd/crypto/cryptsetup.py", line 388, in export_crypt_sources
_validate_luks_config(self, name)
File "/usr/lib/python3.12/site-packages/zenlib/util/dict_check.py", line 36, in _contains
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/ugrd/crypto/cryptsetup.py", line 377, in _validate_luks_config
_validate_cryptsetup_device(self, mapped_name)
File "/usr/lib/python3.12/site-packages/zenlib/util/dict_check.py", line 36, in _contains
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/ugrd/crypto/cryptsetup.py", line 288, in _validate_cryptsetup_device
_validate_cryptsetup_header(self, mapped_name) # Run header validation, mostly for crypto modules
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/zenlib/util/dict_check.py", line 36, in _contains
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/ugrd/crypto/cryptsetup.py", line 241, in _validate_cryptsetup_header
raise ValueError("[%s] Unable to read LUKS header." % mapped_name)
ValueError: [root] Unable to read LUKS header. |
I took a peek at the code and saw that ugrd is calling the following to read the LUKS header.
| Code: | | cryptsetup luksDump --dump-json-metadata |
Since the "--dump-json-metadata" flag only supports LUKS2, it makes sense why ugrd would fail for a LUKS1 device.
Any help would be appreciated - thank you! |
|
| Back to top |
|
 |
zen_desu
Apprentice
Joined: 25 Oct 2024
Posts: 245
|
|
| Back to top |
|
|
veritysr
n00b
Joined: 05 Apr 2025
Posts: 2
|
| Posted: Sat Apr 12, 2025 6:46 pm Post subject: |
|
|
Setting "validate_header = false in /etc/ugrd/config.toml did it - Thank you!
I'm using grub for my bootloader and did my initial install of gentoo with a LUKS2 volume, with default options and it would not boot. After a couple days of troubleshooting, I eventually came across a couple articles that suggested using a LUKS1 volume instead of LUKS2 due to grub's limited support for LUKS2. That did the trick, so I stuck with it for a couple of months, and then I started getting errors during kernel upgrades.
Big warnings, urging users to upgrade to LUKS2 is a great idea. I'll look into getting an update to the gentoo articles that touch on setting up full disk encryption such as https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch that would include a similar warning.
Thanks again! |
|
| Back to top |
|
|
zen_desu
Apprentice
Joined: 25 Oct 2024
Posts: 245
|
| Posted: Sat Apr 12, 2025 6:52 pm Post subject: |
|
|
| veritysr wrote: | Setting "validate_header = false in /etc/ugrd/config.toml did it - Thank you!
I'm using grub for my bootloader and did my initial install of gentoo with a LUKS2 volume, with default options and it would not boot. After a couple days of troubleshooting, I eventually came across a couple articles that suggested using a LUKS1 volume instead of LUKS2 due to grub's limited support for LUKS2. That did the trick, so I stuck with it for a couple of months, and then I started getting errors during kernel upgrades.
Big warnings, urging users to upgrade to LUKS2 is a great idea. I'll look into getting an update to the gentoo articles that touch on setting up full disk encryption such as https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch that would include a similar warning.
Thanks again! |
You're welcome, I'm glad that worked for you.
Personally, I don't see much risk in keeping the kernel/initramfs on unencrypted storage. These files ideally don't hold secrets, and I'm mostly concerned about if these files are signed/unmodified, which is best done using something like secure boot.
Another challenge presented by using an encrypted /boot is that the bootloader has to decrypt the volume to read the kernel, and unless the initramfs has keys included within it, the root will have to be unlocked a second time.
It's also possible to take a bit of a hybrid approach and use luks1 for your /boot, and then luks2 for your root.
You should be able to get grub to work with luks2/argon2 KDF with some patches, but I don't think it's possible with the current stable version.
_________________
µgRD dev
Wiki writer |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Portage & Programming
