FS#15738 - [cryptsetup] initcpio-hook enhancement

Attached to Project: Arch Linux
Opened by Jim Pryor (Profjim) - Friday, 31 July 2009, 08:05 GMT
Last edited by Tom Gundersen (tomegun) - Tuesday, 13 November 2012, 12:43 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Thomas Bächler (brain0)
Dave Reisner (falconindy)
Tom Gundersen (tomegun)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

My current disk setup requires my laptop root and swap drives to be on different LUKS partitions. That makes it impossible to use the resume hook in mkinitcpio, since I won't have any /dev/unencrypted_device to point resume to on the grub kernel line. It looks like the existing encrypt hook can be used to decrypt root or (undocumented, but should work) the swap/resume volume, but not both.

I've seen this discussed before, e.g.: http://bbs.archlinux.org/viewtopic.php?id=63011.

Based on those discussions, what seems to me to be the most robust solution is decrypting + mounting one partition, which contains the keyfiles for your root and/or swap/suspend volume, then umounting the partition with the keyfiles. It works best if this partition is unjournaled and/or never mounted when one hibernates the machine. Though you may be able to work around that; see the above forum post. In my case, I just shrunk my boot partition a bit and made a tiny small new partition to hold the keyfiles for root and swap. This partition is only ever decrypted and mounted during the bootup sequence.

I wrote and am successfully using the attached initcpio hook. From its help():
This hook allows for multiple encrypted root devices
(for example, root and swap) to be opened at init time.
It uses a kernel argument cryptkey= in same way as the encrypt
hook (it can be left empty, or supplied as dev:fstype:path,
or supplied as dev:raw_numeric_offset:length).
Instead of the encrypt hook's required cryptdevice= argument,
it instead uses a cryptdevices= argument, whose format must be:

cryptdevices=dev_holding_keyfiles:fstype[:path],\\
dev1_to_decrypt:alias_for_it,\\
dev2_to_decrypt:alias_for_it,...

The code is based on the encrypt hook code. I just removed the handling of legacy encryption, parsed the more complex cryptdevices instead of cryptdevice, and used a cascade of calls to cryptsetup luksOpen...

Closed by  Tom Gundersen (tomegun)
Tuesday, 13 November 2012, 12:43 GMT
Reason for closing:  Deferred
Additional comments about closing:  see last comment
Comment by Thomas Bächler (brain0) - Friday, 31 July 2009, 08:55 GMT
I don't have the time to look at the code in detail now. However, I had written a similar solution back when there was no encryption support for Arch and used it successfully for a while, although I found it to be quite complex.

Generally, I can support such a solution if we leave it in a separate hook. Let's see when I get time to verify the code. If you have improvements, don't hesitate to post them too.
Comment by Jim Pryor (Profjim) - Friday, 14 August 2009, 21:52 GMT
Here's a tweaked version of the hooks/multicrypt file (first of the two files attached above, the other is install/multicrypt and remains the same).

I found that the small partition holding the keys to unlock your root and swap partitions wasn't getting unmounted + luksClosed properly, because I was using some switches on umount which weren't available in the pared-down version of umount on the initrd. I don't know where I had seen those switches recommended; but in any case, now they're gone and this version seems to work cleanly.
Comment by Dan Liew (delcypher) - Monday, 20 September 2010, 11:01 GMT
Hi, I had a similar need to have two different partitions (that are used to make an LVM "physical volume") that needed to be encrypted. I modified the encrypt hook (included) so that it looped through multiple devices specified in cryptdevice.

e.g. cryptdevice=/dev/sda4:volgroup,/dev/sdb1:volgroupextend

I looked at the multicrypt script but I can't understand how it's "supposed" to loop through multiple LUKS volumes/partitions

in particular...
set -- $(/bin/replace "${cryptdevices}" ',')

How does this work? The normal "replace" takes input from standard input. Even if there was some standard input it would effectively do...
set -- ,

...how is that even helpful? replace also doesn't seem to be available in my initramfs image (added break=y parameter at boot to see what programs were available)

I'm also not sure what the purpose of this is...
if [ ! -e "/dev/mapper/control" ]; then
/bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
fi
   encrypt (6.2 KiB)
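Added example, not part of the thread and not the attached multicrypt hook: the cryptdevices= format from the task description, split on commas and colons in POSIX sh using IFS and parameter expansion instead of an external helper, which is the step the comment above asks about. The function name, the "key"/"open" output lines and the sample command line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; names are hypothetical, not taken from the multicrypt hook.
# Parses cryptdevices=keydev:fstype[:path],dev1:alias1,dev2:alias2,...

# Prints "key <dev> <fstype> <path or ->" followed by one "open <dev> <alias>"
# line per device; returns 1 on malformed input and prints nothing.
parse_cryptdevices() {
    value=$1
    old_ifs=$IFS
    set -f                      # keep '*' or '?' in the value from globbing
    IFS=,
    set -- $value               # unquoted on purpose: one positional per entry
    IFS=$old_ifs
    set +f
    [ $# -ge 2 ] || return 1    # keyfile holder plus at least one device

    first=$1
    shift
    case $first in *:*) ;; *) return 1 ;; esac
    keydev=${first%%:*}
    rest=${first#*:}
    case $rest in
        *:*) fstype=${rest%%:*}; keypath=${rest#*:} ;;
        *)   fstype=$rest; keypath= ;;
    esac
    [ -n "$keydev" ] && [ -n "$fstype" ] || return 1
    plan="key $keydev $fstype ${keypath:--}"

    for spec in "$@"; do
        case $spec in *:*) ;; *) return 1 ;; esac
        dev=${spec%%:*}
        name=${spec#*:}
        [ -n "$dev" ] || return 1
        # The alias becomes /dev/mapper/<alias>: reject '/', ':', '.', '..', empty.
        case $name in
            ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
        esac
        plan="$plan
open $dev $name"
    done
    printf '%s\n' "$plan"
}

# Constructed kernel command line for the demo (not from the page).
cmdline='root=/dev/mapper/root cryptdevices=/dev/sda3:ext2:/keys,/dev/sda4:root,/dev/sda5:swap ro'
for arg in $cmdline; do
    case $arg in
        cryptdevices=*) parse_cryptdevices "${arg#cryptdevices=}" ;;
    esac
done
```

Because the fields are colon-separated, a device path that itself contains a colon (some /dev/disk/by-path names do) cannot be expressed in this format and is rejected by the alias check.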
Comment by Jim Pryor (Profjim) - Sunday, 01 May 2011, 05:57 GMT
Hi Dan, sorry I didn't see your comment earlier. The multicrypt files attached above are from before the current use of busybox. I'm attaching updated versions of /lib/initcpio/install/multicrypt and /lib/initcpio/hooks/multicrypt that work for me now. Hope they might be useful.
Comment by Tom Gundersen (tomegun) - Tuesday, 13 November 2012, 12:43 GMT
Is this stuff still needed/up-to-date? If so, please rebase and submit git-formatted patches to arch-projects@archlinux.org.
