Hi fellow selfhoster,
Im a bit lost on the following scenario and im unable to find any documentation about it so i was hoping some smart people here could point me in the right direction.
I have a linux software raid 6 that contains a LUKS partition with ext4 in it. I would like to automount the ext4 when im rebooting. The root partition is also using LUKS and i have successfully setup the decryption for this parition but im uncertain on how to do this with this raid setup since im not sure where in the boot process linux recognizes my raid and when the decryption happens.
This is what i have:
[root@nfs-rocky-1 ~]# cat /etc/mdadm.conf
ARRAY /dev/md/server1:0 metadata=1.2 UUID=3e198408:2236ed3d:1dc13a8e:e5f91e52
On a reboot the raid does get automaticly recognizes but i still have to do cryptsetup luksOpen /dev/md0 raid & mount /dev/mapper/raid /mnt/data.
What would be the best way to do this? Im a bit scared of doing this im not certain of since i don’t want my machine to be stuck at a boot.
Just a like to an article that dicusses something like this already would help me greatly.
since im not sure where in the boot process linux recognizes my raid and when the decryption happens
Usually raid and decryption happen in the initram. This is because these are too complex to sit purely in the kernel, requiring userspace tools like cryptsetup, but you want to be able to boot off of them so they have to be handled before the disk is mounted.
Usually that initram is dracut. Why dracut only partially completes the process here, likely figuring out the raid but not decryption, is anyones guess. In my experience dracut is quite hard to debug and configure.
The simplest approach is probably to just eat it and write a startup service that does it. Basically a startup command. No need to worry about timing, as when the initram finishes the raid should already be up.
There might be a prebuilt systemd service for it too iirc…If you really wanns go for it, there are other initram systems like ugrd, which are easier to configure and might figure your setup out properly. But you’ll probably have to manually install and update them. That would definitely be a very involved approach.
There are some guesses I made here on your boot timeline. If you show your dmesg I can confirm if the raid really comes up at initramfs time. But it should be s solid bet.
@Hercules I have a similar setup with RAID1 and BTRFS.
I’m using a keyfile for that:
dd bs=512 count=4 if=/dev/random of=/etc/crypttab.d/keyfile-data.bin iflag=fullblock
chmod 600 /etc/crypttab.d/keyfile-data.bincryptsetup luksAddKey /dev/mapper/raid /etc/crypttab.d/keyfile-data.bin --new-key-slot 1
entry in /etc/crypttab:
data UUID=<blkid from /dev/md0> /etc/crypttab.d/keyfile-data.bin luksentry in /etc/fstab:
UUID=<blkid from /dev/mapper/raid> /mnt/data …Another way can be pam_mount, which I’m using on an SBC for opening an encrypted device:
https://inai.de/projects/pam/_mount/:D while your steps were very clear i think i fked up.
cryptsetup luksAddKey /dev/mapper/raid /etc/crypttab.d/keyfile-data.bin --new-key-slot 1gave:Device /dev/mapper/raid is not a valid LUKS device.. I assume this is a typo from your end since/dev/md0is my luks volume. But altering this gave me:slot is already in usekind of error.That can be explained since i tested something simular like you suggested earlier. Afterwhich i removed my key i generated and added to the volume. Then i did
cryptsetup luksRemoveKey /dev/md0.Now when i try to add it i get
No key available with this passphrase.I don’t have enough knowledge about cryptsetup to know what excactly i did wrong.
Do you by any change have an explaination?
In case this is usefull:
[root@nfs-rocky-1 ~]# cryptsetup luksDump /dev/md0 LUKS header information Version: 2 Epoch: 6 Metadata area: 16384 [bytes] Keyslots area: 16744448 [bytes] UUID: 485df758-6cec-49e3-aceb-438aaaedc833 Label: (no label) Subsystem: (no subsystem) Flags: (no flags) Data segments: 0: crypt offset: 16777216 [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 4096 [bytes] Keyslots: 1: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: argon2id Time cost: 4 Memory: 1048576 Threads: 4 Salt: 17 c5 ff 7f b9 10 43 41 16 5a c8 28 44 b9 df 64 a8 1d 40 41 9f a1 70 85 34 06 52 8d ba 29 bd ef AF stripes: 4000 AF hash: sha256 Area offset:290816 [bytes] Area length:258048 [bytes] Digest ID: 0 2: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: argon2id Time cost: 12 Memory: 1048576 Threads: 4 Salt: 64 97 db 49 f1 18 b9 57 3b 02 53 37 b3 11 8e 44 71 d1 70 b2 b9 58 4c db e2 6b 36 95 7c dd d2 be AF stripes: 4000 AF hash: sha256 Area offset:548864 [bytes] Area length:258048 [bytes] Digest ID: 0 Tokens: Digests: 0: pbkdf2 Hash: sha256 Iterations: 105703 Salt: ae ac f1 9f df 47 27 9e 64 28 52 53 9a 9b cd 77 74 15 66 f6 8b 3c bd f4 29 dc f1 b1 c5 15 3b f6 Digest: 07 5f 2f 6b d3 c5 bf b6 54 58 5e b4 44 df 8c b8 2b da fa 5c 40 a5 89 cc 0e 3b 70 69 57 d5 7c f5 [root@nfs-rocky-1 ~]#@Hercules My exampled assumed, that you only have a password set on keyslot 0.
LUKS keyslots are starting at 0, so it seems, that you deleted the initial set password.
I hope, you know the other keyslots.As far I can see, you can specify, which keyslot has to be selected for unlocking the volume key.
More information you can find in the man page.man cryptsetup-luksaddkey cryptsetup luksAddKey /dev/md0 --new-key-slot 0 --key-slot 1Just to give you an update. The other keyslot was the key i added earlier for testing which i removed … So its time for me to copy over a lot of data to another system en recreate the luks volume. Thanks for your help!
@Hercules So it was possible to use one of the other keyslots to open the encryption?
Probably you can test your wanted configuration in a virtual machine with some small virtual drives to avoid any loss of data.
I found it relative difficult to find the correct UUID which had to be used when I setup my system in the past.So it was possible to use one of the other keyslots to open the encryption?
No it wasn’t. Luckely the luks parition was still mounted on my system so im making a backup, recreating the partiiton and the restoring …
I found an article from RedHat on how to restore a luks1 partitions keys while it is still mounted but this isn’t possible with luks2 :/
Is the
/etc/crypttab.dpath that you are using specificly chosen or can it be whatever? This path doesn’t exists on my system and online i don’t see any mentions of it.@Hercules I created it on my own, because I have some keys for other devices, too.
But you can place it, where you want.
But with crypttab.d I have a simple connection to crypttab configuration file.the crypttab.d thing is called a drop-in directory. linux will read files you make in these and overwrite the config files with the values in the drop-in files. it’s a way to add your own edits to config files without editing the default config files directly, so you don’t have to say manually copy crypttab to crypttab.old for a backup and instead always have a default config to fall back to if things go wrong by just commenting out your few changes in the drop-in file.
Thanks for your response!
I will give it a try. Have a great rest of your day!
i don’t know anything about raid, but judging by your manual command to unlock and mount it shouldn’t be any different than my non-raid extra encrypted disks setup.
it should be just adding it to crypttab and fstab and a keyfile and grub config edit maybe, and if you mess up you can still get in to edit these to try again with a liveusb (easiest way to go back to previous setup is just comment out the lines you add) and manually unlocking and mounting like you are now anyway, so don’t be scared.
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
is a lot but the specific info you need for your setup should be various places there and linked there. good luck!
