Encrypted root fails without udev in initramfs

Similar Messages

• Plymouth graphical boot, encrypted root, and systemd...

  I'm having some difficulty getting Plymouth working with an encrypted root, and, systemd in the initramfs. I had identical issues getting Plymouth working without systemd in the initramfs, so that doesn't seem to be the issue.
  I installed plymouth-git from the AUR. I similarly tried this with the non-git AUR package as well, with no different results. While trying to use the non-git package, I used the sd-plymouth mkinitcpio module from Celti's Github (He maintain's the -git AUR package), as posted in the comments. This enables support for systemd support inside the initramfs for plymouth, through using the sd-plymouth hook in place of the normal plymouth flag. When using the normal plymouth flag, and base + udev in place of systemd in my hooks, the same thing happens, so it seems unlikely to be the systemd implementation.
  Anyhoo, when using plymouth and plymouth-encrypt in my hooks, I never get asked for a password to decrypt the root volume. It just presents the splash, and, that's all I ever see. After a couple of minutes, it dumps me to a black screen.
  The contents of my /etc/mkinitcpio.conf file
  MODULES=""
  BINARIES=""
  FILES=""
  HOOKS="systemd sd-plymouth autodetect modconf block keyboard plymouth-encrypt filesystems fsck"
  COMPRESSION="gzip"
  COMPRESSION_OPTIONS=""
  I use rEFInd, not grub or gummiboot, and my kernel options are as follows:
  rd.luks.name=945737e7-94a0-49a0-b1ab-b51cb497ec4a=root root=/dev/mapper/root initrd=intel-ucode.img initrd=initramfs-linux.img rw nomodeset add_efi_memmap quiet splash
  When booting, I'm greeted with my rEFInd GUI, it drops to a black screen for a fraction of a second, and loads Plymouth, and, sits there for about 90 seconds before dumping me to a black screen. When I type something on the keyboard, it shows up in the console, on top of the splash screen. It's almost as if plymouth isn't hooking the input. It fails to ask for a password or decrypt my root, too. I do notice when not using sd-plymouth, the splash logo appears to have an input box as if it at least knows it's attempting to decrypt it, but again, the input fails to go into the splash screen, but shows up (in cleartext) in the console at the top corner.
  Suggestions would be appreciated.

  Without hacking the encrypt hook, you'll only be able to unlock one volume at the same time. Afaik the device mapper asks for a password for each encrypted partition, and using one for all won't work, you have to repeat the process for each partition, whereas the encrypt hook only seems to be able to handle one partition. You can hack it, but I haven't done that (yet), it's already quite messy you have to hack the hook file to make it apply to non-root partitions.

• [solved] kernel 2.6.27 - open LUKS encrypted root partition fails

  Hi,
  after updating to kernel 2.6.27 the passphrase for my LUKS encrypted root partition does not work anymore.
  I get this error messages:
  Enter LUKS passphrase:
  device-mapper: table: 254:0 crypt: Error allocating crypto tfm
  device-mapper: ioctl: error adding target to table
  device-mapper: ioctl: device doesn't appear to be in the dev hash table.
  Command failed: No key available with this passphrase.
  Enter LUKS passphrase:
  With a old (2.6.25) vanilla kernel it works.
  any ideas?
  EDIT
  Solved.
  The Problem was that I had this line in my mkinitcpio.conf to get rid of the padlock-error-message at boot.
  #CRYPTO_MODULES="aes_i586 aes_generic sha256_generic"
  With kernel 2.6.27 there are new / more modules needed to open the LUKS encryptet root partition.
  So I removed the line from mkinitcpio.conf and deletet the padlock modules in /lib/modules/2.6.27-ARCH before regenarating the initrd image.
  Thanks to GerBra for the tip.
  Last edited by SiD (2008-10-22 11:41:56)

  I'm not shure, but think ... yes.

• [SOLVED] Encrypted root, /boot on USB, cryptkey issue

  Well to the topic. Followed this guide.
  Usb flash drive with GRUB and a keyfile on it. Encrypted root.
  grub.cfg
  linux /vmlinuz-linux root=UUID=<uuid> ro cryptdevice=/dev/disk/by-id/<id>:luks cryptkey=/dev/disk/by-uuid/<uuid>:ext2:/key ipv6.disable=1 quiet
  echo 'Loading initial ramdisk ...'
  initrd /initramfs-linux.img
  mkinitcpio.conf
  MODULES="ata_generic ata_piix nls_cp437 ext2 i915"
  HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck consolefont"
  Result: "Meh can't read a keyfile. Please input a passphrase om nom nom."
  Tried:
  1. Quadruple-checked UUID's, used /dev/sdX instead of them.
  2. Using different modules, like nls_utf8, removing ata_* stuff.
  3. Playing with <path> and <keyfile> strings, slashes, e t c.
  4. A barrel roll.
  Is it actually possible to make that filesystem key reading work? If not, how can I get physical offset of keyfile in a filesystem?
  UPDATE:
  Trouble in device detection speed. Any other usb media get's recognized instantly, while the one I booted from is slow like hell.
  Last edited by wfoojjaec (2013-08-14 14:37:11)

  Marked as solved.
  It seems that origin of a bug was somewhere in a kernel. After a recent update, done today of a 'linux' package a /boot usb device is properly recognized after about 5 seconds passed from poweron (instead of a full initialization at ~270 sec and hanging udev before).
  A hack with fstab & noauto is not required now. <_<

• Encrypted root with btrfs

  So I'm trying to set up my system with /dev/sda1 as a 500mb boot partition and /dev/sda2 as a plain dm crypted btrfs partition.
  I've got it all set up and I can chroot into it. Everything is fine except it won't boot into a functional system
  i've installed mkinicpio-btrfs from aur and reran mkinitcpio.
  i can't figure out where the problem is. any ideas?
  FSTAB
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  #### /dev/mapper/btrfs LABEL=btrfs
  ####UUID=78a05d43-f52a-4086-9255-5062e5fcbb94 / btrfs rw,relatime,space_cache,subvol=__active/rootvol 0 0
  #### /dev/mapper/btrfs LABEL=btrfs
  ####UUID=78a05d43-f52a-4086-9255-5062e5fcbb94 /home btrfs rw,relatime,space_cache,subvol=__active/home 0 0
  # /dev/mapper/btrfs LABEL=btrfs
  /dev/mapper/btrfs / btrfs rw,noatime,compress=lzo,discard,autodefrag,inode_cache,subvol=__active/rootvol 0 0
  /dev/sda2 /boot ext2 defaults 0 2
  # /dev/mapper/btrfs LABEL=btrfs
  /dev/mapper/btrfs /home btrfs rw,noatime,compress=lzo,discard,autodefrag,inode_cache,subvol=__active/home 0 0
  # /dev/mapper/btrfs LABEL=btrfs
  /dev/mapper/btrfs /mnt/defvol btrfs rw,noatime,compress=lzo,discard,autodefrag,inode_cache 0 0
  syslinux.cfg
  # Config file for Syslinux -
  # /boot/syslinux/syslinux.cfg
  # Comboot modules:
  # * menu.c32 - provides a text menu
  # * vesamenu.c32 - provides a graphical menu
  # * chain.c32 - chainload MBRs, partition boot sectors, Windows bootloaders
  # * hdt.c32 - hardware detection tool
  # * reboot.c32 - reboots the system
  # To Use: Copy the respective files from /usr/lib/syslinux to /boot/syslinux.
  # If /usr and /boot are on the same file system, symlink the files instead
  # of copying them.
  # If you do not use a menu, a 'boot:' prompt will be shown and the system
  # will boot automatically after 5 seconds.
  # Please review the wiki: https://wiki.archlinux.org/index.php/Syslinux
  # The wiki provides further configuration examples
  DEFAULT arch
  PROMPT 0 # Set to 1 if you always want to display the boot: prompt
  TIMEOUT 50
  # You can create syslinux keymaps with the keytab-lilo tool
  #KBDMAP de.ktl
  # Menu Configuration
  # Either menu.c32 or vesamenu32.c32 must be copied to /boot/syslinux
  UI menu.c32
  #UI vesamenu.c32
  # Refer to http://syslinux.zytor.com/wiki/index.php/Doc/menu
  MENU TITLE Arch Linux
  #MENU BACKGROUND splash.png
  MENU COLOR border 30;44 #40ffffff #a0000000 std
  MENU COLOR title 1;36;44 #9033ccff #a0000000 std
  MENU COLOR sel 7;37;40 #e0ffffff #20ffffff all
  MENU COLOR unsel 37;44 #50ffffff #a0000000 std
  MENU COLOR help 37;40 #c0ffffff #a0000000 std
  MENU COLOR timeout_msg 37;40 #80ffffff #00000000 std
  MENU COLOR timeout 1;37;40 #c0ffffff #00000000 std
  MENU COLOR msg07 37;40 #90ffffff #a0000000 std
  MENU COLOR tabmsg 31;40 #30ffffff #00000000 std
  # boot sections follow
  # TIP: If you want a 1024x768 framebuffer, add "vga=773" to your kernel line.
  LABEL arch
  MENU LABEL Arch Linux
  LINUX ../vmlinuz-linux
  APPEND root=/dev/mapper/btrfs cryptdevice=/dev/sda2:btrfs rw
  INITRD ../initramfs-linux.img
  LABEL archfallback
  MENU LABEL Arch Linux Fallback
  mkinitcpio.conf
  # vim:set ft=sh
  # MODULES
  # The following modules are loaded before any boot hooks are
  # run. Advanced users may wish to specify all system modules
  # in this array. For instance:
  # MODULES="piix ide_disk reiserfs"
  MODULES="crc32c"
  # BINARIES
  # This setting includes any additional binaries a given user may
  # wish into the CPIO image. This is run last, so it may be used to
  # override the actual binaries included by a given hook
  # BINARIES are dependency parsed, so you may safely ignore libraries
  BINARIES=""
  # FILES
  # This setting is similar to BINARIES above, however, files are added
  # as-is and are not parsed in any way. This is useful for config files.
  FILES=""
  # HOOKS
  # This is the most important setting in this file. The HOOKS control the
  # modules and scripts added to the image, and what happens at boot time.
  # Order is important, and it is recommended that you do not change the
  # order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
  # help on a given hook.
  # 'base' is _required_ unless you know precisely what you are doing.
  # 'udev' is _required_ in order to automatically load modules
  # 'filesystems' is _required_ unless you specify your fs modules in MODULES
  # Examples:
  ## This setup specifies all modules in the MODULES setting above.
  ## No raid, lvm2, or encrypted root is needed.
  # HOOKS="base"
  ## This setup will autodetect all modules for your system and should
  ## work as a sane default
  # HOOKS="base udev autodetect block filesystems"
  ## This setup will generate a 'full' image which supports most systems.
  ## No autodetection is done.
  # HOOKS="base udev block filesystems"
  ## This setup assembles a pata mdadm array with an encrypted root FS.
  ## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
  # HOOKS="base udev block mdadm encrypt filesystems"
  ## This setup loads an lvm2 volume group on a usb device.
  # HOOKS="base udev block lvm2 filesystems"
  ## NOTE: If you have /usr on a separate partition, you MUST include the
  # usr, fsck and shutdown hooks.
  HOOKS="base udev autodetect encrypt lvm2 modconf block filesystems keyboard fsck btrfs"
  # COMPRESSION
  # Use this to compress the initramfs image. By default, gzip compression
  # is used. Use 'cat' to create an uncompressed image.
  #COMPRESSION="gzip"
  #COMPRESSION="bzip2"
  #COMPRESSION="lzma"
  #COMPRESSION="xz"
  #COMPRESSION="lzop"
  #COMPRESSION="lz4"
  # COMPRESSION_OPTIONS
  # Additional options for the compressor
  #COMPRESSION_OPTIONS=""
  and this is what happens when i try to boot into it
  http://i.imgur.com/FeaBjvC.jpg
  -- mod edit: read the Forum Etiquette and only post thumbnails http://wiki.archlinux.org/index.php/For … s_and_Code [jwr] --

  falconindy wrote:You're not passing any subvol in your bootloader config.
  thanks that was the problem. it's running perfectly now. it's a great feeling diving into something deep in the command line and accomplishing it. making things work in arch is one of the most satisfying things ever.
  Strongly recommend against mkinitcpio-btrfs, BTW. Its unmaintained, archaic, and unnecessary for most folks. Device assembly can be done entirely with udev.
  so what do i need as far as hooks? just encrypt? or do i still need btrfs?
  and is it going to create problems? i've already done it. does it require a reformat and starting over? can i uninstall mkinitcpio-btrfs and just run mkinitcpio again? or should i just leave it be since it's working?
  edit: added rootflags=subvolume=__active/roovol
  Last edited by risho (2014-09-07 06:29:28)

• Luks encrypted root on sd card - problem with hooks

  Hi,
    I was trying to set up my arch system on an SD card on EeePC. I was using arch like that for about 4 months already, before my card crapped out, so now I have to reinstall it on a new card.
    This time I thought I make an effort and use encrypted root, just like it is in the wiki.
    I followed it exactly, and everything went fine - except when I actually tried to boot the system, it didn't work. Apparently the "encrypt" hook is being executed earlier than my /dev/sdb2 is recognized by the system.
     However, when I use the arch-install cd to boot it ("arch root=/dev/sdb2") it correctly asks for my password and everything is fine, I'm in my newly installed system!
     So, is this difference because the arch-install uses a different order of hooks? Or because it has to wait for the cdrom to settle, the /dev/sdb2 is not too late anymore?
     I guess one solution would be is adding a "sleep 5" or something to the "encrypt" hook at installation. Where does the arch install find that version of "encrypt" that mkinitcpio uses during the install?
      Or - is there any better solution? Like rearranging the order of hooks?
      Thanks!

  It doesn't seem to help - i think the "rootdelay=" kernel parameter only appears to have a difference at a different stage (and I think the [usb] hook has that already)
  The problem is, that the udev hook (or the hardware recognition in [autodetect]?) doesn't finish before the [encrypt] hook runs.
  I can see, that the hook [encrypt] passes, and a few lines afterwards  "waiting for devices to settle", then the /dev/sdb is recognized....
  Using the install CD - all hardware section finishes way before [arch_encrypt]...

• Payables Open Interface Pgm fails without any error(Very urgent)

  All,
  I'm into an integration project where in I'm pushing Invoice doc from a third party appln to Oracle apps (11.5.10.2) thru payables open interface. The integration is smooth till today. We pushed a record today, but the concurrent neither picks up the data but failed with 'completed error' status. When I delete the same record from the interface, the concurrent runs fine. So we are sure there is some issue with the data in my record. Since concurrent is failed without any reason, from where I can get the log to know what is the actual problem with that record? Pls help me with your inputs.
  Thanks,
  Sen

  Sen,
  To enable trace, please refer to this document (skip the part about generating TKPROF, just check the concurrent request output file if more details about the error are logged after enabling trace and setting the profile option).
  Note: 453527.1 - How To Trace a Concurrent Request And Generate TKPROF File
  https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=453527.1
  The database log file can be usually found under $ORACLE_HOME/admin/<SID>_<hostname>/bdump directory (or from SQL*Plus, issue "show parameter background_dump_dest").
  Regards,
  Hussein

• Publishing of the translation for an Iview fails without any notice

  We face the followoing problem with an custom IView in SAP portal:
  The publishing of the translation for an Iview fails without any notice it only works directly after the IView was deployed.
  The translation is done by first generating the translation data then translating to the several languages, marking the data as translated. After that the translation is published via the Translation Worklist Coordination.
  All is done in the Portal under Contenet-Administration->Portal Content Translation, Translation Worklist Coordination and Worklist Translation
  The publishing works directly after deployment of an iView but if one tries to retranslate the translation is saved in the repository but not published. If we delete the translation Worklist and start over again the translations that are not published are still in the generated data but still we can’t publish them.
  There is no Information that the publication failed or anything. In the Worklist it just goes back to normal state where we can again generate the translation data.
  The Iview is a Java IView for the translation a properties file was created and all the words from properties file show up in the generated data from the Worklist.
  We could deploy the Iview every time the translation needs to be changed but the customer wants to do the translation without that step.
  We use the following Versions:
  Sap Portal nw2004s
  sap.com/SAP-JEECOR 7.00 SP10 (1000.7.00.10.0.20061026144500) 20070119122211
  sap.com/SAP-JEE 7.00 SP10 (1000.7.00.10.0.20061026144500) 20070119121940
  Thanks 4 Help

  Please review the terms of your Comcast agreement. Many agreements include scheduled price increases, and typically state that prices will return to the prevailing (almost always higher) rates when the agreement expires.
  If you still have questions contact one of their Billing reps at the phone number on your bill or 1-800-Comcast, chat with them using one of the "Account and Bill" options at https://www.comcastsupport.com/chatentry/, or visit a Service Center if one is nearby (check locations and hours at http://customer.xfinity.com/service-center-locations).
  Comcast sometimes responds to questions here in the forums, and sometimes they do not. When they do the typical response time is somewhere between a few hours and a few days.

• Fsck on root partition without live CD

  Hi,
  For some unknown reason, I have to manually repair the root filesystem, but obviously every time I try, fsck tells me that the partition is mounted.
  I know I could use some live CD, or pendrive, but turns out my live CD is VERY scratched, and my BIOS can't boot from a pendrive. Of course I could go and buy another cd, but there must be another way, so here I am.
  Back in the old days, with sysv init, the only thing I had to do was enter the single-user-mode, and do the repair. Now, it is impossible, because "/" is always mounted. I've tried "systemd.unit=rescue.target" from grub, and "mount -o remount,ro /", I also prayed to my computer, but none of these things worked.
  So, is there any way to fsck the root partition without using a pendrive or live cd?
  Thank you.

  You may not be able to directly boot from a pendrive, but you can boot to your bootloader.  From the bootloader, it should be possible to start Arch from the pendrive.  I am not at my Arch machine right now, and ssh'ing into it won't let me play in Grub, but I think Grub should be able to handle USB drives out-of-the-box.  If not, I know the correct drivers can be installed to the boot partition.
  https://wiki.archlinux.org/index.php/Gr … _From_GRUB talks of how to modify the Grub menu to do this, but you should be able to hand-fly Grub by adapting this.

• How to retrive data from encrypted backup(failed in itunes) - i have the password!!

  I know there are other software that may help to retrive the data but it doesn't work with encrypted backup.
  Now i have the password, i have the encrypted backup (failed to recover in itunes).
  What can i do? is it possible to remove the password from the encrypted backup provided that i have the password????

  No, it's not possible.
  What happens when trying to restore the backup via iTunes?  It is entirely possible that the backup is simply corrupted.

• [SOLVED] Encrypted root on USB drive problem

  Hi,
  I have encrypted root on external USB harddrive. On one machine it works just fine, LUKS ask for password and system starts.
  On second it does not work. I tryed nearly all possible combinations of modules and hooks. I can also access my usb drive if I use break=y. I am using current kernel & utils, I definitely use right paths...
  Machine is an Dell with Intel chipset. My USB drive is like this:
    /dev/sdb1 - big fat32
    /dev/sdb2 - ext2 boot with Grub, kernel and initrd image
    /dev/sdb3 - root fs, reiserfs encrypted with LUKS
  I made little debuging and it seems that encrypt hook was launched, but did not make anything. Before I digg deeper I wonder that someone had same problem, or can give me advice.
  Kernel panic screenshot:
  PS: how can I put busybox to initrd image? echo * sucks.
  Thanks
  Last edited by Trained.Monkey (2007-10-10 09:42:13)

  I solved, problem is that encrypt is running BEFORE usb drive is fully initialized. Encrypted partition is not found and not used.
  Solotion:
  put sleep 5 at beggining of encrypt hook. You must also add sleep binary at installer.

• CRES encrypted mails even without the 'key' word

  Hi
  We have CRES enabled, and it does send out encrypted mails when we type in our "key" word in the subject or body.
  The issue is at times, when the selected user sends non-encrypted mails, the subject and the body of the email does not contain
  any of the "key" words, it even then encrypts the mail and sends it accross.
  We have observed this for a couple of users, so we removed these users from the Allowed list of users, who can encrypt their email,
  and re-inserted these users to encrypt, the mail, it works fine for them now.
  But now again another set of users are complaining of the mails being sent out as encrypted, thought they are not having any
  "key" words that are needed to send out the mail as encrypted.
  Any one faced this kind of issue or any work around for this, kindly advise.
  Regards,
  Tauseef

  Hi Tauseef,
  I would recommend you to use the Message Tracking so you can understand the message flow. The message is probably triggering the Encryption action.
  You could also use the Trace feature at:
  System Administration -> Trace
  So you can simulate a message and how the Cisco ESA will handle the message.
  If you are not confortable sharing the config (policies/filters) and the tracking in the forum, I would suggest you to open a TAC ticket so an Engineer can assist you identifying what is causing the message to be encrypted.
  I would say your Cisco ESA will not encrypt the message without a clear command to do so. The only question remaining is what is causing the action to encrypt to be triggered. I believe you know, but action can be triggered in a message filter, in a content filter and in a DLP policy. There is another option, using the Plug-in for encryptign the message locally but since you did not mention this, I am guessing this is out f the list. I would recommend reviewing the configuration and the message tracking data. That way you can determine what is causing the messages to be encryted.
  If you need further assistance from the forum, please share more data.
  I hope this helps.
  -Valter

• HT6598 Update to ios 8.1.2 requires a billion GB of space and when I finally managed to clear enough it fails without telling me why.

  STupid update has been staring me in the face for months, telling me it needs 6.2 GB of space to install when its only 1.4 GB large. After I finally remove almost half of my stuff I have the space required and I click install. The installation keeps failing without telling me why. Just a bloody popup telling me that it failed. Tried connecting to charger, tried rebooting. Nothing works.

  Feel lucky.  Lot of people are having wifi problems with 8.x.
  You should try to update from iTunes.  iTunes requires less space on your machine for the update.
  Robert

• AR Autoivoice fails without any error

  Autoivoice fails without any error, the lines remains in the Interface Lines. I do not get any exception or error, but the invoice is not created. After running Autoinvoce, Sales Order status is closed, so the problem is with the Autoinvoice..
  Any ideas of solving this problem? Thank you..

  It is completed, there is nothing in the log file but this Warning: some records remaining in ra_interface_lines..it looks as if it had completed normally, but the invoices are not created..there is no error shown..
  Could it be the problem the Accounting and Invoicing rules that are set to Monthly?
  Thank you.

• [SOLVED] Trouble installing with encrypted root system

  I'm trying to install with an encrypted root filesystem following the wikiguide: http://wiki.archlinux.org/index.php/Enc … Filesystem
  I've downloaded the latest 0.7.1 ISO with 2.6.15-12 kernel.
  All I get when I try to intall a bootloader is
  Missing/Invalid root partition
  Errormsg taken from the top of my head
  Any suggestions? Isn't the guide applicable on 0.7.1 / 2.6.15-2-kernel?

  It was all my bad.. I somehow forgot to configure a mount for /boot.