(Minor) problems with full disk encryption and LVM


Postby incas » 2018-01-26 14:24

I used guided FDE with LVM in my Debian Stable installation and there are two things I would like to change. I wasn't able to find help on a web search.

1. Debian assumed my primary disk device was sdb on installation. The installer named my USB stick I installed from sda, but after installation the system correctly sees my SSD as sda. Now my encrypted device is called sdb5_crypt. That might be just cosmetic but it irks me and I'd like to change that but I'm not sure how. If I change the label in /etc/crypttab I only get a second password prompt on boot. I also tried 'dmsetup rename' and that didn't seem to change anything.
Does anyone know where I can configure it?

2. After opening the cryptdevice on boot the system is not able to use the lvmetad service and I get error messages that it needs to search manually instead for volume groups. Now, it doesn't even make a difference if I disable the service and disable lvmetad in lvm.conf, I still get the messages. My guess is there is something misconfigured in the initramfs. I tried looking in the init scripts but I'm not really able to troubleshoot the problem completely. Any ideas? I got rid of the warnings before the password prompt by removing lines 11-16 in /usr/share/initramfs-tools/scripts/local-top/cryptroot, where it tries to load cryptroot after LVM, instead of before. Furthermore, using the UUIDs instead of labels in fstab is advised against in the Debian wiki.
incas
 
Posts: 5
Joined: 2018-01-22 18:42

Re: (Minor) problems with full disk encryption and LVM

Postby dotlj » 2018-01-27 02:48

Usually, Debian will use UUID by default to avoid this problem.

Please cat your /etc/crypttab, also your /etc/fstab, and then show the output from blkid

From this, you will be able to see the devices, the UUIDs and what is what. Then you can correct the problem.
If you have any doubts, post the outputs and someone here will be able to help.
dotlj
 
Posts: 599
Joined: 2009-12-25 17:21

Re: (Minor) problems with full disk encryption and LVM

Postby p.H » 2018-01-27 11:36

incas wrote:Debian assumed my primary disk device was sdb on installation. The installer named my USB stick I installed from sda, but after installation the system correctly sees my SSD as sda

There is no correct nor incorrect naming. Names are assigned in the discovery order, and the discovery order is, at most, unpredictable and not persistent. Bear with it.

incas wrote:Now my encrypted device is called sdb5_crypt. That might be just cosmetic

Yes, it is just cosmetic. However I complain about this encrypted device naming scheme in the installer because it confuses things when the underlying device name changes (and it does). IMO the installer should ask the user to provide a meaningful name, just as it does for LVM VGs and LVs, or partition and filesystem labels.

incas wrote: If I change the label in /etc/crypttab I only get a second password prompt on boot.

A (partial) copy of /etc/crypttab is embedded in the initramfs in order to be able to mount the root filesystem, so I guess that you need to rebuild the initramfs after modifying /etc/crypttab.
Code:
update-initramfs -u
p.H
 
Posts: 595
Joined: 2017-09-17 07:12

Re: (Minor) problems with full disk encryption and LVM

Postby incas » 2018-01-27 14:01

dotlj wrote:Usually, Debian will use UUID by default to avoid this problem.

Please cat your /etc/crypttab, also your /etc/fstab, and then show the output from blkid

From this, you will be able to see the devices, the UUIDs and what is what. Then you can correct the problem.
If you have any doubts, post the outputs and someone here will be able to help.

At least with encryption Debian will put the labels in fstab. https://wiki.debian.org/LVM#Labels

crypttab
Code:
sdb5_crypt UUID=9dff24fd-7710-4c34-aa19-069483c84e38 none luks

fstab
Code:
/dev/mapper/x230--vg-root /               ext4    errors=remount-ro 0       1
# /boot was on /dev/sdb1 during installation
UUID=b88afa0e-89b1-42f4-9020-012d7e1c1b2b /boot           ext2    defaults        0       2
/dev/mapper/x230--vg-home /home           ext4    defaults        0       2
/dev/mapper/x230--vg-swap_1 none            swap    sw              0       0

blkid
Code:
/dev/mapper/sdb5_crypt: UUID="g46fXU-4n2p-DcdF-jMnZ-3JeW-hhw7-azJQxM" TYPE="LVM2_member"
/dev/mapper/x230--vg-root: UUID="e246af5c-19dd-4c17-b1f6-9f2f05672404" TYPE="ext4"
/dev/sda1: UUID="b88afa0e-89b1-42f4-9020-012d7e1c1b2b" TYPE="ext2" PARTUUID="47ead8c8-01"
/dev/sda5: UUID="9dff24fd-7710-4c34-aa19-069483c84e38" TYPE="crypto_LUKS" PARTUUID="47ead8c8-05"
/dev/mapper/x230--vg-swap_1: UUID="76b8dfcf-1816-4584-87b0-b455ca8c8ac9" TYPE="swap"
/dev/mapper/x230--vg-home: UUID="5b93f123-fae1-4407-91c9-59b499336d6a" TYPE="ext4"
incas
 
Posts: 5
Joined: 2018-01-22 18:42

Re: (Minor) problems with full disk encryption and LVM

Postby incas » 2018-01-27 14:13

p.H wrote:
incas wrote: If I change the label in /etc/crypttab I only get a second password prompt on boot.

A (partial) copy of /etc/crypttab is embedded in the initramfs in order to be able to mount the root filesystem, so I guess that you need to rebuild the initramfs after modifying /etc/crypttab.
Code:
update-initramfs -u

This gives me a warning.
Code:
cryptsetup: WARNING: invalid line in /etc/crypttab for sdb5_crypt -

Edit2: Solved problem no. 1. I had to edit crypttab, then 'dmsetup rename', then update-initramfs. Found it here (https://unix.stackexchange.com/question ... -mapped-to)
incas
 
Posts: 5
Joined: 2018-01-22 18:42
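
Added example (not part of any post in this thread): a shell check that cross-references /etc/crypttab against blkid output and flags a mapping name that was derived from a kernel device name the disk no longer has, which is the sdb5_crypt on /dev/sda5 situation discussed above. The status words (OK, STALE_NAME, MISSING, NOT_LUKS, MALFORMED) and function names are this example's own, and the sample data is copied from the outputs posted earlier.

```shell
#!/bin/sh
# Added example; sample data is copied from the outputs posted in this thread.
sample_crypttab() {
    echo 'sdb5_crypt UUID=9dff24fd-7710-4c34-aa19-069483c84e38 none luks'
}
sample_blkid() {
    cat <<'EOF'
/dev/mapper/sdb5_crypt: UUID="g46fXU-4n2p-DcdF-jMnZ-3JeW-hhw7-azJQxM" TYPE="LVM2_member"
/dev/sda1: UUID="b88afa0e-89b1-42f4-9020-012d7e1c1b2b" TYPE="ext2" PARTUUID="47ead8c8-01"
/dev/sda5: UUID="9dff24fd-7710-4c34-aa19-069483c84e38" TYPE="crypto_LUKS" PARTUUID="47ead8c8-05"
EOF
}

# check_crypttab BLKID_OUTPUT CRYPTTAB: prints "STATUS target device" per entry.
check_crypttab() {
    awk '
    FILENAME == ARGV[1] {            # first file: index blkid output by UUID
        dev = $1; sub(/:$/, "", dev); uuid = ""; fstype = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^UUID=/) { uuid = $i; gsub(/^UUID=|"/, "", uuid) }
            if ($i ~ /^TYPE=/) { fstype = $i; gsub(/^TYPE=|"/, "", fstype) }
        }
        if (uuid != "") { devof[uuid] = dev; fsof[uuid] = fstype }
        next
    }
    /^[ \t]*(#|$)/ { next }          # second file: crypttab; skip comments and blanks
    NF < 2 { print "MALFORMED", $1, "-"; next }   # rule of this example: need target and source
    {
        target = $1; src = $2; dev = src
        if (src ~ /^UUID=/) {        # resolve UUID= sources through blkid
            uuid = substr(src, 6)
            if (!(uuid in devof)) { print "MISSING", target, src; next }
            if (fsof[uuid] != "crypto_LUKS") { print "NOT_LUKS", target, devof[uuid]; next }
            dev = devof[uuid]
        }
        kname = dev; sub(/.*\//, "", kname)           # /dev/sda5 -> sda5
        prefix = target; sub(/_crypt$/, "", prefix)   # sdb5_crypt -> sdb5
        kernel_like = (prefix ~ /^(sd[a-z]+|vd[a-z]+|nvme[0-9]+n[0-9]+p|mmcblk[0-9]+p)[0-9]+$/)
        if (target ~ /_crypt$/ && kernel_like && prefix != kname) {
            print "STALE_NAME", target, dev
        } else { print "OK", target, dev }
    }' "$1" "$2"
}

# Demo on the sample data.
demo=$(mktemp -d); sample_blkid > "$demo/blkid"; sample_crypttab > "$demo/crypttab"
check_crypttab "$demo/blkid" "$demo/crypttab"; rm -rf "$demo"
```

On a live system, save the output of blkid to a file and pass it with /etc/crypttab; a STALE_NAME result is the case the thread resolves by editing crypttab, running 'dmsetup rename', then update-initramfs -u.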

Re: (Minor) problems with full disk encryption and LVM

Postby dryden » 2018-02-07 20:54

incas wrote:then 'dmsetup rename', then update-initramfs.


Thanks for the pointer on that one, I never knew how to do that in an easy way.

The whole LVM/udev thing is just shabby.

The errors in initramfs are not important, they are not errors, just verbosity.

I never found it important enough to get rid of them.....
dryden
 
Posts: 80
Joined: 2015-02-04 08:54

