Ignore mount of crypttab entry if device is not present?


Postby SirSkorpan » 2018-12-09 19:29

I've a small server running a light Debian install (DietPi), though I'm testing things out on Debian on a VirtualBox VM.

I'd like to add multiple external HDDs as file storage. These HDDs should be encrypted. The server should be running headless (as in no monitor or keyboard attached), and I'd like the encrypted HDDs to be unlocked at boot without having to manually enter a password. So a keyfile then, but I don't want the keyfile to reside unprotected on the machine. So a keyfile on a USB pendrive, which I can remove after boot while still having access to the files on the external HDDs.

My setup at the moment on a clean Debian installation (on VirtualBox) is outlined below. /dev/sdb is the external drive and /dev/sdb1; the USB pendrive has a label of "TEST" and the keyfile is located at /test-key.key on this device. I've made the following changes/additions:
Code:
$> cat /etc/fstab
UUID=<sda1> / ext4 errors=remount-ro 0 1
UUID=<sda2> /home ext4 defaults 0 2
UUID=<sda3> /tmp ext4 defaults 0 2
UUID=<sda4> /var ext4 defaults 0 2
/dev/mapper/crypthdd /ext_1 auto defaults,x-systemd.device-timeout=30,timeout=30,nofail 0 0

$> cat /etc/crypttab
crypthdd UUID=<sdb1's uuid> /dev/disk/by-label/TEST:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2,nofail


I've also added some cryptsetup scripts through initramfs hooks:
Code:
$> cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
$> cp /usr/share/initramfs-tools/hooks/cryptpassdev /etc/initramfs-tools/hooks/


I've also created a simple hook to add /sbin/cryptsetup to the initramfs:
Code:
$> cat /etc/initramfs-tools/hooks/add_cryptsetup
#!/bin/sh

PREREQ=""

prereqs()
{
  echo "$PREREQ"
}

case $1 in
prereqs)
  prereqs
  exit 0
  ;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /sbin/cryptsetup


I've also added some modules to initramfs (my pendrive holds a FAT filesystem with the key):
Code:
$> cat /etc/initramfs-tools/modules
dm-crypt
nls_cp437
nls_ascii


Finally, I've attempted to silence systemd from pausing booting, because it doesn't understand the crypttab entry, and updated initramfs and grub:
Code:
$> touch /etc/systemd/system/systemd-cryptsetup@crypthdd.service
$> update-initramfs -u
$> update-grub


During the "update-initramfs -u" command I see this warning.
Code:
device-mapper: table ioctl on crypthdd failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for crypthdd
device-mapper: table ioctl on crypthdd failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for crypthdd


But it doesn't seem to have negatively affected the setup. This works apart from one important thing. If the encrypted external HDD is not present at boot I will get the following error:
Code:
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
...


until it enters the initramfs terminal or I connect the external drive. On exiting the initramfs, the same sequence will loop.

Where does this error come from and what does it mean?
How do I configure my system to ignore mounting a crypttab entry if the encrypted device is not present?
SirSkorpan
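
A diagnostic for the setup described in the post, as an added example that is not part of the original post: it parses crypttab entries and reports, per entry, whether the source device exists and whether the initramfs option asks for it to be set up at the initramfs stage. The function names, the DEVROOT-style second argument and the sample UUIDs are assumptions made up for this example.

```shell
#!/bin/sh
# Added example: per crypttab entry, report source presence and unlock stage.
# The optional devroot argument (default /dev) is a hypothetical test override.

# Map a crypttab source field (UUID=, LABEL= or a /dev path) to a device node.
resolve_source() {
    src=$1 devroot=${2:-/dev}
    case $src in
        UUID=*)  echo "$devroot/disk/by-uuid/${src#UUID=}" ;;
        LABEL=*) echo "$devroot/disk/by-label/${src#LABEL=}" ;;
        /dev/*)  echo "$devroot/${src#/dev/}" ;;
        *)       echo "$src" ;;
    esac
}

# Succeeds if comma-separated option list $1 holds option $2 (bare or key=).
has_option() {
    case ",$1," in
        *,"$2",*|*,"$2"=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "name presence stage policy" for every entry in crypttab file $1.
crypttab_report() {
    file=$1 devroot=${2:-/dev}
    while read -r name src key opts rest; do
        case $name in ''|'#'*) continue ;; esac   # skip blanks and comments
        node=$(resolve_source "$src" "$devroot")
        if [ -e "$node" ]; then presence=present; else presence=absent; fi
        if has_option "$opts" initramfs; then stage=initramfs; else stage=late; fi
        if has_option "$opts" nofail; then policy=nofail; else policy=required; fi
        echo "$name $presence $stage $policy"
    done < "$file"
}

# Constructed sample: first entry uses the post's options with its source
# missing, second has its source present. UUIDs are made up.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dev/disk/by-uuid"
    : > "$tmp/dev/disk/by-uuid/1111-present"
    cat > "$tmp/crypttab" <<'EOF'
# <name> <source> <keyfile> <options>
crypthdd UUID=0000-absent /dev/disk/by-label/TEST:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2,nofail
cryptbak UUID=1111-present none luks,nofail
EOF
    crypttab_report "$tmp/crypttab" "$tmp/dev"
    rm -rf "$tmp"
}
demo
```

On a real system, crypttab_report /etc/crypttab prints one line per entry; an entry shown as "absent initramfs" is one that will be attempted at the initramfs stage while its source device is missing, the situation in which the post reports the loop.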