Ignore mount of crypttab entry if device is not present?

SirSkorpan
Posts: 1
Joined: 2018-12-09 13:29

#1 Post by SirSkorpan »

I've a small server running a light Debian install (DietPi), though I'm testing things out on Debian on a VirtualBox VM.

I'd like to add multiple external HDDs as file storage. These HDDs should be encrypted. The server should be running headless (as in no monitor or keyboard attached), and I'd like the encrypted HDDs to be unlocked at boot without having to manually enter a password. So a keyfile then, but I don't want the keyfile to reside unprotected on the machine. So a keyfile on a USB pendrive, which I can remove after boot while still having access to the files on the external HDDs.

My setup at the moment on a clean Debian installation (on VirtualBox) is outlined below: /dev/sdb is the external drive (/dev/sdb1 its partition), the USB pendrive has the label "TEST", and the keyfile is located at /test-key.key on that device. I've made the following changes/additions:

```
$> cat /etc/fstab
UUID=<sda1> / ext4 errors=remount-ro 0 1
UUID=<sda2> /home ext4 defaults 0 2
UUID=<sda3> /tmp ext4 defaults 0 2
UUID=<sda4> /var ext4 defaults 0 2
/dev/mapper/crypthdd /ext_1 auto defaults,x-systemd.device-timeout=30,timeout=30,nofail 0 0

$> cat /etc/crypttab
crypthdd UUID=<sdb1's uuid> /dev/disk/by-label/TEST:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2,nofail
```

I've also added some cryptsetup scripts through initramfs hooks:

```
$> cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
$> cp /usr/share/initramfs-tools/hooks/cryptpassdev /etc/initramfs-tools/hooks/
```

As well as created a simple hook to add /sbin/cryptsetup to the initramfs:

```
$> cat /etc/initramfs-tools/hooks/add_cryptsetup
#!/bin/sh

PREREQ=""

prereqs()
{
  echo "$PREREQ"
}

case $1 in
prereqs)
  prereqs
  exit 0
  ;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /sbin/cryptsetup
```

I've also added some modules to the initramfs (my pendrive holds a FAT filesystem with the key):

```
$> cat /etc/initramfs-tools/modules
dm-crypt
nls_cp437
nls_ascii
```

Finally, I've attempted to stop systemd from pausing the boot, because it doesn't understand the crypttab entry, and updated the initramfs and grub:

```
$> touch /etc/systemd/system/systemd-cryptsetup@crypthdd.service
$> update-initramfs -u
$> update-grub
```

During the "update-initramfs -u" command I see this warning:

```
device-mapper: table ioctl on crypthdd failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for crypthdd
device-mapper: table ioctl on crypthdd failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for crypthdd
```

But it doesn't seem to have negatively affected the setup. This works apart from one important thing: if the encrypted external HDD is not present at boot, I get the following error:

```
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
...
```

until it enters the initramfs terminal or I connect the external drive; exiting the initramfs shell, the same sequence loops.

Where does this error come from and what does it mean?
How do I configure my system to ignore mounting a crypttab entry if the encrypted device is not present?
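To make the moving parts of the entry above concrete, here is an added example (not from the post or from Debian's cryptsetup scripts) that parses a crypttab line of the same shape, pulls the `keyscript=` option and the passdev `device:path:timeout` key spec out of it, and shows the decision a boot-time script has to make when the source device is absent: skip it when `nofail` is set, otherwise wait. The UUID and the missing-device path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: parse a crypttab line of the same
# shape (name, source, key spec, options) and decide what to do when the source
# device is absent. UUID and missing-device path below are constructed placeholders.

SAMPLE_LINE='crypthdd UUID=00000000-0000-0000-0000-000000000000 /dev/disk/by-label/TEST:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2,nofail'

# Print field $2 (1..4) of crypttab line $1; fields are whitespace-separated.
crypttab_field() {
  printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'
}

# Options are a comma-separated list; succeed if option $2 is present in $1.
has_option() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the value of key=value option $2 from options list $1 (fails if absent).
option_value() {
  _opts=",$1,"
  case "$_opts" in
    *",$2="*) _v=${_opts#*,$2=}; printf '%s\n' "${_v%%,*}" ;;
    *) return 1 ;;
  esac
}

# The passdev keyscript reads its key spec as device:path[:timeout].
passdev_device() { printf '%s\n' "${1%%:*}"; }
passdev_path()   { _rest=${1#*:}; printf '%s\n' "${_rest%%:*}"; }

# Given the options list $1 and the source device path $2, print the action:
# unlock when the device exists, skip when it is missing but nofail is set,
# wait (the boot blocks, as the post observes) otherwise.
decide_source() {
  if [ -e "$2" ]; then
    echo unlock
  elif has_option "$1" nofail; then
    echo skip
  else
    echo wait
  fi
}

# Stand-alone demo: the sample entry with its source device absent.
opts=$(crypttab_field "$SAMPLE_LINE" 4)
echo "keyscript=$(option_value "$opts" keyscript)"
echo "action=$(decide_source "$opts" /nonexistent/constructed-missing-source)"
```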
