Bug 445737

Summary: Encrypted root filesystem mount fails
Product: [openSUSE] openSUSE 11.1
Reporter: David Bailey <dr>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED WORKSFORME
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P3 - Medium
Version: Beta 5
Target Milestone: ---
Hardware: x86-64
OS: Other
Whiteboard:
Found By: Beta-Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description David Bailey 2008-11-17 17:36:54 UTC
Following the work-around in http://en.opensuse.org/Encrypted_Root_File_System since YaST does not support root file encryption, testing with openSUSE 11.1 beta 5, I am no longer given the opportunity to enter the LUKS/dm-crypt password for my partitions and mounting root fails.

I have tried to add the pertinent kernel modules manually to see if this helps, but I cannot find the right combination to do so.

Optimally, a good way to resolve this would just be to make YaST allow root filesystem encryption using the technologies stated in the article.

Comment 1 Ludwig Nussel 2008-11-18 08:16:40 UTC
Please understand that Bugzilla is no discussion forum and the method described in the wiki is a quite unofficial one. So a better place to discuss this is one of our mailing lists.

Nevertheless I've just recently successfully installed a SLES11beta5 (same code base) on encrypted / so the initrd is in principle capable of handling the situation. For testing I used this script: http://www.suse.de/~lnussel/mkcryptroot
Maybe it helps you debug your problem.

Comment 2 David Bailey 2008-11-18 15:31:09 UTC
That script helped me find the issue. It appears that I had an issue with updating the initrd and the boot loader. Thank you. I'll see if I can't update the wiki with my findings.

Comment 3 David Bailey 2008-11-18 15:55:02 UTC
BTW- the script appears to have a couple bugs.

1. The awk line mangled my luks_root= (or luks_crypt_root= ?) statements as well as removing the root= statement.

2. On the encrypted root mounted on /mnt, the /etc/fstab must be updated for the filesystem to boot correctly, or even though you decrypted the partition at boot, you are still mounting the unencrypted partition.

Comment 4 Ludwig Nussel 2008-11-18 16:02:58 UTC
(In reply to comment #3 from David Bailey)
> BTW- the script appears to have a couple bugs.

Well, fortunately it's just a hack and nothing I'd publish widely :-)

> 1. The awk line mangled my luks_root= (or luks_crypt_root= ?) statements as
> well as removing the root= statement.

They are not needed. mkinitrd records those values so the generated initrd automatically uses them (at least if you call mkinitrd in a chroot).

> 2. On the encrypted root mounted on /mnt, the /etc/fstab must be updated for
> the filesystem to boot correctly, or even though you decrypted the partition at
> boot, you are still mounting the unencrypted partition.

IIRC that doesn't happen as / is already mounted by the kernel. fsck
will likely check the wrong partition though.
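
Comments 3 and 4 both turn on whether the root line in /etc/fstab still names the underlying partition after the move to an encrypted root. The check below is an added example, not part of this bug thread or of the mkcryptroot script; it assumes the mapping is listed in a crypttab-format file (name, source device, keyfile, options), and the function name and all sample device and mapping names are made up for illustration.

```shell
#!/bin/sh
# Added example: does the "/" entry in fstab name the dm-crypt mapping or the
# raw partition underneath it?
# Usage: check_root_fstab FSTAB CRYPTTAB
# Prints ok:<mapping>, raw:<device>, unmapped:<device> or noroot.
# Assumption: device names are compared as literal strings (no UUID=/by-id
# resolution), so both files must spell the device the same way.
check_root_fstab() {
    fstab=$1
    crypttab=$2

    # Source device of the first non-comment fstab line mounted on "/".
    root_src=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$fstab")
    if [ -z "$root_src" ]; then
        echo "noroot"
        return 2
    fi

    # crypttab fields: <mapping name> <source device> [keyfile] [options]
    verdict=$(awk -v src="$root_src" '
        $1 ~ /^#/ || NF < 2        { next }
        src == ("/dev/mapper/" $1) { print "ok:" $1;  found = 1; exit }
        src == $2                  { print "raw:" $2; found = 1; exit }
        END { if (!found) print "unmapped:" src }
    ' "$crypttab")

    echo "$verdict"
    case $verdict in
        ok:*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample files (device and mapping names are made up).
demo_dir=$(mktemp -d)
printf '%s\n' 'cr_root /dev/sda2 none none' > "$demo_dir/crypttab"
printf '%s\n' '/dev/sda2 / ext3 defaults 1 1' > "$demo_dir/fstab.stale"
printf '%s\n' '/dev/mapper/cr_root / ext3 defaults 1 1' > "$demo_dir/fstab.fixed"

check_root_fstab "$demo_dir/fstab.stale" "$demo_dir/crypttab"   # stale entry
check_root_fstab "$demo_dir/fstab.fixed" "$demo_dir/crypttab"   # updated entry
rm -rf "$demo_dir"
```

Run it against the fstab of the new root while it is still mounted under /mnt, before rebuilding the initrd; a non-zero exit status means the root line does not point at a listed mapping.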