Bug 445737 - Encrypted root filesystem mount fails
Summary: Encrypted root filesystem mount fails
Status: RESOLVED WORKSFORME
Alias: None
Product: openSUSE 11.1
Classification: openSUSE
Component: Security
Version: Beta 5
Hardware: x86-64 Other
Importance: P3 - Medium : Major with 5 votes
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
 
Reported: 2008-11-17 17:36 UTC by David Bailey
Modified: 2008-11-18 16:02 UTC

Found By: Beta-Customer

Description David Bailey 2008-11-17 17:36:54 UTC
Following the work-around in http://en.opensuse.org/Encrypted_Root_File_System since YaST does not support root file encryption, testing with openSUSE 11.1 beta 5, I am no longer given the opportunity to enter the LUKS/dm-crypt password for my partitions and mounting root fails.

I have tried to add the pertinent kernel modules manually to see if this helps, but I cannot find the right combination to do so.

Optimally, a good way to resolve this would just be to make YaST allow root filesystem encryption using the technologies stated in the article.
Comment 1 Ludwig Nussel 2008-11-18 08:16:40 UTC
Please understand that Bugzilla is no discussion forum and the method described in the wiki is a quite unofficial one. So a better place to discuss this is one of our mailing lists.

Nevertheless, I've just recently successfully installed a SLES11beta5 (same code base) on encrypted / so the initrd is in principle capable of handling the situation. For testing I used this script: http://www.suse.de/~lnussel/mkcryptroot
Maybe it helps you debug your problem.
Comment 2 David Bailey 2008-11-18 15:31:09 UTC
That script helped me find the issue. It appears that I had an issue with updating the initrd and the boot loader. Thank you. I'll see if I can't update the wiki with my findings.
Comment 3 David Bailey 2008-11-18 15:55:02 UTC
BTW- the script appears to have a couple bugs.

1. The awk line mangled my luks_root= (or luks_crypt_root= ?) statements as well as removing the root= statement.

2. On the encrypted root mounted on /mnt, the /etc/fstab must be updated for the filesystem to boot correctly, or even though you decrypted the partition at boot, you are still mounting the unencrypted partition.
Comment 4 Ludwig Nussel 2008-11-18 16:02:58 UTC
(In reply to comment #3 from David Bailey)
> BTW- the script appears to have a couple bugs.

Well, fortunately it's just a hack and nothing I'd publish widely :-)

> 1. The awk line mangled my luks_root= (or luks_crypt_root= ?) statements as
> well as removing the root= statement.

They are not needed. mkinitrd records those values so the
generated initrd automatically uses them (at least if you call mkinitrd in a chroot).

> 2. On the encrypted root mounted on /mnt, the /etc/fstab must be updated for
> the filesystem to boot correctly, or even though you decrypted the partition at
> boot, you are still mounting the unencrypted partition.

IIRC that doesn't happen as / is already mounted by the kernel. fsck
will likely check the wrong partition though.
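
Comments 3 and 4 both turn on which device /etc/fstab names for /. The following is an added example, not part of the bug report or of the mkcryptroot script: a shell check that classifies the root entry of an fstab file against the raw LUKS partition. The device names (/dev/sda2, /dev/mapper/root) and the sample fstab contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: report which device an fstab file names for "/".
# All device names and file contents below are constructed for illustration.

# Print the source field (column 1) of the entry whose mount point is "/".
# Comment lines and lines with fewer than two fields are skipped.
fstab_root_source() {
    awk '$1 !~ /^#/ && NF >= 2 && $2 == "/" { print $1; exit }' "$1"
}

# Classify the root entry of fstab file $1 against the raw LUKS partition $2.
# Prints one of: mapped | raw | unverified | missing
classify_root_entry() {
    src=$(fstab_root_source "$1")
    case "$src" in
        "")            echo missing ;;     # no entry for "/" at all
        "$2")          echo raw ;;         # fstab still names the LUKS container itself
        /dev/mapper/*) echo mapped ;;      # fstab names an opened device-mapper target
        *)             echo unverified ;;  # UUID=, LABEL=, by-id paths: resolve by hand
    esac
}

# Constructed sample: fstab copied over from the unencrypted installation.
sample_dir=$(mktemp -d)
cat > "$sample_dir/fstab.stale" <<'EOF'
# constructed sample, root entry not yet updated
/dev/sda1         /boot  ext3  defaults  1 2
/dev/sda2         /      ext3  defaults  1 1
EOF

# Constructed sample: root entry changed to the dm-crypt mapping.
cat > "$sample_dir/fstab.fixed" <<'EOF'
# constructed sample, root entry updated
/dev/sda1         /boot  ext3  defaults  1 2
/dev/mapper/root  /      ext3  defaults  1 1
EOF

for f in "$sample_dir/fstab.stale" "$sample_dir/fstab.fixed"; do
    printf '%s: %s (%s)\n' "${f##*/}" \
        "$(classify_root_entry "$f" /dev/sda2)" "$(fstab_root_source "$f")"
done
rm -rf "$sample_dir"
```

A result of `raw` means fsck and any later remount would be pointed at the encrypted container rather than the opened mapping; `unverified` means the entry uses an identifier this check does not resolve.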