Hi folks,

I have Alpine Linux installed in an encrypted LUKS partition. I came across this tutorial which shows how to set up a key on a USB drive so that when the drive is inserted and the computer is booted, the LUKS partition auto-unlocks with the key on the USB drive.

https://askubuntu.com/questions/1414617/configure-ubuntu-22-04-zfs-for-automatic-luks-unlock-on-boot-via-usb-drive

I would like to set up the same thing, but I do not have Alpine Linux installed on ZFS, so I’m looking for ways to adapt the instructions.

So far, what I’ve done is:

  1. I’ve set up the key on the USB stick and I can unlock the LUKS partition with that key.
  2. I created a /etc/mkinitfs/features.d/usb-unlock.sh script with the following content:

(the echo to /dev/kmsg was to check whether the script did indeed run at boot by trying to print to the kernel messages, but I can’t find anything in the kernel messages).

#!/bin/sh

echo "usb-unlock script starting..." > /dev/kmsg

USB_MOUNT="/mnt/my-usb-key" # The USB stick mounting point
LUKS_KEY_FILE="awesome.key"  # The name of your keyfile on the USB stick

mkdir -p "$USB_MOUNT"  # the mount point does not exist in a fresh initramfs

# Search for the USB stick with the key
for device in /dev/disk/by-uuid/*; do
    # skip devices that cannot be mounted (and do not umount a path that was never mounted)
    mount -o ro "$device" "$USB_MOUNT" 2>/dev/null || continue
    if [ -f "$USB_MOUNT/$LUKS_KEY_FILE" ]; then
        # Unlock the LUKS partition, then release the USB stick before leaving
        if cryptsetup luksOpen /dev/sda3 cryptroot \
            --key-file "$USB_MOUNT/$LUKS_KEY_FILE"; then
            umount "$USB_MOUNT"
            exit 0
        fi
    fi
    umount "$USB_MOUNT"
done
echo "No USB key found, falling back to password prompt." # this message never appears, despite not having found the key on the usb stick

echo "usb-unlock script ending." > /dev/kmsg
  3. I added usb-unlock to the features in mkinitfs.conf:

mytestalpine:~# cat /etc/mkinitfs/mkinitfs.conf 
features="ata base ide scsi usb virtio ext4 cryptsetup keymap usb-unlock"

  4. I ran mkinitfs to rebuild the initramfs, then rebooted to test the implementation, which was unsuccessful.

What am I missing / doing wrong? Thank you for your help!

Edit: forgot to add step 4
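An added example (not the OP's script and not part of Alpine's mkinitfs) showing a hardened version of the search above: it mounts only the stick whose filesystem UUID is known (USB_FS_UUID is a placeholder to fill in from blkid), read-only with nodev,nosuid,noexec, waits briefly for the device node to appear, and always unmounts the stick before handing control back. How and when the initramfs invokes it is an assumption, not something taken from mkinitfs.

```shell
#!/bin/sh
# Added example (not the OP's script): hardened USB-key search for the initramfs.
# Assumes /dev is populated and BusyBox mount/cryptsetup are available when it runs.
USB_FS_UUID="${USB_FS_UUID:-00000000-0000-0000-0000-000000000000}"  # placeholder UUID
USB_MOUNT="${USB_MOUNT:-/mnt/my-usb-key}"
LUKS_KEY_FILE="${LUKS_KEY_FILE:-awesome.key}"
LUKS_DEV="${LUKS_DEV:-/dev/sda3}"
LUKS_NAME="${LUKS_NAME:-cryptroot}"

# Log to the kernel ring buffer so messages survive in dmesg; fall back to stderr.
log() { echo "usb-unlock: $*" > /dev/kmsg 2>/dev/null || echo "usb-unlock: $*" >&2; }
# wait_for_device PATH SECONDS: the by-uuid symlink may not exist yet when the
# initramfs runs, so poll briefly instead of failing on the first look.
wait_for_device() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -e "$1" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}
# find_key_file DIR NAME: print the key path only if it is a regular, non-empty file.
find_key_file() {
    f="$1/$2"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    printf '%s\n' "$f"
}
# usb_unlock: mount only the known stick (ro, nodev/nosuid/noexec), open the LUKS device
# with the key, always unmount again. Returns 0 on success, 1 to fall back to the prompt.
usb_unlock() {
    dev="/dev/disk/by-uuid/$USB_FS_UUID"
    wait_for_device "$dev" 5 || { log "key stick $dev not present"; return 1; }
    mkdir -p "$USB_MOUNT"
    mount -o ro,nodev,nosuid,noexec "$dev" "$USB_MOUNT" 2>/dev/null \
        || { log "cannot mount $dev"; return 1; }
    rc=1
    if key=$(find_key_file "$USB_MOUNT" "$LUKS_KEY_FILE"); then
        cryptsetup luksOpen --key-file "$key" "$LUKS_DEV" "$LUKS_NAME" && rc=0
    else
        log "no $LUKS_KEY_FILE on $dev"
    fi
    umount "$USB_MOUNT"
    return "$rc"
}

# Only touch block devices when explicitly asked, so sourcing the file for tests is safe.
if [ "${USB_UNLOCK_RUN:-0}" = 1 ]; then
    usb_unlock || log "no USB key found, falling back to password prompt"
fi
```

Run it with USB_UNLOCK_RUN=1 from the initramfs; without that variable it only defines the functions.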

  • The Hobbyist (OP) · edited · 3 months ago

    I’m very grateful for your extended help. I’ve made some progress. I’m able to get the prompt to appear asking me for my passphrase to unlock the right partition (sda3 in my case). Entering the passphrase, however, drops me in the Dracut emergency shell after ~3min of dracut logs, seemingly looping. (Edit: the reason why it drops me in the shell is very unclear. It says Dropping to debug shell. /bin/sh: can't access tty: job control turned off. And if I try to exit the dracut shell, it says dracut Warning: could not boot.).

    In the Dracut emergency shell, checking /dev/mapper/ I see a luks-<sda3-uuid> listed. Running blkid I see it listed too with TYPE=crypto_LUKS. I also see a /dev/dm-0 with a dedicated UUID, in ext4. I ran blkid, which shows:

    /dev/mapper/luks-705fc477-573a-4ef6-81b6-a14c43cda1f5: UUID="57955343-922a-4918-9bc1-797ca8d13a9c" TYPE="ext4"
    /dev/sda1: UUID="cc5e0b03-3544-4bef-ab8b-8b72dd236926" TYPE="ext4"
    /dev/sda2: UUID="4df1af6c-3199-4bb2-bb12-bcf897cfc6fc" TYPE="swap"
    /dev/sda3: UUID="705fc477-573a-4ef6-81b6-a14c43cda1f5" TYPE="crypto_LUKS"
    /dev/dm-0: UUID="57955343-922a-4918-9bc1-797ca8d13a9c" TYPE="ext4"
    

    I checked the status of the filesystem running cryptsetup status /dev/mapper/luks-<sda3-uuid> and it says it is active, which I guess means it is unlocked?

    I checked the /root directory, and it is empty. So I tried to mount the partition myself: mount /dev/mapper/luks-<sda3-uuid> /root but it fails saying mount: mounting /dev/mapper/luks-<sda3-uuid> on /root failed: No such file or directory and that got me really puzzled? I’ve been searching far and wide but I can’t seem to find anyone with a similar situation. I feel like I’m close to getting this working.

    Below is my syslinux kernel config, and the 2nd and 3rd items are what I booted into (/boot/extlinux.conf)

    # Generated by update-extlinux 6.04_pre1-r15
    DEFAULT menu.c32
    PROMPT 0
    MENU TITLE Alpine/Linux Boot Menu
    MENU HIDDEN
    MENU AUTOBOOT Alpine will be booted automatically in # seconds.
    TIMEOUT 10
    LABEL lts
      MENU DEFAULT
      MENU LABEL Linux lts
      LINUX vmlinuz-lts
      INITRD initramfs-lts
      APPEND root=/dev/mapper/root modules=sd-mod,usb-storage,ext4 cryptroot=UUID=705fc477-573a-4ef6-81b6-a14c43cda1f5 cryptdm=root rootfstype=ext4 rd.debug log_buf_len=1M rd.shell
    
    LABEL lts
      MENU DEFAULT
      MENU LABEL Dracut Linux lts
      LINUX vmlinuz-lts
      INITRD /boot/initramfs-6.6.56-0-lts.img
      APPEND root=/dev/mapper/luks-705fc477-573a-4ef6-81b6-a14c43cda1f5 modules=sd-mod,usb-storage,ext4 rootfstype=ext4 rd.shell rd.debug log_buf_len=1M rd.luks.uuid=705fc477-573a-4ef6-81b6-a14c43cda1f5
    
    LABEL lts
      MENU DEFAULT
      MENU LABEL Dracut Linux lts 2
      LINUX vmlinuz-lts
      INITRD /boot/initramfs-6.6.56-0-lts.img
      APPEND modules=sd-mod,usb-storage,ext4,dm,crypt,rootfs-block rootfstype=ext4 rootflags=rw,relatime rd.shell rd.debug log_buf_len=1M root=UUID=57955343-922a-4918-9bc1-797ca8d13a9c rd.luks.uuid=705fc477-573a-4ef6-81b6-a14c43cda1f5
    

    And here the /proc/cmdline of the booted partition:

    BOOT_IMAGE=vmlinuz-lts modules=sd-mod,usb-storage,ext4,dm,crypt,rootfs-block rootfstype=ext4 rootflags=rw,relatime rd.shell rd.debug log_buf_len=1M root=UUID=57955343-922a-4918-9bc1-797ca8d13a9c rd.luks.uuid=705fc477-573a-4ef6-81b6-a14c43cda1f5 initrd=/boot/initramfs-6.6.56-0-lts.img
    

    Here is my setup, when I boot in my regular initramfs (the one I’m trying to replicate using dracut):

    mytestalpine:~# lsblk -o NAME,FSTYPE,FSVER,LABEL,UUID,FSAVAIL,FSUSE%,MOUNTPOINTS
    NAME     FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
    sda                                                                                  
    ├─sda1   ext4                    cc5e0b03-3544-4bef-ab8b-8b72dd236926  195.5M    21% /boot
    ├─sda2   swap                    4df1af6c-3199-4bb2-bb12-bcf897cfc6fc                [SWAP]
    └─sda3   crypto_LUKS             705fc477-573a-4ef6-81b6-a14c43cda1f5                
      └─root ext4                    57955343-922a-4918-9bc1-797ca8d13a9c    2.3G     8% /
    
    mytestalpine:~# lsblk -l -n /dev/sda3
    sda3   8:3   0  2.8G 0 part  
    root 253:0   0  2.8G 0 crypt /
    

    Note: No idea of the relevance, but I’m testing this setup in a VM, with a BIOS firmware.

    • chameleon@fedia.io · 3 months ago

      Sorry, I’ve had a (self-imposed) busy week, but I have to admit, that also has me rather stumped. As far as I can tell, your second entry should work. If the device is visible in /dev/mapper under a name, it should be able to mount under that name.

      The only thing I can think of is that some important module like the ext4 module might be missing somehow? You can get pretty confusing errors when that happens. Dracut is supposed to parse /etc/fstab for everything needed to boot, and maybe that’s not recognizing your root for some reason. dmesg might have some useful info at the end after you try to mount it. If that’s what’s happening, you could try to add add_drivers+=" ext4 " in your dracut.conf and regenerate it (the spaces are important!). But if that’s not it, then I’m probably out of ideas now.