How to Unlock Multiple LUKS Devices Using Dropbear-initramfs

debiandmcryptdropbearinitramfsluks

My system setup is as following:

One single SSD with LUKS and LVM (and of course an unencrypted boot partition). The debian system is installed there.
Two HDDs assembled as RAID0 with LUKS and LVM for some custom data

To unlock to LUKS-devices at boot time from remote, I tried to use dropbear-initramfs.

That works fine, to unlock the first LUKS device (on the SSD, with the debian system installed on):

I log in with ssh to dropbear/busybox
I use cryptroot-unlock, insert the key, and unlock it

But to unlock the second LUKS device (on the RAID0), I still needs some console.

Is there any way to unlock both LUKS devices together (or after another) using dropbear-initramfs / busybox? TIA!

Best Answer

Someone could say: RTFM ... /usr/share/doc/cryptsetup/README.Debian.gz, section 8.

The solution is to put initramfs to options in crypttab, like:

nvme0n1p3_crypt UUID=7988273-32b1-163b-8b44-e479f39f15a1 none luks,discard,initramfs
md_crypt        /dev/md/myraid                           none luks,discard,initramfs

Then cryptroot-unlock ask me to unlock both LUKS devices. :)

Related Solutions

Ubuntu – How to repair a Ubuntu 14.04 RAID-LVM-DM-CRYPT-LUKS Physical to Virtual system that won’t boot

Your problem is caused by booting with one virtual disk cloned from two physical disks. After manually booting, you could try this if you have md0 uncrypted and md1 crypted :

vi /etc/initramfs-tools/scripts/local-top/workaround_mdadm : #!/bin/sh sleep 5 mdadm --stop /dev/md1 mdadm --stop /dev/md0 sleep 5 mdadm --assemble --scan Note : Feel free to change the sleep values as well.

Make the file executable : chmod 755 /etc/initramfs-tools/scripts/local-top/workaround_mdadm

Create new initrd files in /boot : update-initramfs -k all -c

Reboot with your virtual disk and check if you are prompted for a passphrase.

Debian – cryproot-unlock with dropbear: Timeout while waiting for askpass

I was able to fix the problem myself, but maybe someone else runs into the same problem, so I'll post the solution here:

As it turns out, my /etc/crypttab had syntax errors, which led to askpass(amongst others) not being included in the initramfs when running update-initramfs -u.

For me, it was enough to add each separate logical volume into /etc/crypttab instead of the volume group as a whole. Here's an example:

#name       underlying device       passphrase  cryptsetup options
vg-root     /dev/mapper/vg-root     none        luks,retry=1
vg-swap     /dev/mapper/vg-swap     none        luks,retry=1

After updating your initramfs once again your system should ask for the logical volume passphrases on startup and then resume booting normally.

Best Answer

Related Solutions

Ubuntu – How to repair a Ubuntu 14.04 RAID-LVM-DM-CRYPT-LUKS Physical to Virtual system that won’t boot

Debian – cryproot-unlock with dropbear: Timeout while waiting for askpass

Related Topic