Unlock LUKS non-root filesystem partition on boot

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I have a system with an unencrypted / partition on Ubuntu 16.04, but with a LUKS encrypted ZFS zpool on 3 partitions. In order for the system to boot properly I want for the LUKS encrypted volumes to be unlocked before ZFS and other services (like database, web, email etc.) start, and this needs to be able to done remotely, through SSH.



With the 3 partitions added to the /etc/crypttab, the system boots and just after the initramfs stage will wait for unlock (and prompt for passwords). However, the usual way of accomplishing LUKS unlock at boot remotely is done through dropbear in initramfs, however because the 3 partitions are not in fstab the system will 'fall through' initramfs so to speak and continue to systemd. This is undesirable in this case as systemd prioritizes crypttab over the OpenSSH or dropbear meaning remote unlocking is disabled.



A dirty hack that works is simply adding a sleep 300 in initramfs, giving you time to login through dropbear and unlock, however this too is undesirable. I see foresee two options to fix this, but am not sure which would be best and I do not know how to implement either:



  • Changhing systemd boot order, to make sure something like networking and OpenSSH are up before crypttab, enabling remote or local unlocking.


  • Having initramfs wait for non-trivial partitions to be unlocked before proceeding to systemd.




ssh boot systemd luks initramfs




share|improve this question




















  • Just add/modify unit files so that the decryption happens before the rest.
    – Ignacio Vazquez-Abrams
    Apr 2 at 20:38














up vote
0
down vote

favorite












I have a system with an unencrypted / partition on Ubuntu 16.04, but with a LUKS encrypted ZFS zpool on 3 partitions. In order for the system to boot properly I want for the LUKS encrypted volumes to be unlocked before ZFS and other services (like database, web, email etc.) start, and this needs to be able to done remotely, through SSH.



With the 3 partitions added to the /etc/crypttab, the system boots and just after the initramfs stage will wait for unlock (and prompt for passwords). However, the usual way of accomplishing LUKS unlock at boot remotely is done through dropbear in initramfs, however because the 3 partitions are not in fstab the system will 'fall through' initramfs so to speak and continue to systemd. This is undesirable in this case as systemd prioritizes crypttab over the OpenSSH or dropbear meaning remote unlocking is disabled.



A dirty hack that works is simply adding a sleep 300 in initramfs, giving you time to login through dropbear and unlock, however this too is undesirable. I see foresee two options to fix this, but am not sure which would be best and I do not know how to implement either:



  • Changhing systemd boot order, to make sure something like networking and OpenSSH are up before crypttab, enabling remote or local unlocking.


  • Having initramfs wait for non-trivial partitions to be unlocked before proceeding to systemd.




ssh boot systemd luks initramfs




share|improve this question




















  • Just add/modify unit files so that the decryption happens before the rest.
    – Ignacio Vazquez-Abrams
    Apr 2 at 20:38












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have a system with an unencrypted / partition on Ubuntu 16.04, but with a LUKS encrypted ZFS zpool on 3 partitions. In order for the system to boot properly I want for the LUKS encrypted volumes to be unlocked before ZFS and other services (like database, web, email etc.) start, and this needs to be able to done remotely, through SSH.



With the 3 partitions added to the /etc/crypttab, the system boots and just after the initramfs stage will wait for unlock (and prompt for passwords). However, the usual way of accomplishing LUKS unlock at boot remotely is done through dropbear in initramfs, however because the 3 partitions are not in fstab the system will 'fall through' initramfs so to speak and continue to systemd. This is undesirable in this case as systemd prioritizes crypttab over the OpenSSH or dropbear meaning remote unlocking is disabled.



A dirty hack that works is simply adding a sleep 300 in initramfs, giving you time to login through dropbear and unlock, however this too is undesirable. I see foresee two options to fix this, but am not sure which would be best and I do not know how to implement either:



  • Changhing systemd boot order, to make sure something like networking and OpenSSH are up before crypttab, enabling remote or local unlocking.


  • Having initramfs wait for non-trivial partitions to be unlocked before proceeding to systemd.




ssh boot systemd luks initramfs




share|improve this question












I have a system with an unencrypted / partition on Ubuntu 16.04, but with a LUKS encrypted ZFS zpool on 3 partitions. In order for the system to boot properly I want for the LUKS encrypted volumes to be unlocked before ZFS and other services (like database, web, email etc.) start, and this needs to be able to done remotely, through SSH.



With the 3 partitions added to the /etc/crypttab, the system boots and just after the initramfs stage will wait for unlock (and prompt for passwords). However, the usual way of accomplishing LUKS unlock at boot remotely is done through dropbear in initramfs, however because the 3 partitions are not in fstab the system will 'fall through' initramfs so to speak and continue to systemd. This is undesirable in this case as systemd prioritizes crypttab over the OpenSSH or dropbear meaning remote unlocking is disabled.



A dirty hack that works is simply adding a sleep 300 in initramfs, giving you time to login through dropbear and unlock, however this too is undesirable. I see foresee two options to fix this, but am not sure which would be best and I do not know how to implement either:



  • Changhing systemd boot order, to make sure something like networking and OpenSSH are up before crypttab, enabling remote or local unlocking.


  • Having initramfs wait for non-trivial partitions to be unlocked before proceeding to systemd.





ssh boot systemd luks initramfs





share|improve this question











share|improve this question




share|improve this question










asked Apr 2 at 20:36









brickmasterj

456




456











  • Just add/modify unit files so that the decryption happens before the rest.
    – Ignacio Vazquez-Abrams
    Apr 2 at 20:38
















  • Just add/modify unit files so that the decryption happens before the rest.
    – Ignacio Vazquez-Abrams
    Apr 2 at 20:38















Just add/modify unit files so that the decryption happens before the rest.
– Ignacio Vazquez-Abrams
Apr 2 at 20:38




Just add/modify unit files so that the decryption happens before the rest.
– Ignacio Vazquez-Abrams
Apr 2 at 20:38










1 Answer
1






active

oldest

votes

















up vote
0
down vote













I am currently setting up such a system, but in debian stretch. And I am doing my experimentation in a VM before I actually set up the physical computer itself. I have a very similar setup working in the VM.



2 disks in zpool mirror for /, but not /boot. /boot is on md0. zpool is on top of LUKS. Using EFI.



root@zstaging:~# cat /proc/1/comm
systemd

root@zstaging:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
+-sda1 8:1 0 256M 0 part
¦ +-md0 9:0 0 256M 0 raid1 /boot
+-sda2 8:2 0 256M 0 part /boot/efi
+-sda3 8:3 0 19.5G 0 part
¦ +-disk0_crypt 253:0 0 19.5G 0 crypt
+-sda9 8:9 0 9M 0 part
sdb 8:16 0 20G 0 disk
+-sdb1 8:17 0 256M 0 part
¦ +-md0 9:0 0 256M 0 raid1 /boot
+-sdb2 8:18 0 256M 0 part
+-sdb3 8:19 0 19.5G 0 part
¦ +-disk1_crypt 253:1 0 19.5G 0 crypt
+-sdb9 8:25 0 9M 0 part
sdc 8:32 0 20G 0 disk
sr0 11:0 1 1.8G 0 rom

root@zstaging:~# zpool status
 pool: rpool
 state: ONLINE
 scan: none requested
config:

 NAME STATE READ WRITE CKSUM
 rpool ONLINE 0 0 0
 mirror-0 ONLINE 0 0 0
 disk0_crypt ONLINE 0 0 0
 disk1_crypt ONLINE 0 0 0

errors: No known data errors


Relevant files and setup:



root@zstaging:~# cat /etc/fstab
UUID=648bfa4b-1b5f-480a-bb26-b3abffb4a6de /boot auto defaults 0 0
PARTUUID=1673f966-173b-4128-84d5-4e8d5810efef /boot/efi vfat defaults 0 1

root@zstaging:~# cat /etc/crypttab
disk0_crypt UUID=26194846-ba49-4e53-ab0b-857b0dad2021 none luks
disk1_crypt UUID=ef44b66a-8706-4be2-bd12-a30d40de9669 none luks

root@zstaging:~# cat /etc/initramfs-tools/conf.d/cryptroot
target=disk0_crypt,source=UUID=26194846-ba49-4e53-ab0b-857b0dad2021,key=none,rootdev
target=disk1_crypt,source=UUID=ef44b66a-8706-4be2-bd12-a30d40de9669,key=none,rootdev

set CRYPTSETUP=y in /etc/cryptsetup-initramfs/conf-hook

# vi /etc/default/grub
replace GRUB_CMDLINE_LINUX="" with GRUB_CMDLINE_LINUX="boot=zfs"
Remove quiet from: GRUB_CMDLINE_LINUX_DEFAULT
Uncomment: GRUB_TERMINAL=console

# update-initramfs -u -k all
# update-grub
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-floppy


Everything works great. Get prompt for unlocking the two disks one at a time, and off we go. It is NOT necessary to list any zfs stuff in /etc/fstab. Yes, initramfs etc. WILL complain about /etc/fstab, but it all works fine, so far



I can even remote unlock it



# apt-get install dropbear-initramfs busybox
# vi /etc/dropbear-initramfs/authorized_keys
Paste my SSH pubkey

# chmod 400 /etc/dropbear-initramfs/authorized_keys
# update-initramfs -u

in another machine that has my SSH keys, add a custom section in ~/.ssh/config:
 Host zstaging_unlock
 HostName <ip_of_zstaging>
 User root
 HostKeyAlias zstaging_unlock

to remote unlock zstaging, from remote machine:
$ ssh zstaging_unlock
and follow prompts


HTH






share|improve this answer




















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f435131%2funlock-luks-non-root-filesystem-partition-on-boot%23new-answer', 'question_page');

    );

    Post as a guest

















    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    I am currently setting up such a system, but in debian stretch. And I am doing my experimentation in a VM before I actually set up the physical computer itself. I have a very similar setup working in the VM.



    2 disks in zpool mirror for /, but not /boot. /boot is on md0. zpool is on top of LUKS. Using EFI.



    root@zstaging:~# cat /proc/1/comm
    systemd

    root@zstaging:~# lsblk
    NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    sda 8:0 0 20G 0 disk
    +-sda1 8:1 0 256M 0 part
    ¦ +-md0 9:0 0 256M 0 raid1 /boot
    +-sda2 8:2 0 256M 0 part /boot/efi
    +-sda3 8:3 0 19.5G 0 part
    ¦ +-disk0_crypt 253:0 0 19.5G 0 crypt
    +-sda9 8:9 0 9M 0 part
    sdb 8:16 0 20G 0 disk
    +-sdb1 8:17 0 256M 0 part
    ¦ +-md0 9:0 0 256M 0 raid1 /boot
    +-sdb2 8:18 0 256M 0 part
    +-sdb3 8:19 0 19.5G 0 part
    ¦ +-disk1_crypt 253:1 0 19.5G 0 crypt
    +-sdb9 8:25 0 9M 0 part
    sdc 8:32 0 20G 0 disk
    sr0 11:0 1 1.8G 0 rom

    root@zstaging:~# zpool status
     pool: rpool
     state: ONLINE
     scan: none requested
    config:

     NAME STATE READ WRITE CKSUM
     rpool ONLINE 0 0 0
     mirror-0 ONLINE 0 0 0
     disk0_crypt ONLINE 0 0 0
     disk1_crypt ONLINE 0 0 0

    errors: No known data errors


    Relevant files and setup:



    root@zstaging:~# cat /etc/fstab
    UUID=648bfa4b-1b5f-480a-bb26-b3abffb4a6de /boot auto defaults 0 0
    PARTUUID=1673f966-173b-4128-84d5-4e8d5810efef /boot/efi vfat defaults 0 1

    root@zstaging:~# cat /etc/crypttab
    disk0_crypt UUID=26194846-ba49-4e53-ab0b-857b0dad2021 none luks
    disk1_crypt UUID=ef44b66a-8706-4be2-bd12-a30d40de9669 none luks

    root@zstaging:~# cat /etc/initramfs-tools/conf.d/cryptroot
    target=disk0_crypt,source=UUID=26194846-ba49-4e53-ab0b-857b0dad2021,key=none,rootdev
    target=disk1_crypt,source=UUID=ef44b66a-8706-4be2-bd12-a30d40de9669,key=none,rootdev

    set CRYPTSETUP=y in /etc/cryptsetup-initramfs/conf-hook

    # vi /etc/default/grub
    replace GRUB_CMDLINE_LINUX="" with GRUB_CMDLINE_LINUX="boot=zfs"
    Remove quiet from: GRUB_CMDLINE_LINUX_DEFAULT
    Uncomment: GRUB_TERMINAL=console

    # update-initramfs -u -k all
    # update-grub
    # grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-floppy


    Everything works great. Get prompt for unlocking the two disks one at a time, and off we go. It is NOT necessary to list any zfs stuff in /etc/fstab. Yes, initramfs etc. WILL complain about /etc/fstab, but it all works fine, so far



    I can even remote unlock it



    # apt-get install dropbear-initramfs busybox
    # vi /etc/dropbear-initramfs/authorized_keys
    Paste my SSH pubkey

    # chmod 400 /etc/dropbear-initramfs/authorized_keys
    # update-initramfs -u

    in another machine that has my SSH keys, add a custom section in ~/.ssh/config:
     Host zstaging_unlock
     HostName <ip_of_zstaging>
     User root
     HostKeyAlias zstaging_unlock

    to remote unlock zstaging, from remote machine:
    $ ssh zstaging_unlock
    and follow prompts


    HTH






    share|improve this answer
























      up vote
      0
      down vote













      I am currently setting up such a system, but in debian stretch. And I am doing my experimentation in a VM before I actually set up the physical computer itself. I have a very similar setup working in the VM.



      2 disks in zpool mirror for /, but not /boot. /boot is on md0. zpool is on top of LUKS. Using EFI.



      root@zstaging:~# cat /proc/1/comm
      systemd

      root@zstaging:~# lsblk
      NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
      sda 8:0 0 20G 0 disk
      +-sda1 8:1 0 256M 0 part
      ¦ +-md0 9:0 0 256M 0 raid1 /boot
      +-sda2 8:2 0 256M 0 part /boot/efi
      +-sda3 8:3 0 19.5G 0 part
      ¦ +-disk0_crypt 253:0 0 19.5G 0 crypt
      +-sda9 8:9 0 9M 0 part
      sdb 8:16 0 20G 0 disk
      +-sdb1 8:17 0 256M 0 part
      ¦ +-md0 9:0 0 256M 0 raid1 /boot
      +-sdb2 8:18 0 256M 0 part
      +-sdb3 8:19 0 19.5G 0 part
      ¦ +-disk1_crypt 253:1 0 19.5G 0 crypt
      +-sdb9 8:25 0 9M 0 part
      sdc 8:32 0 20G 0 disk
      sr0 11:0 1 1.8G 0 rom

      root@zstaging:~# zpool status
       pool: rpool
       state: ONLINE
       scan: none requested
      config:

       NAME STATE READ WRITE CKSUM
       rpool ONLINE 0 0 0
       mirror-0 ONLINE 0 0 0
       disk0_crypt ONLINE 0 0 0
       disk1_crypt ONLINE 0 0 0

      errors: No known data errors


      Relevant files and setup:



      root@zstaging:~# cat /etc/fstab
      UUID=648bfa4b-1b5f-480a-bb26-b3abffb4a6de /boot auto defaults 0 0
      PARTUUID=1673f966-173b-4128-84d5-4e8d5810efef /boot/efi vfat defaults 0 1

      root@zstaging:~# cat /etc/crypttab
      disk0_crypt UUID=26194846-ba49-4e53-ab0b-857b0dad2021 none luks
      disk1_crypt UUID=ef44b66a-8706-4be2-bd12-a30d40de9669 none luks

      root@zstaging:~# cat /etc/initramfs-tools/conf.d/cryptroot
      target=disk0_crypt,source=UUID=26194846-ba49-4e53-ab0b-857b0dad2021,key=none,rootdev
      target=disk1_crypt,source=UUID=ef44b66a-8706-4be2-bd12-a30d40de9669,key=none,rootdev

      set CRYPTSETUP=y in /etc/cryptsetup-initramfs/conf-hook

      # vi /etc/default/grub
      replace GRUB_CMDLINE_LINUX="" with GRUB_CMDLINE_LINUX="boot=zfs"
      Remove quiet from: GRUB_CMDLINE_LINUX_DEFAULT
      Uncomment: GRUB_TERMINAL=console

      # update-initramfs -u -k all
      # update-grub
      # grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-floppy


      Everything works great. Get prompt for unlocking the two disks one at a time, and off we go. It is NOT necessary to list any zfs stuff in /etc/fstab. Yes, initramfs etc. WILL complain about /etc/fstab, but it all works fine, so far



      I can even remote unlock it



      # apt-get install dropbear-initramfs busybox
      # vi /etc/dropbear-initramfs/authorized_keys
      Paste my SSH pubkey

      # chmod 400 /etc/dropbear-initramfs/authorized_keys
      # update-initramfs -u

      in another machine that has my SSH keys, add a custom section in ~/.ssh/config:
       Host zstaging_unlock
       HostName <ip_of_zstaging>
       User root
       HostKeyAlias zstaging_unlock

      to remote unlock zstaging, from remote machine:
      $ ssh zstaging_unlock
      and follow prompts


      HTH






      share|improve this answer






















        up vote
        0
        down vote










        up vote
        0
        down vote









        I am currently setting up such a system, but in debian stretch. And I am doing my experimentation in a VM before I actually set up the physical computer itself. I have a very similar setup working in the VM.



        2 disks in zpool mirror for /, but not /boot. /boot is on md0. zpool is on top of LUKS. Using EFI.



        root@zstaging:~# cat /proc/1/comm
        systemd

        root@zstaging:~# lsblk
        NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
        sda 8:0 0 20G 0 disk
        +-sda1 8:1 0 256M 0 part
        ¦ +-md0 9:0 0 256M 0 raid1 /boot
        +-sda2 8:2 0 256M 0 part /boot/efi
        +-sda3 8:3 0 19.5G 0 part
        ¦ +-disk0_crypt 253:0 0 19.5G 0 crypt
        +-sda9 8:9 0 9M 0 part
        sdb 8:16 0 20G 0 disk
        +-sdb1 8:17 0 256M 0 part
        ¦ +-md0 9:0 0 256M 0 raid1 /boot
        +-sdb2 8:18 0 256M 0 part
        +-sdb3 8:19 0 19.5G 0 part
        ¦ +-disk1_crypt 253:1 0 19.5G 0 crypt
        +-sdb9 8:25 0 9M 0 part
        sdc 8:32 0 20G 0 disk
        sr0 11:0 1 1.8G 0 rom

        root@zstaging:~# zpool status
         pool: rpool
         state: ONLINE
         scan: none requested
        config:

         NAME STATE READ WRITE CKSUM
         rpool ONLINE 0 0 0
         mirror-0 ONLINE 0 0 0
         disk0_crypt ONLINE 0 0 0
         disk1_crypt ONLINE 0 0 0

        errors: No known data errors


        Relevant files and setup:



        root@zstaging:~# cat /etc/fstab
        UUID=648bfa4b-1b5f-480a-bb26-b3abffb4a6de /boot auto defaults 0 0
        PARTUUID=1673f966-173b-4128-84d5-4e8d5810efef /boot/efi vfat defaults 0 1

        root@zstaging:~# cat /etc/crypttab
        disk0_crypt UUID=26194846-ba49-4e53-ab0b-857b0dad2021 none luks
        disk1_crypt UUID=ef44b66a-8706-4be2-bd12-a30d40de9669 none luks

        root@zstaging:~# cat /etc/initramfs-tools/conf.d/cryptroot
        target=disk0_crypt,source=UUID=26194846-ba49-4e53-ab0b-857b0dad2021,key=none,rootdev
        target=disk1_crypt,source=UUID=ef44b66a-8706-4be2-bd12-a30d40de9669,key=none,rootdev

        set CRYPTSETUP=y in /etc/cryptsetup-initramfs/conf-hook

        # vi /etc/default/grub
        replace GRUB_CMDLINE_LINUX="" with GRUB_CMDLINE_LINUX="boot=zfs"
        Remove quiet from: GRUB_CMDLINE_LINUX_DEFAULT
        Uncomment: GRUB_TERMINAL=console

        # update-initramfs -u -k all
        # update-grub
        # grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-floppy


        Everything works great. Get prompt for unlocking the two disks one at a time, and off we go. It is NOT necessary to list any zfs stuff in /etc/fstab. Yes, initramfs etc. WILL complain about /etc/fstab, but it all works fine, so far



        I can even remote unlock it



        # apt-get install dropbear-initramfs busybox
        # vi /etc/dropbear-initramfs/authorized_keys
        Paste my SSH pubkey

        # chmod 400 /etc/dropbear-initramfs/authorized_keys
        # update-initramfs -u

        in another machine that has my SSH keys, add a custom section in ~/.ssh/config:
         Host zstaging_unlock
         HostName <ip_of_zstaging>
         User root
         HostKeyAlias zstaging_unlock

        to remote unlock zstaging, from remote machine:
        $ ssh zstaging_unlock
        and follow prompts


        HTH






        share|improve this answer












        I am currently setting up such a system, but in debian stretch. And I am doing my experimentation in a VM before I actually set up the physical computer itself. I have a very similar setup working in the VM.



        2 disks in zpool mirror for /, but not /boot. /boot is on md0. zpool is on top of LUKS. Using EFI.



        root@zstaging:~# cat /proc/1/comm
        systemd

        root@zstaging:~# lsblk
        NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
        sda 8:0 0 20G 0 disk
        +-sda1 8:1 0 256M 0 part
        ¦ +-md0 9:0 0 256M 0 raid1 /boot
        +-sda2 8:2 0 256M 0 part /boot/efi
        +-sda3 8:3 0 19.5G 0 part
        ¦ +-disk0_crypt 253:0 0 19.5G 0 crypt
        +-sda9 8:9 0 9M 0 part
        sdb 8:16 0 20G 0 disk
        +-sdb1 8:17 0 256M 0 part
        ¦ +-md0 9:0 0 256M 0 raid1 /boot
        +-sdb2 8:18 0 256M 0 part
        +-sdb3 8:19 0 19.5G 0 part
        ¦ +-disk1_crypt 253:1 0 19.5G 0 crypt
        +-sdb9 8:25 0 9M 0 part
        sdc 8:32 0 20G 0 disk
        sr0 11:0 1 1.8G 0 rom

        root@zstaging:~# zpool status
         pool: rpool
         state: ONLINE
         scan: none requested
        config:

         NAME STATE READ WRITE CKSUM
         rpool ONLINE 0 0 0
         mirror-0 ONLINE 0 0 0
         disk0_crypt ONLINE 0 0 0
         disk1_crypt ONLINE 0 0 0

        errors: No known data errors


        Relevant files and setup:



        root@zstaging:~# cat /etc/fstab
        UUID=648bfa4b-1b5f-480a-bb26-b3abffb4a6de /boot auto defaults 0 0
        PARTUUID=1673f966-173b-4128-84d5-4e8d5810efef /boot/efi vfat defaults 0 1

        root@zstaging:~# cat /etc/crypttab
        disk0_crypt UUID=26194846-ba49-4e53-ab0b-857b0dad2021 none luks
        disk1_crypt UUID=ef44b66a-8706-4be2-bd12-a30d40de9669 none luks

        root@zstaging:~# cat /etc/initramfs-tools/conf.d/cryptroot
        target=disk0_crypt,source=UUID=26194846-ba49-4e53-ab0b-857b0dad2021,key=none,rootdev
        target=disk1_crypt,source=UUID=ef44b66a-8706-4be2-bd12-a30d40de9669,key=none,rootdev

        set CRYPTSETUP=y in /etc/cryptsetup-initramfs/conf-hook

        # vi /etc/default/grub
        replace GRUB_CMDLINE_LINUX="" with GRUB_CMDLINE_LINUX="boot=zfs"
        Remove quiet from: GRUB_CMDLINE_LINUX_DEFAULT
        Uncomment: GRUB_TERMINAL=console

        # update-initramfs -u -k all
        # update-grub
        # grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-floppy


        Everything works great. Get prompt for unlocking the two disks one at a time, and off we go. It is NOT necessary to list any zfs stuff in /etc/fstab. Yes, initramfs etc. WILL complain about /etc/fstab, but it all works fine, so far



        I can even remote unlock it



        # apt-get install dropbear-initramfs busybox
        # vi /etc/dropbear-initramfs/authorized_keys
        Paste my SSH pubkey

        # chmod 400 /etc/dropbear-initramfs/authorized_keys
        # update-initramfs -u

        in another machine that has my SSH keys, add a custom section in ~/.ssh/config:
         Host zstaging_unlock
         HostName <ip_of_zstaging>
         User root
         HostKeyAlias zstaging_unlock

        to remote unlock zstaging, from remote machine:
        $ ssh zstaging_unlock
        and follow prompts


        HTH







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Apr 4 at 4:43









        deyab

        11




        11






















             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f435131%2funlock-luks-non-root-filesystem-partition-on-boot%23new-answer', 'question_page');

            );

            Post as a guest
































































            -

            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
            Read more

            Bahrain

            Image
            For other uses, see Bahrain (disambiguation). Sovereign island state in the Persian Gulf Kingdom of Bahrain مملكة البحرين   (Arabic) Mamlakat al-Baḥrayn Flag Coat of arms Anthem:  نشيد البحرين الوطني Bahrainona Our Bahrain Location of   Bahrain    (circled in red) Capital and largest city Manama 26°13′N 50°35′E  /  26.217°N 50.583°E  / 26.217; 50.583 Official languages Arabic Ethnic groups (2010 [1] ) 50.7% Arab (46% Bahrani, 4.7% other Arabs) 45.5% Asian 1% European 1.2% Others Religion Islam Demonym(s) Bahraini Government Unitary constitutional monarchy • King Hamad bin Isa Al Khalifa • Crown Prince Salman bin Hamad bin Isa Al Khalifa • Prime Minister Khalifa bin Salman Al Khalifa Legislature National Assembly • Upper house Consultative Council • Lower house Council of Representatives Independence • Declared Independence [2] 14 August 1971 • from United Kingdom [1] 15 August 1971 • Admitted to the United Nations 21 September 1971 • Kingdom of Bahrain 14 February 2002
            Read more

            Postfix configuration issue with fips on centos 7; mailgun relay

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I am trying to setup postfix to relay all mail generated on the local machine via SMTP to a mailgun relay. I have used the mailgun relay before with success on an ubuntu server, but I am migrating to a Centos 7 server which I will be running in FIPS mode. There error log is below, slightly sanitized. I have a small enough network that I choose to have each machine reach out to mailgun individually (this the loopback-only, 127.0.0.0/8 restrictions) and no firewall open port allowing smtp in to the machine. I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing? Any help would be appreciated! postconf -n: alias_database = hash:/etc/alia
            Read more