Discussion:
Problems mounting encrypted disk on reboot
Add Reply
Jerry Lowry
2017-09-21 16:35:13 UTC
Reply
Permalink
Raw Message
Hi,

I have created an encrypted drive using the following commands:

#>cryptsetup --verify-passphrase -- hash=sha256 --keyfile=/dir/file
create testcui /dev/sdb

#>mkfs.ext4 /dev/mapper/testcui

I did this all at single user level.  running centos 7 on a VM.

this all work well until I reboot the system and then it fails to mount
the device and drops down it to emergency mode.  This is the journalctl
output I get. ( yeah I know about the acls on the key file )  device
name  "testcui"

Sep 20 14:19:53 jubilee systemd[1]: Starting Cryptography Setup for
/dev/mapper/testcui...
-- Subject: Unit systemd-cryptsetup@-dev-mapper-testcui.service has
begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit systemd-cryptsetup@-dev-mapper-testcui.service has begun
starting up.
Sep 20 14:19:53 jubilee systemd-cryptsetup[501]: Key file /etc/keys is
world-readable. This is not a good idea!
Sep 20 14:19:53 jubilee systemd-cryptsetup[501]: Set cipher aes, mode
cbc-essiv:sha256, key size 256 bits for device /dev/sdb.
Sep 20 14:19:53 jubilee systemd-cryptsetup[501]: *Failed to activate
with key file '/etc/keys': Invalid argument*
Sep 20 14:19:53 jubilee systemd[1]: Started Forward Password Requests to
Plymouth.

What is the invalid argument that it is complaining about?

Once in emergency mode I can :

#>cryptsetup create testcui /dev/sdb

( passcode)

And it continues just fine.

-- crypttab --

# test disk
#
/dev/mapper/testcui  /dev/sdb /etc/keys plain

--fstab--

#
# /etc/fstab
# Created by anaconda on Tue Dec 15 12:05:51 2015
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=c4cc85f2-9dbb-4bf8-8b3e-edaa5af3dae9 / xfs     defaults        1 1
UUID=2f178edb-b16e-4ea1-85c3-d8243b07a75b /boot xfs     defaults        1 2
UUID=a34fac21-a385-494a-a6cc-cae22b87c8c9 swap swap    defaults        0 0
/dev/mapper/testcui    /cui        ext4    defaults    1 2
--
---------------------------------------------------------------------------
Jerold Lowry
Principal Network/Systems Engineer
Engineering Design Team (EDT), Inc. a HEICO company
3423 NW John Olsen Pl
Hillsboro, Oregon 97124 (U.S.A.)
Phone: 503-690-1234 / 800-435-4320
Fax: 503-690-1243
Web: _www.edt.com <http://www.edt.com/>_
Lennart Poettering
2017-09-22 14:56:16 UTC
Reply
Permalink
Raw Message
Post by Jerry Lowry
Sep 20 14:19:53 jubilee systemd-cryptsetup[501]: Key file /etc/keys is
world-readable. This is not a good idea!
You should really fix that...
Post by Jerry Lowry
Sep 20 14:19:53 jubilee systemd-cryptsetup[501]: Set cipher aes, mode
cbc-essiv:sha256, key size 256 bits for device /dev/sdb.
Sep 20 14:19:53 jubilee systemd-cryptsetup[501]: *Failed to activate with
key file '/etc/keys': Invalid argument*
So, this error is returned by the LUKS/DM subsystem. It might have a
number of different reasons, and I can only guess. Quite often this
might be caused by a missing kernel crypto algorithm module for what
you have picked there.

It's usually a much better idea to use LUKS as the algorithms are
encoded in the LUKS header, and thus it's much harder to pick a
configuration that might not match what is available.

Lennart
--
Lennart Poettering, Red Hat
Loading...