On Tue 28 May 2019 at 14:13:42 (+0300), Sergey Belyashov wrote:
> As expected nothing is changed. I did not forget to run update-initramfs
> after change of fstab.
> Attached 3 photos: normal boot, recovery boot before password enter,
> recovery boot after password and Ctrl-D in recovery shell.
[I don't see any photos attached. (The entire email is only 4.3kB)]

But I have struggled to find out what program is expected to issue the
prompt and collect the passphrase under various circumstances (eg unlocking
at boot, or unlocking later).

> Tue, 28 May 2019, 9:38 deloptes <delop...@gmail.com>:
> > Sergey Belyashov wrote:
> >
> > > Root partition is on mdraid but is not encrypted. Home is encrypted only.
> > > Modules are set to most already.
> >
> > I have this setup on my server, but I removed all crypted entries from fstab
> > because obviously I can not sit in front of the server to type the password
> > when booting. So I can not help in this case much. I put all of this in a
> > script that I execute after I ssh to the server.

Most of my machines are set up rather like this. I have a pseudo-user
called unlock whose /var/local/home/unlock/.bash_profile runs

  sudo udisksctl unlock --block-device /dev/disk/by-id/…
  mount /home

and then logs out. However, this is unsuitable for this laptop, as
explained below.

> > On the clients I have root encrypted. I had issues in the beginning after
> > transferring the system from dbootstrap to the disk. In that case the UUIDs
> > were not correct. I always did set the init=/bin/sh on the command line in
> > grub to get the shell and debugged. Sometimes it is useful to add
> > a "rootdelay" to wait for the root device to get available, but in your
> > setup it looks like it is not exactly what you would need.

I haven't had that problem, but that might be just because I don't
encrypt root, only /home.

> > When the system boots it would read whatever you have in your initrd. It
> > would load the drivers and perform the boot process. Then it will pass
> > control to init and run the rest from the root system. IMO mounting home
> > comes in this second stage, but I am not 100% sure. What do you see when
> > you enable debug or verbose - what does it say when booting.
On my servers (unlocking later), I get the prompt "Passphrase: ". When I
type the passphrase, there is no reflection at all. And this would be a
big problem for me, were I to do this on this laptop.

So on this laptop, I use /etc/crypttab and /etc/fstab to mount /home at
boot. The passphrase entry obviously gets called in a different manner as
the prompt is more detailed (presumably because one might be unlocking
several different partitions at the same time but in an unknown order):

  Please enter passphrase for disk Linux-Home (swanhome) on /home!

where "swanhome" is the crypttab target and "Linux-Home" is the GPT
Partition name. When I type the passphrase, an asterisk is reflected for
each character.

I've tried to figure out what programs are actually requesting the
passphrase and whether they have any arguments/options/environment
variables that can affect them. Things like, what's the prompt, where is
it printed, and what's reflected (if anything) when the passphrase
characters are being typed.

With unlocking later, the processes I see running are:

  root    1026   808 ?      sshd: unlock [priv]
  unlock  1028     1 ?      /lib/systemd/systemd --user
  unlock  1029  1028 ?      (sd-pam)
  unlock  1035  1026 ?      sshd: unlock@pts/0
  unlock  1036  1035 pts/0  -bash
  root    1043  1036 pts/0  sudo udisksctl unlock --block-device /dev/disk/by-id/…
  root    1044  1043 pts/0  udisksctl unlock --block-device /dev/disk/by-id/…

  root    1047     1 ?      /usr/lib/udisks2/udisksd --no-debug
  root    1051     1 ?      /usr/lib/policykit-1/polkitd --no-debug
  root    1065     1 ?      /lib/systemd/systemd --user
  root    1066  1065 ?      (sd-pam)
  root    1069   538 tty1   -bash
  root    1575  1069 tty1   ps -ef

Once the passphrase has been entered, the processes before the empty line
all disappear.

It might be helpful for the OP to ascertain the answers for working on
their problem.

> > Also you have the fs type in fstab set to auto for your home - what happens
> > if you set the exact fs type like ext4 or xfs?
> >
> > Do a change at a time and test after this.
My problem: because of the keyboard's phantom typing, reported¹ at
https://lists.debian.org/debian-user/2018/03/msg01030.html
I have to know when spurious characters are being typed, by seeing the
asterisks. Therefore I unlock at boot. But to prevent locking myself out
with a bad passphrase, I've added nofail to /home's fstab entry. I can
then unlock /home in the same way as I use with my servers. All this
works, apart from some odd messages that I don't fully understand, and
may report sometime.

¹ I need to re-report this, with new information, but that too is for
another time.

Cheers,
David.
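As an added illustration (not part of David's message and not Debian's own configuration), the two entries described above, a crypttab target that is prompted for at boot and an fstab line for /home carrying nofail, look like this. The target name swanhome comes from the message; the UUIDs, the ext4 filesystem type and the "luks" option are assumptions made for the example.

```text
# /etc/crypttab -- <target> <source device> <key file> <options>
# "none" as the key file is what makes boot-time unlocking prompt for the
# passphrase interactively (the prompt quoted in the message). The UUID is
# a placeholder for the LUKS container, not a value from the message.
swanhome UUID=11111111-2222-3333-4444-555555555555 none luks

# /etc/fstab -- <device> <mount point> <type> <options> <dump> <pass>
# nofail: if the unlock was skipped, failed, or the passphrase was mistyped
# more often than the tries allow, boot continues without /home instead of
# dropping into the emergency shell, so the volume can be unlocked later.
# The filesystem UUID (again a placeholder) is used rather than
# /dev/mapper/swanhome so that the same line also mounts the volume when it
# is unlocked later with udisksctl, which names its mapping
# /dev/mapper/luks-<container UUID> rather than the crypttab target name.
UUID=66666666-7777-8888-9999-000000000000 /home ext4 defaults,nofail 0 2
```

With both files in place, "mount /home" after a later "udisksctl unlock" resolves the fstab entry by filesystem UUID regardless of which mapper name the unlock created, which is what makes the boot-time and the unlock-later paths interchangeable on one machine.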