Funtoo Linux / FL-8318

LUKS encrypted root filesystems can not be unlocked on boot.

    Details

    • Type: Bug
    • Status: Ready to Fix
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None
    • Reproduction Steps:
      Follow the documentation located on the wiki https://www.funtoo.org/Encrypted_Root, https://www.funtoo.org/Rootfs_over_encrypted_lvm_over_raid-1_on_GPT, or https://www.funtoo.org/Rootfs_over_encrypted_lvm [though there may be other install instructions I didn't find as well].
    • Facts:
      1. Current debian-sources kernel contains a bug which breaks cryptsetup open when passphrases are 64+ characters in length.
      2. Default behavior of cryptsetup is to create LUKS2 volumes.
      3. sys-kernel/genkernel fails to include the proper kernel modules to support LUKS2 in initramfs.
      4. Initrd supplied in current stage3 tarballs is missing the appropriate kernel modules to support LUKS2 encryption.
      5. I have documented the process of working around these issues and installing a working LUKS2 encrypted rootfs at the following link https://gesis.pw/encrypted-rootfs-on-funtoo-linux-1-4/
    • Presumptive Root Cause:
      The primary cause of failure is that the kernel modules af_alg.ko and algif_skcipher.ko do not get included in initrd either via the funtoo build system or by genkernel. These modules are necessary for cryptsetup to unlock LUKS2 volumes.

      Secondary to this is the aforementioned kernel bug. While this only affects users with long passphrases, it is still something that should be properly documented so that users are aware.

      Description

      To keep it simple: despite documentation updates, LUKS encrypted root filesystems are still broken in Funtoo. I have, however, found the fix[es].

    People

    • Assignee: Unassigned
    • Reporter: gesis
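As an added example (not part of the original issue or of Funtoo's tooling): a shell check that reports which of the two modules named in the presumptive root cause, af_alg and algif_skcipher, are absent from an initramfs file listing. The function name, the sample listing and the optional modules.builtin argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report which kernel modules named in this issue are absent
# from an initramfs file listing read on stdin (one path per line).
# Assumption: an optional first argument names a modules.builtin file; a
# module listed there is compiled into the kernel and needs no .ko file.
#
# Possible use (placeholder paths, gzip-compressed initramfs assumed):
#   zcat /path/to/initramfs | cpio -t | \
#       missing_luks2_modules /lib/modules/<kver>/modules.builtin

REQUIRED_MODULES="af_alg algif_skcipher"

missing_luks2_modules() {
    builtin_file="${1:-}"
    listing=$(cat)
    missing=""
    for mod in $REQUIRED_MODULES; do
        # <mod>.ko as the final path component, optionally compressed.
        pattern="(^|/)${mod}\.ko(\.(gz|xz|zst))?\$"
        if printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            continue
        fi
        # Not shipped as a file: accept it if the kernel has it built in.
        if [ -n "$builtin_file" ] && [ -r "$builtin_file" ] &&
           grep -Eq "$pattern" "$builtin_file"; then
            continue
        fi
        missing="${missing:+$missing }$mod"
    done
    printf '%s\n' "$missing"
    # Exit status 0 only when nothing is missing.
    [ -z "$missing" ]
}

# Constructed sample listing (not from a real system): af_alg is present in
# xz-compressed form, algif_skcipher is absent.
SAMPLE_LISTING='lib/modules/0.0.0-example/kernel/drivers/md/dm-crypt.ko
lib/modules/0.0.0-example/kernel/crypto/af_alg.ko.xz
sbin/cryptsetup'

if ! result=$(printf '%s\n' "$SAMPLE_LISTING" | missing_luks2_modules); then
    echo "initramfs listing lacks: $result"
fi
```
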