[arch-general] crypttab support for non-root devices with systemd
Hi,
I've installed Arch on a system with a two "disk" setup, where the first disk is an SSD, which I'm booting from. The second disk is an encrypted software RAID with LVM on top.
Now obviously I want the second "disk" to be unlocked and mounted automatically on boot. This was no problem in the past.
Now with systemd it seems to be harder. At least I get asked for the password on boot. This will unlock the device, however afterwards I have to activate the LVM and mount it manually.
Is this already supported out of the box? The wiki mentions something about scripts, which may be changed, but I would like to have something more solid than self-made scripts, which may break with every update in the future.
Best regards, Karol Babioch
On Sat, Dec 08, 2012 at 09:08:28PM +0100, Karol Babioch wrote:
> Hi,
> I've installed Arch on a system with a two "disk" setup, where the first disk is an SSD, which I'm booting from. The second disk is an encrypted software RAID with LVM on top.
> Now obviously I want the second "disk" to be unlocked and mounted automatically on boot. This was no problem in the past.
> Now with systemd it seems to be harder. At least I get asked for the password on boot. This will unlock the device, however afterwards I have to activate the LVM and mount it manually.
> Is this already supported out of the box? The wiki mentions something about scripts, which may be changed, but I would like to have something more solid than self-made scripts, which may break with every update in the future.
> Best regards, Karol Babioch
In core/lvm2 there's an lvm-on-crypt.service which you can enable. In testing/lvm2, you only need lvm-monitoring.service.
Hi,
On 08.12.2012 21:21, Dave Reisner wrote:
> In core/lvm2 there's an lvm-on-crypt.service which you can enable. In testing/lvm2, you only need lvm-monitoring.service.
Thanks for your reply. Although probably both of these service files would require the device to be unlocked.
Currently it's failing at this stage already. From my understanding /etc/crypttab should work with systemd just fine, shouldn't it?
So probably my crypttab is invalid? Because right now I'm getting asked for the passphrase on each and every boot.
Any plans on when the "lvm-monitoring.service" will be released? Is it in the early development, or is this something just waiting to be released?
Best regards, Karol Babioch
On Sat, Dec 08, 2012 at 09:52:34PM +0100, Karol Babioch wrote:
> Hi,
> On 08.12.2012 21:21, Dave Reisner wrote:
> > In core/lvm2 there's an lvm-on-crypt.service which you can enable. In testing/lvm2, you only need lvm-monitoring.service.
> Thanks for your reply. Although probably both of these service files would require the device to be unlocked.
No, only one is required, based on the package you're using. We've made some significant changes to lvm explicitly to make it play better with systemd: https://mailman.archlinux.org/pipermail/arch-dev-public/2012-October/023953....
> Currently it's failing at this stage already. From my understanding /etc/crypttab should work with systemd just fine, shouldn't it?
And it does...
> So probably my crypttab is invalid? Because right now I'm getting asked for the passphrase on each and every boot.
Without posting it, I have no idea. You've not mentioned the behavior you expect, either. 'man 5 crypttab' documents the expected format and allowed parameters.
> Any plans on when the "lvm-monitoring.service" will be released? Is it in the early development, or is this something just waiting to be released?
I don't know what's holding lvm in testing. This singular service is not the silver bullet you're looking for -- it's a package deal. d
Hi,
On 08.12.2012 22:06, Dave Reisner wrote:
> Without posting it, I have no idea.
Basically it looks like this:
raid /dev/sdb1 "xxx"
In this setup "/dev/sdb1" is an encrypted block device. It's not the one mentioned in the beginning, but the situation is quite similar. "xxx" is the passphrase.
This worked just fine with the "old" initscripts. Maybe I'm missing something, but from my understanding of the appropriate man page it should actually work?
> You've not mentioned the behavior you expect, either.
Right now I get asked for the passphrase during boot. I would like this dialog to disappear. I would like to have the device unlocked, activated and mounted automatically. For the time being I would like to use "lvm-on-crypt", only to be replaced with "lvm-monitoring" once it hits the official repositories.
Thanks for your help!
Best regards, Karol Babioch
On Dec 8, 2012 8:12 PM, "Karol Babioch" <karol@babioch.de> wrote:
> Hi,
> On 08.12.2012 22:06, Dave Reisner wrote:
> > Without posting it, I have no idea.
> Basically it looks like this:
> raid /dev/sdb1 "xxx"
> In this setup "/dev/sdb1" is an encrypted block device. It's not the one mentioned in the beginning, but the situation is quite similar. "xxx" is the passphrase.
> This worked just fine with the "old" initscripts. Maybe I'm missing something, but from my understanding of the appropriate man page it should actually work?
The man page makes no mention of allowing plaintext passwords in crypttab. Sure enough, this doesn't work. Use a key file.
> > You've not mentioned the behavior you expect, either.
> Right now I get asked for the passphrase during boot. I would like this dialog to disappear. I would like to have the device unlocked, activated and mounted automatically. For the time being I would like to use "lvm-on-crypt", only to be replaced with "lvm-monitoring" once it hits the official repositories.
> Thanks for your help!
> Best regards, Karol Babioch
Hi,
On 09.12.2012 02:14, Dave Reisner wrote:
> The man page makes no mention of allowing plaintext passwords in crypttab. Sure enough, this doesn't work. Use a key file.
Thanks! Probably wouldn't have figured this out any time soon :). As the man page refers to a "password" multiple times, I assumed it would also allow for plaintext passwords. Quite a misunderstanding.
Best regards, Karol Babioch
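
The crypttab mistake discussed in this thread, as an added example that is not part of the original messages or of systemd: a small audit that flags a third field that is neither `none`/`-` nor an absolute key file path (the `"xxx"` entry above) and, as an extra hardening check added here, key files readable by group or others. The function names and all sample entries except the `raid` line are constructed for illustration.

```python
import os
import stat

def classify_key_field(field):
    """Classify the third crypttab field: 'prompt', 'keyfile' or 'invalid'."""
    if field is None or field in ("none", "-"):
        return "prompt"      # passphrase is asked for interactively at boot
    if field.startswith("/"):
        return "keyfile"     # absolute path to a file holding the key
    return "invalid"         # anything else, e.g. a literal passphrase

def check_keyfile(path):
    """Return problems with a key file: missing, or accessible beyond its owner."""
    try:
        st = os.stat(path)
    except OSError:
        return ["key file %s is missing or inaccessible" % path]
    # Only regular files are checked; device nodes are left alone.
    if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
        return ["key file %s has mode %o, expected 600 or stricter"
                % (path, stat.S_IMODE(st.st_mode))]
    return []

def audit_crypttab(text):
    """Return (line number, volume name, finding) for each suspicious entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        name = fields[0]
        key = fields[2] if len(fields) > 2 else None
        kind = classify_key_field(key)
        if kind == "invalid":
            findings.append((lineno, name,
                             "third field %s is not a key file path" % key))
        elif kind == "keyfile":
            findings.extend((lineno, name, p) for p in check_keyfile(key))
    return findings

# Constructed sample: line 2 is the entry quoted in the thread, the other
# entries and the key file path are hypothetical, added for contrast.
SAMPLE = """\
# name  device     key                 options
raid    /dev/sdb1  "xxx"
data    /dev/sdc1  none
vault   /dev/sdd1  /etc/keys/vault.key luks
"""

if __name__ == "__main__":
    for lineno, name, finding in audit_crypttab(SAMPLE):
        print("line %d (%s): %s" % (lineno, name, finding))
```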