ublue-os / bazzite

Bazzite is a cloud native image built upon Fedora Atomic Desktops that brings the best of Linux gaming to all of your devices - including your favorite handheld.
https://bazzite.gg
Apache License 2.0

update to F41 when using full disk encryption with keyfile prompts for password because it can't find the keyfile in /root #1827

Closed Renner0E closed 1 week ago

Renner0E commented 3 weeks ago

Describe the bug

This was my first boot into F41. I run a bazzite derived image.

This time, however, I typed in my rootfs password and then was prompted for the passphrases of all my other drives. I pressed Esc and spammed Ctrl+D and made the prompt time out so the responsible systemd-cryptsetup services would fail. I then saw SDDM, switched ttys, logged in and ran lsblk and all the drives were mounted correctly.

Is this on me? Should I put my keyfile somewhere else?

I'll happily provide more log files etc.

What did you expect to happen?

Normally I would get prompted for my password of my rootfs which has a keyfile in /root/keys/secret.key. This keyfile then unlocks all my other drives like backup HDD, Games SSD, and home SSD. These drives also can be unlocked with a password. So I only have to type in one password to unlock all my drives.

Output of rpm-ostree status

State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 20min ago
Deployments:
● ostree-image-signed:docker://ghcr.io/renner0e/atomic-desktop
    Digest: sha256:5b4a475ef77b74b57d20d3708dfdca26ce77d4bfeda77e7f7528d4bf833e0d94
    Version: 41.20241029.1 (2024-10-29T17:21:27Z)
    RemovedBasePackages: firewall-config 2.2.3-2.fc41
    InitramfsEtc: /etc/vconsole.conf

  ostree-image-signed:docker://ghcr.io/renner0e/atomic-desktop
    Digest: sha256:09e8f8369aefc14b1ad7dd367efb35f3bd076f537c5688ddd16ce9ab509bfb53
    Version: 40.20241020 (2024-10-28T17:21:54Z)
    RemovedBasePackages: firewall-config 2.1.3-1.fc40
    InitramfsEtc: /etc/vconsole.conf

Hardware

Operating System: Bazzite 41
KDE Plasma Version: 6.2.2
KDE Frameworks Version: 6.7.0
Qt Version: 6.7.2
Kernel Version: 6.11.5-307.bazzite.fc41.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 24 × AMD Ryzen 9 7900X 12-Core Processor
Memory: 30.9 GiB of RAM
Graphics Processor: AMD Radeon RX 6750 XT

Extra information or context

I recall having this exact problem a couple months ago but I could hard shutdown my PC and it worked as expected afterwards. This didn't work this time.

/etc/crypttab

# root is generated by anaconda
luks-f5b9747d-fb9d-475f-9f02-767dcf87cbcf UUID=f5b9747d-fb9d-475f-9f02-767dcf87cbcf none,discard,tries=20,password-echo=yes
# for whatever reason tries=20 and password echo don't actually work

luks_6tb_hdd UUID=85d4a8dc-80d4-4383-92a5-7e40e9b55b50 /root/keys/secret.key

luks_4tb_ssd UUID=a23f017b-c3b6-487c-919d-57dfdd07cb54 /root/keys/secret.key

luks_home UUID=c66fe4c4-64c5-44ea-892d-8681bb3552a5 /root/keys/secret.key

sudo journalctl -b -p warning | grep systemd-cryptsetup

Okt 31 13:22:59 bazzite systemd-cryptsetup[902]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Okt 31 13:23:29 mypc systemd-cryptsetup[1726]: Failed to activate, key file '/root/keys/secret.key' missing.
Okt 31 13:23:29 mypc systemd-cryptsetup[1727]: Failed to activate, key file '/root/keys/secret.key' missing.
Okt 31 13:23:29 mypc systemd-cryptsetup[1729]: Failed to activate, key file '/root/keys/secret.key' missing.
Okt 31 13:23:52 mypc systemd-cryptsetup[1727]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Okt 31 13:23:55 mypc systemd-cryptsetup[1726]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Okt 31 13:23:57 mypc systemd-cryptsetup[1729]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Okt 31 13:24:49 mypc systemd-cryptsetup[1727]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Okt 31 13:24:49 mypc systemd-cryptsetup[1727]: Too many attempts to activate; giving up.
Okt 31 13:24:49 mypc systemd[1]: systemd-cryptsetup@luks_6tb_hdd.service: Failed with result 'exit-code'.
Okt 31 13:24:49 mypc systemd[1]: Failed to start systemd-cryptsetup@luks_6tb_hdd.service - Cryptography Setup for luks_6tb_hdd.
Okt 31 13:24:57 mypc systemd-cryptsetup[1729]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Okt 31 13:24:57 mypc systemd-cryptsetup[1729]: Too many attempts to activate; giving up.
Okt 31 13:24:57 mypc systemd[1]: systemd-cryptsetup@luks_home.service: Failed with result 'exit-code'.
Okt 31 13:24:57 mypc systemd[1]: Failed to start systemd-cryptsetup@luks_home.service - Cryptography Setup for luks_home.
Okt 31 13:24:59 mypc systemd-cryptsetup[1726]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Okt 31 13:24:59 mypc systemd-cryptsetup[1726]: Too many attempts to activate; giving up.
Okt 31 13:24:59 mypc systemd[1]: systemd-cryptsetup@luks_4tb_ssd.service: Failed with result 'exit-code'.
Okt 31 13:24:59 mypc systemd[1]: Failed to start systemd-cryptsetup@luks_4tb_ssd.service - Cryptography Setup for luks_4tb_ssd.

antheas commented 3 weeks ago

Check permissions, also be careful about / in ostree. There are two roots and after boot you use the image one.

So it would be /sysroot/root/keys/secret.key

But yeah, it's a completely custom setup so it's on you.

Renner0E commented 1 week ago

I ended up moving my keyfiles into /etc/cryptsetup-keys.d/. I don't know if that is the correct place. I don't remember where I found it. So far I haven't had any issues. Will report back again if it breaks from F41 to F42.

Permissions are 700 root:root for the individual keyfiles
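
An added example, not part of the thread and not Bazzite or systemd code: a small audit that reads a crypttab and reports, per volume, whether the key file it names exists at that path and is closed to group and others, which are the two things the "key file ... missing" log lines and the permissions remark above turn on. The `root` and `expected_uid` parameters, the status strings, and the crypttab and key files built in `demo()` are constructed for illustration.

```python
import os
import tempfile

def parse_crypttab(text):
    """Yield (volume name, key file field) per entry; comments and blanks are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        yield fields[0], (fields[2] if len(fields) > 2 else "none")

def audit_keyfiles(crypttab_text, root="/", expected_uid=0):
    """Map each volume to prompt / missing / loose-permissions / wrong-owner / ok."""
    report = {}
    for name, keyfile in parse_crypttab(crypttab_text):
        prompts = keyfile in ("none", "-")
        if prompts:
            # crypttab(5): with no key file set, <name>.key is tried in this directory
            # (and in /run/cryptsetup-keys.d, not checked here) before prompting.
            keyfile = f"/etc/cryptsetup-keys.d/{name}.key"
        try:
            st = os.stat(os.path.join(root, keyfile.lstrip("/")))
        except FileNotFoundError:
            report[name] = "prompt" if prompts else "missing"
            continue
        if st.st_mode & 0o077:  # any access bit set for group or others
            report[name] = "loose-permissions"
        elif st.st_uid != expected_uid:
            report[name] = "wrong-owner"
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed layout: one 0600 key, one world-readable key, one absent key."""
    crypttab = (
        "# constructed sample, placeholder UUIDs\n"
        "luks_root    UUID=00000000-0000-0000-0000-000000000001 none discard\n"
        "luks_home    UUID=00000000-0000-0000-0000-000000000002 /etc/cryptsetup-keys.d/secret.key\n"
        "luks_4tb_ssd UUID=00000000-0000-0000-0000-000000000003 /root/keys/secret.key\n"
        "luks_6tb_hdd UUID=00000000-0000-0000-0000-000000000004 /etc/cryptsetup-keys.d/loose.key\n"
    )
    with tempfile.TemporaryDirectory() as root:
        keydir = os.path.join(root, "etc/cryptsetup-keys.d")
        os.makedirs(keydir)
        for fname, mode in (("secret.key", 0o600), ("loose.key", 0o644)):
            path = os.path.join(keydir, fname)
            with open(path, "wb") as fh:
                fh.write(os.urandom(32))
            os.chmod(path, mode)
        return audit_keyfiles(crypttab, root=root, expected_uid=os.getuid())
```

On a real system, run it as root with the contents of `/etc/crypttab` and the default `root="/"`; it reports the view from the booted system only, so a path that resolves after boot can still be absent at the moment the volume is unlocked.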