Added comment that LUKS2 can't be used.
ei-ke committed Dec 10, 2018
1 parent 57ce14b commit 681e58b6689acda6a957e325f12e7b748faa8330
Showing 1 changed file with 2 additions and 1 deletion.
@@ -29,8 +29,9 @@ CARD_DEVICE="" # device name /dev/sdx of your SD card to burn directly to the

CRYPTROOT_ENABLE=no # enable root filesystem encryption using LUKS
CRYPTROOT_PARAMETERS="" # optionally: change cryptsetup's defaults like cipher, hash etc.
# Currently only LUKS1 is supported, so don't use --type luks2
CRYPTROOT_PASSPHRASE="MYSECRETPASS" # enter the encryption passphrase (can also be changed later on the CLI)
CRYPTROOT_SSH_UNLOCK=no # enable dropbear to unlock your device via SSH
# if you have an SSH public key store it in userpatches/dropbear_authorized_keys
# otherwise a new SSH key will be created and stored beside the OS image
CRYPTROOT_SSH_UNLOCK_PORT=2022 # dropbear SSH port
CRYPTROOT_SSH_UNLOCK_PORT=2022 # dropbear SSH port
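Review bot: the new comment line under CRYPTROOT_PARAMETERS documents a restriction without enforcing it; the variable is free-form text handed to cryptsetup, so a value containing `--type luks2` produces no build-time error. Consider either shipping an explicit default such as `CRYPTROOT_PARAMETERS="--type luks1"` or rejecting a value that contains `luks2` in the build script, and record why LUKS2 is unsupported so the comment can be retired once it is. Also, the last two lines of the hunk (`CRYPTROOT_SSH_UNLOCK_PORT=2022 # dropbear SSH port`) read identically here, so the one-deletion/one-addition pair counted in the summary presumably differs only in whitespace; worth confirming that was intended.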

6 comments on commit 681e58b

@zciendor (Contributor) commented on 681e58b Jan 18, 2020

LUKS2 is the default with Debian Buster now (see https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html#cryptsetup-luks2). So even if you leave CRYPTROOT_PARAMETERS empty, LUKS2 will be used.

@ei-ke what's the specific issue you observed/faced with LUKS2 that led you to add this comment? On my end it works fine with LUKS2. I can unlock and boot without problems. Only automatic resizing of the root partition on first-run doesn't work currently because cryptsetup resize asks for the passphrase with LUKS2. And since it was started by a system service the user isn't asked to enter the passphrase, hence resize can't continue.

So from my observation LUKS2 works, but you have to manually resize the root partition after first boot. Anyway, if you want LUKS1 you have to specify CRYPTROOT_PARAMETERS="--type luks1" explicitly.

@igorpecovnik (Member) commented on 681e58b Jan 18, 2020

So from my observation LUKS2 works, but you have to manually resize the root partition after first boot. Anyway, if you want LUKS1 you have to specify CRYPTROOT_PARAMETERS="--type luks1" explicitly.

Shall we then change defaults to "--type luks1" and adjust text?

@ei-ke (Contributor, Author) commented on 681e58b Jan 18, 2020

what's the specific issue you observed/faced with LUKS2 that led you to add this comment?

Honestly I can't remember. Maybe resize was not working (didn't try it manually, would need to look how to do it) or it got stuck during the resize task.
If it's still possible to build armbian with stretch I'll try it again and see what the issue was. But if it's working with manual intervention we should set the default to luks1 and maybe add a hint to a short howto for those who want to manually resize their partition.

Further it would be good to know if manual resize also works with only the boot partition on SD and root on HDD (that's how I did it)

@zciendor (Contributor) commented on 681e58b Jan 19, 2020

Shall we then change defaults to "--type luks1" and adjust text?

But we have to be careful. Seems like the --type luks1 parameter is only available since cryptsetup 2.1.0 (in buster). To maintain backwards compatibility this needs to be a distribution/release specific default.

@ei-ke (Contributor, Author) commented on 681e58b Jan 19, 2020

I've just built with

CRYPTROOT_ENABLE=yes			# enable root filesystem encryption using LUKS
CRYPTROOT_PARAMETERS="--type=luks2 --use-random --cipher=serpent-xts-plain64 --key-size=512 --hash=sha512"			# optionally: change cryptsetup's defaults like cipher, hash etc.
					# Currently only LUKS1 is supported, so don't use --type luks2
CRYPTROOT_PASSPHRASE="MYSECRETPASS"	# enter the encryption passphrase (can also be changed later on the CLI)
CRYPTROOT_SSH_UNLOCK=yes			# enable dropbear to unlock your device via SSH
					# if you have an SSH public key store it in userpatches/dropbear_authorized_keys
					# otherwise a new SSH key will be created and stored beside the OS image
CRYPTROOT_SSH_UNLOCK_PORT=2222		# dropbear SSH port
RELEASE="stretch"
./compile.sh  BOARD=odroidxu4 BRANCH=legacy RELEASE=stretch BUILD_MINIMAL=no BUILD_DESKTOP=no KERNEL_ONLY=no KERNEL_CONFIGURE=no  info

The install.log contains

Preparing to unpack .../linux-image-legacy-odroidxu4_19.11.9_armhf.deb ...
Unpacking linux-image-legacy-odroidxu4 (19.11.9) ...
Setting up linux-image-legacy-odroidxu4 (19.11.9) ...
update-initramfs: Generating /boot/initrd.img-4.14.165-odroidxu4
cryptsetup: WARNING: failed to detect canonical device of /dev/mmcblk0p1
cryptsetup: WARNING: could not determine root device from /etc/fstab
cryptsetup: WARNING: failed to detect canonical device of /dev/mmcblk0p2
Warning: couldn't identify filesystem type for fsck hook, ignoring.

But maybe this warning is okay - never had a look into the install.log before.

Trying to unlock via SSH gives me a "cryptsetup: armbian-root set up successfully". HDMI output shows "cryptsetup (armbian-root): unknown fstype, bad password or options?"
I think when I introduced the CRYPTROOT_PARAMETERS I didn't hook up the device via HDMI.

The created image does contain a LUKS2 partition that I can access on my PC.

@Legogris (Contributor) commented on 681e58b Feb 26, 2021

@ei-ke (And anyone else intending to override CRYPTROOT_PARAMETERS): There's a gotcha here:

CRYPTROOT_PARAMETERS="--type=luks2 --use-random --cipher=serpent-xts-plain64 --key-size=512 --hash=sha512"

This will not get parsed properly by the build script since it contains = signs inside the value - Armbian build parameters set via cli args must not contain equals characters. This should work:

CRYPTROOT_PARAMETERS="--type luks2 --use-random --cipher serpent-xts-plain64 --key-size 512 --hash sha512"
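
To show why the first form of the value breaks and the second survives, here is an added illustration (not Armbian's compile.sh; both parsing functions and the check are hypothetical) that feeds the two CRYPTROOT_PARAMETERS strings from this thread through a split-on-every-`=` parser and a split-on-first-`=` parser:

```shell
#!/bin/sh
# Added illustration, not Armbian's own build code. Two hypothetical ways of
# splitting a KEY=value command-line argument, fed the exact values from the
# thread above.

# Naive split: every '=' is a field separator, so the value stops at its
# first '=' and the rest of the options are silently dropped.
parse_naive() {
    IFS='=' read -r key value _rest <<EOF
$1
EOF
    printf '%s|%s\n' "$key" "$value"
}

# Robust split: strip from the first '=' onward for the key and keep
# everything after the first '=' for the value, so embedded '=' survive.
parse_first_eq() {
    key=${1%%=*}
    value=${1#*=}
    printf '%s|%s\n' "$key" "$value"
}

# Constructed from the thread: the value with '=' inside (breaks) ...
ARG_BAD='CRYPTROOT_PARAMETERS=--type=luks2 --use-random --cipher=serpent-xts-plain64 --key-size=512 --hash=sha512'
# ... and the equivalent space-separated form (works).
ARG_OK='CRYPTROOT_PARAMETERS=--type luks2 --use-random --cipher serpent-xts-plain64 --key-size 512 --hash sha512'

# Hypothetical guard a build script could apply before accepting an override:
# succeeds only when the part after the first '=' contains no further '='.
value_has_no_equals() {
    case "${1#*=}" in
        *=*) return 1 ;;
        *)   return 0 ;;
    esac
}

parse_naive "$ARG_BAD"      # prints CRYPTROOT_PARAMETERS|--type  (truncated)
parse_first_eq "$ARG_BAD"   # prints the full value intact
if value_has_no_equals "$ARG_BAD"; then echo "accepted"; else echo "rejected: '=' inside value"; fi
if value_has_no_equals "$ARG_OK"; then echo "accepted"; else echo "rejected: '=' inside value"; fi
```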
