Re: Add LUKS disk to an Raspberry Pi 4 install

[Lennart Poettering <lennart@xxxxxxxxxxxxxx>]

gOn Sa, 25.09.21 17:47, Barry Scott (barry@xxxxxxxxxxxxxxxx) wrote:

> [I originally ask this question on the Fedora ARM list, but got no reply]
>
> I'm trying to build a RPi4 system that uses a LUKS encrypted disk.
>
> But I cannot get the volume to be unlocked when the system boots.
>
> I have installed Fedora-Minimal-34-1.2.aarch64.raw.xz to with
> arm-image-installer --target=rpi4 and that boots.
>
> Then I have added a new partition to that sdcard that I setup using this
> command on a Fedora 34 x86_86 system.
>
> cryptsetup \
>        --type luks2 \
>        --cipher xchacha20,aes-adiantum-plain64 \
>        --hash sha256 \
>        --iter-time 5000 \
>        --pbkdf argon2i \
>            luksFormat ${DEVICE}
>
> I got these settings from a blog on setting up LUKS for debian on raspberry
> pi.
>
> I add an entry to /etc/crypttab for the volume.
>
> When I boot the system I am not prompted for the password to unlock the
> volume as I was expecting.
>
> Looking in journalctl -b 0 I see these lines:
>
> Apr 06 01:01:36 clef.chelsea.private systemd[1]: dev-disk-
> by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device: Job dev-
> disk-by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device/start
> timed out.

This suggests that the backing device name you specified in
/etc/crypttab doesn't match reality. i..e here you specified a device
node by the UUID of what's on it. (Presumably that's supposed to be
the UUID of the LUKS2 superblock?) And it doesn't appear to match what
is *actually* the UUID of your LUKS2 superblock?

Lennart

--
Lennart Poettering, Berlin