Add encrypted device to encrypted BTRFS filesystem

iDesmI · February 18, 2021, 12:31pm

The filesystem is encrypted since the installation.
I want to add a device to later on turn it into a RAID.

I already tried this:

create new encrypted partition via YasT (LUKS1)
btrfs dev add /dev/mapper/{…} /

Then I rebooted, but it seems the decryption gets stuck. Booted a rescue disk, removed the new device from the BTRFS, and the system boots again just fine.

I used the same password to encrypt I used for the first device.
Help?

arvidjaar · February 18, 2021, 8:03pm

What makes you think so?

Help?

To offer any help you need to at least show something from your system that demonstrates the problem - logs, screenshot, photo - and provide details at which point it happens. We do not even know whether you are talking about root filesystem or not. If it is root, you would need to recreate initrd at the very least to make it aware of new encrypted partition.

iDesmI · February 18, 2021, 9:24pm

The fact that it doesn’t get past the loading screen, even after 20 minutes. Also, my disks don’t make reading noise as they always do otherwise.

you need to at least show something from your system that demonstrates the problem - logs, screenshot, photo - and provide details at which point it happens.

I’m going to post photos since I don’t know what are relevant logs for this case.
In order:
I insert the password for the first partition.

I insert the password for the second partition.

Everything’s okay till now.

Here’s I type the password once to unlock the swap partition, but the password is used for cr_root as well without additional input.

And this is the last screen I see. Doesn’t get through.

The filesystem is root. All I actually did was to open YaST Boot Loader and confirm new settings without changing anything. Does that recreate initrd as well or only runs grub2-mkconfig?

arvidjaar · February 19, 2021, 7:09am

no

or only runs grub2-mkconfig?

Yes.

To see more boot with “plymouth.enable=0” on kernel command line, this will show what systemd is waiting for. But if it is root filesystem, then the first step is to run mkinitrd. It may not be enough, depending on how smart dracut is, but we’ll see.

iDesmI · February 19, 2021, 10:58am

I did as suggested. Added a device, run mkinitrd, run grub2-mkconfig, reboot.

Please tell me if there are relevant logs I could share.

Svyatko · February 19, 2021, 7:00pm

CHeck /etc/crypttab - https://forums.opensuse.org/showthread.php/542818-encrypt-hdd

iDesmI · February 20, 2021, 3:17pm

/etc/crypttab

cr_root /dev/disk/by-uuid/bb26fb93-6b78-4760-9cc0-94133cc11223 none x-initrd.attach
cr_swap /dev/disk/by-uuid/0ca54c5e-a5b3-436f-975e-80af9cdc98a3

The recently added disk’s UUID isn’t displayed.
Here my /run/initramfs/rdsosreport.txt

arvidjaar · February 20, 2021, 8:02pm

And how are we supposed to know which device was recently added?

Here my /run/initramfs/rdsosreport.txt

This is probably

/dev/sda1: UUID="15b32c81-b723-43b3-bea5-7aa8a5e45901" TYPE="crypto_LUKS" PARTUUID="84493e6c-74b5-4ac0-b738-3f5ef3d53988"

dracut itself knows that it has to wait for this device

    5.895866] suse dracut-cmdline[207]: Using kernel command line parameters: rd.driver.pre=btrfs rd.luks.uuid=luks-15b32c81-b723-43b3-bea5-7aa8a5e45901 rd.luks.uuid=luks-0ca54c5e-a5b3-436f-975e-80af9cdc98a3 rd.luks.uuid=luks-bb26fb93-6b78-4760-9cc0-94133cc11223 root=/dev/mapper/cr_root rootfstype=btrfs

but systemd is not aware of this stored command line and so it does not generate corresponding unit to activate it

    7.563758] suse dracut-initqueue[473]: Failed to start systemd-cryptsetup@luks\x2d15b32c81\x2db723\x2d43b3\x2dbea5\x2d7aa8a5e45901.service: Unit systemd-cryptsetup@luks\x2d15b32c81\x2db723\x2d43b3\x2dbea5\x2d7aa8a5e45901.service not found.

You should add your LUKS device to /etc/crypttab, I would use the same options as for the original root device, and generate initrd again.

iDesmI · February 21, 2021, 10:39am

Done and worked!
The final table is:

cr_root  UUID=bb26fb93-6b78-4760-9cc0-94133cc11223  none  x-initrd.attach
cr_root1 UUID=15b32c81-b723-43b3-bea5-7aa8a5e45901  none  x-initrd.attach
cr_swap  UUID=0ca54c5e-a5b3-436f-975e-80af9cdc98a3

Solved. Thank you!

ramdomPTM · February 6, 2024, 8:34am

Hello, OP!

I want to add new a device to the existing encrypted btrfs root filesystem to expand my storage. The new device is a SD card formatted as LUKS2 encrypted btrfs, just as the root filesystem. After configuring /etc/sysconfig/fde-tools and /etc/crypttab following this thread and other instructions, I can now decrypt root and new device at boot time. After booting into system, now I have /dev/mapper/cr_root and /dev/mapper/cr_sdcard (the new device).

However, after I added the new device to /, the next boot would fail and boot into grub command line. Have you encountered this problem?

I can boot again if I remove the device from Live CD.

hcvv · February 6, 2024, 8:54am

Oh please, please. Do you really expect people to watch three year old threads to see if someone adds a question that might be remotely related?

People look at the titles of new threads to see if there is something they can help with.

So please start a new thread with the now relevant information about versions of software used, etc.