Hi. I have a LUKS encrypted disk on Tumbleweed that is mounted (on /data) on boot and currently unlocked by prompting for the password to be entered interactively.
I’m now testing performing the unlock using a key file.
I’ve created the key file and added it to a keyslot for the device.
If I specify the absolute path to the key file in /etc/crypttab it works fine:
data UUID=6e2089ea-ec52-4e33-a956-586c63ab54d0 /boot/efi/data.key
but if I specify a relative path and a device it does not:
data UUID=6e2089ea-ec52-4e33-a956-586c63ab54d0 /data.key:PARTUUID=7a8ef736-65e2-4dfd-ba7a-8c1838aeebf3
or:
data UUID=6e2089ea-ec52-4e33-a956-586c63ab54d0 /data.key:UUID=E1DA-2923
Some info:
mount | grep "/boot/efi"
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)

sudo fdisk -l /dev/sda | grep -E "type|sda1"
Disklabel type: gpt
/dev/sda1 2048 1050623 1048576 512M EFI System

sudo blkid | grep sda1
/dev/sda1: UUID="E1DA-2923" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="7a8ef736-65e2-4dfd-ba7a-8c1838aeebf3"

find /dev/disk/{by-partuuid,by-uuid} -ls | grep sda1
861 0 lrwxrwxrwx 1 root root 10 Jun 10 16:23 /dev/disk/by-partuuid/7a8ef736-65e2-4dfd-ba7a-8c1838aeebf3 -> ../../sda1
867 0 lrwxrwxrwx 1 root root 10 Jun 10 16:23 /dev/disk/by-uuid/E1DA-2923 -> ../../sda1
Man page references:
man crypttab:
3. The third field specifies an absolute path to a file with the encryption key. Optionally, the path may be followed by ":" and an /etc/fstab style device specification (e.g. starting with "LABEL=" or similar); in which case the path is taken relative to the specified device's file system root. If the field is not present or is "none" or "-", a key file named after the volume to unlock (i.e. the first column of the line), suffixed with .key is automatically loaded from the /etc/cryptsetup-keys.d/ and /run/cryptsetup-keys.d/ directories, if present. Otherwise, the password has to be manually entered during system boot. For swap encryption, /dev/urandom may be used as key file, resulting in a randomized key
man fstab:
The first field (fs_spec). This field describes the block special device, remote filesystem or filesystem image for loop device to be mounted or swap file or swap device to be enabled. For ordinary mounts, it will hold (a link to) a block special device node (as created by mknod(2)) for the device to be mounted, like /dev/cdrom or /dev/sdb7. For NFS mounts, this field is <host>:<dir>, e.g., knuth.aeb.nl:/. For filesystems with no storage, any string can be used, and will show up in df(1) output, for example. Typical usage is proc for procfs; mem, none, or tmpfs for tmpfs. Other special filesystems, like udev and sysfs, are typically not listed in fstab. LABEL=<label> or UUID=<uuid> may be given instead of a device name. This is the recommended method, as device names are often a coincidence of hardware detection order, and can change when other disks are added or removed. For example, 'LABEL=Boot' or 'UUID=3e6be9de-8139-11d1-9106-a43f08d823a6'. (Use a filesystem-specific tool like e2label(8), xfs_admin(8), or fatlabel(8) to set LABELs on filesystems). It’s also possible to use PARTUUID= and PARTLABEL=. These partitions identifiers are supported for example for GUID Partition Table (GPT). See mount(8), blkid(8) or lsblk(8) for more details about device identifiers. Note that mount(8) uses UUIDs as strings. The string representation of the UUID should be based on lower case characters. But when specifying the volume ID of FAT or NTFS file systems upper case characters are used (e.g UUID="A40D-85E7" or UUID="61DB7756DB7779B3").
I'm not sure if I've misunderstood the man pages, or if I'm not specifying the correct syntax in /etc/crypttab.
Does anyone have this working and, if so, could they point me in the correct direction?
Many thanks in advance.
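The crypttab(5) text quoted in the post defines the third field as `<path>[:<fstab-style device spec>]`. The script below is an added example, not part of the original post and not systemd's own generator code: it splits that field the way the man page describes (path before the last ":", device spec after it) and maps a `UUID=`, `PARTUUID=`, `LABEL=` or `PARTLABEL=` spec onto the `/dev/disk/by-*` symlink that udev creates, the same links the `find` output above shows for sda1. It reuses the UUIDs from the post in a constructed crypttab; the volume names other than `data`, the `/dev/sdb2` and `/dev/sdb3` devices and the `backup` entry are hypothetical. It only resolves the spec; it does not mount the filesystem or read the key, and it assumes the spec value itself contains no ":".

```shell
#!/bin/sh
# Added example (not from the original post, not systemd code): interpret the
# third field of /etc/crypttab per crypttab(5) and resolve the optional
# fstab-style device spec to its udev symlink.

# crypttab_key_path FIELD -> key path: everything before the last ':'
crypttab_key_path() {
    case "$1" in
        *:*) printf '%s\n' "${1%:*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# crypttab_key_device FIELD -> device spec after the last ':', or empty
crypttab_key_device() {
    case "$1" in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   printf '\n' ;;
    esac
}

# devspec_to_node SPEC -> udev symlink for UUID=/PARTUUID=/LABEL=/PARTLABEL=,
# the spec itself if it is already an absolute path, error otherwise.
devspec_to_node() {
    case "$1" in
        UUID=*)      printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        PARTUUID=*)  printf '/dev/disk/by-partuuid/%s\n' "${1#PARTUUID=}" ;;
        LABEL=*)     printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        PARTLABEL=*) printf '/dev/disk/by-partlabel/%s\n' "${1#PARTLABEL=}" ;;
        /*)          printf '%s\n' "$1" ;;
        *)           printf 'unsupported device spec: %s\n' "$1" >&2; return 1 ;;
    esac
}

# parse_crypttab FILE -> one line per entry: "<name> <keypath|-> <devnode|->"
# "-" for the key path means none/-/absent (prompt, or the
# /etc/cryptsetup-keys.d/<name>.key fallback described in crypttab(5)).
parse_crypttab() {
    while read -r name _device keyfield _opts; do
        case "$name" in ''|"#"*) continue ;; esac
        case "$keyfield" in ''|none|-) printf '%s - -\n' "$name"; continue ;; esac
        keypath=$(crypttab_key_path "$keyfield")
        keydev=$(crypttab_key_device "$keyfield")
        if [ -n "$keydev" ]; then
            node=$(devspec_to_node "$keydev") || return 1
            printf '%s %s %s\n' "$name" "$keypath" "$node"
        else
            printf '%s %s -\n' "$name" "$keypath"
        fi
    done < "$1"
}

# write_sample_crypttab FILE -> constructed sample (identifiers from the post;
# names other than "data", /dev/sdb2, /dev/sdb3 and "backup" are hypothetical)
write_sample_crypttab() {
    cat > "$1" <<'EOF'
# constructed sample crypttab
data        UUID=6e2089ea-ec52-4e33-a956-586c63ab54d0 /boot/efi/data.key
data_part   UUID=6e2089ea-ec52-4e33-a956-586c63ab54d0 /data.key:PARTUUID=7a8ef736-65e2-4dfd-ba7a-8c1838aeebf3
data_fsuuid UUID=6e2089ea-ec52-4e33-a956-586c63ab54d0 /data.key:UUID=E1DA-2923
swap        /dev/sdb2 /dev/urandom swap

backup      /dev/sdb3 none
EOF
}

# Stand-alone demo: write the sample, show how each entry is interpreted.
demo_file=$(mktemp)
write_sample_crypttab "$demo_file"
parse_crypttab "$demo_file"
rm -f "$demo_file"
```

For the two relative-path forms from the post, the resolved node is `/dev/disk/by-partuuid/7a8ef736-...` and `/dev/disk/by-uuid/E1DA-2923`, both of which the `find` output shows pointing at sda1; the key path `/data.key` is then relative to that filesystem's root, i.e. the file that is `/boot/efi/data.key` once sda1 is mounted.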