I followed a SUSE wiki to set up an encrypted area, now I cannot boot up the system.

OK so as usual I have probably screwed something up but it has been a while.

I was following this link
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.cryptofs.html

OK I did not recognise it was for Opensuse leap 15 but it worked when running

I was doing this section:
11.1.3 Creating an Encrypted Virtual Disk
Instead of encrypting an entire disk or partition, you can use YaST to set up a file-based encrypted virtual disk. It will appear as a regular file in the file system, but can be mounted and used like a regular folder. Unlike encrypted partitions, encrypted virtual disks can be created without re-partitioning the hard disk.
To set up an encrypted virtual disk, you need to create an empty file first (this file is called loop file). In the terminal, switch to the desired directory and run the touch FILE command (where FILE is the desired name, for example: secret). It is also recommended to create an empty directory that will act as a mount point for the encrypted virtual disk. To do this, use the mkdir DIR command (replace DIR with the actual path and directory name, for example: ~/my_docs).
To set up an encrypted virtual disk, launch YaST, switch to the System section, and start Partitioner. Switch to the Crypt Files section and press Add Crypt File. Enter the path to the created loop file into the Path Name of Loop File field. Enable the Create Loop File option, specify the desired size, and press Next. In the Mount Point field, enter the path to the directory that serves as a mount point (in this example, it is ~/my_docs). Make sure that the Encrypt Device option is enabled and press Next. Provide the desired password and press Finish.
And I did the above and it worked I had a file area that was encrypted, well I think it was, all signs were good and then I shut the PC down for the night to come back again in the morning.
Unfortunately the start up now basically hangs waiting for something to happen at:-
A start job is running for dev-mapper-cr_secret.device (Xmins Y s/no limit)

I get no prompt for any password that I would assume it is waiting for it just hangs there for hours if I let it!

So what can I do to get my system back, assistance would be appreciated.

The operating system was up to date a few days ago when I did this, it would normally just log me in, without password. Is there any way I can undo what I have done or even get the system booted?

Cheers

Adrian

I’m pulling this from memory on the single user mode. So, someone may correct me.

My assumption is it is waiting for a password.

My mount point in /etc/fstab became:


d3vnull@kvm:/etc> sudo grep secret /etc/fstab
/dev/mapper/cr_secret  /home/d3vnull/mnt/secret xfs        loop,nofail           0 0
d3vnull@kvm:/etc>

I also had to do a chown because YaST changed ownership:


d3vnull@kvm:/etc> sudo chown -R d3vnull:users ~/mnt

Interesting thing was following that process and doing a touch ~/mnt/secret/secret and then after the YaST partitioner there was no “secret” file.

Going back into YaST->System->Partitioner there were no Crypt Files listed.

Before it boots press ‘e’ go to the end of the line that starts with linux or linuxefi and add a 1 or a 3.
F10 or Ctrl-X

Once in single user you will need to remount the file system read/write. Something like:


mount -o remount,rw /

Edit your /etc/fstab and /etc/crypttab to remove the mount point to your mnt_doc

Reboot.

As to why yast failed I’d rather investigate on a 42.3 virtual system, but will try to take a look at it later :wink:

Scratch the didn’t create a “secret” file. It apparently did when I copied something to the directory.

In my directions change the 1 or 3 to init=/bin/bash at the end of the linux or linuxefi line.

OK sorry but I am failing on the most simple things.

Here is my Grub file after using ‘e’ hope I type it correctly!

setparams 'openSUSE Leap 42.3'
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 0cf74f6a-3542-4efc-aeb0-62babbfc1695
else
  search --no-floppy --fs-uuid --set=root 0cf74f6a-3542-4efc-aeb0-62babbfc1695
fi
echo 'Loading Linux 4.4.132-53-default…'
linux /boot/vmlinuz-4.4.132-53-default root=0cf74f6a-3542-4efc-aeb0-62babbfc1695 resume=/dev/sda1 splash=silent quiet showopts
echo 'Loading initial ram disk …'
initrd /boot/initrd-4.4.132-53

I have tried to type this as seen on the screen but not sure if the editing stands, but I tried 1 and 3 at the end of showopts such as

showopts 1
and
showopts 3

I still got the long waiting, so sorry I am not following you very well?

Adrian

Sorry just seen the amendment trying that now

This line change it to (see what I added on the end):


linux  /boot/vmlinuz-4.4.132-53-default root=0cf74f6a-3542-4efc-aeb0-62babbfc1695 resume=/dev/sda1 splash=silent quiet showopts init=/bin/bash

Once you edit the /etc/fstab and /etc/crypttab then reboot (Remember to do the mount remount command first on /).

Now here is where you went wrong.

~/my_doc is your mount point
If your file is “secret” it cannot be inside ~/my_doc.

So instead:


touch ~/secret # Or where ever you want your secret file
mkdir ~/my_doc

secret is the file you browse to and the complete path (e.g. /home/your_user/my_doc) is the mount point.

Finally you have to do a chown your_user:your_group my_doc as root to be able to write to it.

The system will prompt you for a password.

OK I got down to the stage where I was in root,

I did the entry

mount -o remount,rw /

I then navigated to /home/adrian and with ls could see a directory called locked and inside a file called secret.

Could you please elaborate for me on the next section how to remove the lines in fstab and crypttab, could I just use vi and add a : or a ; to rem out a line or is it # ?

Adrian

Ok do this:


cd /etc
cp fstab fstab.orig
cp crypttab crypttab.orig
vi fstab # scroll to the bottom. last line should be mounting your my_doc, or whatever directory you created. Delete it and save.
vi crypttab # scroll to the bottom. last line should be mounting your my_doc, or whatever directory you created. Delete it and save.

Then reboot and you are good.

Then try again. It does work :wink: The secret file just can’t be inside the directory you use as a mount point.

I recommend creating a /home/adrian/mnt directory and then create a directory inside /home/adrian/mnt (e.g. /home/adrian/mnt/my_doc). That way if you need to mount other things in the future you mount them under your /home/adrian/mnt directory.
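
An added example, not part of any post in this thread: a shell check that reads copies of crypttab and fstab and reports the layout mistake identified above (the loop file sitting inside its own mount point) together with entries that lack `nofail`/`noauto`. The function name and the sample entries are constructed for illustration; the paths mirror the ones mentioned in the thread.

```shell
# Added example (not from the thread). Sample entries below are constructed.
# audit_crypt_mounts CRYPTTAB FSTAB: print findings; return 1 if any, else 0.
audit_crypt_mounts() {
    crypttab=$1; fstab=$2; findings=0
    # crypttab fields: name  backing-file-or-device  key  options
    while read -r name backing key opts; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,nofail,*|*,noauto,*) ;;
            *) echo "crypttab: $name lacks nofail/noauto"
               findings=1 ;;
        esac
        # fstab fields: device  mount-point  fstype  options  dump  pass
        while read -r dev mnt fstype fopts rest; do
            [ "$dev" = "/dev/mapper/$name" ] || continue
            case $backing in
                "$mnt"/*) echo "layout: $backing is inside its mount point $mnt"
                          findings=1 ;;
            esac
            case ",$fopts," in
                *,nofail,*|*,noauto,*) ;;
                *) echo "fstab: $mnt lacks nofail/noauto"
                   findings=1 ;;
            esac
        done < "$fstab"
    done < "$crypttab"
    return "$findings"
}

# Constructed sample: the layout described as wrong, then the corrected one.
demo_dir=$(mktemp -d)
printf 'cr_secret /home/adrian/locked/secret none none\n' > "$demo_dir/crypttab.bad"
printf '/dev/mapper/cr_secret /home/adrian/locked ext4 defaults 0 0\n' > "$demo_dir/fstab.bad"
printf 'cr_secret /home/adrian/secret none nofail\n' > "$demo_dir/crypttab.ok"
printf '/dev/mapper/cr_secret /home/adrian/locked ext4 nofail 0 0\n' > "$demo_dir/fstab.ok"
audit_crypt_mounts "$demo_dir/crypttab.bad" "$demo_dir/fstab.bad" || echo "-> fix before rebooting"
audit_crypt_mounts "$demo_dir/crypttab.ok" "$demo_dir/fstab.ok" && echo "-> clean"
```

Run as root against the real files with `audit_crypt_mounts /etc/crypttab /etc/fstab` after YaST has written them and before the next reboot.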

OK Sir I thank you for your patience, I am working again, I edited the files and rebooted, then I was able to remove the file itself, not sure if I have lost the space or not but that I will check out when I can.

Partitioner is not showing any crypt files and the disks are sda overall, sda1 for swap and sda2 for / and the sizes match up.

I will have a play when I next feel brave and I will read your comments as well as the wiki I think I understand that the files should not be within the directory as I am setting the directory to be the mount point for the file.

It’s late and sleep once again calls.

Thank you.
Adrian

Happy to help. As long as you removed the secret file you have your space back.

Perhaps try using “ecryptfs” instead of what you previously tried.

OK, looks like the only time I get to play with these things is around midnight.
But!

I have it working.

As before from terminal in home directory

~> touch secret
~> mkdir locked

Then into yast and followed the instructions to create the loop file, gave it a reasonable size of around 3Gig used /home/adrian/locked as the mount point added the password and it created it.

Restart of the computer it asked for the password and booted up OK.
Looked in Dolphin (file manager) and locked now has a lost and found folder in it, looking good so far.
But could not place anything in the locked folder, checked permissions and found as suspected only root could access. So File manager super user mode selected the locked folder and changed user to adrian and groups to users, selected apply to all sub folders and OK.

Out of super user mode and back into standard file manager and stick some documents into my locked folder.

Reboot computer and just hit return when prompted for the password (5 times) and the computer moves on and boots up, nothing is shown in the locked folder. The secret is there as a 3 Gig file in my home, but again not accessible.

Reboot again this time give it the password, boots up and once again I can access the files I stuck in the locked encrypted folder.

Job done.

Thanks for the help looks like the wiki page needs to be amended slightly to change the permissions as suggested.

One happy novice.

Cheers

Adrian

I submitted the recommendation on the page the other night.

Glad you got this going.

It cannot be for Leap 15 because Leap 15 does not even have a Crypt Files section in Partitioner; rather, it is a bug in the documentation, which did not remove the obsolete section.

Anyway, I briefly tested it on Leap 42.3 using instructions on this page and it worked fine. I used paths directly under / (/test-crypt.img and /test-crypt for mount point). Using paths inside of separate filesystem may lead to problems due to systemd units dependencies; it is hard to say without more information.

Thanks for the info on LEAP 15. I’m pretty sure I made the recommendation on the old LEAP 42.3 docs, since we were playing with 42.3. I never even looked at LEAP 15 :wink: