Need some help with LUKS encryption and automounting with fstab

Hi Everyone! I am on SLES12.5 and could use some serious help.
I was given an existing golden image and told to set up data-at-rest encryption on the /home directory and /DATA (our custom data dir). It was also requested that I not use a keyfile but make the user enter the password on boot. I did not want to break the system, so I decided I would create a new partition for /home and start from there. It ended up being sda9. I used LUKS to encrypt the partition, opened the partition, and mounted it manually successfully.

I created the entry in the /etc/crypttab file as follows:

luksHome /dev/sda9 none luks

I created the entry in the /etc/fstab file as follows:

/dev/mapper/luksHome /mnt ext4 nosuid,nodev,acl,user_xattr 1 2

I ensured the boot.crypto init script was installed from here and was enabled:
OpenSuse boot.crypto github

The system starts to boot normally, and pauses during boot to ask me to enter the encryption passphrase. Upon successfully entering the passphrase, boot continues and does the following:

WARNING: Locking directory /run/cryptsetup is missing!
Enter passphrase for /dev/sda9: You are in emergency mode after login type journalctl -xb to view system logs.

Trying to enter the passphrase just reprompts for the passphrase. If you get it wrong 3 times, it will then let you log in as the root user like normal rescue mode.
Running an ll on /dev/mapper to find luksHome, you can see it hasn't unlocked and mapped the drive yet.

ll /dev/mapper/
control

If I then go and comment out the fstab entry for /dev/mapper/luksHome and reboot, the system boots as expected. It pauses booting to ask for the password and continues to boot successfully. Once logged into the OS, I open a terminal, su to root, and run the ll on /dev/mapper again.

ll /dev/mapper/
control
luksHome

Can anyone at all tell me what I am doing wrong? I am almost positive it is in the /etc/fstab entry, but the entry looks OK and I have even tried the entry as follows with no success. This stuff is usually my bread and butter, so saying I have reached peak frustration is an understatement.

/dev/mapper/luksHome			  /testluksmnt	       ext4	  defaults			     1 2

Thanks again!
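
The crypttab and fstab entries quoted in the post above can be cross-checked with a small script. This is an added example, not part of the original thread: the function names are made up here, the sample files are constructed from the two quoted lines, and it assumes every /dev/mapper/ source in fstab is a LUKS mapping (an LVM volume listed that way would be reported as missing).

```shell
#!/bin/sh
# Added example, not from the thread. File paths are arguments so the check
# can run against copies of /etc/crypttab and /etc/fstab.

# Print "name device keyfile options" for mapping $2 in crypttab file $1.
crypttab_entry() {
    awk -v name="$2" '$1 !~ /^#/ && $1 == name { print $1, $2, $3, $4; exit }' "$1"
}

# Print every NAME that fstab file $1 mounts as /dev/mapper/NAME.
fstab_mapper_names() {
    awk '$1 !~ /^#/ && $1 ~ /^\/dev\/mapper\// { sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$1"
}

# check_luks_config CRYPTTAB FSTAB
# Returns non-zero if a mapped device has no crypttab entry or uses a key file
# (assumed policy, taken from the post: passphrase at boot, no key file).
check_luks_config() {
    crypttab=$1; fstab=$2; status=0
    for name in $(fstab_mapper_names "$fstab"); do
        entry=$(crypttab_entry "$crypttab" "$name")
        if [ -z "$entry" ]; then
            echo "MISSING $name: in fstab but not in crypttab"
            status=1
            continue
        fi
        set -- $entry            # $2 = device, $3 = key file field
        case "${3:-none}" in
            none|-) echo "OK $name: $2 unlocked by passphrase prompt" ;;
            *)      echo "KEYFILE $name: $2 uses key file $3"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample files mirroring the two entries quoted in the post.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'luksHome /dev/sda9 none luks' > "$dir/crypttab"
    printf '%s\n' '/dev/mapper/luksHome /mnt ext4 nosuid,nodev,acl,user_xattr 1 2' > "$dir/fstab"
    check_luks_config "$dir/crypttab" "$dir/fstab"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

A clean result here only shows that the two files agree with each other; it says nothing about whether the mapping is opened before the mount is attempted during boot.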

This is the openSUSE forum and not the SLES/SLED forums.

We don’t really know what you did, so we cannot guess what you did wrong.

Have you tried rebuilding the “initrd”? I’m not sure whether that is needed for encrypted “/home”, but it won’t hurt to try.

Hi and welcome to the OpenSuse forums :slight_smile:

Could you provide the outputs of:

cryptsetup open /dev/sda9 luksHome
cryptsetup status luksHome
lsblk -f
# with the fstab entry for the encrypted dir uncommented
mount -av

Do they have a forum? Seems like anyone not having a support contract is on their own. :crying_cat_face:

Why not do some basic research before asking? It helps! Really!

Right there on the SUSE Customer Center Page, Clearly marked as “Forum”
https://scc.suse.com/home

Why would the openSUSE Community, which is largely volunteers, be responsible for answering questions about a Paid Product, that has its own Forums?


Why are you asking me?

I only make the OP aware of the fact that this is not the place for SLED/SLES questions. I assume he is perfectly able to find the place where to go for the products he has. And when you are interested in those places then search for yourself. Can not be that difficult.

@pavinjoseph they have, before openSUSE even… It’s been through a few name changes and iterations, but now at Rancher as indicated by @sfalken


Ah, thanks both of you! I would never have guessed the forums for SLE would be colocated with Rancher, priorities I suppose :smiling_face_with_tear:

Hi, thanks for the response!
Unfortunately the system only goes to rescue if I uncomment the fstab entry.
I will have access to the system again tomorrow and I will share what I get from those commands then.

The Rancher forum is incredibly inactive, so I really appreciate your help :slight_smile:

Comment out the offending fstab entry and complete the normal bootup, then uncomment and mount -av, would be good to see the actual error message for why it fails, it should prompt you to check dmesg as well on failing.

Glad to be of help! :innocent:

@RobKSim Not really, if one doesn’t post then it won’t get noticed by SUSE or Forum Users

Did you browse the documentation at https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-cryptofs.html?

@pavinjoseph these Forums are for openSUSE users, SUSE product users are encouraged to use the appropriate support medium (Forums, Support Ticket etc) provided by the openSUSE Project sponsors.

Sorry, to an outsider like me it looks the same.
Every single key person I’ve interacted with (Forums, Bugzilla, Github) was a paid employee of SUSE who also just happened to be contributing to OpenSuse.
I’ve yet to see someone who’s not :wink:

@pavinjoseph Not me, never have been… I’m active in both SUSE and openSUSE products though.

Yes, I did. Read through the documentation and walked through the process.

Comment out the offending fstab entry and complete the normal bootup, then uncomment and mount -av , would be good to see the actual error message for why it fails, it should prompt you to check dmesg as well on failing

It has no problem mounting to /mnt.

Rebooting with the line uncommented returns me back to maintenance mode.

I’ve never received dime one from SUSE S.A. for work on openSUSE or otherwise. Neither have most of the developers that I’m aware of.


You contribute to OpenSuse on your own time and work for … (SUSE LLC)?

Ah okay, so no problem with the mount then :white_check_mark:

Seems like an unrelated problem. Check the journal logs for any priority 3 errors and failed units:

journalctl -p3 -b
systemctl --failed

I do not. I’ve never been employed by SUSE, under any name.
