[pkg-cryptsetup-devel] Bug#914458: cryptsetup-initramfs: Unable to open the LUKS system container at boot with the right password 6 times

Mikhail Morfikov mmorfikov at gmail.com
Fri Nov 23 16:05:13 GMT 2018


Package: cryptsetup-initramfs
Version: 2:2.0.5-1
Severity: important

Dear Maintainer,

I have the whole /boot/ partition on an external USB drive. I also have the
LUKSv2 header detached from the system container and also placed inside of that
external USB drive. So, to open my laptop, I have to connect the USB device (my
phone) first. In order to make this work, I had to write a script and put it in
the /etc/initramfs-tools/scripts/local-block/mount-boot file. Here's the file.

===========================================
#!/bin/sh
PREREQ=""
prereqs()
{
   echo "$PREREQ"
}

case $1 in
prereqs)
   prereqs
   exit 0
   ;;
esac

# source for log_*_msg() functions, see LP: #272301
. /scripts/functions

# Default PATH differs between shells, and is not automatically exported
# by klibc dash.  Make it consistent.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

[ -d /boot ] || mkdir -m 0755 /boot

mount -t ext4 -o ro /dev/disk/by-uuid/6f3b0020-0491-4a12-98ca-c97a7a80f5b7 /boot

exit 0
===========================================

This setup was working well for some time, but it's not working as well as
before, and I don't really know exactly when it stopped working. I thought the
situation was temporary, but it looks like it's not.

When I boot my system, I get a prompt for the password, so I type it correctly,
and my system is unable to open the encrypted system container. No matter what I
do, the first 6 tries always fail -- I can type whatever, or even leave it empty
and just press enter. The 7th time works, and everything goes back to normal. For
some time I thought it's a really nice security feature, but I'm getting tired
of it. :D

Looking for some answers, I found this:
1. When the system with a detached LUKS header boots, it looks for the external
USB device. The device isn't available when the first password prompt shows. In
the earlier version (when everything was working well), some errors were
printed on the screen when the system was probing for the external USB device
(because of the /etc/initramfs-tools/scripts/local-block/mount-boot file). It
was saying something about "Error LUKS header missing" several times, one after
another till I got the password prompt. Now, only the first error is printed,
but after that, it stops, and it doesn't probe for the USB device till I type
some password.
2. When I type the password 3 times, I can see "Running /script/local-premount".
Some messages also are written to the screen, and then I see "Running
/scripts/local-block", and boot hangs again waiting for another password.
3. Also after those 3 bad passwords, I get the message "maximum numbers of
tries exceeded". Usually this should lock the user from typing another password
for 60s or something, but in this case it doesn't do that.
4. After another 3 tries, I can see another "Running /scripts/local-block" and
some other messages are displayed, including also another "maximum numbers of
tries exceeded" also without preventing the user from typing another password.
5. So, after those 6 tries, when I try for the 7th time, it finally works, and
my system is able to decrypt the encrypted system container.

So where's the problem? Why is it not working well now, when it was working in
the past?



-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (130, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.27.2-3
ii  cryptsetup-run                          2:2.0.5-1
ii  initramfs-tools [linux-initramfs-tool]  0.132

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.187
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.
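
The hook in the report runs from `local-block`, which initramfs-tools may invoke more than once while waiting for devices, and the report notes that the USB device is not present at the first prompt. The following is an added example, not part of the original report and not a diagnosis of this bug: a hook body that is safe to re-run and distinguishes "device not there yet" from "mount failed". The names `mount_boot` and `is_mounted` and the overridable `BOOT_DEV`, `BOOT_MNT` and `MOUNTS_FILE` variables are assumptions; the UUID is the one from the report.

```shell
#!/bin/sh
# Added example: re-runnable body for a local-block hook that mounts /boot.
# The prereqs boilerplate from the original script is omitted here.
# BOOT_DEV, BOOT_MNT and MOUNTS_FILE are hypothetical knobs (overridable).

BOOT_DEV="${BOOT_DEV:-/dev/disk/by-uuid/6f3b0020-0491-4a12-98ca-c97a7a80f5b7}"
BOOT_MNT="${BOOT_MNT:-/boot}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Return 0 if something is already mounted on "$1" according to $MOUNTS_FILE.
is_mounted() {
    while read -r _dev mnt _rest; do
        [ "$mnt" = "$1" ] && return 0
    done < "$MOUNTS_FILE"
    return 1
}

# Return codes:
#   0  /boot is mounted (now, or by an earlier invocation of the hook)
#   1  block device has not appeared yet; a later invocation can retry
#   2  device is present but creating the mount point or mounting failed
mount_boot() {
    # Earlier pass already succeeded: do not try to mount a second time.
    is_mounted "$BOOT_MNT" && return 0

    # The by-uuid symlink only exists once udev has seen the USB disk;
    # -b follows the symlink and checks for a block device.
    [ -b "$BOOT_DEV" ] || return 1

    [ -d "$BOOT_MNT" ] || mkdir -m 0755 "$BOOT_MNT" || return 2
    mount -t ext4 -o ro "$BOOT_DEV" "$BOOT_MNT" || return 2
    return 0
}

# In the hook itself this would be followed by, for example:
#   mount_boot; rc=$?
#   [ "$rc" -eq 2 ] && echo "mount-boot: mounting $BOOT_DEV failed" >&2
#   exit 0
```

The hook still ends with `exit 0` as in the original, so a missing device does not abort the boot sequence; the return code only decides what gets logged.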






