solution: luks setup without waiting for password

Thorsten Strusch strusch at ksan.de
Thu May 17 11:16:29 CEST 2018


Hello everybody,

On this mailing list I found a lot of clever things and learned
a ton about FAI, so I would like to post a solution as well.

My small backup servers have a LUKS-encrypted BTRFS on a software
RAID1 (just one encrypted partition for backup data).
Since they are sometimes restarted under external control, it must be
ensured that the password entry dialog does not delay or suppress a proper
boot process (a hardware token is not a solution here).

So I created
»/etc/systemd/system/systemd-cryptsetup@backup.service.d/override.conf«
with the following content:
 [Service]
 TimeoutSec=1
This overrides the settings of the runtime-generated
»/run/systemd/generator/systemd-cryptsetup@backup.service«.

Now the server no longer stops booting and waits forever for a
password to be entered.
The system sends a mail after booting; then we can either unlock
the partition via ssh or tty, or let nagios do this job via nrpe.
After that »urbackupsrv« can be started.

I also renamed the luks-target from crypt_dev_md3 to backup.

Here are the individual scripts:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
$ cat /srv/fai/config/disk_config/BACKUP
# 2 hard disks with RAID1, luks and btrfs on top

# <type> <mountpoint> <size>   <fs type> <mount options> <misc options>


disk_config disk1    disklabel:gpt-bios
primary  -           500     - -
primary  -           20G     - -
primary  swap         4G     swap sw,pri=1
primary  -           25G     - -
primary  -           50G-    - -

disk_config disk2    sameas:disk1

# preserve here with RAID starts again from 0, name the md device number,
# not the partition number
disk_config raid  fstabkey:uuid
raid1   /boot     disk1.1,disk2.1    ext4  rw,noatime
raid1   /         disk1.2,disk2.2    ext4  rw,noatime,errors=remount-ro
raid1   /var      disk1.4,disk2.4    ext4  rw,noatime
raid1   -         disk1.5,disk2.5    -     -

disk_config cryptsetup
luks:"secretPW"    -   /dev/md3    - - lukscreateopts="-c serpent-xts-plain64 -s 512 -h sha512"

disk_config btrfs fstabkey:label
btrfs single - /dev/mapper/crypt_dev_md3 rw,subvol=@/ createopts="-m single -L BACKUP"

$ cat /srv/fai/config/files/etc/systemd/system/systemd-cryptsetup@backup.service.d/override.conf/BACKUP
[Service]
TimeoutSec=1


$ cat /srv/fai/config/scripts/BACKUP/03-cryptsetuptimeout
#! /bin/bash
# rename crypt_dev_md3 to backup ( → /dev/mapper/backup )
sed -i 's/^crypt_dev_md3/backup/' /target/etc/crypttab
#
# override TimeoutSec=0 → 1 with the drop-in from the files tree
fcopy -Dv '/etc/systemd/system/systemd-cryptsetup@backup.service.d/override.conf'

I hope this helps somebody.

/thorsten
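As an added example (not part of the original post), here is the post-boot half of the procedure described above: a script that can be run by hand over ssh or called by NRPE to open the LUKS volume, mount the BTRFS and start urbackupsrv, and that also works as a Nagios check reporting how far the stack is up. /dev/md3, the mapper name backup, the mount options and the urbackupsrv service are taken from the post; the mountpoint /srv/backup, the KEYFILE variable and the script name backup-unlock are assumptions.

```shell
#!/bin/bash
# backup-unlock: unlock the LUKS volume after boot, mount the BTRFS and
# start urbackupsrv; usable over ssh or as an NRPE plugin.
# Added example, not from the original post. MD_DEV, MAPPER, MOUNT_OPTS and
# SERVICE come from the post; MNT and KEYFILE are assumptions.
set -u

MD_DEV=${MD_DEV:-/dev/md3}            # RAID1 device holding the LUKS header
MAPPER=${MAPPER:-backup}              # renamed crypttab target -> /dev/mapper/backup
MNT=${MNT:-/srv/backup}               # assumed mountpoint for the backup volume
MOUNT_OPTS=${MOUNT_OPTS:-rw,noatime,subvol=@/}   # mount options from the disk_config
SERVICE=${SERVICE:-urbackupsrv}

# Classify the volume. Prints exactly one of: locked, unlocked, mounted, running.
# Arguments: mapper-name mountpoint service-name
backup_state() {
  local mapper=$1 mnt=$2 service=$3
  [ -e "/dev/mapper/$mapper" ]                       || { echo locked;   return 0; }
  mountpoint -q "$mnt" 2>/dev/null                   || { echo unlocked; return 0; }
  systemctl is-active --quiet "$service" 2>/dev/null || { echo mounted;  return 0; }
  echo running
}

# Nagios plugin exit code for a state: OK (0) only when the service is up,
# WARNING (1) when the volume is open but the service is not, CRITICAL (2)
# while it is still locked, UNKNOWN (3) for anything else.
state_to_rc() {
  case $1 in
    running)          echo 0 ;;
    mounted|unlocked) echo 1 ;;
    locked)           echo 2 ;;
    *)                echo 3 ;;
  esac
}

# Open the LUKS device if it is not open yet. With KEYFILE set the key is
# read from that file; otherwise cryptsetup asks on the terminal, or reads
# the passphrase from stdin (up to the first newline) when there is no
# terminal, e.g. when it is piped in over ssh. It never goes on the command
# line, so it does not show up in ps output or shell history.
open_luks() {
  [ -e "/dev/mapper/$MAPPER" ] && return 0
  if [ -n "${KEYFILE:-}" ]; then
    cryptsetup open --key-file "$KEYFILE" "$MD_DEV" "$MAPPER"
  else
    cryptsetup open "$MD_DEV" "$MAPPER"
  fi
}

# Bring the stack up step by step; every step is skipped when already done,
# so the script can be re-run safely (NRPE may call it repeatedly).
unlock_backup() {
  open_luks || { echo "cryptsetup open $MD_DEV failed" >&2; return 2; }
  mountpoint -q "$MNT" 2>/dev/null \
    || mount -t btrfs -o "$MOUNT_OPTS" "/dev/mapper/$MAPPER" "$MNT" \
    || { echo "mount of /dev/mapper/$MAPPER on $MNT failed" >&2; return 2; }
  systemctl is-active --quiet "$SERVICE" \
    || systemctl start "$SERVICE" \
    || { echo "systemctl start $SERVICE failed" >&2; return 2; }
  return 0
}

main() {
  local state rc
  case ${1:-} in
    check)
      state=$(backup_state "$MAPPER" "$MNT" "$SERVICE")
      rc=$(state_to_rc "$state")
      echo "BACKUP $state - /dev/mapper/$MAPPER on $MNT, service $SERVICE"
      return "$rc" ;;
    unlock)
      unlock_backup ;;
    *)
      echo "usage: $0 check|unlock" >&2; return 3 ;;
  esac
}

# Dispatch only when called with an argument; sourcing the file just
# defines the functions.
if [ $# -gt 0 ]; then main "$@"; exit $?; fi
```

`backup-unlock check` is the NRPE command: it goes CRITICAL right after a reboot, which is the signal to run `ssh -t root@host backup-unlock unlock` (interactive prompt) or to feed the passphrase on stdin from a protected file. Note that the disk_config above carries the initial passphrase in clear text (`luks:"secretPW"`), so the FAI config space needs the same access restrictions as the key itself, and it is worth rotating that passphrase after installation with `cryptsetup luksChangeKey`.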