Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
luks zfs initramfs and crypt_root
View unanswered posts
View posts from last 24 hours

Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message

Joined: 15 Aug 2004
Posts: 449

PostPosted: Tue Jun 06, 2017 8:01 am    Post subject: luks zfs initramfs and crypt_root Reply with quote

I use genkernel to create an initramfs that supports luks and zfs
genkernel --install --luks --zfs initramfs

The --luks parameter provides support for a kernel parameter called crypt_root and real_root. The problem is that I have more then one encrypted device that makes up the root. How can I express this fact with the crypt_root and real_root kernel params?

I have two drives that are luks encrypted using the same passphrase. /dev/sda1 and /dev/nvme0n1p2.


 livecd / # lsblk
sda           8:0    0 931.5G  0 disk 
└─sda1        8:1    0 931.5G  0 part 
  └─crypt2  252:1    0 931.5G  0 crypt
sdb           8:16   1   7.2G  0 disk 
└─sdb1        8:17   1   7.2G  0 part 
loop0         7:0    0     2G  0 loop 
nvme0n1     259:0    0   477G  0 disk 
├─nvme0n1p1 259:1    0   512M  0 part  /boot
└─nvme0n1p2 259:2    0 476.4G  0 part 
  └─crypt1  252:0    0 476.4G  0 crypt

Once decrypted the devices are striped vdevs and can be imported into a zpool called tank.

livecd / # zpool status
  pool: tank
 state: ONLINE
  scan: none requested

        NAME        STATE     READ WRITE CKSUM
        tank        ONLINE       0     0     0
          crypt1    ONLINE       0     0     0
          crypt2    ONLINE       0     0     0

errors: No known data errors

I would like to be able to configure grub2 so that the fact that there are multiple encrypted root devices is properly expressed and handled. For example:
linux   /vmlinuz-4.9.16-gentoo dozfs crypt_root=/dev/nvme0n1p2 real_root=/dev/mapper/crypt1 crypt_root=/dev/sda2 real_root=/dev/mapper/crypt2 root=ZFS=tank/root ro

I don't think that passing crypt_root twice is the answer of course. How can this be achieved?

-- EDIT #1 --
Is it possible to do what I want to do with device mapper multipath? I did not know about device mapper multipath when I wrote the above, but if I could somehow pass to the initramfs the multipath device then maybe it would know to scan the increments of the device.
Given that I have the following multi path device mapped
/dev/mapper/crypt1 and /dev/mapper/crypt2

would it be possible to set crypt_root=/dev/mapper/crypt perhaps? Or maybe even crypt_root=/dev/mapper/crypt{1,2}

I was told by someone on irc that with zfs I do not want to use real_root, just crypt_root and root params. So by using device mapper I might end up with something like this:
linux   /vmlinuz-4.9.16-gentoo dozfs crypt_root=/dev/mapper/crypt{1,2} root=ZFS=tank/root ro

But the above does not actually work, but I am wondering if something similar to that might be supported. There is no documentation on this that I can find.
Unanswered Post Initiative:
Back to top
View user's profile Send private message

Joined: 14 Jan 2016
Posts: 21
Location: Switzerland

PostPosted: Thu Aug 03, 2017 4:17 pm    Post subject: Reply with quote

If you don't insist on using genkernel to create the initramfs you could use sys-kernel/bliss-initramfs. An initramfs created with it is capable of decrypting multiple devices.

For instance, the cmdline for my raidz2 with 6 LUKS encrypted hard drives looks like this:

BOOT_IMAGE=/bzImage-zfs triggers=luks,zfs enc_drives=ID=ata-TOSHIBA_DT01ACA100_24E0V05MS,ID=ata-TOSHIBA_DT01ACA100_24E0A5YMS,ID=ata-TOSHIBA_DT01ACA100_24E0TBAMS,ID=ata-TOSHIBA_DT01ACA100_24E0KJLMS,ID=ata-Hitachi_HDT721010SLA360_STF607MH1HH7MW,ID=ata-TOSHIBA_DT01ACA100_24E0UE1MS enc_type=pass root=tresor/OS/rootvol usr=tresor/OS/usr initrd=/initrd-zfs

When the system boots up bliss-initramfs asks for your LUKS passphrase and then applies it to all drives indicated by the enc_drives option.
Back to top
View user's profile Send private message

Joined: 08 May 2004
Posts: 645
Location: Washington, DC

PostPosted: Thu Nov 09, 2017 2:28 pm    Post subject: Reply with quote

If you use genkernel or genkernel-next then instead of passing crypt_root use crypt_roots as follows:
crypt_roots=/dev/sda2 crypt_roots=/dev/sdb2

You can have only one real_root, but if you use software raid, then the two partitions will be opened and ready to be assembled by the raid software.
Back to top
View user's profile Send private message

Joined: 07 Jun 2011
Posts: 245

PostPosted: Fri Nov 10, 2017 8:24 pm    Post subject: Reply with quote

You could also use btrfs - nowadays a pretty reasonable replacement for zfs - and then multi disk root is possible by including the btrfs utility and running a btrfs device scan in the initramfs.

After that you don't need to pass multiple devices any more by kernel command line.

I personally have better experiences with better-initramfs than with genkernel.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum