
On Debian, how can I instruct clevis/initramfs to unlock two LUKS devices before booting?

I currently have both devices configured to be unlocked through TPM2, which is correctly configured as I can regenerate the bindings without having to provide the volume password.

    ~# clevis luks regen -d /dev/nvme0n1 -s 1
    Regenerating binding (device /dev/nvme0n1, slot 1):
    Pin: tpm2, Config: '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"REDACTED"}'
    Do you want to proceed? [ynYN] y
    Binding regenerated successfully
    ~# clevis luks regen -d /dev/nvme1n1p3 -s 0
    Regenerating binding (device /dev/nvme1n1p3, slot 0):
    Pin: tpm2, Config: '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"REDACTED"}'
    Do you want to proceed? [ynYN] y
    Binding regenerated successfully

Within the /etc/crypttab, both devices are listed and the UUID matches the crypto_LUKS devices in blkid. Using update-initramfs -u does not complain about missing references.

    nvme0n1_crypt   UUID=REDACTED none luks,discard
    nvme1n1p3_crypt UUID=REDACTED none luks,discard

However, whenever I boot, only the second device nvme1n1p3_crypt is automatically decrypted, without the first device being mentioned at all. After a while, the boot fails with the following message.

    Please unlock disk nvme1n1p3_crypt:
    cryptsetup: nvme1n1p3_crypt: set up successfully
    Gave up waiting for suspend/resume device
    Gave up waiting for root file system device. Common problems:
    ...
    (initramfs)

From there, I have to manually open the second device before proceeding.

    (initramfs) cryptsetup luksOpen /dev/nvme0n1 nvme0n1_crypt
    Enter passphrase for /dev/nvme0n1: # Provided passphrase
    (initramfs) exit
    /dev/mapper/lab--vg-root: clean, REDACTED files, REDACTED blocks

The devices are set up as follows:

    ~# lsblk
    NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
    nvme0n1                     259:0    0 -----  0 disk
    └─nvme0n1_crypt             252:1    0 -----  0 crypt
      ├─lab--vg-data_tmeta      252:4    0 -----  0 lvm
      │ └─lab--vg-data-tpool    252:6    0 -----  0 lvm
      │   ├─lab--vg-data        252:7    0 -----  1 lvm
      │   └─...                 252:22   0 -----  0 lvm
      └─lab--vg-data_tdata      252:5    0 -----  0 lvm
        └─lab--vg-data-tpool    252:6    0 -----  0 lvm
          ├─lab--vg-data        252:7    0 -----  1 lvm
          └─...                 252:22   0 -----  0 lvm
    nvme1n1                     259:1    0 -----  0 disk
    ├─nvme1n1p1                 259:2    0 -----  0 part  /boot/efi
    ├─nvme1n1p2                 259:3    0 -----  0 part  /boot
    └─nvme1n1p3                 259:4    0 -----  0 part
      └─nvme1n1p3_crypt         252:0    0 -----  0 crypt
        ├─lab--vg-root          252:2    0 -----  0 lvm   /
        ├─lab--vg-swap_1        252:3    0 -----  0 lvm   [SWAP]
        ├─lab--vg-data_tmeta    252:4    0 -----  0 lvm
        │ └─lab--vg-data-tpool  252:6    0 -----  0 lvm
        │   ├─lab--vg-data      252:7    0 -----  1 lvm
        │   └─...               252:22   0 -----  0 lvm
        └─lab--vg-data_tdata    252:5    0 -----  0 lvm
          └─lab--vg-data-tpool  252:6    0 -----  0 lvm
            ├─lab--vg-data      252:7    0 -----  1 lvm
            └─...               252:22   0 -----  0 lvm

    ~# uname -a
    Linux lab 6.8.12-4-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-4 (2024-11-06T15:04Z) x86_64 GNU/Linux

1 Answer


To have initramfs unlock arbitrary devices, the initramfs option can be used in the /etc/crypttab file.

    nvme0n1_crypt   UUID=REDACTED none luks,discard,initramfs
    nvme1n1p3_crypt UUID=REDACTED none luks,discard,initramfs

As per the crypttab(5) manual:

initramfs
The initramfs hook processes the root device, any resume devices and any devices with the initramfs option set. These devices are processed within the initramfs stage of boot. As an example, that allows the use of remote unlocking using dropbear.

This option is specific to the Debian crypttab format. It's not supported by systemd.
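As an added example (not part of the question or the answer), a small POSIX shell lint that reads a Debian-style crypttab, reports the entries lacking the initramfs option, and prints a corrected copy; the sample crypttab is constructed to mirror the asker's, with placeholder UUIDs. After applying such a change to the real /etc/crypttab, update-initramfs -u still has to be run, as the asker already does.

```shell
#!/bin/sh
# Added example (not from the question or answer): lint a Debian-style
# /etc/crypttab so every entry that must be opened in the initramfs carries
# the "initramfs" option, and emit a corrected copy.
set -f  # no pathname expansion, so "set -- $line" below only splits fields

# Constructed sample mirroring the asker's crypttab; UUIDs are placeholders.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
nvme0n1_crypt   UUID=REDACTED none luks,discard
nvme1n1p3_crypt UUID=REDACTED none luks,discard,initramfs'

# has_option OPTIONS NAME: true if NAME is a whole item of the comma list
# (so "initramfs" does not match "noinitramfs").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_initramfs: crypttab on stdin -> target names lacking "initramfs".
missing_initramfs() {
    while read -r name source keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        has_option "$options" initramfs || printf '%s\n' "$name"
    done
}

# add_initramfs: crypttab on stdin -> same crypttab with ",initramfs"
# appended where missing; comments and blank lines pass through.
add_initramfs() {
    while IFS= read -r line; do
        set -- $line   # $1 target, $2 source, $3 key file, $4 options
        case "$1" in ''|'#'*) printf '%s\n' "$line"; continue ;; esac
        if has_option "$4" initramfs; then
            printf '%s\n' "$line"
        else
            printf '%s %s %s %s\n' "$1" "$2" "$3" "${4:+$4,}initramfs"
        fi
    done
}

# Stand-alone run: report, then show the corrected file.
printf '%s\n' "$SAMPLE_CRYPTTAB" | missing_initramfs
printf '%s\n' "$SAMPLE_CRYPTTAB" | add_initramfs
```

The lint flags every entry without the option, so judge its list against lsblk: only devices the root file system, the resume device or the root VG depend on (here the thin pool that spans both disks) actually need to be opened in the initramfs.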
