
Unencrypt volume


Postby aquilarubra » Thu Oct 23, 2014 7:07 pm

Now I am stuck. I decided to reinstall from my snapshot created from an encrypted filesystem, but with an unencrypted partition this time. I'm getting to the real issue of the busybox in virtualbox.

So, now, at boot, the system asks me for the passphrase to mount the encrypted partition that is now unencrypted. I hit enter a few times and it boots fine and mounts the unencrypted partition just fine. But the system is still fooled into thinking that it has to mount it as an encrypted partition.

How does refracta tools allow cryptsetup to start at boot?

How do I remove the /dev/mapper/... device that continues to think it is an encrypted partition while it's not?
aquilarubra
 
Posts: 39
Joined: Wed Sep 10, 2014 7:07 am

Re: Unencrypt volume

Postby aquilarubra » Thu Oct 23, 2014 8:40 pm

I managed to solve it, but I don't know what worked in the thousand commands I tried.

Maybe it is just the apt-get purge cryptsetup and apt-get install cryptsetup.

update-initramfs continues to complain, but system loads fine now, without requesting a password.

There was another file: etc/initramfs-tools/conf.d/resume contained the UUID of the swap file, which I also had encrypted. So, files causing problems are:

etc/crypttab
etc/initramfs-tools/conf.d/resume

etc/fstab gets cleaned in the snapshot. The other two should be taken care of. I also noticed that a change to the crypt things requires a reboot to see effects, which I did not do before. That's why, maybe, I was thinking it was not working, while it was.
aquilarubra
 
Posts: 39
Joined: Wed Sep 10, 2014 7:07 am

Re: Unencrypt volume

Postby fsmithred » Thu Oct 23, 2014 8:44 pm

Is there a crypttab file in the iso, and did you exclude it from being copied? The installer will create a crypttab if you choose to install to encrypted partitions. It will also create the encrypted partitions. Other than that, nothing else is done with cryptsetup or crypttab.

My wheezy on encrypted partitions has etc/init.d/cryptmount and cryptmount-early, which my unencrypted jessie installation does not have. They both have cryptdisks and cryptdisks-early. I don't know what they do.

Normally, I'd try this myself, but I'm kind of busy with other things right now. If you're patient, I'll eventually get a chance to really focus on it.

OK, you posted while I was composing. Thanks for all the feedback. I'll add those to the snapshot excludes file in the next version, which will probably be pretty soon.
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm

Re: Unencrypt volume

Postby aquilarubra » Fri Oct 24, 2014 10:39 am

In addition, after commenting out etc/initramfs-tools/conf.d/resume, you need to run

update-initramfs -u -k all

Otherwise, the initram goes into the snapshot and it will ask you for a password (and drop you into the busybox in virtualbox). Checked today. So, the 3 steps are:

exclude/delete: etc/crypttab
exclude/delete: etc/initramfs-tools/conf.d/resume
run: update-initramfs -u -k all

I can confirm that the snapshot copies the etc/crypttab and etc/initramfs-tools/conf.d/resume without taking care of them.
aquilarubra
 
Posts: 39
Joined: Wed Sep 10, 2014 7:07 am

Re: Unencrypt volume

Postby fsmithred » Fri Oct 24, 2014 7:26 pm

I tried it, but it's not working right.

I installed from a jessie snapshot to an encrypted partition (all this in virtualbox).
Booted into that installation, which worked correctly, then added crypttab and initramfs-tools/conf.d/resume (full path in both cases) to the excludes list. Ran 'update-initramfs -u' (I only have one kernel). Made a snapshot, tried to boot the snapshot, and it asks for the password. As you said, hit enter a few times and it continues to boot. The excluded files are not in the snapshot. What else needs to go?

What am I doing differently from you?
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm

Re: Unencrypt volume

Postby aquilarubra » Sun Oct 26, 2014 9:42 am

Oh... I ran so many commands that I lost track. What seems most obvious to me, now, is to purge cryptsetup before creating the snapshot.

I found myself having installed from the snapshot, burned on a DVD, created from the encrypted partition. My installation was on unencrypted partitions, but nevertheless it was asking me for the password of the old encrypted volume (even though it was now unencrypted).
I guess that purging and reinstalling cryptsetup did the job. But it seems that we will still wander in the dark. So close and so far.

P.S.: If you purge cryptsetup, run after that update-initramfs again. Most of the other commands I used are grub related (grub-install /dev/sda; grub-update). I found in many posts that older grub versions work. It seems an issue between grub and lvm2. Maybe grub stores something that needs to be reset too.
aquilarubra
 
Posts: 39
Joined: Wed Sep 10, 2014 7:07 am

Re: Unencrypt volume

Postby fsmithred » Sun Oct 26, 2014 1:55 pm

One problem with removing cryptsetup before making the snapshot is that it won't be available in the live-CD in case you want to mount an encrypted partition. That might be ok in some situations, but I need that ability, so...

Inside the initrd is conf/conf.d/cryptroot, which contains a line that describes the encrypted volume. I'm now testing what happens if I change that line from "target=<encrypted volume info, including device name>" to just "target="

I took the initrd.img from /home/work/myfs/boot, copied it to my user's home, unpacked it, edited the file, repacked it, copied it back to /home/work/myfs/boot/, and then ran refractasnapshot with the no_copy option (found in Setup, in the first screen).

If this works, I need to figure out a way to make the changes in the script, instead of doing all this manually. Or figure out where that file gets its information. I'm guessing it comes from crypttab, so maybe temporarily renaming crypttab and running update-initramfs in a chrooted work dir might do it.

Still squashing. I'll report back when the snapshot is finished and I see how it boots.
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm

Re: Unencrypt volume

Postby aquilarubra » Sun Oct 26, 2014 3:51 pm

That might be a good find. It could be that file being updated by my purge and reinstall of cryptsetup.

cryptroot is in:

/usr/share/initramfs-tools/scripts/local-block/cryptroot
/usr/share/initramfs-tools/scripts/local-top/cryptroot
/usr/share/initramfs-tools/hooks/cryptroot

Maybe you might want to check/blank those before running:

update-initramfs -u -k all

The file in the hooks directory looks the most promising.
aquilarubra
 
Posts: 39
Joined: Wed Sep 10, 2014 7:07 am

Re: Unencrypt volume

Postby fsmithred » Sun Oct 26, 2014 4:15 pm

It worked, sort of. I got the message "cryptsetup: source parameter missing." But I didn't get asked for the password.

Summary:

save_work="yes" in etc/refractasnapshot.conf, so that there's a copy of the filesystem to work with. You could alternately do it on the fly if you have edit_boot_menu="yes". Then, when the editor comes up with the boot menu, you go to another virtual console or terminal and work on the copied filesystem just before it gets squashed.

As unprivileged user:
The initrd you want to edit is at /home/work/iso/live/initrd.img
Copy it to your home. Make a new directory in your home and cd to it. Unpack the initrd with
fakeroot zcat ../initrd.img | cpio -i

Edit:
Delete conf/conf.d/cryptroot (and you won't get the error message about the missing parameter.)

Repack the initrd with
fakeroot find . -print0 | cpio -0 -H newc -o | gzip -c > ../initrd.nocrypt


Then as root, copy /home/<user>/initrd.nocrypt to /home/work/iso/live/initrd.img

Then run refractasnapshot with the no_copy option (or close the editor window if you paused the program to edit the boot menu.)

Bonus points if you make a backup copy of initrd.img in the iso/live/ folder and create an extra boot menu entry to use that initrd, in case the repacked one doesn't work.

Obviously, this isn't exactly right, or I wouldn't be getting that error message, but I think we're getting close.
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm
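
The three leftovers identified in this thread (etc/crypttab, etc/initramfs-tools/conf.d/resume, and conf/conf.d/cryptroot inside the initrd) can be checked in one pass before a snapshot is built. This is an added example, not part of the original posts or of refractasnapshot; the function name and the two directory arguments (a copied root filesystem and a directory where the initrd was unpacked) are assumptions.

```shell
#!/bin/sh
# Added example: audit a copied root filesystem and an unpacked initrd for
# leftover encrypted-volume references that make a snapshot prompt for a
# passphrase at boot. Function name and arguments are hypothetical.

# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_crypt_leftovers() {
    rootfs="$1"      # copied filesystem tree (assumed path, e.g. the work dir)
    initrd_dir="$2"  # directory where the initrd was unpacked with cpio
    found=0

    # 1. etc/crypttab: any line that is neither blank nor a comment is active.
    f="$rootfs/etc/crypttab"
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$f"; then
        echo "crypttab: active entries in $f"
        found=1
    fi

    # 2. conf.d/resume: a RESUME= line still points at the old swap device.
    f="$rootfs/etc/initramfs-tools/conf.d/resume"
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*RESUME=' "$f"; then
        echo "resume: $(grep -E '^[[:space:]]*RESUME=' "$f" | head -n 1)"
        found=1
    fi

    # 3. conf/conf.d/cryptroot baked into the initrd survives even when the
    #    two files above were excluded from the snapshot.
    f="$initrd_dir/conf/conf.d/cryptroot"
    if [ -f "$f" ]; then
        echo "initrd: $f present ($(grep -c 'target=' "$f") target line(s))"
        found=1
    fi

    return "$found"
}

# Stand-alone use: sh audit.sh <rootfs-dir> <unpacked-initrd-dir>
if [ "$#" -eq 2 ]; then
    audit_crypt_leftovers "$1" "$2"
fi
```

A non-zero exit status means at least one of the three locations still describes the old encrypted volume.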

Re: Unencrypt volume

Postby aquilarubra » Sun Oct 26, 2014 5:02 pm

I noticed cryptroot looks in /dev/mapper for the canonical_device. When it was asking for the password, and I didn't give it, or the partition was no longer encrypted, it complained about not finding "canonical device" /dev/sdb6.

Maybe this makes sense to somebody:

canonical_device() {
    local dev altdev original
    dev="$1"
    opt="$2"

    altdev="${dev#LABEL=}"
    if [ "$altdev" != "$dev" ]; then
        dev="/dev/disk/by-label/$altdev"
    fi

    altdev="${dev#UUID=}"
    if [ "$altdev" != "$dev" ]; then
        dev="/dev/disk/by-uuid/$altdev"
    fi

    original="$dev"
    if [ -h "$dev" ]; then
        dev=$(readlink -e "$dev")
    fi

    if [ "$opt" = "--no-simplify" ]; then
        echo "$dev"
        return 0
    fi

    if [ "x${dev%/dev/dm-*}" = "x" ]; then
        # try to detect corresponding symlink in /dev/mapper/
        for dmdev in /dev/mapper/*; do
            if [ "$(readlink -e "$dmdev")" = "$dev" ]; then
                dev="$dmdev"
            fi
        done
    fi

    altdev="${dev#/dev/mapper/}"
    if [ "$altdev" != "$dev" ]; then
        echo "$altdev"
        return 0
    elif [ "x${original%/dev/disk/by-*/*}" = "x" ]; then
        # support crypttab UUID/LABEL entries
        # this is a /dev/disk/by-*/ path so return just the 'basename'
        echo "${original##/dev/disk/by-*/}"
        return 0
    fi

    echo "cryptsetup: WARNING: failed to detect canonical device of $original" >&2
    return 1
}
aquilarubra
 
Posts: 39
Joined: Wed Sep 10, 2014 7:07 am
