# dm-crypt hangs at boot [SOLVED]

## ExecutorElassus

I have a laptop that has been running Gentoo for over a year. My /home is on an encrypted partition. In the middle of an "emerge world" update I had to shut down. Now, on boot, I get an error that my password doesn't work for the encrypted volume. Later in the boot process, however, I am asked for my password again, and now it works. However, /home is also occasionally not mounted, and I have to do so manually.

What might be causing this behavior? Might updating some package have caused dm-crypt to break?

Cheers,

EE

Last edited by ExecutorElassus on Fri Mar 17, 2017 5:23 am; edited 1 time in total

----------

## tberger2

Could be the same problem as here.

Check your /etc/init.d/dmcrypt config file.

----------

## khayyam

 *ExecutorElassus wrote:*   

> I have a laptop that has been running Gentoo for over a year. My /home is on an encrypted partition. In the middle of an "emerge world" update I had to shut down. Now, on boot, I get an error that my password doesn't work for the encrypted volume. Later in the boot process, however, I am asked for my password again, and now it works. However, /home is also occasionally not mounted, and I have to do so manually.

 

ExecutorElassus ... when you say "password doesn't work for the encrypted volume" you mean in the initramfs? I ask because then "later in the boot process" makes sense (as you have dmcrypt in a runlevel). The symptoms don't really point to anything, because if the luksHeader were corrupted the decryption happening "later in the boot process" would fail similarly. If the filesystem is corrupted (which might explain the filesystem not being mounted, perhaps due to failing fsck) then that doesn't explain the issue providing the password. Did you make a backup of the luksHeader? If so does replacing the existing header with the backup resolve this issue, or if you provide another password with luksAddKey does this password fail similarly?

For the mount ro I think this is an issue with openrc's fsck, something I think I may have encountered (but had attributed to the fact that I'm using the now deprecated =sys-apps/openrc-0.12.4). Does your filesystem (I'm assuming ext4) show as being clean?

```
# tune2fs -l /dev/mapper/<volume_name> | grep 'Filesystem.state'
```

Have you run fsck on it since the crash, does the fsck service return success when run on /home? In my case it would show the filesystem was clean, and fsck would return success, but re-making the filesystem and replacing the filesystem contents from a backup, resolved the issue (which is what leads me to suspect the fsck service isn't working correctly).

 *ExecutorElassus wrote:*   

> What might be causing this behavior? Might updating some package have caused dm-crypt to break?

 

The crash may have corrupted something, and the PM has nothing to do with it.

best ... khay

----------

## ExecutorElassus

Well, the exact message I get is:

```
*Setting system clock using the hardware clock [UTZ]
*Setting up dm-crypt mappings
*   swap using: -c aes-xts-plain -s 512 -d /dev/urandom create swap /dev/sdb3
*      pre_mount: mkswap /dev/mapper/swap
*   home using: open /dev/sda1 home
Enter passphrase for /dev/sda1:
No key available with this passphrase
```

It then fails out, continues with boot, enters runlevel 3, and then comes back to starting dm-crypt. This time, when I enter the exact same password, it succeeds, but does not mount /home.

So, what might be doing this?

Cheers,

EE

----------

## frostschutz

keyboard layout?

http://unix.stackexchange.com/a/174657/30851

otherwise some missing module...

----------

## ExecutorElassus

I thought it might be a layout issue (my keyboard is QWERTZ), but trying it assuming swapped Y-Z keys still didn't work. So, probably a missing module?

I did reboot it in the middle of an 'emerge -uD world' process (not a hard reboot: properly terminated the emerge, then shut down in an orderly fashion) so it's possible that a module got updated without a necessary dependency. 

I'm finishing the emerge now, so I'll reboot again and report back.

Cheers,

EE

----------

## khayyam

ExecutorElassus ...

the output of the following might help us debug the issue:

```
# if [[ -e /proc/config.gz ]] ; then zgrep -Ei '(_dm_|crypt)' /proc/config.gz ; else egrep -i '(_dm_|crypt)' /usr/src/linux-$(uname -r)/.config ; fi
# cryptsetup luksDump /dev/sda1
# egrep -v '^(#|$)' /etc/conf.d/dmcrypt
# egrep -v '^(#|$)' /etc/conf.d/modules
# rc-status boot |tr -s ' '
```

best ... khay

----------

## ExecutorElassus

```
# if [[ -e /proc/config.gz ]] ; then zgrep -Ei '(_dm_|crypt)' /proc/config.gz ; else egrep -i '(_dm_|crypt)' /usr/src/linux-$(uname -r)/.config ; fi
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_BLK_DEV_DM_BUILTIN=y
# CONFIG_DM_MQ_DEFAULT is not set
# CONFIG_DM_DEBUG is not set
CONFIG_DM_CRYPT=y
# CONFIG_DM_SNAPSHOT is not set
# CONFIG_DM_THIN_PROVISIONING is not set
# CONFIG_DM_CACHE is not set
# CONFIG_DM_ERA is not set
# CONFIG_DM_MIRROR is not set
CONFIG_DM_RAID=m
# CONFIG_DM_ZERO is not set
# CONFIG_DM_MULTIPATH is not set
# CONFIG_DM_DELAY is not set
# CONFIG_DM_UEVENT is not set
# CONFIG_DM_FLAKEY is not set
# CONFIG_DM_VERITY is not set
# CONFIG_DM_SWITCH is not set
# CONFIG_DM_LOG_WRITES is not set
# CONFIG_EXT4_ENCRYPTION is not set
# CONFIG_FS_ENCRYPTION is not set
# CONFIG_ECRYPT_FS is not set
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_CRYPTO=y
# Crypto core or helper
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_ACOMP2=y
# CONFIG_CRYPTO_RSA is not set
# CONFIG_CRYPTO_DH is not set
# CONFIG_CRYPTO_ECDH is not set
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
# CONFIG_CRYPTO_USER is not set
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
# CONFIG_CRYPTO_PCRYPT is not set
CONFIG_CRYPTO_WORKQUEUE=y
# CONFIG_CRYPTO_CRYPTD is not set
# CONFIG_CRYPTO_MCRYPTD is not set
# CONFIG_CRYPTO_AUTHENC is not set
# CONFIG_CRYPTO_TEST is not set
# Authenticated Encryption with Associated Data
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
# CONFIG_CRYPTO_CHACHA20POLY1305 is not set
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
# CONFIG_CRYPTO_CTS is not set
CONFIG_CRYPTO_ECB=y
# CONFIG_CRYPTO_LRW is not set
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_XTS=y
# CONFIG_CRYPTO_KEYWRAP is not set
# CONFIG_CRYPTO_CMAC is not set
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_XCBC is not set
# CONFIG_CRYPTO_VMAC is not set
CONFIG_CRYPTO_CRC32C=y
# CONFIG_CRYPTO_CRC32C_INTEL is not set
# CONFIG_CRYPTO_CRC32 is not set
# CONFIG_CRYPTO_CRC32_PCLMUL is not set
# CONFIG_CRYPTO_CRCT10DIF is not set
CONFIG_CRYPTO_GHASH=y
# CONFIG_CRYPTO_POLY1305 is not set
# CONFIG_CRYPTO_POLY1305_X86_64 is not set
# CONFIG_CRYPTO_MD4 is not set
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=y
# CONFIG_CRYPTO_RMD128 is not set
# CONFIG_CRYPTO_RMD160 is not set
# CONFIG_CRYPTO_RMD256 is not set
# CONFIG_CRYPTO_RMD320 is not set
CONFIG_CRYPTO_SHA1=y
# CONFIG_CRYPTO_SHA1_SSSE3 is not set
# CONFIG_CRYPTO_SHA256_SSSE3 is not set
# CONFIG_CRYPTO_SHA512_SSSE3 is not set
# CONFIG_CRYPTO_SHA1_MB is not set
# CONFIG_CRYPTO_SHA256_MB is not set
# CONFIG_CRYPTO_SHA512_MB is not set
CONFIG_CRYPTO_SHA256=y
# CONFIG_CRYPTO_SHA512 is not set
# CONFIG_CRYPTO_SHA3 is not set
# CONFIG_CRYPTO_TGR192 is not set
# CONFIG_CRYPTO_WP512 is not set
# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=y
# CONFIG_CRYPTO_AES_NI_INTEL is not set
# CONFIG_CRYPTO_ANUBIS is not set
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_BLOWFISH_COMMON=y
# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set
# CONFIG_CRYPTO_CAMELLIA is not set
# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set
# CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 is not set
# CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 is not set
# CONFIG_CRYPTO_CAST5 is not set
# CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set
# CONFIG_CRYPTO_CAST6 is not set
# CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set
# CONFIG_CRYPTO_DES is not set
# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
# CONFIG_CRYPTO_FCRYPT is not set
# CONFIG_CRYPTO_KHAZAD is not set
# CONFIG_CRYPTO_SALSA20 is not set
# CONFIG_CRYPTO_SALSA20_X86_64 is not set
# CONFIG_CRYPTO_CHACHA20 is not set
# CONFIG_CRYPTO_CHACHA20_X86_64 is not set
# CONFIG_CRYPTO_SEED is not set
# CONFIG_CRYPTO_SERPENT is not set
# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
# CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set
# CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set
# CONFIG_CRYPTO_TEA is not set
# CONFIG_CRYPTO_TWOFISH is not set
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_TWOFISH_X86_64=y
# CONFIG_CRYPTO_TWOFISH_X86_64_3WAY is not set
# CONFIG_CRYPTO_TWOFISH_AVX_X86_64 is not set
# CONFIG_CRYPTO_DEFLATE is not set
# CONFIG_CRYPTO_LZO is not set
# CONFIG_CRYPTO_842 is not set
# CONFIG_CRYPTO_LZ4 is not set
# CONFIG_CRYPTO_LZ4HC is not set
# CONFIG_CRYPTO_ANSI_CPRNG is not set
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
# CONFIG_CRYPTO_DRBG_HASH is not set
# CONFIG_CRYPTO_DRBG_CTR is not set
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
# CONFIG_CRYPTO_USER_API_HASH is not set
# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
# CONFIG_CRYPTO_USER_API_RNG is not set
# CONFIG_CRYPTO_USER_API_AEAD is not set
CONFIG_CRYPTO_HW=y
# CONFIG_CRYPTO_DEV_PADLOCK is not set
# CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC is not set
# CONFIG_CRYPTO_DEV_CCP is not set
# CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
# CONFIG_CRYPTO_DEV_QAT_C3XXX is not set
# CONFIG_CRYPTO_DEV_QAT_C62X is not set
# CONFIG_CRYPTO_DEV_QAT_DH895xCCVF is not set
# CONFIG_CRYPTO_DEV_QAT_C3XXXVF is not set
# CONFIG_CRYPTO_DEV_QAT_C62XVF is not set
```

then

```
# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1
Version:          1
Cipher name:      aes
Cipher mode:      xts-plain
Hash spec:        sha256
Payload offset:   4096
MK bits:          512
MK digest:        bb cd 2b 95 99 e6 7e 67 ae 46 34 03 74 2d 3d 27 9e c9 19 59
MK salt:          7d ab 74 0f 25 00 76 3c ae a4 84 bb 86 1c 0d 31
                  a6 62 bc c0 35 c9 3d d8 7b 11 ad a6 05 70 f6 47
MK iterations:    180750
UUID:             c3523f4e-5a95-4363-a74b-ae283df93941
Key Slot 0: ENABLED
   Iterations:            1438201
   Salt:                  7c 6e 23 19 c1 fc f2 fa 09 53 e3 fb 19 bb 40 d1
                            0d b2 be 7b b5 4a 9c eb bc a9 3b 91 a6 6d c6 f4
   Key material offset:   8
   AF stripes:               4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
```

and 

```
# egrep -v '^(#|$)' /etc/conf.d/dmcrypt
dmcrypt_key_timeout=1
dmcrypt_retries=5
swap=swap
source='/dev/sdb3'
options='-c aes-xts-plain -s 512 -d /dev/urandom'
target=home
source='/dev/sda1'
```

and

```
# egrep -v '^(#|$)' /etc/conf.d/modules
```

(i.e., no output)

lastly:

```
# rc-status boot |tr -s ' '
 * Caching service dependencies ... [ ok ]
Runlevel: boot
 hwclock [ started ]
 sysctl [ started ]
 modules [ started ]
 dmcrypt [ started ]
 fsck [ started ]
 root [ started ]
 mtab [ started ]
 swap [ started ]
 localmount [ started ]
 opentmpfiles-setup [ started ]
 bootmisc [ started ]
 termencoding [ started ]
 keymaps [ started ]
 procfs [ started ]
 alsasound [ started ]
 hostname [ started ]
 loopback [ started ]
 binfmt [ started ]
 urandom [ started ]
```

Anything useful there?

Cheers,

EE

----------

## frostschutz

 *ExecutorElassus wrote:*   

> but trying it assuming swapped Y-Z keys still didn't work.

 

You have no special characters in your phrase? Otherwise it's not just y z.

----------

## ExecutorElassus

no special characters. As per this XKCD, it is a long string of regular characters (and no, it isn't "correct horse battery staple").

UPDATE: I finished emerging everything and rebooted. Same problem.

----------

## khayyam

 *ExecutorElassus wrote:*   

> Anything useful there?

 

ExecutorElassus ... no, nothing at all. I was half expecting something the encrypted partition required to be a module (and so perhaps not loaded before dmcrypt was run in 'boot'), but no.

I think frostschutz may be right, it's an input/kbd issue, please try the following:

```
rc_after="keymaps"
```

HTH & best ... khay

----------

## ExecutorElassus

huh. far out: it turns out that it was a keyboard layout problem: I tried my password again, this time with z-y swapping, and this time it worked. I must have made some other typo when I tried the first time.

Anyway, now, adding that line in /etc/conf.d/dmcrypt did not help (except that now the boot sequence complains about fsck on root failing because it isn't mounted). Is there some other way to set the layout?

Cheers,

EE

UPDATE: nvm, that solution linked on stackexchange worked for me. setting to [SOLVED]

----------
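The root cause found in this thread, as an added example (not code from any poster or from the linked answer): a passphrase pressed on German QWERTZ key labels while the console still applies the default US keymap reaches cryptsetup as different characters, and as frostschutz notes it is "not just y z" once punctuation is involved. The key table, sample passphrases and function names are constructed for this sketch and cover only the main typing area (no dead keys, AltGr or the ISO "<" key).

```python
import string

# Characters on the same physical key in both layouts (constructed table).
SAME = set(string.ascii_letters + string.digits + " ,.!$%") - set("yYzZ")
# Same physical key, position by position: German label -> US keymap result.
DE_KEYS = "zZyYüÜöÖäÄß?+*#'-_;:\"§&/()="
US_KEYS = "yYzZ[{;:'\"-_]}\\|/?<>@#^&*()"
DE_TO_US = dict(zip(DE_KEYS, US_KEYS))
US_TO_DE = {us: de for de, us in DE_TO_US.items()}


def _remap(text, table, problem):
    out = []
    for ch in text:
        if ch in SAME:
            out.append(ch)
        elif ch in table:
            out.append(table[ch])
        else:
            raise ValueError(f"{ch!r}: {problem}")
    return "".join(out)


def as_received(intended):
    """What cryptsetup reads when the German-labelled keys for `intended`
    are pressed before the keymaps service has loaded the de keymap."""
    return _remap(intended, DE_TO_US, "key not modelled in this table")


def keys_to_press(stored):
    """German key labels to press so that a US keymap delivers `stored`.
    Raises if the US keymap cannot produce a character (e.g. an umlaut)."""
    return _remap(stored, US_TO_DE, "not reachable under the US keymap")


def changed_positions(intended):
    """(index, intended, received) for each character the mismatch alters."""
    received = as_received(intended)
    return [(i, a, b) for i, (a, b) in enumerate(zip(intended, received)) if a != b]


if __name__ == "__main__":
    for sample in ("crazy yellow zebra", "Zyx-7/ä"):  # constructed samples
        print(repr(sample), "->", repr(as_received(sample)))
        print("  altered:", changed_positions(sample))
```

A passphrase for which `changed_positions` returns an empty list unlocks the volume regardless of whether dmcrypt prompts before or after the keymap is loaded.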

