help-grub

Re: Uniquely Identifying USB filesystem possible?


From: Harry Hirte
Subject: Re: Uniquely Identifying USB filesystem possible?
Date: Tue, 16 Jan 2024 16:39:21 +0000 (UTC)
On Tuesday, January 16, 2024 at 03:28:43 PM GMT+1, Andrei Borzenkov 
<arvidjaar@gmail.com> wrote: 


> You specify it as (hd0) *where*?

Instead of ($keyfile)0+ I use (hd0); then it does work.


>> cryptomount -k ($keyfile)0+ -O xxx -S yyy -u $crypto_uuid

> Do you really have the file with the name "0+" on this filesystem?
> What type does this filesystem have?

I took that straight out of the grub manual:

"Devices are not allowed to be given as key files nor as detached header files. 
However, this limitation can be worked around by using blocklist syntax. So for 
instance, (hd1,gpt2) can not be used, but (hd1,gpt2)0+ will achieve the desired 
result."
In my case the $keyfile would point to (hd0), so I tried the above.

>> set root=lvm/vg0-root
>> set prefix=(lvm/vg0-boot)/grub
>> insmod normal
>> normal


> And what happens when these commands are run?

Since it is unable to open the $keyfile, decryption fails; subsequently the
LVM on the crypt volume cannot be opened.

> the USB-stick is configured as luks-device with the UUID 24cc...

> it is absolutely unclear what it means. If it is a LUKS device, you
> need to open it first. If it is not a LUKS device, where exactly this
> UUID is defined?

Ok. I took an old 4GB USB stick and put a GPT on it with fdisk. Then I used

cryptsetup luksFormat /dev/sdx (x=whatever the entire USB stick is, as seen
with lsblk)

I enter the encryption key twice and then cryptsetup tells me the UUID, which I
can also see in /dev/disk/by-uuid:
lrwxrwxrwx 1 root root   9 Jan 16 14:42 24cc...  -> ../../sda

# fdisk -l /dev/sda
Disk /dev/sda: 3.8 GiB, 4083351552 bytes, 7975296 sectors
Disk model: USB Flash Drive 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
# cryptsetup luksOpen /dev/sda cryptstick
Enter passphrase for /dev/sda: 

afterwards:

# dmsetup ls
cryptstick    (254:4)

I would say this qualifies as a LUKS volume:

# cryptsetup luksDump /dev/sda
LUKS header information for /dev/sda

Version:           1
...
UUID:              24cc...

Key Slot 0: ENABLED

...

I also tried partitioning another USB stick with partition 1 as EFI and
partition 2 encrypted as shown above:

...
sdf                           8:80   1   7.4G  0 disk
├─sdf1                        8:81   1   100M  0 part  <== EFI partition
└─sdf2                        8:82   1   100M  0 part  <== sdf2 is encrypted with luksFormat, just like above

...

Same result. If I try to access the encrypted partition sdf2, grub returns
"unknown filesystem".
(Note: Of course I have used dd to extract some random data string inside the
respective USB LUKS partition and used it as the key for the disk encryption,
as the successful attempt using (hd0) shows.)

The structure is exactly as on the M.2 disk that I want to automatically 
decrypt.
cryptomount -a only offers the M.2 and the SATA-disk that I have currently 
installed. None of the USB devices show up.

>> As mentioned, this does not work - even using cryptomount with this UUID 
>> fails.

> So it is probably *not* a LUKS device.

Not for GRUB, apparently; it (or the BIOS?) seems to handle disks connected via
the M.2 slot or SATA differently from USB.


> You can start with describing the content of this USB stick. So far it
> is rather hard to understand what you use. Showing the commands that
> *do* work may be of some help. Showing the commands you use to create
> this USB stick would help further.

I hope what I wrote clears this up.
My main objective is to use unique device descriptors: (hd0) will probably move
to (hd1) if I have another stick in the wrong USB port.
I had hoped using LUKS would make the UUIDs detectable for GRUB, but I guess
that's not the case for USB.
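The disagreement above ("this qualifies as a LUKS volume" versus "probably *not* a LUKS device") comes down to what is actually at the start of the device. The following is an added example, not code from the thread or from the GRUB or cryptsetup projects: a small Python inspector that reads the on-disk header and reports whether it carries the LUKS magic, which version, the UUID, and (for LUKS1) which key slots are enabled. The offsets follow the published LUKS1/LUKS2 on-disk formats; the UUID value used in the test fixture is a constructed placeholder standing in for the "24cc..." the poster elided, and the header-builder function is a fixture for offline use, not a replacement for cryptsetup. Run it against a device or image (`python luks_inspect.py /dev/sdX`) to confirm the header GRUB's cryptodisk module would have to find before any UUID matching can happen.

```python
"""Minimal LUKS header inspector (added example, not from the mailing-list thread).

Reads the first bytes of a block device or image and reports the LUKS
signature, version, UUID and (LUKS1) enabled key slots.  This is the same
on-disk signature cryptsetup and GRUB's cryptodisk module look for.
"""
import struct
import sys
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_KEY_ACTIVE = 0x00AC71F3     # LUKS1 key-slot "enabled" marker
LUKS1_KEY_DISABLED = 0x0000DEAD   # LUKS1 key-slot "disabled" marker
UUID_OFFSET = 168                 # 40-byte NUL-terminated UUID (same offset in LUKS1 and LUKS2)
LUKS1_SLOT_OFFSET = 208           # first of 8 LUKS1 key slots, 48 bytes each
LUKS1_HEADER_SIZE = 592           # 208 + 8 * 48

# Constructed placeholder for the poster's elided "24cc..." UUID.
SAMPLE_UUID = "24cc0000-0000-4000-8000-000000000000"


def _cstr(buf: bytes, start: int, length: int) -> str:
    """Decode a fixed-width, NUL-terminated ASCII field."""
    return buf[start:start + length].split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(buf: bytes) -> Optional[dict]:
    """Return a dict describing the LUKS header in buf, or None if it is not LUKS."""
    if len(buf) < UUID_OFFSET + 40 or buf[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", buf, 6)[0]
    info = {"version": version, "uuid": _cstr(buf, UUID_OFFSET, 40)}
    if version == 1:
        info["cipher_name"] = _cstr(buf, 8, 32)
        info["cipher_mode"] = _cstr(buf, 40, 32)
        info["hash_spec"] = _cstr(buf, 72, 32)
        info["payload_offset"] = struct.unpack_from(">I", buf, 104)[0]   # in 512-byte sectors
        info["key_bytes"] = struct.unpack_from(">I", buf, 108)[0]
        enabled = []
        for slot in range(8):
            off = LUKS1_SLOT_OFFSET + slot * 48
            if off + 4 > len(buf):
                break   # truncated read; report what we could see
            if struct.unpack_from(">I", buf, off)[0] == LUKS1_KEY_ACTIVE:
                enabled.append(slot)
        info["enabled_slots"] = enabled
    elif version == 2:
        info["hdr_size"] = struct.unpack_from(">Q", buf, 8)[0]
        info["label"] = _cstr(buf, 24, 48)
        info["csum_alg"] = _cstr(buf, 72, 32)
    return info


def inspect_device(path: str, nbytes: int = 4096) -> Optional[dict]:
    """Read the start of a device/image and parse it."""
    with open(path, "rb") as fh:
        return parse_luks_header(fh.read(nbytes))


def build_luks1_header(dev_uuid: str, enabled_slots=(0,)) -> bytes:
    """Construct a LUKS1 header for offline testing (fixture only; no real key material)."""
    hdr = bytearray(LUKS1_HEADER_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + 3] = b"aes"
    hdr[40:40 + 11] = b"xts-plain64"
    hdr[72:72 + 6] = b"sha256"
    struct.pack_into(">I", hdr, 104, 4096)   # payload offset: sector 4096
    struct.pack_into(">I", hdr, 108, 64)     # 512-bit master key
    hdr[UUID_OFFSET:UUID_OFFSET + len(dev_uuid)] = dev_uuid.encode("ascii")
    for slot in range(8):
        marker = LUKS1_KEY_ACTIVE if slot in enabled_slots else LUKS1_KEY_DISABLED
        struct.pack_into(">I", hdr, LUKS1_SLOT_OFFSET + slot * 48, marker)
    return bytes(hdr)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = inspect_device(target) if target else parse_luks_header(build_luks1_header(SAMPLE_UUID))
    if result is None:
        print("no LUKS signature at offset 0 (raw device, partition table or filesystem?)")
    else:
        for key, value in result.items():
            print(f"{key:>15}: {value}")
```

If the inspector reports no signature on the whole device but does on a partition (or the reverse), that is the distinction Andrei's question is driving at: the UUID in `/dev/disk/by-uuid` belongs to whichever container carries the header, and that is the object GRUB would have to see and open before any UUID can be matched.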

