[artix-general] [s6] system not decrypting/mounting (lvm on luks) a non root volume at boot

Dudemanguy dudemanguy at artixlinux.org
Tue Jul 14 00:20:10 CEST 2020


On 7/7/20 7:09 PM, Dudemanguy via artix-general wrote:
> Sorry, this got lost in the backlog somewhere. I'll get to actually testing this one out later this week.

Okay, I finally believe I've gotten to the bottom of this. The short 
answer is that I don't think this is possible with the current way s6 is 
set up on Artix, but at the very least it's not an issue with the script. 
During the boot process, the cryptsetup script gets executed, reads the 
/etc/crypttab with all the right arguments and everything but there's an 
error message that's sent to shell. Specifically, "Nothing to read on 
input". The reason I don't believe this can work as-is is because the 
early getty service that s6-linux-init starts is designed to capture any 
output from the started services and print them on /dev/console. This 
will interrupt any wait on input and thus cause the cryptsetup to fail.

I haven't tested this, but there are theoretically two potential fixes 
to this. One would be simply to disable printing on /dev/console. I'm 
not totally sure anything from the cryptsetup would even print on the 
early getty in the first place but it is a separate bash/shell call and 
not a complete execline script so it might work. I don't want to do this 
though because I've found error output on tty1 to be very useful in 
debugging and I don't think the tradeoff is worth it.

The other possibility would be to move the early getty to some other tty 
(say tty2) and print the cryptsetup stuff on a different tty (like 
tty1). This would be strange though because a user would have to 
manually switch to the other tty (you would still boot on whatever the 
early getty is defined as) and also said getty services would have to 
start before cryptsetup to work. I also don't think this hypothetical is 
worth it.

I know you probably already know this (and maybe already do this), but 
why not just generate a keyfile instead and add it to the luks device? 
That can be read on boot just fine and as long as it's in a secure 
location, it's a better solution than a passphrase anyway. If someone 
has access to your root, you're already compromised after all.

Sidenote: I did find a slight error when closing devices on s6. They 
weren't being unmounted, so at least that should be fixed now.
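The keyfile approach suggested above, as an added example that is not part of this thread or of the Artix cryptsetup script: a small POSIX shell script that generates a random keyfile readable only by root, prints the matching /etc/crypttab line, and (when run by hand as root) enrolls the keyfile into the LUKS volume. The device, volume name, UUID and keyfile path are placeholders; `stat -c` assumes GNU coreutils, and `cryptsetup luksAddKey` assumes the cryptsetup binary is installed. The keyfile must live on the root filesystem, which is already unlocked by the time /etc/crypttab is processed.

```shell
#!/bin/sh
# Added example, not code from the mailing list post or from Artix.
# Goal: unlock a non-root LUKS volume at boot from a keyfile instead of an
# interactive passphrase, so no service has to wait on console input.
set -eu

# Create a keyfile of $2 bytes (default 4096) from /dev/urandom.
# The subshell keeps the strict umask from leaking into the caller, and the
# final chmod leaves the file readable by its owner only (expected: root).
make_keyfile() {
    keyfile=$1
    size=${2:-4096}
    ( umask 077; head -c "$size" /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
}

# Return 0 if the keyfile has mode 0400 and is non-empty, 1 otherwise.
# Assumes GNU stat (-c). This is the check worth running before rebooting.
check_keyfile() {
    keyfile=$1
    [ -s "$keyfile" ] || return 1
    [ "$(stat -c '%a' "$keyfile")" = "400" ] || return 1
    return 0
}

# Print a crypttab line: <name> UUID=<uuid> <keyfile> <options>.
# Columns follow the crypttab(5) format; options default to "luks".
crypttab_line() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "${4:-luks}"
}

# Enroll the keyfile into the LUKS header as an additional key slot.
# cryptsetup prompts once for an existing passphrase; the old passphrase
# keeps working, the keyfile is simply another way to open the volume.
add_key_to_device() {
    device=$1
    keyfile=$2
    cryptsetup luksAddKey "$device" "$keyfile"
}

# Manual usage (run as root; every value below is a placeholder):
#   make_keyfile /etc/luks/data.key
#   check_keyfile /etc/luks/data.key && add_key_to_device /dev/sdX2 /etc/luks/data.key
#   crypttab_line data <UUID-of-/dev/sdX2> /etc/luks/data.key >> /etc/crypttab
```

Once the crypttab line is in place, the cryptsetup boot script reads the keyfile with no prompt, so the early getty capturing /dev/console no longer matters for this volume. The `check_keyfile` step is the part to keep: a keyfile that is group- or world-readable defeats the point of having the volume encrypted at all.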

