Hello,
I am trying to encrypt my disk using plain dm-crypt using the steps listed in the Arch Linux wiki here. I have carried out all the steps listed, and am able to view my MyVolGroup-* partitions after unencrypting with the keyfile and can arch-chroot into the partition. However, when I try to reboot into my system I get this error:
Keyfile could not be opened. Reverting to passphrase.
A password is required to access the cryptlvm volume:
WARNING: Using default options for hash (sha256) that could be incompatible with older versions.
For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash.
Enter passphrase for /dev/disk/by-id/wwn-abc..:
I currently have the following in my default grub (and have refreshed mkinitcpio and my grub.cfg):
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-id/wwn-abc..:cryptlvm:sector-size=512 cryptkey=/dev/disk/by-id/usb-xyz...-0\:0:0:64 crypto=:aes-xts-plain64:512:0 loglevel=3 quiet"
GRUB_CMDLINE_LINUX=""
(Note that I have escaped the : character as it is part of the drive id. I see a second ata id for the same /dev/sdd partition as the wwn one, but read online that the wwn one tends to be more stable.)
Here is the command that I can run to successfully unlock my encrypted partition:
# cryptsetup open --type plain --cipher=aes-xts-plain64 --offset 0 --key-file=/dev/disk/by-id/usb-xyz...-0:0 --key-size=512 --sector-size 512 --keyfile-size 64 /dev/sdd cryptlvm
WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.
No matter what I set the --keyfile-size value to (even 0) it seems to get this same error.
Now, potentially what might be causing the issue is that I am using a regular live ISO usb drive as my keyfile. I thought this would be an interesting idea in terms of encryption deniability, etc. I would expect this to be possible, as it would just be a byte stream like any other (although perhaps less random than a regular keyfile), and as it is able to decrypt my lvm partition when I run it using it as a keyfile, I don't see why it wouldn't work for grub as well. Feel free to let me know if this is a horribly bad idea.
Thanks in advance.
Does `cat /proc/cmdline` in the initrd shell show the escape character? If not, it was lost in transmission somewhere. It could still be lost in the init script itself... you can try doubling the \ ... \\, \\\\, if it changes anything.
You could edit the encrypt hook to include the keyfile name in that error message, otherwise you don't even know which one it's trying to open at that point.
You can use partuuid, partlabel, label ... or even custom udev rule, to get a device name w/o strange characters, just to see if it works.
Not specifying a hash (I haven't tested this) might be the reason why --keyfile-size does not work. Without a hash function producing a key of the required size, it might just read the key verbatim. Not sure.
A completely different approach would be to ditch the plain mode altogether. If you don't want a LUKS header on the encrypted device, you could use an external header.
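Added example, not from this thread or from the cryptsetup/mkinitcpio projects: it splits a cryptkey=<device>:<offset>:<size> value the way the mkinitcpio encrypt hook does as far as I know (IFS=: read ckdev ckarg1 ckarg2; compare with your own /usr/lib/initcpio/hooks/encrypt), so you can see what a device path that itself contains ':' turns into, and checks the length field against the key-size/8 bytes cryptsetup reads in plain mode without a hash (the "--keyfile-size option is being ignored" warning above). The device ids are constructed placeholders.

```shell
#!/bin/sh
# Mirror of the hook's split (assumption: IFS=: read ckdev ckarg1 ckarg2).
# Prints the three fields separated by '|'. Nothing is escaped here, so any
# extra ':' after the second one stays inside the last field.
split_cryptkey() {
    IFS=: read ckdev ckarg1 ckarg2 <<EOF
$1
EOF
    printf '%s|%s|%s' "$ckdev" "$ckarg1" "$ckarg2"
}

# Plain mode with no --hash reads key-size/8 bytes of the keyfile,
# which is what cryptsetup's --keyfile-size warning is saying.
plain_key_bytes() {
    echo $(( $1 / 8 ))
}

# Return 0 if $1 (cryptkey value) splits into a raw offset:length that matches
# a $2-bit cipher key, 1 otherwise, with a one-line reason.
check_cryptkey() {
    fields=$(split_cryptkey "$1")
    dev=${fields%%|*}; rest=${fields#*|}
    off=${rest%%|*};   len=${rest#*|}
    for n in "$off" "$len"; do
        case "$n" in
            ''|*[!0-9]*)
                echo "bad: offset='$off' length='$len' (device path split on ':'?)"
                return 1 ;;
        esac
    done
    want=$(plain_key_bytes "$2")
    if [ "$len" -ne "$want" ]; then
        echo "bad: length $len, but cryptsetup reads $want bytes for a $2-bit key"
        return 1
    fi
    echo "ok: device=$dev offset=$off length=$len"
}

# Constructed sample values: a PARTUUID spec (no ':' in the device part) and a
# by-id path whose own ':' shifts every field.
for v in 'PARTUUID=0123abcd-01:0:64' '/dev/disk/by-id/usb-xyz-0:0:0:64'; do
    check_cryptkey "$v" 512 || true
done
```

To see what the hook actually received, print $ckdev, $ckarg1 and $ckarg2 in it alongside $ckeyfile; /crypto_keyfile.bin is only the temporary file the key bytes are copied into, so its name appearing in the error does not point at a missing .bin file.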
`cat /proc/cmdline` does not seem to show any escape characters when there's 1-2 \ characters, but when there's 3 I can see two of them.
I have edited the encrypt hook to include $ckeyfile in the output, and am seeing this message now, although I am not certain of the implications of it. Is it looking for a .bin file causing issues maybe? Also this is when I was using 3 '\'s, so maybe that's throwing something off:
Keyfile /crypto_keyfile.bin could not be opened. Reverting to passphrase
So '/crypto_keyfile.bin' seems to be what the $ckeyfile variable is set as.
When I try to change it to a PARTUUID for the keyfile I instead see the following, with no mention of the keyfile/passphrase:
ERROR: device '/dev/mapper/MyVolGroup-root' not found. Skipping fsck.
mount: /new_root: fsconfig() failed: /dev/mapper/MyVolGroup-root: Can't lookup blockdev.
...
However, I may have set something incorrectly with this in the grub config as I am not 100% certain how it should be laid out. I had it as cryptkey=PARTUUID=defg...:0:64. Are there supposed to be quotes? Is it fine that this references /dev/sdx1 rather than /dev/sdx as there is no UUID for the physical disk?
I have tried specifying sha256 as the hash (i.e. `crypto=sha256:aes-xts-plain64:512:0:0` but to no effect except removing the warning).
I may try that soon, but will likely need to revamp the whole thing then, especially as I saw somewhere that udev does not support external headers, and sd-encrypt would be required instead. As such, if I could get this configuration working that would be great!
My mkinitcpio hooks line is as follows:
HOOKS=(base udev block keyboard autodetect microcode modconf kms keymap consolefont encrypt lvm2 filesystems fsck)