Auto mount encrypted device at boot

I can't figure it out myself so decided to get some help from you. OpenWrt 22.03 x86.

24/7 SATA connected HDD drive. Followed this, and an attempt to decrypt by cryptsetup open /dev/sdb hdd asks for a password, while cryptsetup open /dev/sdb hdd --key-file path-to-keyfile automatically unlocks the drive for me. Issuing the block mount command automatically mounts the drive, so things work as they should. Getting it to auto-mount at boot is the problem.

It seems that the install-decrypt.sh from the guide above doesn't do anything in my case.

root@router:~# pwd
/root
root@router:~# nano install-decrypt.sh

# Pasted the code in the file above.

root@router:~# ./install-decrypt.sh
-ash: ./install-decrypt.sh: Permission denied
root@router:~# chmod +x install-decrypt.sh
root@router:~# ./install-decrypt.sh
root@router:~# find / -name 99-lukscrypt
/etc/hotplug.d/block/99-lukscrypt
root@router:~# find / -name decrypt.sh
/sbin/decrypt.sh

# Rebooted but the drive remains locked.

root@router:~# /etc/hotplug.d/block/99-lukscrypt
-ash: /etc/hotplug.d/block/99-lukscrypt: Permission denied

root@router:~# ll /etc/hotplug.d/block/
-rw-r--r--    1 root     root        3.4K 2024-01-04 12:22:35 +0100 99-lukscrypt
root@router:~# ll /sbin
-rw-r--r--    1 root     root        3.3K 2024-01-04 12:22:35 +0100 decrypt.sh

chmod +x /sbin/decrypt.sh; chmod +x /etc/hotplug.d/block/99-lukscrypt

root@router:~# /etc/hotplug.d/block/99-lukscrypt
root@router:~# lsblk
root@router:~# ash /etc/hotplug.d/block/99-lukscrypt
root@router:~# lsblk
root@router:~# sh /etc/hotplug.d/block/99-lukscrypt
root@router:~# lsblk

root@router:~# /sbin/decrypt.sh
root@router:~# lsblk
root@router:~# ash /sbin/decrypt.sh
root@router:~# lsblk
root@router:~# sh /sbin/decrypt.sh
root@router:~# lsblk

# No changes. Restarted - no drive auto unlocked.

Added the following to grub config file and restarted. No auto unlock.

menuentry "OpenWrt (22.03.3)" {
    linux /boot/vmlinuz root=PARTUUID=..................cryptdevice=UUID=UUID_FROM_/ETC/CRYPTTAB:hdd
    initrd /boot/glk_dmc.cpio
}

Not working. Changed it to a new grub command

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=UUID_FROM_/ETC/CRYPTTAB:hdd"

Manually unlocking and mounting

root@router:~# cryptsetup open /dev/sdb hdd --key-file path-to-keyfile
root@router:~# block mount
root@router:~# lsblk
sdb 8:16 0 931.5G 0 disk
└─hdd 253:0 0 931.5G 0 crypt /mnt/hdd
root@router:~# logread
Thu Jan 4 12:18:53 2024 kern.info kernel: [ 1331.353265] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts:

What's wrong?

Anyone? Updated to 23.05.2 and still can't get it to automatically open at boot.

[    1.295006] ata2: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
[    1.295778] ata2.00: ATA-9: HGST HTS541010B9E380, 01.01H01, max UDMA/133
[    1.296227] ata2.00: ATA Identify Device Log not supported
[    1.296242] ata2.00: 1953525168 sectors, multi 16: LBA48 NCQ (depth 32), AA
[    1.297552] ata2.00: ATA Identify Device Log not supported
[    1.297578] ata2.00: configured for UDMA/133
[    1.297994] scsi 1:0:0:0: Direct-Access     ATA      HGST HTS541010B9 1H01 PQ: 0 ANSI: 5
[    1.298785] sd 1:0:0:0: [sdb] 1953525168 512-byte logical blocks: (1.00 TB/932 GiB)
[    1.298790] sd 1:0:0:0: [sdb] 4096-byte physical blocks
[    1.298804] sd 1:0:0:0: [sdb] Write Protect is off
[    1.298808] sd 1:0:0:0: [sdb] Mode Sense: 00 3a 00 00
[    1.298834] sd 1:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[    1.312690] sd 1:0:0:0: [sdb] Attached SCSI disk

Here are dmesg entries related to kmodloader. Errors appear at the end of the boot process.
I couldn't see them before installing the kernel modules cryptdevice needed. The same behaviour/errors appeared in 22.03.x before the update.
Could it be because of that, or is there something else I'm missing, or is it simply not gonna work in OpenWrt?

dmesg | grep kmod
[    1.411756] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    1.437367] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    3.788993] mount_root: loading kmods from internal overlay
[    3.792959] kmodloader: loading kernel modules from //etc/modules-boot.d/*
[    3.793618] kmodloader: done loading kernel modules from //etc/modules-boot.d/*
[    4.505536] kmodloader: loading kernel modules from /etc/modules.d/*
[    9.281538] kmodloader: 7 modules could not be probed
[    9.282082] kmodloader: - camellia-aesni-avx-x86_64 - 0
[    9.282593] kmodloader: dependency not loaded camellia-aesni-avx-x86_64
[    9.283205] kmodloader: - camellia-aesni-avx2 - 1
[    9.283670] kmodloader: - cast5-avx-x86_64 - 0
[    9.284111] kmodloader: - cast6-avx-x86_64 - 0
[    9.284569] kmodloader: - serpent-avx-x86_64 - 0
[    9.285019] kmodloader: dependency not loaded serpent-avx-x86_64
[    9.285583] kmodloader: - serpent-avx2 - 1
[    9.286004] kmodloader: - twofish-avx-x86_64 - 0

I don't think so, even if these errors came along with some of the kernel modules installed with the cryptdevice package. This machine seems not to support AVX and that's probably why they appear? It's a Celeron J4125 CPU so there should be AES-NI support.

[    4.529459] AVX or AES-NI instructions are not detected.
[    4.603559] CPU feature 'AVX registers' is not supported.
[    4.672503] CPU feature 'AVX registers' is not supported.
[    4.752432] CPU feature 'AVX registers' is not supported.
[    4.824250] CPU feature 'AVX registers' is not supported.
[    8.615156] AVX or AES-NI instructions are not detected.
[    8.702305] CPU feature 'AVX registers' is not supported.
[    8.772527] CPU feature 'AVX registers' is not supported.
[    8.852121] CPU feature 'AVX registers' is not supported.
[    8.932060] CPU feature 'AVX registers' is not supported.

Manually issuing cryptsetup open /dev/sdb hdd --key-file path-to-keyfile; block mount after boot does unlock and mount it, however.

Line 81 --disable-device-mapper

Does it mean GRUB2 is compiled without this functionality? Anyone, anything?

I believe I've figured it out.

GRUB 2.06 installed with OpenWrt is a very minimal one without modules like luks, luks2, cryptomount etc. needed for it to be able to decrypt a device. Even after testing with these modules and a couple more copied from a Debian Bookworm installation to the OpenWrt one (other modules like echo, ext2 or loopback work) and pointing to them in GRUB, it's not able to decrypt because the HDD in the OpenWrt box is LUKS2 encrypted with the standard Argon key type or whatever. It's only able to decrypt PBKDF2 instead of Argon and full LUKS1 support, and I don't care about changing anything, so I simply put a cryptsetup line in /etc/init.d/fstab to open it at boot before mounting, as I already stated in another thread on this forum. It works this way so I'm fine.
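
The KDF limitation described in the post above can be checked directly from the LUKS header. The following is an added example, not part of the original thread: it parses `cryptsetup luksDump` text and flags keyslots whose KDF is not PBKDF2. The function names are hypothetical and the sample dump is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list each LUKS keyslot's KDF from
# `cryptsetup luksDump` text and flag slots GRUB 2.06 cannot use (non-PBKDF2).
# Function names are hypothetical; the sample dump below is constructed.

# Reads luksDump output on stdin; prints "<slot> <kdf> <verdict>" per keyslot.
luks_kdf_report() {
    awk '
        /^Version:/ { version = $2 }
        # LUKS1 headers list "Key Slot N: ENABLED"; LUKS1 always uses PBKDF2.
        version == "1" && /^Key Slot [0-9]+: ENABLED/ {
            sub(":", "", $3); print $3, "pbkdf2", "grub-ok"
        }
        # LUKS2: only look inside the "Keyslots:" section, which ends at the
        # next unindented heading (Tokens:, Digests:, ...).
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^[ \t]+[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
        in_slots && /^[ \t]+PBKDF:/ {
            print slot, $2, ($2 == "pbkdf2" ? "grub-ok" : "grub-unsupported")
        }
    '
}

# Succeeds (exit 0) if at least one keyslot uses a KDF GRUB 2.06 can handle.
grub206_can_unlock() {
    luks_kdf_report | grep -q ' grub-ok$'
}

# Constructed, abbreviated LUKS2 dump: slot 0 is Argon2id, slot 1 is PBKDF2.
sample_luks2_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}
```

On a real system the input would come from `cryptsetup luksDump /dev/sdb | luks_kdf_report`.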

You can't mix and match grub modules (files) from different origins or versions, there is no ABI compatibility between them. If OpenWrt's grub doesn't work for you, you either need to adapt its packaging (so it does include the desired functionality) XOR use another grub (e.g. from Debian) in its entirety.

It's fine here running GRUB 2.06.13 modules from my Debian Bookworm installation on OpenWrt 2.06.5. To be precise, with modules loopback, ext2 and iso9660 I got a LiveISO of the latest Linux Mint running like a charm, booted directly from the GRUB menu of the OpenWrt with a new menuentry for it, which otherwise wouldn't be possible, at least with so little effort. I also tested a couple of other modules and they all worked. There's another thread on this forum from a member running an Arch Linux installation beside OpenWrt on his NVMe, also with a couple of needed GRUB modules from Arch.