Cannot mount encrypted external storage to /overlay through fstab?

I can mount external storage to /overlay via fstab just fine:

mount /dev/mmcblk0 /mnt
tar -C /overlay -cvf - . | tar -C /mnt -xf -
umount /mnt
block detect > /etc/config/fstab

Then I edit /etc/config/fstab so that the /overlay target is enabled:

config 'mount'
  option  target  '/overlay'
  option  enabled '1'

Then with a reboot I get:

Filesystem                Size      Used  Available Use% Mounted on
/dev/mmcblk0             14.5G     40.3M      13.7G   0% /overlay
overlayfs:/overlay       14.5G     40.3M      13.7G   0% / 

Now instead of doing this, I want to encrypt /dev/mmcblk0. So I create an encrypted container "crypt" on mmcblk0, format the container to ext4, and (just as above) copy the /overlay files and generate the fstab file:

cryptsetup luksFormat /dev/mmcblk0
cryptsetup luksAddKey /dev/mmcblk0 /etc/luks_key.txt
cryptsetup open /dev/mmcblk0 crypt
mkfs.ext4 /dev/mapper/crypt
mount /dev/mapper/crypt /mnt
tar -C /overlay -cvf - . | tar -C /mnt -xf -
umount /mnt
block detect > /etc/config/fstab

Then I create a file in /etc/hotplug.d/block/ to decrypt the container on startup:

cryptsetup open /dev/mmcblk0 crypt -d /etc/luks_key.txt

With block info I can also confirm the UUID which matches the target mount in my fstab file:

/dev/mapper/crypt: UUID="{UUID}" VERSION="1.0" TYPE="ext4"

and the fstab file:

config mount
        option uuid '{UUID}'
        option target '/overlay'
        option enabled '1'

Except now the external storage isn't mounting to /overlay on boot:

Filesystem                Size      Used Available Use% Mounted on
/dev/root                 5.5M      5.5M         0 100% /rom
tmpfs                    61.0M     72.0K     60.9M   0% /tmp
/dev/mtdblock6            8.7M      1.2M      7.5M  13% /overlay
overlayfs:/overlay        8.7M      1.2M      7.5M  13% /
tmpfs                   512.0K         0    512.0K   0% /dev

But I can mount to /mnt. That is, if I switch the fstab target to /mnt instead of /overlay, it works:

/dev/mapper/crypt        14.5G     41.7M     13.7G   0% /mnt

My best guess is that there is some sort of overlay initialization that happens before the container in /dev/mmcblk0 is decrypted?
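
A more defensive form of the hotplug unlock step from the post above, as an added example that is not part of the original post and does not change when /overlay is mounted. It only opens the container on the matching "add" event, skips it if the mapping already exists, and refuses a key file that is group- or world-accessible. The file layout, the `luks-hotplug` log tag, and the assumption that the hotplug call exports `ACTION` and `DEVNAME` (with or without a `/dev/` prefix) are illustrative.

```shell
#!/bin/sh
# Added example: hardened hotplug unlock for the setup described in the post.
# DEV, MAPPER and KEYFILE mirror the post's values; ACTION/DEVNAME are the
# uevent variables the hotplug call is assumed to export.

DEV="${DEV:-mmcblk0}"
MAPPER="${MAPPER:-crypt}"
KEYFILE="${KEYFILE:-/etc/luks_key.txt}"

# True only for the "add" event of the exact device we expect.
is_target_event() {   # $1 = ACTION, $2 = DEVNAME
    [ "$1" = "add" ] && [ "${2#/dev/}" = "$DEV" ]
}

# True if the key file is a regular file with no group/other permission bits.
key_file_private() {  # $1 = path
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

unlock_container() {
    is_target_event "${ACTION:-}" "${DEVNAME:-}" || return 0
    [ -e "/dev/mapper/$MAPPER" ] && return 0          # already open
    if ! key_file_private "$KEYFILE"; then
        logger -t luks-hotplug "refusing: $KEYFILE missing or group/world accessible"
        return 1
    fi
    if ! cryptsetup isLuks "/dev/$DEV"; then
        logger -t luks-hotplug "/dev/$DEV has no LUKS header"
        return 1
    fi
    cryptsetup open "/dev/$DEV" "$MAPPER" --key-file "$KEYFILE" \
        && logger -t luks-hotplug "opened /dev/$DEV as $MAPPER"
}

# Hotplug scripts may be sourced, so avoid "exit"; act only when an event is present.
if [ -n "${ACTION:-}" ]; then
    unlock_container || true
fi
```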

Overlay is mounted at the preinit stage.
You likely need to modify the preinit scripts to achieve the goal.
Those should be invoked from ROM, so I guess it requires building your own image.


Thank you for the reply.

I'm completely lost here. Is there any documentation to understand these files, or specifically what functions or files to look at?

Sorry, but is there a point to encrypting the external storage if the router flash has its key in plaintext?

Our external storage is an SD card which is easier to grab and take than the device.