Custom `hotplug.d/*lukscrypt` not being executed?

I'm on Netgear XR500 OpenWrt SNAPSHOT, r19726-b21b98627d. Two days ago I made an asu; since then I cannot auto-decrypt my drive.

I've made changes according to the Disk Encryption guide (the section "The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in /etc/crypttab").

marcin@OpenWrt:~$ ll /bin/decrypt.sh 
-rw-r--r--    1 root     root          2423 Jun  4 07:28 /bin/decrypt.sh
marcin@OpenWrt:~$ ll /etc/hotplug.d/block/99-lukscrypt
-rw-r--r--    1 root     root           157 Jun  4 07:27 /etc/hotplug.d/block/99-lukscrypt
marcin@OpenWrt:~$ ll /etc/crypttab
-rw-r--r--    1 root     root           109 Jun  3 21:14 /etc/crypttab

I've put in a custom log message to see if hotplug executes the decrypt script, but it seems it doesn't:

marcin@OpenWrt:~$ cat /etc/hotplug.d/block/99-lukscrypt 
# note: this needs bash and awk installed and the #!/bin/bash does not seem to work on 18.06
logger -s 'AAAAAAAAAAAAAAA hotplug decypt"
bash /bin/decrypt.sh
marcin@OpenWrt:~$ sudo logread |grep AAA
marcin@OpenWrt:~$ 

I do have block* packages installed

marcin@OpenWrt:~$ opkg list-installed |grep block
block-mount - 2022-06-02-93369be0-1
blockd - 2022-06-02-93369be0-1
blockdev - 2.38-2

TL;DR: Am I missing a package or configuration, such that the custom hotplug script is not executed?

I don't encrypt my block devices, but I don't think so.

By way of reference:
Hotplug scripts require a trigger event to execute the script(s) in the /etc/hotplug.d/<device> folder. In your case, any Block Device event will trigger all scripts contained in /etc/hotplug.d/block based on their numeric prefix - 00-media-change, 10-mount, and your 99-lukscrypt - executing each whose condition is met in turn. Given you see nothing in the log, I suspect nothing triggers it.

A few things to consider:

  1. Is bash installed as required for the 99-lukscrypt?
  2. Can you mount and access your encrypted drive manually? If not, fix that first.
  3. Can you see /dev/mapper/[map-name]?

@RuralRoots thanks for the reply.

  1. Yes, I do have bash:
marcin@OpenWrt:~$ opkg list-installed |grep bash
bash - 5.1.16-1
  2. Yes, I can decrypt it manually.
root@OpenWrt:/home/marcin# ll /dev/mapper/crypt
ls: /dev/mapper/crypt: No such file or directory
root@OpenWrt:/home/marcin# cryptsetup luksOpen /dev/sdb4 crypt --key-file /a-path-to-keyfile
root@OpenWrt:/home/marcin# ll /dev/mapper/crypt
brw-------    1 root     root      253,   0 Jun  4 19:00 /dev/mapper/crypt
root@OpenWrt:/home/marcin# mount /dev/mapper/crypt /mnt/
root@OpenWrt:/home/marcin# ls /mnt/
Aparat Marcin

  3. Yes, /dev/mapper/crypt is created after luksOpen (see above :wink:); it's required for mount.

It was working on the mid-May XR500 snapshot, but on r19726-b21b98627d I'm not sure if I'm missing something (e.g. a hotplug package/config) or if this is a code fault :frowning:

asu should negate that by design. And if run manually, it works as advertised.

What output do you get by running the script directly?

/bin/decrypt.sh

Directly there's no output.

To see what's going on I put some logging inside this code.

Here's the output with my changes (below):

marcin@OpenWrt:~$ bash /bin/decrypt.sh
marcin: AAAAAAAAAAA starting decyption
marcin: start decrypt luks
marcin: AAAAAAAAAAA DEVNAME
marcin: AAAAAAAAAAA action not add
marcin@OpenWrt:~$ 

It's terminating because `"$ACTION" != "add"`.
Not sure how it works when executed from /etc/hotplug.d/block/99-lukscrypt, as it seems to be missing parameters, but anyway 99-lukscrypt doesn't seem to be executed :/

I'm considering re-upgrading the snapshot.

Script with logging:

cat /bin/decrypt.sh
#!/bin/bash
# Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
# CC0: 21JUL18 by WaLLy3K, updated 09AUG18
# Further adapted for OpenWRT 18.06 by jmm on 2018-09-04

# Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)

logger -s "AAAAAAAAAAA starting decyption"
logger -s "start decrypt luks" $DEVNAME $ACTION

if [ -z "${DEVNAME}" ]
then
    logger -s "AAAAAAAAAAA DEVNAME"
    DEVNAME="${1##*/}"
fi

msg() {
    logger -st "$(basename "${0%.*}")($DEVNAME)[$$]" -- "$@"
}

if [ "$ACTION" != "add" ]
then
    #only do something if a device is being added
    logger -s "AAAAAAAAAAA action not add"
    exit 0
fi

if [[ "$DEVNAME" == dm-[0-9] ]]
then
    logger -s "AAAAAAAAAAA blockmount exit 0"
    #/dev/mapper block device has been created so now try to mount FS if set up
    # in /etc/config/fstab (or LuCI > System > Mount Points)
    block mount
    exit 0
fi

BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
BID_UUID="$(awk -F= '/UUID/ {print $2}' <<< "$BID_RAW")"
BID_TYPE="$(awk -F= '/TYPE/ {print $2}' <<< "$BID_RAW")"

logger -s "AAAAAAAAAAA will be chekcing crypttab in a moment"
# Determine whether drive needs to be decrypted
if [[ ! -r "/etc/crypttab" ]]
then
    msg "Unable to read file: /etc/crypttab"
    exit 1
fi
CT_RAW="$(grep "$BID_UUID" /etc/crypttab)"
if [[ -z "${CT_RAW:-}" ]]
then
    exit 0
fi

CT_LABEL="$(awk '{print $1}' <<< "$CT_RAW")"
CT_KEYFILE="$(awk '{print $3}' <<< "$CT_RAW")"
CT_TYPE="$(awk -F '[ ,]+' '{print $4}' <<< "$CT_RAW")"
#CT_SCRIPT="$(awk -F "keyscript=" '{print $2}' <<< "$CT_RAW")"

if [[ -e "/dev/mapper/${CT_LABEL,,}" ]]
then
    msg "Drive already decrypted: $CT_LABEL"
    exit 0
fi

# Error Handling
if [[ ! -e "$CT_KEYFILE" ]]
then
    msg "Unable to view keyfile: '$CT_KEYFILE'"
    exit 1
fi
if [[ ! "${BID_TYPE,,}" == *"${CT_TYPE,,}"* ]]
then
    msg "Unable to decrypt format: $CT_TYPE"
    exit 1
fi

msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)"
cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL,,}" -d "$CT_KEYFILE"
CS_EXIT="$?"
case "$CS_EXIT" in
0)  if [ -e "/dev/mapper/${CT_LABEL,,}" ]
    then
        msg "Drive decrypted: $CT_LABEL"
    else
        msg "Drive not found after decrypting: $CT_LABEL"
        exit 1
    fi;;
5)  msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;;
*)  msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;;
esac
marcin@OpenWrt:~$

Expected. 99-lukscrypt just calls /bin/decrypt.sh when a Block event occurs (add, remove, ...). This passes the hotplug variables needed to the script.

Leave your debug logging as it stands, unmount or remove the /dev/mapper device, and remove the USB device.

Add a `logger -s "Block 99-lukscrypt triggered"` to line 1 of /etc/hotplug.d/block/99-lukscrypt.

Now plug in your encrypted usb drive and let’s see if we can pin down where things fail.

Thanks, so it got executed when I manually re-plugged the USB device:

marcin@OpenWrt:~$ sudo logread |grep 99-
Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:49 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:49 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:49 2022 user.notice root: Block 99-lukscrypt triggered
marcin@OpenWrt:~$

Btw, thanks to your comment I spotted a mismatch between the opening and closing quote signs in my logger line. This was blocking /bin/decrypt.sh execution.
So manual re-plug seems to be working :)

But still the decryption doesn't seem to be triggered at router boot time.

Based on the hotplug docs, I created:

marcin@OpenWrt:~$ cat /etc/hotplug.d/block/00-logger 
logger -t hotplug $(env)
marcin@OpenWrt:~$ 

but after a reboot it again gave nothing :(

marcin@OpenWrt:~$ sudo logread -e hotplug
Tue Jun  7 20:04:04 2022 authpriv.notice sudo:   marcin : TTY=pts/0 ; PWD=/home/marcin ; USER=root ; COMMAND=/sbin/logread -e hotplug
marcin@OpenWrt:~$

I keep going back over the wiki, and this keeps nagging at me.

On a fresh reboot, you just need to perform the mapping and mount (note: the mapping will require a passphrase):

cryptsetup open [encrypted-device] [map-name]
mount /dev/mapper/[map-name] [mount-point]

Do you automount the device? Without plugging in the usb device or mounting it the hotplug script just won’t trigger.

I don't understand.
Responding but not sure if I understood you correctly...

Do you automount the device?

I'm trying to automate the decryption and mounting using the script and a crypttab (and fstab) entry, as in the instructions:

Automated:

The following script can be used to automate decrypting and mounting  (...)

On the mid-May 22.03 snapshot it was decrypting and mounting at boot time.

Without plugging in the usb device or mounting it the hotplug script just won’t trigger.

Device is connected all the time (also at boot time), but decryption doesn't happen at boot time.
There's no new device in /dev/mapper/ to be mounted.

We've confirmed that once startup is done I can unplug and re-plug the disk, and then the decryption works and so does the mounting.
So this is a kind of workaround: unplug and re-plug the device after it has fully booted.
I wish this could happen automatically at boot time without the need to unplug and plug the disk again.

PS: Attaching the crypttab permissions; even everyone can read it:

marcin@OpenWrt:~$ ll /etc/crypttab
-rw-r--r--    1 root     root           109 Jun  3 21:14 /etc/crypttab

If someone has a similar problem: I created a very dirty workaround:

# cat /bin/decrypt-sdx4.sh 
#!/bin/bash
# Boot-time workaround: run decrypt.sh for each candidate partition with the
# hotplug variables it expects set by hand.
ACTION=add

# Each run goes in a subshell: decrypt.sh calls `exit` on every early-return
# path (device not in crypttab, already decrypted, ...), which would otherwise
# terminate this wrapper before the second device is tried.
(DEVNAME=sda4; . /bin/decrypt.sh)

(DEVNAME=sdb4; . /bin/decrypt.sh)

but at least it works.

And I'm calling this script from /etc/rc.local:

$ cat /etc/rc.local 
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/bin/decrypt-sdx4.sh
exit 0

If you are using the decrypt.sh from https://openwrt.org/docs/guide-user/storage/disk.encryption, I found those instructions to be very out of date. Even with the bash package installed and using the #!/bin/bash shebang, the script executed in ash, and <<< redirection and adding extra ,, to variables do not work. I updated the script to be ash compatible (tested on 21.02.2):

#!/bin/ash
# Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
# CC0: 21JUL18 by WaLLy3K, updated 09AUG18
# Further adapted for OpenWRT 18.06 by jmm on 2018-09-04
# Further adapted for OpenWRT 21.02.2 by mdpc on 2022-12-30

# Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)

# logger -s "start decrypt luks" $DEVNAME $ACTION

if [ -z "${DEVNAME}" ]
then
    DEVNAME="${1##*/}"
fi

msg() {
    logger -st "$(basename "${0%.*}")($DEVNAME)[$$]" -- "$@"
}

if [ "$ACTION" != "add" ]
then
    #only do something if a device is being added
    exit 0
fi

if [[ "$DEVNAME" == dm-[0-9] ]]
then
    #/dev/mapper block device has been created so now try to mount FS if set up
    # in /etc/config/fstab (or LuCI > System > Mount Points)
    block mount
    exit 0
fi

BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
BID_UUID="$(echo $BID_RAW | awk -F['/=',' '] '{print $5}')"
BID_TYPE="$(echo $BID_RAW | awk -F['/=',' '] '{print $7}')"

# Determine whether drive needs to be decrypted
if [[ ! -r "/etc/crypttab" ]]
then
    msg "Unable to read file: /etc/crypttab"
    exit 1
fi
CT_RAW="$(grep "$BID_UUID" /etc/crypttab)"
if [[ -z "${CT_RAW:-}" ]]
then
    exit 0
fi

CT_LABEL="$(echo $CT_RAW | awk '{print $1}')"
CT_KEYFILE="$(echo $CT_RAW | awk '{print $3}')"
CT_TYPE="$(echo $CT_RAW | awk -F '[ ,]+' '{print $4}')"

if [[ -e "/dev/mapper/${CT_LABEL}" ]]
then
    msg "Drive already decrypted: $CT_LABEL"
    exit 0
fi

# Error Handling
if [[ ! -e "$CT_KEYFILE" ]]
then
    msg "Unable to view keyfile: '$CT_KEYFILE'"
    exit 1
fi
if [[ ! "${BID_TYPE}" == *"${CT_TYPE}"* ]]
then
    msg "Unable to decrypt format: $CT_TYPE"
    exit 1
fi

msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)"
cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL}" -d "$CT_KEYFILE"
CS_EXIT="$?"
case "$CS_EXIT" in
0)  if [ -e "/dev/mapper/${CT_LABEL}" ]
    then
        msg "Drive decrypted: $CT_LABEL"
    else
        msg "Drive not found after decrypting: $CT_LABEL"
        exit 1
    fi;;
5)  msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;;
*)  msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;;
esac

Also, the entry in /etc/crypttab for type must match exactly what is given by block info. If anyone would like to give me a @wiki-account, I'll gladly update that wiki page.
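As an added example (not code from this thread or the OpenWrt wiki), the parsing that decrypt.sh does, written in POSIX sh so it also runs in BusyBox ash: no `<<<` here-strings and no `${var,,}` lowercasing. The block info line, the UUID and the crypttab content are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenWrt wiki: the parsing
# decrypt.sh does, written in POSIX sh (works in BusyBox ash) without the
# bash-only `<<<` here-strings and `${var,,}` lowercasing.

# Constructed sample of one `block info /dev/sdb4` output line (UUID made up).
SAMPLE_BLOCK_INFO='/dev/sdb4: UUID="0123abcd-4567-89ef-0123-456789abcdef" TYPE="crypto_LUKS"'

# Constructed sample /etc/crypttab: <name> <device> <keyfile> <options>
SAMPLE_CRYPTTAB='crypt UUID=0123abcd-4567-89ef-0123-456789abcdef /etc/luks/keyfile luks
other UUID=ffffffff-0000-0000-0000-000000000000 /etc/luks/other.key luks,discard'

# Print the bare value of one KEY="value" field ($2) from a block info line ($1).
block_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Lowercase a string (replacement for bash's ${var,,}).
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print "name keyfile type" for the crypttab line whose device column is
# exactly UUID=$1 (the original script greps the UUID as a substring).
crypttab_lookup() {
    printf '%s\n' "$2" | awk -v want="UUID=$1" \
        '$2 == want { split($4, o, ","); print $1, $3, o[1]; exit }'
}

# Decide whether the device described by block info line $1 should be opened,
# given crypttab content $2. Prints "name keyfile" and returns 0 when the UUID
# is listed and the crypttab type is a case-insensitive substring of the
# block info TYPE (so "luks" matches "crypto_LUKS"); returns 1 otherwise.
should_unlock() {
    uuid=$(block_field "$1" UUID)
    type=$(block_field "$1" TYPE)
    [ -n "$uuid" ] || return 1
    entry=$(crypttab_lookup "$uuid" "$2")
    [ -n "$entry" ] || return 1
    set -- $entry                 # $1=name $2=keyfile $3=type
    case "$(lower "$type")" in
        *"$(lower "$3")"*) printf '%s %s\n' "$1" "$2" ;;
        *) return 1 ;;
    esac
}
```

A hotplug script would feed `should_unlock "$(block info "/dev/$DEVNAME")" "$(cat /etc/crypttab)"` and pass the printed name and keyfile to `cryptsetup luksOpen`.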

Thanks, but it didn't work for me either ;( I'm using UUID.
I'm on a fresh, newly re-installed system, without storing config files:
OpenWrt 22.03.5, r20134-5f15225c1e
It works neither on boot nor when plugging in the device once booted.

I ended up with this script.sh:

#!/bin/bash
# Resolve the LUKS partition by UUID so the script does not depend on whether
# the drive enumerates as sda or sdb at boot.
DEV="$(blkid -o device --uuid <MY_DEVICE_UUID>)"
if [ -z "$DEV" ]; then
    logger -s "luks: device with UUID <MY_DEVICE_UUID> not found"
    exit 1
fi

/usr/sbin/cryptsetup open "$DEV" crypt --key-file <MY_DEVICE_KEY_FILE> || exit 1

mount /dev/mapper/crypt /media

which is called from:

$ cat /etc/rc.local 
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

/etc/luks/script.sh

exit 0
