I've put a custom log message in to see if hotplug executes the decrypt script, but it seems it doesn't:
```
marcin@OpenWrt:~$ cat /etc/hotplug.d/block/99-lukscrypt
# note: this needs bash and awk installed and the #!/bin/bash does not seem to work on 18.06
logger -s 'AAAAAAAAAAAAAAA hotplug decypt"
bash /bin/decrypt.sh
marcin@OpenWrt:~$ sudo logread |grep AAA
marcin@OpenWrt:~$
```
I don't encrypt my block devices, but I don't think so.
By way of reference:
Hotplug scripts require a trigger event to execute the script(s) in the /etc/hotplug.d/<device> folder. In your case, any Block Device event will trigger all scripts contained in /etc/hotplug.d/block, based on their numeric prefix (00-media-change, 10-mount, and your 99-lukscrypt), executing each whose condition is met in turn. Given you see nothing in the log, I suspect nothing triggers it.
A few things to consider:
Is bash installed, as required for 99-lukscrypt?
Can you mount and access your encrypted drive manually? If not, fix that first.
```
root@OpenWrt:/home/marcin# ll /dev/mapper/crypt
ls: /dev/mapper/crypt: No such file or directory
root@OpenWrt:/home/marcin# cryptsetup luksOpen /dev/sdb4 crypt --key-file /a-path-to-keyfile
root@OpenWrt:/home/marcin# ll /dev/mapper/crypt
brw------- 1 root root 253, 0 Jun 4 19:00 /dev/mapper/crypt
root@OpenWrt:/home/marcin# mount /dev/mapper/crypt /mnt/
root@OpenWrt:/home/marcin# ls /mnt/
Aparat Marcin
```
Yes, /dev/mapper/crypt is created after luksOpen (see above); it's required for mount.
It was working on a mid-May xr500 snapshot, but on r19726-b21b98627d I'm not sure if I'm missing something (e.g. a hotplug package/config) or if this is a code fault.
It's terminating because "$ACTION" != "add".
Not sure how it works when executed from /etc/hotplug.d/block/99-lukscrypt, as it seems to be missing parameters, but anyway 99-lukscrypt doesn't seem to be executed :/
I'm considering re-upgrading the snapshot.
Script with logging:
```sh
cat /bin/decrypt.sh
#!/bin/bash
# Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
# CC0: 21JUL18 by WaLLy3K, updated 09AUG18
# Further adapted for OpenWRT 18.06 by jmm on 2018-09-04
# Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)
# Note: here-strings (<<<) and ${var,,} case folding below are bash-only features
logger -s "AAAAAAAAAAA starting decryption"
logger -s "start decrypt luks" $DEVNAME $ACTION
# Fall back to the first argument when not invoked by hotplug (no $DEVNAME in the environment)
if [ -z "${DEVNAME}" ]
then
logger -s "AAAAAAAAAAA DEVNAME"
DEVNAME="${1##*/}"
fi
msg() {
logger -st "$(basename "${0%.*}")($DEVNAME)[$$]" -- "$@"
}
if [ "$ACTION" != "add" ]
then
#only do something if a device is being added
logger -s "AAAAAAAAAAA action not add"
exit 0
fi
if [[ "$DEVNAME" == dm-[0-9] ]]
then
logger -s "AAAAAAAAAAA blockmount exit 0"
#/dev/mapper block device has been created so now try to mount FS if set up
# in /etc/config/fstab (or LuCI > System > Mount Points)
block mount
exit 0
fi
# Turn the block info line into one KEY=value per line, stripping ':' and '"'
BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
BID_UUID="$(awk -F= '/UUID/ {print $2}' <<< "$BID_RAW")"
BID_TYPE="$(awk -F= '/TYPE/ {print $2}' <<< "$BID_RAW")"
logger -s "AAAAAAAAAAA will be checking crypttab in a moment"
# Determine whether drive needs to be decrypted
if [[ ! -r "/etc/crypttab" ]]
then
msg "Unable to read file: /etc/crypttab"
exit 1
fi
CT_RAW="$(grep "$BID_UUID" /etc/crypttab)"
if [[ -z "${CT_RAW:-}" ]]
then
exit 0
fi
# crypttab columns: <name> <source> <keyfile> <options>
CT_LABEL="$(awk '{print $1}' <<< "$CT_RAW")"
CT_KEYFILE="$(awk '{print $3}' <<< "$CT_RAW")"
CT_TYPE="$(awk -F '[ ,]+' '{print $4}' <<< "$CT_RAW")"
#CT_SCRIPT="$(awk -F "keyscript=" '{print $2}' <<< "$CT_RAW")"
if [[ -e "/dev/mapper/${CT_LABEL,,}" ]]
then
msg "Drive already decrypted: $CT_LABEL"
exit 0
fi
# Error Handling
if [[ ! -e "$CT_KEYFILE" ]]
then
msg "Unable to view keyfile: '$CT_KEYFILE'"
exit 1
fi
if [[ ! "${BID_TYPE,,}" == *"${CT_TYPE,,}"* ]]
then
msg "Unable to decrypt format: $CT_TYPE"
exit 1
fi
msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)"
cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL,,}" -d "$CT_KEYFILE"
CS_EXIT="$?"
case "$CS_EXIT" in
0) if [ -e "/dev/mapper/${CT_LABEL,,}" ]
then
msg "Drive decrypted: $CT_LABEL"
else
msg "Drive not found after decrypting: $CT_LABEL"
exit 1
fi;;
5) msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;;
*) msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;;
esac
```
Expected. 99-lukscrypt just calls /bin/decrypt.sh when a Block event occurs (add, remove, ...). This passes the hotplug variables needed to the script.
Leave your debug logging as it stands, unmount or remove the /dev/mapper device, and remove the USB device.
Add a logger -s "Block 99-lukscrypt triggered" to line 1 of /etc/hotplug.d/block/99-lukscrypt.
Now plug in your encrypted USB drive and let's see if we can pin down where things fail.
Btw, thanks to your comment I spotted a mismatch between my logger start and end quote signs. This was blocking /bin/decrypt.sh execution.
So a manual re-plug seems to be working :)
But still the decryption doesn't seem to be triggered at router boot time.
I don't understand.
Responding but not sure if I understood you correctly...
Do you automount the device?
I'm trying to automate the decryption and mounting using the script & crypttab (and fstab) entries, like in the instructions:
Automated:
The following script can be used to automate decrypting and mounting (...)
On the mid-May 22.03 snapshot it was decrypting and mounting at boot time.
Without plugging in the USB device or mounting it, the hotplug script just won't trigger.
The device is connected all the time (also at boot time), but decryption doesn't happen at boot time.
There's no new device in /dev/mapper/ to be mounted.
We'd confirmed that once startup is done I can unplug and plug the disk again, and then the decryption works and so does the mounting.
So this is kind of a workaround: unplug and re-plug the device after it's fully booted.
I wish this could happen automatically at boot time without the need to unplug & plug the disk again.
PS: Attaching crypttab permissions - even everyone can read it:
```
$ cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/bin/decrypt-sdx4.sh
exit 0
```
If you are using the decrypt.sh from https://openwrt.org/docs/guide-user/storage/disk.encryption, I found those instructions to be very out of date. Even with the bash package installed and using the #!/bin/bash shebang, the script executed in ash, and <<< redirection and adding extra ,, to variables do not work. I updated the script to be ash compatible (tested on 21.02.2):
```sh
#!/bin/ash
# Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
# CC0: 21JUL18 by WaLLy3K, updated 09AUG18
# Further adapted for OpenWRT 18.06 by jmm on 2018-09-04
# Further adapted for OpenWRT 21.02.2 by mdpc on 2022-12-30
# Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)
# logger -s "start decrypt luks" $DEVNAME $ACTION
# Fall back to the first argument when not invoked by hotplug (no $DEVNAME in the environment)
if [ -z "${DEVNAME}" ]
then
DEVNAME="${1##*/}"
fi
msg() {
logger -st "$(basename "${0%.*}")($DEVNAME)[$$]" -- "$@"
}
if [ "$ACTION" != "add" ]
then
#only do something if a device is being added
exit 0
fi
if [[ "$DEVNAME" == dm-[0-9] ]]
then
#/dev/mapper block device has been created so now try to mount FS if set up
# in /etc/config/fstab (or LuCI > System > Mount Points)
block mount
exit 0
fi
# Turn the block info line into one KEY=value per line, stripping ':' and '"'
BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
# Positional parsing: split on '/', '=', ',' and space; assumes block info prints the
# UUID value as the 5th and the TYPE value as the 7th field (the -F set is quoted so
# the shell does not treat the brackets as a glob)
BID_UUID="$(echo $BID_RAW | awk -F '[/=, ]' '{print $5}')"
BID_TYPE="$(echo $BID_RAW | awk -F '[/=, ]' '{print $7}')"
# Determine whether drive needs to be decrypted
if [[ ! -r "/etc/crypttab" ]]
then
msg "Unable to read file: /etc/crypttab"
exit 1
fi
CT_RAW="$(grep "$BID_UUID" /etc/crypttab)"
if [[ -z "${CT_RAW:-}" ]]
then
exit 0
fi
# crypttab columns: <name> <source> <keyfile> <options>
CT_LABEL="$(echo $CT_RAW | awk '{print $1}')"
CT_KEYFILE="$(echo $CT_RAW | awk '{print $3}')"
CT_TYPE="$(echo $CT_RAW | awk -F '[ ,]+' '{print $4}')"
if [[ -e "/dev/mapper/${CT_LABEL}" ]]
then
msg "Drive already decrypted: $CT_LABEL"
exit 0
fi
# Error Handling
if [[ ! -e "$CT_KEYFILE" ]]
then
msg "Unable to view keyfile: '$CT_KEYFILE'"
exit 1
fi
if [[ ! "${BID_TYPE}" == *"${CT_TYPE}"* ]]
then
msg "Unable to decrypt format: $CT_TYPE"
exit 1
fi
msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)"
cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL}" -d "$CT_KEYFILE"
CS_EXIT="$?"
case "$CS_EXIT" in
0) if [ -e "/dev/mapper/${CT_LABEL}" ]
then
msg "Drive decrypted: $CT_LABEL"
else
msg "Drive not found after decrypting: $CT_LABEL"
exit 1
fi;;
5) msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;;
*) msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;;
esac
```
Also, the entry in /etc/crypttab for type must match exactly what is given by block info. If anyone would like to give me a @wiki-account, I'll gladly update that wiki page.
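The two fragile spots in both versions of the script are the positional field indices pulled out of `block info` (they silently shift if the tool prints another key, such as VERSION or LABEL) and the `grep "$BID_UUID" /etc/crypttab` lookup, which also matches commented-out lines or any UUID that merely contains the search string. As an added example, not the wiki's decrypt.sh nor mdpc's version, the following POSIX sh / BusyBox ash functions parse `block info` output by key name and match the crypttab source column exactly, then apply the type check mdpc describes. The sample `block info` line and crypttab content are constructed for the example; `blk_field`, `crypttab_entry`, `type_matches` and `decide` are names chosen here, and treating `luks` as an alias for `crypto_LUKS` is a design choice of this example, not something the wiki specifies.

```shell
#!/bin/sh
# Added example (not the wiki's decrypt.sh nor the ash port above): parse
# `block info` output by key name and look the UUID up in crypttab with an
# exact column match. POSIX sh; runs under BusyBox ash.

# Constructed sample of a `block info /dev/sdb4` line for a LUKS container
# (the UUID is made up for this example).
SAMPLE_BLKINFO='/dev/sdb4: UUID="2f1d7e3a-0c4b-4e8e-9d21-0123456789ab" VERSION="2" TYPE="crypto_LUKS"'

# Constructed /etc/crypttab content: <name> <source> <keyfile> <options>
SAMPLE_CRYPTTAB='# name  source                                      keyfile             options
crypt   UUID=2f1d7e3a-0c4b-4e8e-9d21-0123456789ab  /etc/luks/sdb4.key  luks
other   UUID=ffffffff-1111-2222-3333-444444444444  /etc/luks/other.key crypto_LUKS'

# blk_field KEY LINE: print the value of KEY="..." wherever it sits on the line,
# so the result does not depend on which other keys block info prints.
blk_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# crypttab_entry UUID TEXT: print the crypttab line whose source column is
# exactly UUID=<uuid>; comment lines and partial UUID matches are ignored.
crypttab_entry() {
    printf '%s\n' "$2" | awk -v want="UUID=$1" '$1 !~ /^#/ && $2 == want { print; exit }'
}

# type_matches CRYPTTAB_TYPE BLKINFO_TYPE: the first crypttab option must name
# what block info reports; "luks" is accepted as the conventional spelling of
# crypto_LUKS (a choice made for this example).
type_matches() {
    case "$1" in
        "$2") return 0 ;;
        luks) [ "$2" = "crypto_LUKS" ] ;;
        *) return 1 ;;
    esac
}

# decide BLKINFO_LINE CRYPTTAB_TEXT: prints "open <name> <keyfile>" when the
# device should be unlocked, otherwise "skip <reason>".
decide() {
    uuid=$(blk_field UUID "$1")
    type=$(blk_field TYPE "$1")
    [ -n "$uuid" ] || { echo "skip no-uuid"; return 0; }
    entry=$(crypttab_entry "$uuid" "$2")
    [ -n "$entry" ] || { echo "skip not-in-crypttab"; return 0; }
    set -- $entry                 # split the matched line into its columns
    opt=${4%%,*}                  # first option only, e.g. "luks" from "luks,discard"
    type_matches "$opt" "$type" || { echo "skip type-mismatch $opt/$type"; return 0; }
    echo "open $1 $3"
}

decide "$SAMPLE_BLKINFO" "$SAMPLE_CRYPTTAB"   # open crypt /etc/luks/sdb4.key
```

In a hotplug handler you would feed `decide` the output of `block info "/dev/$DEVNAME"` and the contents of `/etc/crypttab`, then run `cryptsetup open` only on an `open` result; the `skip` reasons go to `logger` so a non-firing unlock can be diagnosed from `logread` instead of by adding AAAA lines.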
Thanks, but it didn't work for me either ;( I'm using UUID.
I'm on a fresh, newly re-installed OpenWrt 22.03.5, r20134-5f15225c1e, without storing config files.
Neither works on boot nor when plugging in the device once booted:
```sh
#!/bin/bash
# Resolve the device node from its UUID (placeholder: fill in the real UUID)
DEV="$(blkid -o device --uuid <MY_DEVICE_UUID>)"
# Unlock the LUKS container as /dev/mapper/crypt using the key file (placeholder path)
/usr/sbin/cryptsetup open "$DEV" crypt --key-file <MY_DEVICE_KEY_FILE>
mount /dev/mapper/crypt /media
```
which is called from:
```
$ cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/etc/luks/script.sh
exit 0
```
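The rc.local script above runs exactly once, with no retry, so if the USB device has not finished enumerating when rc.local starts, `blkid` returns nothing, `cryptsetup open` gets an empty device argument and the boot-time unlock fails silently. As an added example, not part of this thread or the wiki, the script below is a hardened variant of that rc.local approach: it polls for the UUID for a bounded time, logs each failure to syslog so `logread` shows why the unlock did not happen, refuses a key file that is readable by other users (the key file unlocks the disk for anyone who can read it), and does nothing when the hotplug path has already created the mapper device. The path `/etc/luks/boot-decrypt.sh`, the `<MY_DEVICE_UUID>` placeholder, the key file path, the mapper name `crypt` and the mount point `/media` are assumptions chosen to match the thread; `wait_for`, `keyfile_is_private`, `find_dev`, `dev_present` and `main` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from this thread or the wiki: boot-time LUKS unlock for
# /etc/rc.local that waits for the USB device instead of assuming it is
# enumerated already, refuses a key file readable by others, and is
# idempotent when the hotplug handler already opened the container.
# Assumed names: /etc/luks/boot-decrypt.sh, the UUID placeholder, the key
# file path, the mapper name and the mount point.

LUKS_UUID="${LUKS_UUID:-<MY_DEVICE_UUID>}"      # placeholder: set to the real UUID
KEYFILE="${KEYFILE:-/etc/luks/sdb4.key}"         # assumed key file path
MAPNAME="${MAPNAME:-crypt}"                      # becomes /dev/mapper/$MAPNAME
MOUNTPOINT="${MOUNTPOINT:-/media}"
CRYPTSETUP="${CRYPTSETUP:-/usr/sbin/cryptsetup}"

log() { logger -s -t boot-decrypt -- "$@"; }

# wait_for SECONDS COMMAND...: retry once a second until the command
# succeeds; returns 0 on success, 1 when the timeout expires.
wait_for() {
    secs=$1; shift
    while [ "$secs" -gt 0 ]; do
        "$@" >/dev/null 2>&1 && return 0
        sleep 1
        secs=$((secs - 1))
    done
    return 1
}

# keyfile_is_private PATH: regular file with no group/other permission bits.
# Columns 5-10 of `ls -l` are the group and other bits on BusyBox, GNU and BSD ls.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# find_dev UUID: block device path for the UUID, empty if not (yet) present.
find_dev() { blkid -o device --uuid "$1" 2>/dev/null; }
dev_present() { [ -n "$(find_dev "$1")" ]; }

main() {
    if [ -e "/dev/mapper/$MAPNAME" ]; then
        log "/dev/mapper/$MAPNAME already exists, skipping cryptsetup open"
    else
        keyfile_is_private "$KEYFILE" \
            || { log "refusing to use $KEYFILE: missing or readable by others"; return 1; }
        # USB enumeration can finish after rc.local starts; allow 30 s for it.
        wait_for 30 dev_present "$LUKS_UUID" \
            || { log "no block device with UUID $LUKS_UUID after 30 s"; return 1; }
        dev=$(find_dev "$LUKS_UUID")
        "$CRYPTSETUP" open "$dev" "$MAPNAME" --key-file "$KEYFILE" \
            || { log "cryptsetup open failed for $dev"; return 1; }
        log "opened $dev as /dev/mapper/$MAPNAME"
    fi
    if grep -qs " $MOUNTPOINT " /proc/mounts; then
        log "$MOUNTPOINT already mounted"
        return 0
    fi
    mount "/dev/mapper/$MAPNAME" "$MOUNTPOINT" \
        || { log "mount of /dev/mapper/$MAPNAME on $MOUNTPOINT failed"; return 1; }
    log "mounted /dev/mapper/$MAPNAME on $MOUNTPOINT"
}

# Run main only when invoked as the script itself (e.g. /etc/luks/boot-decrypt.sh
# from /etc/rc.local), so the functions above can also be sourced for testing.
case "$0" in
    */boot-decrypt.sh|boot-decrypt.sh) main ;;
esac
```

Install it as `/etc/luks/boot-decrypt.sh` with mode 0700, set `LUKS_UUID` and `KEYFILE` to the real values (or export them before calling), and replace `/etc/luks/script.sh` in rc.local with that path; after a reboot `logread | grep boot-decrypt` shows which step, if any, refused to proceed.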