Custom `hotplug.d/*lukscrypt` not being executed?

I'm on Netgear XR500 OpenWrt SNAPSHOT, r19726-b21b98627d. 2 days ago I made asu since then I cannot auto decrypt my drive.

I've changes according to Disk Encryption guide (lines "The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in /etc/crypttab")

marcin@OpenWrt:~$ ll /bin/decrypt.sh 
-rw-r--r--    1 root     root          2423 Jun  4 07:28 /bin/decrypt.sh
marcin@OpenWrt:~$ ll /etc/hotplug.d/block/99-lukscrypt
-rw-r--r--    1 root     root           157 Jun  4 07:27 /etc/hotplug.d/block/99-lukscrypt
marcin@OpenWrt:~$ ll /etc/crypttab
-rw-r--r--    1 root     root           109 Jun  3 21:14 /etc/crypttab

I've put custom log message to see if hotplug executes decrypt script but it seems it doesn't:

marcin@OpenWrt:~$ cat /etc/hotplug.d/block/99-lukscrypt 
# note: this needs bash and awk installed and the #!/bin/bash does not seem to work on 18.06
logger -s 'AAAAAAAAAAAAAAA hotplug decypt"
bash /bin/decrypt.sh
marcin@OpenWrt:~$ sudo logread |grep AAA
marcin@OpenWrt:~$ 

I do have block* packages installed

marcin@OpenWrt:~$ opkg list-installed |grep block
block-mount - 2022-06-02-93369be0-1
blockd - 2022-06-02-93369be0-1
blockdev - 2.38-2

TLDR: Am I missing a package/configuration that custom hotplug is not executed?

I don't encrypt my block devices, but I don't think so.

By way of reference:
Hotplug scripts require a trigger event to execute the script(s) in the /etc/hotplug.d/<device> folder. In your case, any Block Device event will trigger all scripts contained in /etc/hotplug.d/block based on their numeric prefix - 00-media-change, 10-mount, and your 99-lukscrypt and executing each met condition in turn. Given you see nothing in the log, I suspect nothing triggers it.

A few things to consider:

  1. Is bash installed as required for the 99-lukscrypt?
  2. Can you mount and access your encrypted drive manually? If not, fix that first.
  3. Can you see /dev/mapper/[map-name]
1 Like

@RuralRoots thanks for replay.

  1. yes I do have bash:
marcin@OpenWrt:~$ opkg list-installed |grep bash
bash - 5.1.16-1
  1. yes I can decrypt it manually.
root@OpenWrt:/home/marcin# ll /dev/mapper/crypt
ls: /dev/mapper/crypt: No such file or directory
root@OpenWrt:/home/marcin# cryptsetup luksOpen /dev/sdb4 crypt --key-file /a-path-to-keyfile
root@OpenWrt:/home/marcin# ll /dev/mapper/crypt
brw-------    1 root     root      253,   0 Jun  4 19:00 /dev/mapper/crypt
root@OpenWrt:/home/marcin# mount /dev/mapper/crypt /mnt/
root@OpenWrt:/home/marcin# ls /mnt/
Aparat Marcin

  1. yes /dev/mapper/crypt is created after luksOpen - (see above :wink: ) it's required for mount

is was working on mid-may xr500 Snapshot but on r19726-b21b98627d not sure if I'm missing something (e.g. a hotplug package/config) or is this code fault :frowning:

asu should negate that by design. And if run manually, it works as advertised.

What returns do you get by running the script directly:

/bin/decrypt.sh

Directly there's no output.

To see what's going on I put some logging inside this code.

Here's output for my changes (below)

marcin@OpenWrt:~$ bash /bin/decrypt.sh
marcin: AAAAAAAAAAA starting decyption
marcin: start decrypt luks
marcin: AAAAAAAAAAA DEVNAME
marcin: AAAAAAAAAAA action not add
marcin@OpenWrt:~$ 

It's terminating because $ACTION" != "add" .
Not sure how it works executed from etc/hotplug.d/block/99-lukscrypt as it seems to be missing parameters but anyway 99-lukscrypt doesn't seems to be executed:/

I'm considering re-upgrade snapshot.

Script with logging :

cat /bin/decrypt.sh
#!/bin/bash
# Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
# CC0: 21JUL18 by WaLLy3K, updated 09AUG18
# Further adapted for OpenWRT 18.06 by jmm on 2018-09-04

# Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)

logger -s "AAAAAAAAAAA starting decyption"
logger -s "start decrypt luks" $DEVNAME $ACTION

if [ -z "${DEVNAME}" ]
then
        logger -s "AAAAAAAAAAA DEVNAME"
    DEVNAME="${1##*/}"
fi

msg() {
    logger -st "$(basename "${0%.*}")($DEVNAME)[$$]" -- "$@"
}

if [ "$ACTION" != "add" ]
then
    #only do something if a device is being added
logger -s "AAAAAAAAAAA action not add"
    exit 0
fi

if [[ "$DEVNAME" == dm-[0-9] ]]
then

logger -s "AAAAAAAAAAA blockmount exit 0"
    #/dev/mapper block device has been created so now try to mount FS if set up
    # in /etc/config/fstab (or LuCI > System > Mount Points)
    block mount
    exit 0
fi

BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
BID_UUID="$(awk -F= '/UUID/ {print $2}' <<< "$BID_RAW")"
BID_TYPE="$(awk -F= '/TYPE/ {print $2}' <<< "$BID_RAW")"

logger -s "AAAAAAAAAAA will be chekcing crypttab in a moment"
# Determine whether drive needs to be decrypted
if [[ ! -r "/etc/crypttab" ]]
then
    msg "Unable to read file: /etc/crypttab"
    exit 1
fi
CT_RAW="$(grep "$BID_UUID" /etc/crypttab)"
if [[ -z "${CT_RAW:-}" ]]
then
    exit 0
fi

CT_LABEL="$(awk '{print $1}' <<< "$CT_RAW")"
CT_KEYFILE="$(awk '{print $3}' <<< "$CT_RAW")"
CT_TYPE="$(awk -F '[ ,]+' '{print $4}' <<< "$CT_RAW")"
#CT_SCRIPT="$(awk -F "keyscript=" '{print $2}' <<< "$CT_RAW")"

if [[ -e "/dev/mapper/${CT_LABEL,,}" ]]
then
    msg "Drive already decrypted: $CT_LABEL"
    exit 0
fi

# Error Handling
if [[ ! -e "$CT_KEYFILE" ]]
then
    msg "Unable to view keyfile: '$CT_KEYFILE'"
    exit 1
fi
if [[ ! "${BID_TYPE,,}" == *"${CT_TYPE,,}"* ]]
then
    msg "Unable to decrypt format: $CT_TYPE"
    exit 1
fi

msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)"
cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL,,}" -d "$CT_KEYFILE"
CS_EXIT="$?"
case "$CS_EXIT" in
0)  if [ -e "/dev/mapper/${CT_LABEL,,}" ]
    then
        msg "Drive decrypted: $CT_LABEL"
    else
        msg "Drive not found after decrypting: $CT_LABEL"
        exit 1
    fi;;
5)  msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;;
*)  msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;;
esac
marcin@OpenWrt:~$

Expected. 99-lukscrypt just calls the /bin/decrypt.sh when a Block event occurs (add, remove, . . .) This passes the hotplug variables needed to the script.

Leave your debug logging as it stands, unmount or remove /dev/mapper device, remove the usb device.

Add a logger -s “Block 99-lukscrypt triggered to line 1 of /etc/hotplug.d/block/99-lukscrypt

Now plug in your encrypted usb drive and let’s see if we can pin down where things fail.

Thanks so it got executed when I manually re-plug the usb device:

marcin@OpenWrt:~$ sudo logread |grep 99-          Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered                             Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered                             Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:21 2022 user.notice root: Block 99-lukscrypt triggered
Tue Jun  7 04:57:49 2022 user.notice root: Block 99-lukscrypt triggered                             Tue Jun  7 04:57:49 2022 user.notice root: Block 99-lukscrypt triggered                             Tue Jun  7 04:57:49 2022 user.notice root: Block 99-lukscrypt triggered                             marcin@OpenWrt:~$

Btw thanks to your comment I spot mismatch between my logger start and ending quote signs. This was blocking /bin/decrypt.sh execution.
So manual re- plug seems to be working:)

But still the decryption doesn't seem to be triggered at router boot time.

based on hotplug docs

I created :

marcin@OpenWrt:~$ cat /etc/hotplug.d/block/00-logger 
logger -t hotplug $(env)
marcin@OpenWrt:~$ 

but after reboot it gave again nothing:(

marcin@OpenWrt:~$ sudo logread -e hotplug
Tue Jun  7 20:04:04 2022 authpriv.notice sudo:   marcin : TTY=pts/0 ; PWD=/home/marcin ; USER=root ; COMMAND=/sbin/logread -e hotplug
marcin@OpenWrt:~$

I keep going back over the wiki, and this keeps nagging at me.

On a fresh reboot, you just need for perform the mapping and mount (Note: the mapping will require a passphrase)

cryptsetup open [encrypted-device] [map-name]
mount /dev/mapper/[map-name] [mount-point]

Do you automount the device? Without plugging in the usb device or mounting it the hotplug script just won’t trigger.

I don't understand.
Responding but not sure if I understood you correctly...

Do you automount the device?

I'm trying to automate the decryption and mounting using the script & crypttab (and fstab) entry like in instruction:

Automated:

The following script can be used to automate decrypting and mounting  (...)

On mid-may 22.03-snapshot it was decrypting and amounting at boottime.

Without plugging in the usb device or mounting it the hotplug script just won’t trigger.

Device is connected all the time (also at boot time), but decryption doesn't happen at boot time.
There's no new device in /dev/mapper/ to be mounted.

We'd confirmed that once startup is done I can unplug and plug again the disk and then the decryption is working and so does the mounting.
So this is kind of workaround to unplug and re-plug device after fully booted.
I wish this could happen automaticly at boot time without need to unplug & plug again the disk.

PS: Attaching crypttab permissions - even everyone can read it:

marcin@OpenWrt:~$ ll /etc/crypttab
-rw-r--r--    1 root     root           109 Jun  3 21:14 /etc/crypttab