Extroot on a LUKS encrypted USB -?

lejeczek · August 12, 2022, 11:17am

Hi guys.

Although I've had Extroot on USB for a while - docs made it simple - I'm still new to oWRT so go easy on me.
I got larger USB and decided to take my oWRT installation seriously - in terms of security - and I thought I should start by encrypting my USB, so..

inasmuch as luks-encrypting a block device seems same easy as everywhere, I failed to find any info on how to auto-open such encrypted device, so device mapper will do that @boot.
Is that possible without any "hackery" ?

Then, if above is possible - which I thought it'd be in 2022 by "standard" - then would Extroot be possible on such block device?

many thanks, L.

lejeczek · August 12, 2022, 1:01pm

A partial answer to my question - auto-unlocking LUKS usb is possible with hotplug.d @boot time.

But such an unlock does not seem to satisfy 'extroot', as extroot does not find the device early enough and fails to mount '/overlay', even with:

fstab.@global[0].delay_root='99'

-> $ logread | cut -d\  -f 6- | sed -n -e "/- preinit -/,/- init -/p"
...
user.info kernel: [   11.358546] block: attempting to load /tmp/ubifs_cfg/upper/etc/config/fstab
user.info kernel: [   11.362806] block: extroot: device not present, retrying in 99 seconds
kern.notice kernel: [   12.156971] scsi 0:0:0:0: Direct-Access              USB DISK 3.0     PMAP PQ: 0 ANSI: 6
kern.notice kernel: [   12.167816] sd 0:0:0:0: [sda] 967860480 512-byte logical blocks: (496 GB/462 GiB)
kern.notice kernel: [   12.170934] sd 0:0:0:0: [sda] Write Protect is off
kern.debug kernel: [   12.174389] sd 0:0:0:0: [sda] Mode Sense: 2b 00 00 08
kern.notice kernel: [   12.174978] sd 0:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
kern.notice kernel: [   12.677003] sd 0:0:0:0: [sda] Attached SCSI removable disk
user.err kernel: [  110.561603] block: extroot: cannot find device luks-sda
user.info kernel: [  110.563991] mount_root: switching to ubifs overlay
...

Anybody have any suggestions - much appreciated.
many thanks, L.

crass · November 9, 2022, 1:55am

I just wrote instructions on doing this. See if that doesn't work for you or how those instructions might be improved.