Encrypt hook no longer works when backslashes are used in a keyfile location
System and config info:
[zack@laptop ~]$ uname -a
Linux laptop 6.7.8-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 03 Mar 2024 00:30:36 +0000 x86_64 GNU/Linux
[zack@laptop ~]$ cat /etc/kernel/cmdline
cryptdevice=/dev/disk/by-id/nvme-eui.002538b421a013b6:crypt:allow-discards cryptkey=/dev/disk/by-id/usb-Samsung_Type-C_0377322080001497-0\:0:0:64 crypto=:aes-xts-plain64:512:0: root=/dev/mapper/crypt rootflags=subvol=@ rw resume=/dev/mapper/crypt resume_offset=533760
[zack@laptop ~]$ cat /etc/mkinitcpio.conf
MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap block encrypt btrfs filesystems fsck resume)
[zack@laptop ~]$ cat /etc/mkinitcpio.d/linux.preset
ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"
PRESETS=('default')
default_image="/boot/initramfs-linux.img"
default_uki="/boot/EFI/Linux/archlinux-linux.efi"
With the update to v38 for mkinitcpio(8), /usr/lib/initcpio/hooks/encrypt is no longer able to decrypt the root disk using a keyfile on a raw USB disk. The problem is caused by the fact that the by-id disk name of the USB drive has : which needs to be escaped via \. Removing -r from the read command in the hook fixed the problem for me. Specifically the below diff resolved the issue for me:
[zack@laptop ~]$ diff encrypt /usr/lib/initcpio/hooks/encrypt
12c12
< IFS=: read -r ckdev ckarg1 ckarg2 <<EOF
---
> IFS=: read ckdev ckarg1 ckarg2 <<EOF
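Review bot: on line 12 the side without -r makes read treat every backslash in the cryptkey value as an escape character, not only the one in front of the colon. A backslash before any other character is silently dropped, and a backslash at the end of the value joins the next heredoc line. If escaped colons are meant to be supported, the hook documentation should state that \: is the escape for a literal colon in cryptkey and that other backslashes are not preserved.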
42c42
< IFS=: read -r cryptdev cryptname cryptoptions <<EOF
---
> IFS=: read cryptdev cryptname cryptoptions <<EOF
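Review bot: line 42 applies the same -r removal to the cryptdevice read, but the failure described concerns only the cryptkey path, and the cryptdevice value in the cmdline shown has no backslash or escaped colon. Limit the change to the cryptkey read unless the cryptdevice case is tested and justified separately, so the backslash handling of cryptdev, cryptname and cryptoptions does not change as a side effect.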
I tried first removing the backslash from /etc/kernel/cmdline to see if that would work, but it did not. I am not 100% sure if this is a bug; but if not, how should cryptkeys be specified if they contain characters that need to be escaped (e.g., :)? I'd rather not modify /usr/lib/initcpio/hooks/encrypt and instead use a working value in /etc/kernel/cmdline.
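The difference between the two read forms in the diff can be reproduced outside the initramfs. The script below is an added example, not code from the report or from mkinitcpio; the function names and the heredoc body ($1) are assumptions made for illustration, and the sample value is the cryptkey from the command line above.

```shell
#!/bin/sh
# Added example: how "read -r" and plain "read" split the cryptkey value
# from the report when IFS is ":". Function names are hypothetical.

# Sample input: the cryptkey value shown in /etc/kernel/cmdline above.
cryptkey='/dev/disk/by-id/usb-Samsung_Type-C_0377322080001497-0\:0:0:64'

# Form with -r: backslash is an ordinary character, so "\:" still
# separates fields and the backslash stays in the device name.
split_raw() {
    IFS=: read -r ckdev ckarg1 ckarg2 <<EOF
$1
EOF
    printf '%s|%s|%s\n' "$ckdev" "$ckarg1" "$ckarg2"
}

# Form without -r: backslash escapes the next character, so "\:" becomes
# a literal colon inside the first field and the backslash is removed.
split_escaped() {
    IFS=: read ckdev ckarg1 ckarg2 <<EOF
$1
EOF
    printf '%s|%s|%s\n' "$ckdev" "$ckarg1" "$ckarg2"
}

echo "read -r : $(split_raw "$cryptkey")"
echo "read    : $(split_escaped "$cryptkey")"

# Side effect of dropping -r: a backslash in front of any other character
# is consumed as well (constructed value, not from the report).
echo "read    : $(split_escaped 'a\b:c')"
```

With -r the device field ends in a stray backslash and the last field receives the unsplit remainder 0:64; without -r the three fields are the device path, 0 and 64.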