Today, I installed Ubuntu 14.04 on a new machine with full disk encryption and a Btrfs root filesystem. As the disk partitioning tool of the Ubuntu installer gets easily confused by more complex setups, I decided to just set up one hard disk at first and add the second in a RAID1 configuration later. After I successfully booted into the new system, I started to add the second hard disk. First, I simply copied the GUID partition table (GPT) with
sgdisk -R /dev/sdb /dev/sda
where /dev/sda is the old drive and /dev/sdb the new one. Afterwards,
sgdisk -G /dev/sdb
is recommended to give the second hard drive new random GUIDs, as both drives would otherwise use the same ones. Then, I created an encrypted volume on the second disk as described in my previous post: Setting up full disk encryption for storage with a large 4k disk, GPT and Btrfs. In order to automatically open the encrypted volumes during boot, I added the following lines to /etc/crypttab:
rootvol1 UUID=(insert your UUID here) none luks,keyscript=/etc/cryptkey.sh
rootvol2 UUID=(insert your UUID here) none luks,keyscript=/etc/cryptkey.sh
These should enable the Initramfs scripts to find the two encrypted volumes during boot and open them using the passphrase provided by the cryptkey.sh script. This script has to write the password to stdout. Hence, you can simply add an echo -n "mypassword" to test the script or use a more sophisticated mechanism like reading it from a removable USB stick. It is not necessary to change /etc/fstab as Btrfs automatically finds all required volumes once they are opened through the device-mapper and LUKS. I verified that the crypttab entries work by reopening the second volume using:
cryptdisks_start rootvol2
and added the volume to the main Btrfs filesystem as described in my linked article above. Before restarting the machine, I updated all Initramfs images using
update-initramfs -u -k all
and restarted the machine.
Unfortunately, the machine only started a rescue shell in the Initramfs environment during the next boot. After switching the terminal, I saw that it only opened one of the two required volumes and consequently Btrfs refused to mount the root filesystem. However, using the rescue shell, I was able to open the second volume and mount the root filesystem as planned. I checked every config file and did not find an error. After looking into the Initramfs scripts, I saw that they scan for LVM volumes necessary to mount a root filesystem but do not consider multiple volumes necessary to mount a multi-device Btrfs filesystem. Hence, the scripts only open the volume which is listed in /etc/fstab.
Sadly, I did not find an option in the configs to register the second volume. However, I noticed that the scripts create a config file in the Initramfs that contains a list of to-be-opened volumes. It is possible to manually override this config by putting lines like the following in /etc/initramfs-tools/conf.d/cryptroot:
target=rootvol1,source=UUID=(insert your UUID here),key=none,rootdev,keyscript=/lib/cryptsetup/scripts/cryptkey.sh
target=rootvol2,source=UUID=(insert your UUID here),key=none,rootdev,keyscript=/lib/cryptsetup/scripts/cryptkey.sh
To simplify this step (or if you added other options to your crypttab), you can also copy the file from your malfunctioning Initramfs and modify it accordingly. Afterwards, I updated the Initramfs again with the above command and the machine booted without interruption.
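The manual override above can also be derived from the crypttab entries. The following is an added example, not part of the original post or of the Ubuntu scripts: the function name `crypttab_to_cryptroot` and the sample UUIDs are made up, and the rewrite of the keyscript path to /lib/cryptsetup/scripts/ simply mirrors the lines shown above. It handles only the `luks` and `keyscript=` options used in this post and reports anything else instead of guessing.

```shell
#!/bin/sh
# Added example: print one conf.d/cryptroot line per crypttab entry.
# Only the options used in this post (luks, keyscript=...) are handled.
crypttab_to_cryptroot() {
    rc=0
    while read -r target source key opts || [ -n "$target" ]; do
        case "$target" in ''|'#'*) continue ;; esac   # skip blanks and comments
        line="target=$target,source=$source,key=${key:-none},rootdev"
        old_ifs=$IFS; IFS=,
        for opt in $opts; do
            case "$opt" in
                luks) ;;   # not repeated in the cryptroot lines shown above
                keyscript=*)
                    # Assumption taken from the lines above: inside the Initramfs
                    # the script is referenced under /lib/cryptsetup/scripts/.
                    script=${opt#keyscript=}
                    line="$line,keyscript=/lib/cryptsetup/scripts/${script##*/}"
                    ;;
                *)  # Unknown option: report it so it can be handled by hand.
                    echo "unhandled option '$opt' for $target" >&2; rc=1 ;;
            esac
        done
        IFS=$old_ifs
        printf '%s\n' "$line"
    done < "$1"
    return $rc
}

# Constructed sample input with placeholder UUIDs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <target> <source> <key> <options>
rootvol1 UUID=11111111-1111-1111-1111-111111111111 none luks,keyscript=/etc/cryptkey.sh
rootvol2 UUID=22222222-2222-2222-2222-222222222222 none luks,keyscript=/etc/cryptkey.sh
EOF
crypttab_to_cryptroot "$sample"
rm -f "$sample"
```

Compare the output with the file from the existing Initramfs before writing it to /etc/initramfs-tools/conf.d/cryptroot, then run update-initramfs again as above.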