#41 Loop aes and lvm2



I've got this setup and tried the advice from https://sourceforge.net/tracker/?func=detail&aid=3301954&group_id=28891&atid=394668 but I got the error "USEPIVOT>0 but setup looks like USEPIVOT=0" - or something very similar.

I have an old laptop with a 160 GB drive partitioned like this: the first 20 GB for WinXP (I use OCR on it), then 200 MB for boot, and then the rest as a loop-AES-encrypted partition on top of which is LVM2, but I'm stuck at boot time with that error (the setup is made exactly as in the support request shown at the beginning of my post).
In the attachment are my zipped build-initrd.sh and build-initrd.conf (which I edited as I thought it should be edited per the previous support request).

Thanks in advance for help


  • samuraiii

    samuraiii - 2011-07-29

    build-initrd.sh and .conf

  • samuraiii

    samuraiii - 2011-07-29
    • priority: 5 --> 6
  • samuraiii

    samuraiii - 2011-07-29

    I'm sorry, I forgot to include my rootsetup file in the compressed attachment.
    The content of the file is here:
    if [ "x$1" != "x-d" ] ; then
        # set-up path: attach the encrypted loop device, then activate LVM
        /lib/mkdir -p /proc /dev/mapper
        /lib/mount -n -t proc proc /proc
        /lib/losetup -e AES256 -K /lib/gpg.key.gpg -G /lib /dev/loop1 /dev/sda3
        x=$? # remember the return status of losetup
        /lib/lvm vgscan --ignorelockingfailure
        /lib/lvm vgchange -ay --ignorelockingfailure
        /lib/umount -n /proc
        exit ${x} # exit with return status of losetup
    fi
    # clean-up path (called with -d): detach the loop device
    /lib/losetup -d /dev/loop5
    x=$?
    exit ${x} # exit with return status of losetup

  • Jari Ruusu

    Jari Ruusu - 2011-07-30

    That sounds like a problem in bootloader
    configuration. Can you include your full
    bootloader config and full kernel config?
    Both in compressed form.

  • samuraiii

    samuraiii - 2011-07-30

    Hope these are the right ones :)

  • samuraiii

    samuraiii - 2011-07-30

    I uploaded the configs you requested.
    Hope they are the right ones you wanted.

    It's the kernel compile config
    and a classic grub.conf from the boot directory

  • Jari Ruusu

    Jari Ruusu - 2011-07-30

    Bootloader and kernel configs looked OK to me, so that is
    not where the problem is.

    The initrd.gz that you are trying to use is most likely not
    the one you believe you are using. That build-initrd.sh
    script with your config fails to create new initrd.gz, it
    stops with an error:

    # ./build-initrd.sh build-initrd.conf
    Loading config from 'build-initrd.conf'
    *** Internal build-initrd.sh error condition detected. This ***
    *** script was supposed to create block device nodes for ***
    *** BOOTDEV=, CRYPTROOT= and possibly EXTERNALGPGDEV= but ***
    *** lacked knowledge of how to create at least one of them. ***
    *** Script aborted. ***
    # echo $?

    That is because CRYPTROOT=/dev/dm-1 is a device name for
    which the script doesn't know how to create a block special
    device node.

    Your rootsetup script seems to use hardcoded /dev/sda3 as
    the backing device for /dev/loop1 . If you specify
    CRYPTROOT=/dev/sda3 in the build-initrd.sh config, then the
    script will work. Your rootsetup script seems to ignore most
    of the parameters passed to it, so it doesn't matter what
    CRYPTROOT= is as long as it is something that the script is
    able to create a block special device node for it.

    After changing CRYPTROOT=/dev/sda3 in the config, it works:

    # ./build-initrd.sh build-initrd.conf
    Loading config from 'build-initrd.conf'
    11 blocks
    -rw------- 1 root root 2382 Jul 30 15:01 /boot/initrd.gz
    Copying /sbin/losetup to /boot/losetup
    Copying /lib/libc.so.6 to /boot
    Copying /lib/ld-linux.so.2 to /boot
    Copying /sbin/insmod to /boot/insmod
    Copying /lib/libc.so.6 to /boot
    Copying /lib/ld-linux.so.2 to /boot
    Copying /bin/loadkeys to /boot/loadkeys
    Copying /lib/libcfont.so.0 to /boot
    Copying /lib/libctutils.so.0 to /boot
    Copying /lib/libconsole.so.0 to /boot
    Copying /lib/libc.so.6 to /boot
    Copying /lib/ld-linux.so.2 to /boot
    Copying /usr/bin/gpg to /boot/gpg
    # echo $?

  • samuraiii

    samuraiii - 2011-07-30

    Yes we moved a bit:

    Now I get mounting /dev/sda2 as /lib failed

  • Jari Ruusu

    Jari Ruusu - 2011-07-30

    INITIALDELAY=3 in build-initrd.sh config may
    help if devices are detected slowly.

  • samuraiii

    samuraiii - 2011-07-30

    No help, still the same even with 10 sec delay.

  • Jari Ruusu

    Jari Ruusu - 2011-07-31

    Failing mount can be caused by one or more of these:

    (1) Block special device node /dev/sda2 is not in the /dev
    directory in the initramfs file system that gets extracted to
    RAM. The build-initrd.sh script put it there, so this is an
    unlikely cause.

    (2) Block device driver not statically linked to your
    kernel. I don't know what device driver your hardware

    (3) File system not statically linked to your kernel. The ext4
    file system appears to be statically linked to your kernel,
    so this is an unlikely cause.

    (4) Device detection may take a small amount of time. You said
    a 10 second delay didn't help, so this is an unlikely cause.

    (5) /dev/sda2 partition doesn't have valid ext4 file system
    on it. Can you mount that partition normally as ext4 file

  • samuraiii

    samuraiii - 2011-07-31

    I'm going to recheck the device driver; in the meantime I uploaded a tar of my boot folder here


    Can you please check that everything needed is there?

    One more thing: I'm running build-initrd from a chrooted environment - can't this be a problem?

  • samuraiii

    samuraiii - 2011-07-31

    After recompiling the kernel and loop module I got another error:
    mounting /dev/loop1 failed
    loop: cant delete device /dev/loop5 #??? why, I don't understand
    Command "/lib/rootsetup -d /dev/loop1" returned error

    (I set INITDELAY=0)

  • samuraiii

    samuraiii - 2011-07-31

    Also there is another problem... before the messages from my last post I get another error:
    losetup complaining about the -K option

  • Jari Ruusu

    Jari Ruusu - 2011-07-31

    Your rootsetup script sets up /dev/loop1. If mounting
    encrypted root file system fails for whatever reason,
    rootsetup script is called again to clean up. Your rootsetup
    script attempts to detach /dev/loop5 in clean up case. That
    is why you see that error about /dev/loop5.

    losetup complaining about the -K option means that the losetup
    program that was copied to the /boot partition is not the loop-AES
    version of losetup. To check that losetup is the correct
    version, do this:

    # strings -a /sbin/losetup | grep multi-key-v3
    # strings -a /boot/losetup | grep multi-key-v3

    If you don't see the multi-key-v3 string in the output, then
    the losetup program is the wrong version.

    Encrypted root file system mount failed because of one or more
    of these:

    (1) You used a wrong version of losetup that doesn't put the loop
    device into multi-key-v3 mode.

    (2) Backing device didn't have encrypted file system on it.

    (3) rootsetup script / lvm commands didn't put a /dev/dm-1
    block special device node to /dev directory on initramfs
    file system that was extracted to RAM.

    (4) You typed wrong passphrase.

    The failed encrypted root file system mount error message is
    a little bit misleading because you changed the build-initrd.sh
    script to mount /dev/dm-1, but the error case of that
    failing mount prints "Mounting /dev/loop1 failed".

  • samuraiii

    samuraiii - 2011-08-01

    I redownloaded and recompiled loop-aes (in order to get a working losetup - don't know why it wasn't there already) from my distro (gentoo), and while I was doing this I updated every tool which is needed for this setup (even the kernel).
    Including the losetup module, which is now version 3.6d.
    rootsetup was also corrected to point to /dev/loop5 on all occasions

    All configs (especially new ones) which we were discussing are uploaded together with tar of my boot folder here:


    And here is the newest error
    [time]VFS: Cannot open root device "(null)" or unknown-block(253.1)
    [time]Please append a correct "root=" boot option: here are the available partitions:
    <list of partitions - sda sda1 sda2 sda3 sr0>
    [time]Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(253.1)

    And with the old kernel (same file set as with the new kernel - except for the loop module) I get past the password prompt but then:
    Failed to find sysfs mount point
    read_urandom: /dev/urandom: open failed: No such file or directory
    Reading all physical volumes. This may take a while...
    Found volume group "enc" using metadata type lvm2
    Failed to find sysfs mount point
    read_urandom: /dev/urandom: open failed: No such file or directory
    5 logical volume(s) in volume group "enc" now active
    Mounting /dev/loop5 failed
    ioctl: LOOP_CLR_FD: Device or resource busy
    command "/lib/rootsetup -d /dev/loop5" returned error

  • Jari Ruusu

    Jari Ruusu - 2011-08-01

    "Cannot open root device" is caused by spelling error /
    missing initrd line in grub.conf:
    "intrd /initrd.gz" -> "initrd /initrd.gz"
    initrd has 2 i letters.

    I have to admit that I have never tried build-initrd.sh
    based encrypted root setup that uses lvm devices. With that
    kind of setup, you are on your own. Sorry.

    How about plan B, keep it simple. Normal partitions with or
    without MD RAID, work just fine for simple workstation and
    laptop computer setups. And they don't need special
    rootsetup script or build-initrd.sh patching. loop-AES
    README section 7.5. even explains how to make
    build-initrd.sh set up more than one encrypted loop device
    but requiring only one passphrase to be typed in at boot
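
The misspelled `initrd` directive diagnosed at the start of this reply is the kind of error a small lint can catch before a reboot. The following is an added example, not part of the original thread: it checks a GRUB legacy grub.conf for unknown directives and for stanzas that load a kernel without an initrd. The function name and the sample config are constructed; only the `intrd /initrd.gz` line is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint a GRUB legacy grub.conf.
# Reports unknown directives and stanzas that load a kernel without an initrd
# (an initrd is required for the build-initrd.sh encrypted-root setup).
check_grub_conf() {
    awk '
    function report() {
        if (title != "" && has_kernel && !has_initrd)
            printf "stanza \"%s\": kernel without initrd\n", title
    }
    BEGIN {
        cmds = "title root rootnoverify kernel initrd module chainloader"
        cmds = cmds " makeactive default timeout fallback hiddenmenu"
        cmds = cmds " splashimage password savedefault boot map color lock"
        n = split(cmds, k, " ")
        for (i = 1; i <= n; i++) known[k[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        cmd = $1
        sub(/=.*/, "", cmd)            # "default=0" -> "default"
        if (!(cmd in known))
            printf "line %d: unknown directive \"%s\"\n", NR, cmd
        if (cmd == "title") {
            report()
            title = $0
            sub(/^[ \t]*title[ \t]+/, "", title)
            has_kernel = 0; has_initrd = 0
        }
        if (cmd == "kernel") has_kernel = 1
        if (cmd == "initrd") has_initrd = 1
    }
    END { report() }
    ' "$@"
}

# Constructed sample reproducing the typo from the thread.
printf 'default=0\ntitle Gentoo\n  root (hd0,1)\n  kernel /vmlinuz\n  intrd /initrd.gz\n' |
    check_grub_conf
```

Pass the real file as an argument (`check_grub_conf /boot/grub/grub.conf`); empty output means no finding.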

  • samuraiii

    samuraiii - 2011-08-02

    May I ask you not to close this ticket?

    I promise I'll do it when I get to a conclusion (and maybe publish the solution).

    Thank you

  • samuraiii

    samuraiii - 2011-08-24

    I've run into another problem:
    with lvm, files /dev/lvg/lvolume are created;
    these files are not present in the /dev/ folder of my "new-root" after changing from the initrd root to the root of gentoo

    therefore my mount command fails

    I tried to circumvent this by calling 'vgscan -ay --mknodes' as the first custom command in build-initrd.conf, but this fails with an enigmatic "command ended with error" (or a similar warning that says nothing),
    and therefore every other custom command fails because of the nonexistent reference in /dev

    So are there some ways to either:
    a) "mount" the old /dev folder from the init phase at the /dev folder in "new-root"
    b) make the warning more verbose to find where the problem is

    Thank you in advance for help

  • Jari Ruusu

    Jari Ruusu - 2011-08-24

    There are three /dev directories total.

    First /dev directory is inside initramfs root.
    build-initrd.sh script writes device nodes to cpio archive
    at build-initrd.sh run time. At kernel boot time, these
    device nodes (and rest of files) are extracted to initramfs
    file system that resides in RAM. Not sure if this file
    system is write protected.

    Second /dev directory is on encrypted root file system,
    which is initially mounted read-only. This file system
    should remain read-only mounted until init scripts have
    fsck'ed it. Init scripts then eventually mount root file
    system read-write. In normal cases when udev is in use, this
    directory is not normally visible because udev mounts a
    tmpfs file system on top of it. You can access this
    directory by booting from rescue CD, and mounting the
    encrypted file system at some other suitable directory.

    Third /dev directory is the tmpfs file system mounted by and
    populated by udev. udev is started in early init scripts.

    rootsetup script runs inside first type "initramfs" context.

    EXTRACOMMANDSTR? scripts run inside second type "encrypted
    root" context. Meaning: read-only mounted root file system,
    nearly empty /dev directory, and udev not running yet.

    Maybe the solution is: boot from rescue CD, mount your
    encrypted file system at /mnt, and create static device
    nodes there at /mnt/dev/???
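
One way to prepare the static device nodes suggested above, as an added example that is not part of the original thread: it turns `dmsetup ls` output into the mknod and symlink commands for a root mounted at /mnt and prints them for review instead of running them. The volume group name enc and device number 253:1 come from the thread; the logical volume names and the function name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `dmsetup ls` output on stdin and
# PRINTS the commands that would create static device-mapper nodes (and the
# /dev/VG/LV symlinks LVM uses) under a root file system mounted at $1.
dm_static_node_plan() {
    target=${1:-/mnt}    # mount point of the encrypted root (assumption)
    echo "mkdir -p $target/dev/mapper"
    awk -v t="$target" '
    {
        name = $1
        nums = $0
        sub(/^[^(]*\(/, "", nums)     # drop everything up to "("
        sub(/\).*$/, "", nums)        # drop ")" and anything after it
        # Accept both "(253, 1)" and "(253:1)" output styles.
        if (split(nums, mm, /[,:] */) != 2) next
        if (mm[1] !~ /^[0-9]+$/ || mm[2] !~ /^[0-9]+$/) next
        printf "mknod -m 600 %s/dev/mapper/%s b %s %s\n", t, name, mm[1], mm[2]
        # dm name is VG-LV; a hyphen inside VG or LV is written as "--".
        tmp = name
        gsub(/--/, "\n", tmp)
        i = index(tmp, "-")
        if (i == 0) next              # not an LVM-style name
        vg = substr(tmp, 1, i - 1); lv = substr(tmp, i + 1)
        gsub(/\n/, "-", vg); gsub(/\n/, "-", lv)
        printf "mkdir -p %s/dev/%s\n", t, vg
        printf "ln -s ../mapper/%s %s/dev/%s/%s\n", name, t, vg, lv
    }'
}

# Constructed input: VG "enc" and 253:1 appear in the thread, LV names do not.
printf 'enc-root\t(253, 1)\nenc-my--data\t(253:2)\n' | dm_static_node_plan /mnt
```

The device-mapper major number is allocated dynamically and minors follow activation order, so compare the printed numbers with /proc/devices and `dmsetup ls` on the kernel that will actually boot before relying on static nodes.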

  • samuraiii

    samuraiii - 2011-10-28
    • status: open --> closed
  • samuraiii

    samuraiii - 2011-10-28

    So I finally gave up and chose the dm-crypt implementation of encryption,
    not only because of the problems with setup but also for better customizability.

    Anyway thank you for your time

