Device Lockup Following Encryption Key Entry During SD Card Encryption Setup

Dear Purism Community,
Thank you so much for reading my response.

My device appears to be frozen after entering the encryption key to decrypt the OS. This is after my attempt to follow the steps in the forum post: “Auto Decrypt Encrypted SD Card on Boot for L5”

I am assuming these are connected and would greatly appreciate any help this community can provide to get my L5 booting normally.

Here are the steps I recently committed and that likely cause the error:

Create luks-keys:

1. sudo mkdir /etc/luks-keys

Set Permission for luks-keys:

2. sudo chown root /etc/luks-keys

3. sudo chown 700 /etc/luks-keys

Create Key:

4. dd if=/dev/urandom of=/etc/luks-keys/disk_secret_key bs=512 count=8
   Note: sudo may be needed before this command

Format/Partition:

5. Ensure a Luks Partition is on the device.

I used built in program “Disks” (also known as GNOME Disks) for this.

Add key to luks device

6. sudo cryptsetup -v luksAddKey /dev/sda1/etc/luks-keys/disk_secret_key

Add to /etc/crypttab

7. For this next step I opened Disks and copied the UUID in the SD Card’s information page.

Then replaced <UUID> with that number

first nano into/etc/crypttab:

sudo nano /etc/crypttab

then pasted the following on a new line:

sda1_crypt UUID=<UUID> /etc/luks-keys/disk_secret_key luks

Finally:

sudo nano /ets/fstab

and paste:

/dev/mapper/sda1_crypt /media/gerhard/Daten ext4 defaults 0 2

and saved

I thought I did this correct, however my device no longer boots properly.

Does anyone here have any knowledge that might help me repair my mistake?
As always, your support is greatly appreciated.

Best,
Mercy

Use Jumpdrive to export the phone’s eMMC as a USB Mass Storage device, mount it on your PC and remove the added line from fstab.

You can download latest build of Jumpdrive for Librem 5 from here (the one from upstream repo will also work, but may require a few retries before it sees the storage):

Maybe the nofail option added to the options in the line in /etc/fstab but as the previous post says, you will need to use Jumpdrive either to remove the line or to edit the line.

PS Your instructions refer to both sda1 and sdb1, which looks a bit suss.

Ah–thank you for pointing that out. I’ll make sure to fix that line.

Could either of you confirm if the steps are otherwise correct? I’m trying to determine if the error originated from my side or from another post on the forum.

I’ll be trying out jumpdrive and will keep you updated on how it goes.

Thank you so much for all of your time and energy. Your feedback and guidance is always appreciated.

For me, not easily. My µSD card slot is being used and is not encrypted and I don’t want to mess with it.

It looks like i may have potentially misinputed my /ets/fstab when setting it up originally.

Absolutely no worries, and I really want to make sure and express how much I appreciate both your own and dos’s assistance. The machine appears to boot properly currently.

Using the nofail option may save you from problems in /etc/fstab that relate to mounting of the µSD card - at least as long as the µSD card is not essential to the booting of the device.

I figure out how to use it with the Graphical Application Disks:

I executed the following command:

rm -r /etc/luks-keys/disk_secret_key

and removed the line from /etc/crypttab.

Which I think should (alongside removing the line in /ets/fstab ) revert the device to its previous state.