Jump to content
Read the Funtoo Newsletter: Summer 2023 ×
  • 0

Add passphrase from keyfile to luks encrypted swap disk [SOLVED]



I'm trying to install funtoo and I want my laptop to be encrypted.  I choose to install firstly funtoo on a USB disk to test how it behave before moving it to the laptop disk eventually.

I'm using the regular gnome stage 3.

Everything is going well until now. I'm in at the chroot on  my laptop actually trying to finalize installatiion.

But I'm having an issue to add a new passphrase on a keyfile for the 2 encrypted disks (root and swap).

Here is the disk  (One touch HDD USB3  1Tb):

# lsblk /dev/sda
sda        8:0    0 931.5G  0 disk
├─sda1     8:1    0     1G  0 part
├─sda2     8:2    0 447.7G  0 part
│ └─root 254:3    0 447.7G  0 crypt funtoo root encrypted
├─sda3     8:3    0    17G  0 part
│ └─swap 254:2    0    17G  0 crypt funtoo swap encrypted
└─sda4     8:4    0 465.8G  0 part  backup disk ext4


I can't add the new passphrase from the keyfile.   Here is what happens :

### keyfile was generated with dd if=/dev/random bs=63 of=bt_keyfile.bin ###
# ls -al bt_keyfile.bin
-rw------- 1 root root 63 Dec 29 15:42 bt_keyfile.bin
cryptsetup open /dev/sda3 swap
####typing passphrase here###
###Now trying to add a new key from the keyfile
# cryptsetup -v luksAddKey swap bt_keyfile.bin --debug
# cryptsetup 2.4.2 processing "cryptsetup -v luksAddKey swap bt_keyfile.bin --debug"
# Running command luksAddKey.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device swap.
# Trying to open and read device swap with direct-io.
# Trying to open device swap without direct-io.
Device swap does not exist or access denied.
# Unlocking memory.
Command failed with code -4 (wrong device or file specified).
### But the device is really there and open. Why ?????? 
# ls /dev/mapper
control   swap
# cryptsetup status swap
/dev/mapper/swap is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: dm-crypt
  device:  /dev/sda3
  sector size:  512
  offset:  4096 sectors
  size:    35647488 sectors
  mode:    read/write

I have been searching/googling around for a while, but no luck.

I have the same error if I try to add the new passphrase from the  linux on the laptop (GarudaLinux (arch based)) or if I try from the funtoo live iso either.

Anybody would have some clues to help me solve this ?  I need to be able to mount the swap without typing a second passphrase.



My emerge --info

(chroot) gag4ruda ~ # emerge --info
Portage 3.0.14 (python 3.7.10-final-0, funtoo/1.0/linux-gnu/arch/x86-64bit, gcc-9.2.0, glibc-2.33, 5.15.11-zen1-1-zen x86_64)
System uname: Linux-5.15.11-zen1-1-zen-x86_64-AMD_Ryzen_7_5700U_with_Radeon_Graphics-with-gentoo-1.4
KiB Mem:    15829400 total,  10375752 free
KiB Swap:   50992832 total,  50990528 free
sh bash 5.0_p18
ld GNU ld (Gentoo 2.36.1 p1) 2.36.1
app-shells/bash:          5.0_p18::core-kit
dev-lang/perl:            5.32.0::perl-kit
dev-lang/python:          2.7.18::python-kit, 3.7.10::python-kit
dev-util/cmake:           3.19.7::core-kit
sys-apps/baselayout:      2.6.1-r2::core-kit
sys-apps/openrc:          0.41.2-r3::core-kit
sys-apps/sandbox:         2.24::core-kit
sys-devel/autoconf:       2.13-r1::core-kit, 2.69-r4::core-kit
sys-devel/automake:       1.16.1-r1::core-kit
sys-devel/binutils:       2.36.1-r1::core-kit
sys-devel/gcc:            9.2.0::core-kit
sys-devel/gcc-config:     2.4::core-kit
sys-devel/libtool:        2.4.6-r5::core-kit
sys-devel/make:           4.2.1-r4::core-kit
sys-kernel/linux-headers: 4.19::core-kit (virtual/os-headers)
sys-libs/glibc:           2.33::core-kit

    location: /var/git/meta-repo/kits/nokit
    masters: core-kit
    priority: -500

    location: /var/git/meta-repo/kits/browser-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/core-gl-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/core-hw-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/core-kit
    priority: 1
    aliases: gentoo

    location: /var/git/meta-repo/kits/core-server-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/desktop-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/dev-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/editors-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/games-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/gnome-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/haskell-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/java-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/kde-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/lang-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/lisp-scheme-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/llvm-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/mate-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/media-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/ml-lang-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/net-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/perl-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/python-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/python-modules-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/qt-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/ruby-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/science-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/security-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/text-kit
    masters: core-kit
    priority: 1

    location: /var/git/meta-repo/kits/xfce-kit
    masters: core-kit
    priority: 1

ACCEPT_KEYWORDS="amd64 ~amd64"
CFLAGS="-march=znver2 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=znver2 -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=znver2 -O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed"
USE="X a52 aac acl alsa amd64 apng berkdb bluray btrfs bzip2 cdda cddb cdio cdr colord cracklib crypt cups curl cxx dbus dnssd dri dts dvd dvdr dvdread eds egl elogind encode evo exif faac faad ffmpeg flac gdbm gif glamor glvnd gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk gtk3 gtkstyle ico iconv icu ieee1394 introspection ios ipod ipv6 jpeg jpeg2k lame libass libguess libmpeg2 libnotify mad matroska mjpeg mmx modules mp3 mpeg mtp mudflap nautilus ncurses nls nptl nsplugin nvenc ogg opengl openmp openrc-force pam pcre pdf png policykit postproc pppd pulseaudio python quicktime readline resolvconf sdl sdl1 sndfile sse sse2 ssl startup-notification svg taglib tcpd theora tiff tracker truetype twolame udev unicode v4l vaapi vdpau vorbis vpx vulkan wav wavpack webp win32codecs wmf x264 x265 xa xattr xinerama xml xvid xvmc zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel ice1724 intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias authn_core authz_core socache_shmcb unixd" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev synaptics keyboard mouse" KERNEL="linux" L10N="en fr" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python3_7 python2_7" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby27 ruby26" USERLAND="GNU" VIDEO_CARDS="radeon amdgpu vulkan-amdgpu gallium-radeonsi radeonsi fbdev gallium-r600 gallium-vmware nvidia osmesa qxl r600 swrast vaapi vdpau vmware xa xvmc" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

(chroot) gag4ruda ~ #


my inxi -Faz info

(chroot) gag4ruda ~ # inxi -Faz -xxx
  Kernel: 5.15.11-zen1-1-zen x86_64 bits: 64 compiler: gcc v: 11.1.0
    parameters: initrd=\amd-ucode.img initrd=\initramfs-linux-zen.img
    root=/dev/mapper/luks-86691f1a-15a7-4cc6-823e-08eab8fb14b4 rootflags=subvol=@
    rd.luks.options=discard rw
  Console: pty pts/0 Distro: Funtoo Linux 1.4
  Type: Laptop System: ASUSTeK product: VivoBook_ASUSLaptop X513UA_M513UA v: 1.0 serial: <filter>
  Mobo: ASUSTeK model: X513UA v: 1.0 serial: <filter> UEFI: American Megatrends LLC.
    v: X513UA.305 date: 03/12/2021

(upower:1850851): UPower-WARNING **: 22:06:25.806: Cannot connect to upowerd: Could not connect: No such file or directory
  ID-1: BAT0 charge: 40.3 Wh (100.0%) condition: 40.3/42.1 Wh (95.8%) volts: 11.8 min: 11.8
    model: ASUSTeK ASUS Battery type: Li-ion serial: N/A status: Not charging cycles: 7
  Device-1: hidpp_battery_0 model: Logitech Wireless Mouse M325 serial: <filter> charge: Full
    status: Discharging
  Info: model: AMD Ryzen 7 5700U with Radeon Graphics bits: 64 type: MT MCP arch: Zen 2
    family: 0x17 (23) model-id: 0x68 (104) stepping: 1 microcode: 0x8608103
  Topology: cpus: 1x cores: 8 tpc: 2 threads: 16 smt: enabled cache: L1: 512 KiB
    desc: d-8x32 KiB; i-8x32 KiB L2: 4 MiB desc: 8x512 KiB L3: 8 MiB desc: 2x4 MiB
  Speed (MHz): avg: 1400 min/max: 1400/4370 boost: enabled scaling: driver: acpi-cpufreq
    governor: powersave cores: 1: 1400 2: 1400 3: 1400 4: 1400 5: 1400 6: 1400 7: 1400 8: 1400
    9: 1400 10: 1400 11: 1400 12: 1400 13: 1400 14: 1400 15: 1400 16: 1400 bogomips: 57494
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2
    mitigation: Full AMD retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected
  Device-1: AMD Lucienne vendor: ASUSTeK driver: amdgpu v: kernel bus-ID: 03:00.0
    chip-ID: 1002:164c class-ID: 0300
  Device-2: Quanta USB2.0 HD UVC WebCam type: USB driver: uvcvideo bus-ID: 3-3:3
    chip-ID: 0408:30d4 class-ID: 0e02 serial: <filter>
  Display: server: X.org 1.20.10 compositor: enlightenment driver: loaded: amdgpu
    note: n/a (using device driver) tty: 182x45
  Message: Advanced graphics data unavailable in console for root.
  Device-1: AMD driver: snd_hda_intel v: kernel bus-ID: 03:00.1 chip-ID: 1002:1637 class-ID: 0403
  Device-2: AMD Raven/Raven2/FireFlight/Renoir Audio Processor vendor: ASUSTeK driver: N/A
    bus-ID: 03:00.5 chip-ID: 1022:15e2 class-ID: 0480
  Device-3: AMD Family 17h HD Audio vendor: ASUSTeK driver: snd_hda_intel v: kernel
    bus-ID: 03:00.6 chip-ID: 1022:15e3 class-ID: 0403
  Sound Server-1: ALSA v: k5.15.11-zen1-1-zen running: yes
  Sound Server-2: JACK v: 0.125.0 running: no
  Sound Server-3: PulseAudio v: 14.0 running: no
  Sound Server-4: PipeWire v: 0.3.0 running: yes
  Device-1: Intel Wi-Fi 6 AX200 driver: iwlwifi v: kernel bus-ID: 01:00.0 chip-ID: 8086:2723
    class-ID: 0280
  IF: wlp1s0 state: up mac: <filter>
  IF-ID-1: docker0 state: down mac: <filter>
  Device-1: Intel AX200 Bluetooth type: USB driver: btusb v: 0.8 bus-ID: 3-2:2 chip-ID: 8087:0029
    class-ID: e001
  Report: rfkill ID: hci0 rfk-id: 2 state: up address: see --recommends
  Local Storage: total: 1.84 TiB used: 6.32 GiB (0.3%)
  SMART Message: Required tool smartctl not installed. Check --recommends
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Western Digital model: PC SN530 SDBPNPZ-1T00-1002
    size: 953.87 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD
    serial: <filter> rev: 21106000 temp: 34.9 C
  ID-2: /dev/sda maj-min: 8:0 type: USB vendor: Seagate model: One Touch HDD size: 931.51 GiB
    block-size: physical: 4096 B logical: 512 B type: N/A serial: <filter> rev: 1707
  ID-1: / raw-size: 447.66 GiB size: 447.66 GiB (100.00%) used: 6.3 GiB (1.4%) fs: btrfs
    block-size: 4096 B dev: /dev/dm-3 maj-min: 254:3 mapped: funtoo
  ID-2: /boot raw-size: 1024 MiB size: 1022 MiB (99.80%) used: 20.3 MiB (2.0%) fs: vfat
    block-size: 512 B dev: /dev/sda1 maj-min: 8:1
  ID-3: /home raw-size: 447.66 GiB size: 447.66 GiB (100.00%) used: 6.3 GiB (1.4%) fs: btrfs
    block-size: 4096 B dev: /dev/dm-3 maj-min: 254:3 mapped: funtoo
  ID-4: /var raw-size: 447.66 GiB size: 447.66 GiB (100.00%) used: 6.3 GiB (1.4%) fs: btrfs
    block-size: 4096 B dev: /dev/dm-3 maj-min: 254:3 mapped: funtoo
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: partition size: 16.54 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/dm-1
    maj-min: 254:1 mapped: luks-1436414a-f251-47a7-bf5f-6ba83c40e119
  ID-2: swap-2 type: zram size: 15.1 GiB used: 2.2 MiB (0.0%) priority: 100 dev: /dev/zram0
  ID-3: swap-3 type: partition size: 17 GiB used: 0 KiB (0.0%) priority: -3 dev: /dev/dm-2
    maj-min: 254:2 mapped: swap
  Missing: Required tool sensors not installed. Check --recommends
  Processes: 398 Uptime: 4h 51m wakeups: 24 Memory: 15.1 GiB used: 2.73 GiB (18.1%) Init: systemd
  v: N/A default: 3 tool: rc-service Compilers: gcc: 9.2.0 alt: 9.2.0 Packages: emerge: 1160
  lib: 178 Shell: Bash (su) v: 5.0.18 running-in: pty pts/0 inxi: 3.3.11



Info from


Edited by perfmonk
Link to comment
Share on other sites

1 answer to this question

Recommended Posts

  • 0

Answering my own question since I found a solution.

You have to use the partition name for that command, not the LUKS mapping ...

Here is what I did :

(chroot) # cryptsetup luksAddKey swap /bt_keyfile.bin
swap n'est pas un périphérique LUKS valide.
(chroot) # cryptsetup luksAddKey /dev/mapper/swap /bt_keyfile.bin
/dev/mapper/swap n'est pas un périphérique LUKS valide.
(chroot) # cryptsetup luksAddKey /dev/sda3 /bt_keyfile.bin
Entrez une phrase secrète existante :
(chroot) # echo ### yes it worked! ####


Sorry for the noise,


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...