5

I'm running Arch Linux with systemd-boot. In /boot/loader/entries/arch.conf I currently specify the LUKS crypto device with a line like this:

options        rw cryptdevice=/dev/sda1:ABC root=/dev/mapper/ABC

I know I can also use UUID instead of /dev/sda1. In that case the kernel options line would look like this:

options        rw cryptdevice=UUID=1f5cce52-8299-9221-b2fc-19cebc959f51:ABC root=/dev/mapper/ABC

However, can I instead use either a partition label or a volume label or any other kind of label? If so, what is the syntax?

MountainX

2 Answers

4

If you're already using the new LUKS2 format, you can set a label:

For new LUKS2 containers:

# cryptsetup luksFormat --type=luks2 --label=foobar foobar.img
# blkid /dev/loop0
/dev/loop0: UUID="fda16145-822e-405c-9fe8-fe7e7f0ddb5e" LABEL="foobar" TYPE="crypto_LUKS"

For existing LUKS2 containers:

# cryptsetup config --label=barfoo /dev/loop0
# blkid /dev/loop0
/dev/loop0: UUID="fda16145-822e-405c-9fe8-fe7e7f0ddb5e" LABEL="barfoo" TYPE="crypto_LUKS"

However, it's not possible to set a label for the more common LUKS1 header.


With LUKS1, you can only set a label on a higher layer. For example, if you are using GPT partitions, you can set a PARTLABEL.

# parted /dev/loop0
(parted) name 1 foobar                                                    
(parted) print
Model: Loopback device (loopback)
Disk /dev/loop0: 105MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End    Size   File system  Name    Flags
 1      1049kB  104MB  103MB               foobar

This sets the partition label of partition 1 to "foobar".

You can identify it with PARTLABEL=foobar or find it in /dev/disk/by-partlabel/

# ls -l /dev/disk/by-partlabel/foobar 
lrwxrwxrwx 1 root root 13 Oct 10 20:10 /dev/disk/by-partlabel/foobar -> ../../loop0p1

Similarly, if you use LUKS on top of LVM, you could go with VG/LV names.


As always with labels, take extra care to make sure each label doesn't exist more than once. There's a reason why UUIDs are meant to be "universally unique". You get a lot of problems when trying to use the wrong device; it can even cause data loss (e.g. if cryptswap formats the wrong device on boot).

frostschutz
2

cryptsetup can create a label on a cryptdevice. Look in /dev/disk/by-label to make sure it matches. So

cryptdevice=LABEL={labelname}

in the same way as

root=LABEL=ROOT

works for a ROOT-labelled root device.

danblack
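
An added example, not taken from either answer: a pre-reboot check that the LABEL=/PARTLABEL= tag used in `cryptdevice=` (as both answers describe) matches exactly one crypto_LUKS device, which is the uniqueness concern raised in the first answer. The function names and the sample `blkid` text are constructed for illustration, and it assumes the initramfs resolves the same tags that `blkid` reports.

```shell
#!/bin/sh
# Constructed blkid-style sample (not from a real system): two LUKS partitions
# share PARTLABEL "foobar", which is the collision the first answer warns about.
SAMPLE_BLKID='/dev/sda1: UUID="1f5cce52-8299-9221-b2fc-19cebc959f51" TYPE="crypto_LUKS" PARTLABEL="foobar"
/dev/sdb1: UUID="fda16145-822e-405c-9fe8-fe7e7f0ddb5e" LABEL="barfoo" TYPE="crypto_LUKS" PARTLABEL="foobar"
/dev/sdc1: UUID="0a1b2c3d-0000-4000-8000-000000000001" LABEL="ROOT" TYPE="ext4"'

# Print every device on stdin (blkid format) carrying TAG="VALUE".
# The leading space keeps LABEL= from matching inside PARTLABEL=.
match_devices() {   # $1 = tag, $2 = value
    awk -v want=" $1=\"$2\"" '{
        dev = $1; sub(/:$/, "", dev)
        if (index($0, want) > 0) print dev
    }'
}

# Resolve the device part of cryptdevice=<device>:<name> against blkid output.
# Prints unique:<dev>, ambiguous:<devs>, missing, or untagged:<path>.
check_cryptdevice() {   # $1 = kernel options line, $2 = blkid output
    spec=$(printf '%s\n' "$1" | tr ' ' '\n' |
           sed -n 's/^cryptdevice=\([^:]*\):.*/\1/p' | head -n 1)
    case $spec in
        UUID=*|LABEL=*|PARTLABEL=*|PARTUUID=*) ;;
        *) echo "untagged:$spec"; return 2 ;;   # e.g. /dev/sda1, nothing to check
    esac
    # Only LUKS containers are valid targets; a same-named ext4 label is ignored.
    devs=$(printf '%s\n' "$2" | grep 'TYPE="crypto_LUKS"' |
           match_devices "${spec%%=*}" "${spec#*=}" | tr '\n' ' ')
    set -- $devs
    case $# in
        0) echo "missing"; return 1 ;;
        1) echo "unique:$1"; return 0 ;;
        *) echo "ambiguous:$*"; return 1 ;;
    esac
}

# Demo on the constructed sample: the PARTLABEL is shared, the LUKS2 label is not.
check_cryptdevice "options rw cryptdevice=PARTLABEL=foobar:ABC root=/dev/mapper/ABC" "$SAMPLE_BLKID" || true
check_cryptdevice "options rw cryptdevice=LABEL=barfoo:ABC root=/dev/mapper/ABC" "$SAMPLE_BLKID" || true
```

On a real system, pass the `options` line from the loader entry as the first argument and the output of `blkid` (run as root) as the second.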