2

I installed Debian 9 on a VPS and configured the root partition to be encrypted. However, due to the installer giving me trouble when attempting to encrypt, I had to do this manually.

To be able to unlock the root partition via SSH during boot I also installed dropbear-initramfsand updated the initramfs using update-initramfs -u. On boot, I am now able to connect to the dropbearserver.

After the login process, cryptroot-unlock (which is invoked automatically when logging in via SSH) fails with the following error message:

Error: Timeout reached while waiting for askpass.

and closes the connection.

I didn't find anything on this exact error message on the web and tried to make sure I didn't make any config mistakes, but nothing seemed to help so far.

At the moment, I am able to chroot into the system using a rescue live system; what can I do to fix this error?

Julian Eckhardt
  • 151
  • 1
  • 6

2 Answers2

3

I was able to fix the problem myself, but maybe someone else runs into the same problem, so I'll post the solution here:

As it turns out, my /etc/crypttab had syntax errors, which led to askpass(amongst others) not being included in the initramfs when running update-initramfs -u.

For me, it was enough to add each separate logical volume into /etc/crypttab instead of the volume group as a whole. Here's an example:

#name       underlying device       passphrase  cryptsetup options
vg-root     /dev/mapper/vg-root     none        luks,retry=1
vg-swap     /dev/mapper/vg-swap     none        luks,retry=1

After updating your initramfs once again your system should ask for the logical volume passphrases on startup and then resume booting normally.

Julian Eckhardt
  • 151
  • 1
  • 6
0

Writing this here as I have found this thread while trying to solve the same issue on Kali Linux.

On Kali in particular there is a package installed by default which is cryptsetup-nuke-password. This replaces /lib/cryptsetup/askpass with a script that calls the original ‘askpass’ binary and renames askpass to /lib/cryptsetup/askpass.cryptsetup (see here), causing the same exact error when using cryptroot-unlock:

Error: Timeout reached while waiting for askpass.

A possible solution is to edit /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock to point to /lib/cryptsetup/askpass.cryptsetup instead of /lib/cryptsetup/askpass:

ASKPASS=/lib/cryptsetup/askpass.cryptsetup
Amedeo
  • 101