On 08/20/2012 04:47 PM, Adrian Pop wrote:
> Hello,
>
> I'm trying to configure grub2 to read a keyfile from a usb flash drive
> in order to decrypt the root partition. The grub2 wiki page specifies
> that in order to decrypt the root partition, the following should be
> added in /etc/default/grub:
>

Just to be clear, it's the mkinitcpio encrypt hook that's reading the keyfile, grub2 seems to be configured just fine (so far).

> GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"
>
>
> Also an earlier version of the luks wiki page, that was intended for
> grub-legacy, mentioned that to decrypt the root partition using a
> keyfile, the following kernel parameter has to be added:
>
> cryptkey=/dev/disk/by-uuid/<uuid>:vfat:/keyfile
>
>
> So I've attempted to add both of these parameters in /etc/default/grub:
>
> GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root
> cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile"
>
>
> I've also added the encrypt hook and vfat module in
> /etc/mkinitcpio.conf.
>

I don't remember if these are exempt from autodetect. You can try

    lsinitcpio /boot/initramfs-linux.img | grep fat

to verify that it's on there. I think there's also a "fat" module which is needed by vfat, I don't know if mkinitcpio pulls in module deps as well. You can also try the fallback image.

> This is displayed while booting up:
>
> :: running early hook [udev]
> :: running hook [udev]
> :: Triggering uevents...
> :: running hook [encrypt]
> Waiting 10 seconds for device /dev/disk/by-uuid/3848-EFD5 ...
> Keyfile could not be opened. Reverting to passphrase.
>

I know that message kind of looks like the device is not found, but it's likely a problem with mounting the filesystem.

>
> The usb flash drive is formatted with mkfs.vfat and contains just the
> keyfile. I would greatly appreciate any advice.
>
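
The check suggested in the reply, as an added example that is not part of the original message or of mkinitcpio: it reads the filesystem type out of the `cryptkey=` parameter and tests a file listing for each required module by exact file name, since a plain match on "fat" also hits `vfat` and the `fs/fat/` directory. The function names, the sample listing (including its kernel version) and the accepted `.gz`/`.xz`/`.zst` suffixes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Print the <fstype> field of cryptkey=<device>:<fstype>:<path> found in $1.
cryptkey_fstype() {
    for arg in $1; do
        case "$arg" in
            cryptkey=*)
                IFS=: read -r _dev fstype _path <<EOF
${arg#cryptkey=}
EOF
                printf '%s\n' "$fstype"
                return 0 ;;
        esac
    done
    return 0
}

# Modules needed to mount the given filesystem (only the case from the thread).
needed_modules() {
    case "$1" in
        vfat) echo "vfat fat" ;;   # vfat.ko depends on fat.ko
        *)    echo "$1" ;;
    esac
}

# $1: file listing, one path per line; $2: space-separated module names.
# Prints the modules that have no <name>.ko[.gz|.xz|.zst] file in the listing.
missing_modules() {
    missing=""
    for m in $2; do
        printf '%s\n' "$1" | grep -Eq "/${m}\.ko(\.(gz|xz|zst))?\$" \
            || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: command line from the thread, listing without fat.ko.
SAMPLE_CMDLINE='cryptdevice=/dev/sda2:root cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile'
SAMPLE_LISTING='usr/lib/modules/3.5.2-1-ARCH/kernel/fs/fat/vfat.ko.gz
usr/lib/modules/3.5.2-1-ARCH/kernel/drivers/md/dm-crypt.ko.gz
usr/bin/cryptsetup'

fs=$(cryptkey_fstype "$SAMPLE_CMDLINE")
echo "keyfile filesystem: $fs"
echo "missing from image: $(missing_modules "$SAMPLE_LISTING" "$(needed_modules "$fs")")"
```

On a real system, pass the output of `lsinitcpio /boot/initramfs-linux.img` as the listing and the contents of `/proc/cmdline` as the command line.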