This is a good example how to uncrypt via tpm https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/ On Thu, 23 Jul 2020, 16:03 Giancarlo Razzolini via arch-general, < arch-general@xxxxxxxxxxxxx> wrote: > Em julho 23, 2020 7:09 Riccardo Paolo Bestetti via arch-general escreveu: > > > > I would like to change my current crypto setup in a way that would > require more step to unlock the root than just typing in a passphares. For > this reason, sd-encrypt clearly cannot serve my use case. > > > > What step would that be? And how it would be secure? > > > For this reason, I would like to write a custom hook to mount the root > volume. Now, systemd boot doesn't have a concept of runtime hooks. Thus, I > need to make a systemd unit that gets pulled in by cryptsetup.target in the > place of systemd-cryptsetup@.service. (Basically, I need to replace the > whole systemd-cryptsetup-generator and systemd-cryptsetup logic.) > > > > It doesn't need to be in place of, you can simply have a unit that runs > either before or after systemd-cryptsetup@. Or you can even override > systemd-cryptsetup to require your unit. > There are several options. > > > However, I really have no idea on how to achieve this. Should I write a > custom mkinitcpio hook which completely bypasses sd-crypt/cryptsetup.target > and instead starts a different unit with my own decryption logic? Or is > there a way to hook into cryptsetup.target and instruct it to pull in my > logic instead of systemd-cryptsetup*? > > > > If you write a unit file and a script, they can probably be added to the > FILES section and that would be it. Main issue is the enabling of the unit, > so, for that, you would probably need a custom install hook. > > > Of course, the other possibility is to just stop using a systemd boot > and instead setting up a busybox early userspace. Then it's just a matter > of writing a shell script. However, since I'm already using systemd for > everything - from the bootloader to userspace - I don't think it makes much > sense to do that. > > > > If you use the base hook, you already have busybox on the initramfs. > > Regards, > Giancarlo Razzolini