On Tue, Nov 27, 2018 at 8:06 PM mark <m.roth@xxxxxxxxx> wrote:
> Sorry, I think you misunderstood. The key for root is *not* in
> /etc/crypttab - that's only for the secondary ones.
>
> mark
>
> I understood correctly, just that you mentioning that one can put the key
in the /etc/crypttab gave me the idea to check if the initramfs image will
have the same content for crypttab. So now I have 2 working solutions:
1) /etc/crypttab on OS has a reference to the file that contains the key to
decrypt the second volume (the key is on the encrypted root fs). I have
checked and the initramfs /etc/crypttab has only the line for the root
volume, without any reference to the second volume. The root volume gets
decrypted by clevis+tang. The second volume is decrypted after the root
volume is decrypted, /etc/crypptab is read and the key is found.
2) the initramfs /etc/crypttab was manually updated to add the line for the
second volume. Clevis + tang will decrypt both the root fs and the second
volume.
I was surprised to find out the the /etc/crypttab in initramfs is different
from the one in OS. So now I'm searching for the correct way to force
dracut to include /etc/crypttab unchanged in the initramfs image.
Radu
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
