This might do you: http://grub.johnlane.ie/

/D

On 10/04/2016 11:43 AM, Arno Wagner - arno@xxxxxxxxxxx wrote:
> Hi Tim,
>
> full disk encryption is provided by your distribution, usually
> by some mechanism in the initrd. This is out of scope for this
> mailing-list here.
>
> However I can tell you that I have personally done something
> similar to what you want.
>
> What you need to do is either drop to a shell in the initrd
> and mount the usb-key using that, or modify the
> code in the initrd to mount that USB-stick and read the passphrase
> from it. The other thing you could do with a remotely-accessible
> shell in the initrd is to use that to
> mount the encrypted volumes manually yourself and then
> continue the boot process, on Debian with something like this:
>
> exec switch_root /mnt/root /sbin/init
>
> You could also hardcode the passphrase in the initrd and
> place initrd and kernel on that USB-key. That is what I have
> done.
>
> I can give you a bit of background about what a Debian initrd
> looks like, and Ubuntu may be similar. All action happens in
> /init, which on the initrd is a shell-script executed
> by busybox and hence pretty straightforward to change. For
> testing, I just used the following "init". You can use something
> like this to find out what commands work. After that
> you can put in your custom init instead. You can also add
> binaries to the initrd, but you must make sure they are
> either statically compiled or all libraries are there.
>
> ----
> #!/bin/sh
>
> export PATH=/sbin:/bin
> # Create the mount points if the initrd image does not already have them.
> [ -d /sys ] || mkdir /sys
> [ -d /proc ] || mkdir /proc
> [ -d /tmp ] || mkdir /tmp
> # Kernel pseudo-filesystems, mounted with the usual hardening flags.
> mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
> mount -t proc -o nodev,noexec,nosuid proc /proc
>
> echo
> echo "initrd is running"
> echo "Using BusyBox..."
> echo
> # Replace this init with an interactive BusyBox shell for poking around.
> exec /bin/ash --login
> ----
>
> Now, how do you create or modify an initrd? Best reference I
> have is this one here:
>
> http://www.thegeekstuff.com/2009/07/how-to-view-modify-and-recreate-initrd-img/
>
> Regards,
> Arno
>
>
> On Tue, Oct 04, 2016 at 10:37:36 CEST, Tim Kerby wrote:
>> I've enabled full disk encryption on a recent server install of Ubuntu
>> (using the checkbox in the installer). This is there mainly for security
>> when disks are replaced.
>>
>> Unfortunately, we've had a few power failures and the requirement to enter
>> the passphrase for LUKS at the physical terminal is an issue.
>>
>> I'd be happy to keep a keyfile on a USB key or SD card as I could mount
>> these internal to the server which is physically secured.
>>
>> Is there a method to ensure the USB key is mounted prior to the password
>> prompt and adding the keyfile as an additional method at startup?
>>
>> Thanks
>>
>> Tim
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@xxxxxxxx
>> http://www.saout.de/mailman/listinfo/dm-crypt
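What Tim asks for and Arno sketches (have the initrd mount the USB key before the LUKS prompt, and still fall back to the prompt when the key is absent) can be done without editing /init by hand on Debian and Ubuntu, because their cryptsetup initramfs integration lets /etc/crypttab name a keyscript= whose stdout becomes the key. The script below is an added example, not code from this thread or from any of the posters. It assumes that Debian convention (the initramfs runs the script with CRYPTTAB_NAME and CRYPTTAB_KEY in its environment and /lib/cryptsetup/askpass is available for the interactive fallback); the key column format "LABEL=usbkey:/luks.key", the label, the file name, the mount point /tmp/usbkey and the script name are all assumptions for the illustration.

```shell
#!/bin/sh
# usb-keyscript: added example, not from the dm-crypt thread. Assumes the
# Debian/Ubuntu cryptsetup-initramfs keyscript convention: /etc/crypttab names
# this script with keyscript=, the initramfs runs it with CRYPTTAB_NAME and
# CRYPTTAB_KEY set, and whatever it writes to stdout is fed to cryptsetup as
# the key. Hypothetical key column format: "LABEL=usbkey:/luks.key" or
# "UUID=<uuid>:/path" or "/dev/sdX1:/path".

USB_MNT=/tmp/usbkey        # mount point inside the initramfs (assumption)
DEV_TIMEOUT=10             # seconds to wait for udev to create the device node

# Split "LABEL=x:/path" into KEYDEV and KEYPATH. Fails on a malformed spec.
parse_keyspec() {
    case $1 in
        *:/*) ;;
        *) return 1 ;;
    esac
    KEYDEV=${1%%:*}
    KEYPATH=${1#*:}
}

# Map LABEL=/UUID= specs onto the udev symlinks; anything else is a device path.
dev_node() {
    case $1 in
        LABEL=*) printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        UUID=*)  printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Poll for the block device: USB enumeration often lags the start of /init.
wait_for_dev() {
    node=$(dev_node "$1")
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -b "$node" ] && { printf '%s\n' "$node"; return 0; }
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Emit the key bytes from an already mounted directory. Refuses symlinks,
# non-regular and empty files so a tampered stick cannot hand cryptsetup junk.
emit_key() {
    key="$1$2"
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "usb-keyscript: $key is missing or not a regular file" >&2
        return 1
    fi
    if [ ! -s "$key" ]; then
        echo "usb-keyscript: $key is empty" >&2
        return 1
    fi
    cat "$key"
}

# Without the stick, fall back to the normal interactive prompt so the
# server still boots when someone is at the console.
fallback() {
    echo "usb-keyscript: $1; falling back to passphrase prompt" >&2
    exec /lib/cryptsetup/askpass "Unlock ${CRYPTTAB_NAME:-disk} (USB key unavailable): "
}

main() {
    parse_keyspec "$CRYPTTAB_KEY" || fallback "malformed key spec '$CRYPTTAB_KEY'"
    dev=$(wait_for_dev "$KEYDEV" "$DEV_TIMEOUT") || fallback "$KEYDEV not present"
    mkdir -p "$USB_MNT"
    # Read-only and nodev/noexec/nosuid: the stick only has to yield one file.
    mount -o ro,nodev,noexec,nosuid "$dev" "$USB_MNT" || fallback "cannot mount $dev"
    if emit_key "$USB_MNT" "$KEYPATH"; then
        umount "$USB_MNT"
        exit 0
    fi
    umount "$USB_MNT"
    fallback "no usable keyfile on $dev"
}

# Only act when cryptsetup is calling us; sourcing the file just defines the functions.
if [ -n "${CRYPTTAB_KEY:-}" ]; then
    main
fi
```

To wire it in (still under the same assumptions): add the keyfile as its own LUKS key slot with `cryptsetup luksAddKey /dev/sdXN /path/to/luks.key` so the console passphrase keeps working, put the key on a small filesystem on the stick labelled `usbkey`, and point the crypttab entry at the script, e.g. `sda5_crypt UUID=<luks-uuid> LABEL=usbkey:/luks.key luks,keyscript=/usr/local/sbin/usb-keyscript`, then run `update-initramfs -u` so the cryptsetup hook copies the script into the image. The caveat is the one Tim's threat model already accepts: a keyfile on a stick inside the chassis only protects disks that leave the box; anyone who can boot the machine or pull the stick has the key, and the same holds for a passphrase hardcoded into an initrd that lives on an unencrypted /boot partition.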