On 04/02/2018 at 13:06, Michael Kjörling wrote:
> On 4 Feb 2018 02:39 +0100, from 21naown@xxxxxxxxx:
>> I would like to open a LUKS container (which is the OS Debian)
>> through GRUB, but with the header stored in a USB key for example.
>> Through the file crypttab
>> (https://manpages.debian.org/stretch/cryptsetup/crypttab.5.en.html),
>> it seems possible to specify the path of the header, but I have
>> different failures and I do not know where the problem is.
>
> /etc/crypttab is a Debian-ism, not something understood or used
> natively by LUKS. The system startup scripts then parse that file and
> translate it into various LUKS-related commands. And of course, if
> you're storing your crypttab in the encrypted container, you can't
> read it before you have unlocked the container and mounted the file
> system therein, but you'd need to read the crypttab to unlock the
> container; an obvious catch-22 situation.
>
> The normal approach for using an encrypted root partition is to have a
> small, unencrypted /boot which stores the kernel, an initrd, the boot
> loader, and a few other odds and ends to get the system booted far
> enough that it can unlock the LUKS container and proceed from there.
>
> Is there some particular reason why you don't want to do it that way?
> If you tell us _why_ you're going down this route, we might be able to
> suggest a solution that would actually _work_...

I have an unencrypted boot partition with GRUB. My final goal is to have
this partition on a USB key, in the same partition or in a different one
from the one where the header file will be stored, obviously unencrypted.

I assume crypttab is embedded in initrd when I do “update-initramfs -u”,
because, among the errors I got, it showed me just after selecting the
OS to launch in GRUB “LUKS header “/boot/headerFile” missing”, which is
the path I put in crypttab.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
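
A small check for the situation discussed in this thread, as an added example that is not part of the original messages: it lists the crypttab entries that name a detached header and tests whether each path exists under a chosen root directory, such as an unpacked initramfs tree. It assumes the `header=` option described in the linked crypttab(5) page; the function names, the ROOT argument, and the device and target names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find crypttab entries that use a
# detached LUKS header and check the header path under a chosen root.
# Function names and the ROOT argument are assumptions of this example.

# Print "target<TAB>header-path" for every entry with a header= option.
crypttab_headers() {
    # crypttab fields: target, source device, key file, options (comma list)
    while read -r target source keyfile options rest || [ -n "$target" ]; do
        case "$target" in ''|'#'*) continue ;; esac
        old_ifs=$IFS; IFS=,
        for opt in $options; do
            case "$opt" in
                header=*) printf '%s\t%s\n' "$target" "${opt#header=}" ;;
            esac
        done
        IFS=$old_ifs
    done < "$1"
}

# check_headers CRYPTTAB ROOT: report each header path as seen under ROOT
# (e.g. an unpacked initramfs); return 1 if any header file is missing.
check_headers() {
    status=0
    list=$(crypttab_headers "$1")
    while IFS="$(printf '\t')" read -r target path; do
        [ -n "$target" ] || continue
        if [ -e "$2$path" ]; then
            echo "ok      $target $path"
        else
            echo "MISSING $target $path"
            status=1
        fi
    done <<EOF
$list
EOF
    return "$status"
}

# Constructed sample: the header path quoted in the thread, checked against
# an empty directory standing in for the early-boot file system.
demo=$(mktemp -d)
printf '%s\n' '# <target> <source> <key file> <options>' \
    'root_crypt /dev/sda2 none luks,header=/boot/headerFile' > "$demo/crypttab"
mkdir "$demo/root"
check_headers "$demo/crypttab" "$demo/root" || echo "header not reachable under $demo/root"
rm -rf "$demo"
```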