13.05.2018 07:09, dat_boi@xxxxxxxxxxx wrote:
> Hello,
> I was wondering if it is possible to embed a luks-key inside the initramfs?

Yes, I have done it as proof of concept.

https://forums.opensuse.org/showthread.php/525192-How-to-automatically-unlock-LUKS-encrypted-root-with-a-keyfile-from-a-USB?p=2826976#post2826976

> Several other initramfs solutions such as Debian's initramfs-tools and
> Arch's mkinitcpio both allow this.
>
> However, I was unable to find the way to do this in dracut.
>
> For reference, in Debian:
> ---
> you have a key /etc/luks-keys/mykey
> nano /etc/cryptsetup-initramfs/conf-hook
> KEYFILE_PATTERN="/etc/luks-keys/mykey"
> save and exit
> nano /etc/initramfs-tools/initramfs.conf
> add this
> UMASK=0077 (to make the key secure in initrd against regular users)
> nano /etc/crypttab
> cryptolvm /dev/sda2 /etc/luks-keys/mykey luks,discard
> update-initramfs -k all -u
> ---
>
> For reference, in Arch Linux:
> ---
> mkdir -m 000 /etc/luks-keys
> dd if=/dev/random of=/etc/luks-keys/mykey bs=1 count=512
> FILES="/etc/luks-keys/mykey" on /etc/mkinitcpio.conf
> mkinitcpio -p linux
> "cryptkey=rootfs:/etc/luks-keys/home" on grub kernel line (nano
> /etc/default/grub)
> cryptsetup luksAddKey /dev/sda2 /etc/luks-keys/mykey
> ---
>
>
> Please advise.
> Thank you.
>
> - dat_boi
>
> --
> To unsubscribe from this list: send the line "unsubscribe initramfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
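An added example, not part of the original thread: once a key file is copied into the initramfs, the image itself holds the key, which is why the Debian steps above set UMASK=0077. This sketch reads key file paths from a crypttab and checks that they, and any initramfs images passed in, grant nothing to group or others. The function names are hypothetical and GNU find is assumed.

```shell
#!/bin/sh
# Added example: audit permissions when a LUKS key file is embedded in the
# initramfs. Function names are hypothetical; GNU find (-perm /MODE) assumed.
# Typical use (image paths differ per distribution):
#   audit_embedded_keys /etc/crypttab /boot/initrd.img-* /boot/initramfs-*.img

# Succeeds if FILE exists and grants no permission bits to group or others.
is_private() {
    [ -e "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm /077)" ]
}

# Print the key file paths (third field) of a crypttab. Comments, entries
# without a key file ("none" or "-") and device nodes such as /dev/urandom
# (random-key swap) are skipped.
crypttab_keyfiles() {
    awk '!/^[[:space:]]*#/ && NF >= 3 && $3 != "none" && $3 != "-" \
         && $3 !~ /^\/dev\// { print $3 }' "$1"
}

# Audit CRYPTTAB plus any initramfs images given as further arguments.
# Prints "EXPOSED <path>" or "MISSING <path>" per finding; returns 1 if any.
audit_embedded_keys() {
    crypttab=$1; shift
    findings=$(
        { crypttab_keyfiles "$crypttab"; printf '%s\n' "$@"; } |
        while IFS= read -r f; do
            [ -n "$f" ] || continue
            if [ ! -e "$f" ]; then
                echo "MISSING $f"
            elif ! is_private "$f"; then
                echo "EXPOSED $f"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

An image reported as EXPOSED can be read by any local user, who can then unpack it and recover the embedded key.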