
#1 2016-08-04 16:19:35

Freso
Member
From: Denmark
Registered: 2011-09-09
Posts: 42

Encrypted btrfs root/boot system - keyfile in initramfs?

I'm trying to follow https://wiki.archlinux.org/index.php/Dm … _with_swap for setting up a new system which only has /boot/efi non-encrypted. However, I'd also like to use a keyfile for the system encryption… and the guide links to https://wiki.archlinux.org/index.php/Dm … _initramfs for that, but wouldn't the initramfs be in /boot (i.e., rather than /boot/efi) and thus part of the system encryption? So GRUB wouldn't actually be able to get to it without decrypting the system to begin with, rendering the keyfile useless?

I'm contemplating doing a 3-partition setup instead (/boot/efi, /boot (encrypted, has keyfile), / (encrypted with keyfile)), but just want to hear back first. I might very well have missed something somewhere. smile


Machines: Kotake. Tael, Farore
PKGBUILDs: in AUR, at BitBucket


#2 2016-08-04 21:31:42

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Encrypted btrfs root/boot system - keyfile in initramfs?

The initramfs has to be inside an unencrypted partition. You need it because all the drivers and programs needed to start the boot process are there.

On the other hand if I understand correctly, you want to have the key to unlock your encrypted volume(s) in the initramfs. That sounds like a very bad idea, it's like getting a safe and leaving a post-it attached with the combination to open the safe.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

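The point R00KIE makes (a key inside the initramfs is only as protected as the partition the initramfs sits on) is easy to check for: the initramfs is a newc-format cpio archive, usually compressed, and anything listed in mkinitcpio's FILES array ends up in it as a plain entry. On Arch, `lsinitcpio -a` lists the contents; the script below is an added example (written for this thread, not code from the forum or the Arch wiki) that does the same thing from scratch in Python: it builds a small constructed archive with a dummy key baked in, parses the newc headers, and flags entries whose name looks like key material or whose contents are high-entropy. The entry names, the dummy key (a fixed 4 KiB byte pattern, not a real key) and the name pattern are all assumptions chosen for the example; only gzip compression is handled.

```python
import gzip
import math
import re
import stat
from collections import Counter

NEWC_MAGIC = b"070701"          # SVR4 cpio "newc" header magic, as used by initramfs
HEADER_LEN = 110                # 6-byte magic + 13 fields of 8 hex characters

# Assumed name pattern for key material; adjust to your own FILES= conventions.
KEY_NAME_RE = re.compile(r"(crypto_?key|keyfile|\.key$|luks)", re.IGNORECASE)


def _pad4(n):
    """Bytes of NUL padding needed to bring n up to a multiple of 4."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Build a newc cpio archive from (name, data, mode) tuples (test fixture only)."""
    out = bytearray()
    for ino, (name, data, mode) in enumerate(entries + [("TRAILER!!!", b"", 0)], 1):
        nm = name.encode() + b"\0"
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        hdr = NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in fields)
        out += hdr + nm + b"\0" * _pad4(len(hdr) + len(nm))   # header+name padded to 4
        out += data + b"\0" * _pad4(len(data))                 # file data padded to 4
    return bytes(out)


def parse_newc(blob):
    """Return [(name, mode, data)] for every entry in a (possibly gzipped) newc archive."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic; xz/zstd images are not handled here
        blob = gzip.decompress(blob)
    entries, pos = [], 0
    while pos + HEADER_LEN <= len(blob):
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {pos}")
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_start = pos + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()   # strip trailing NUL
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            break
        entries.append((name, mode, data))
    return entries


def shannon_entropy(data):
    """Bits per byte; random key material sits close to 8.0, scripts far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_initramfs(image):
    """Flag regular files that look like embedded key material: [(name, [reasons])]."""
    findings = []
    for name, mode, data in parse_newc(image):
        if not stat.S_ISREG(mode):
            continue
        reasons = []
        if KEY_NAME_RE.search(name):
            reasons.append("name matches key pattern")
        if len(data) >= 256 and shannon_entropy(data) > 7.9:
            reasons.append("high entropy (%.2f bits/byte)" % shannon_entropy(data))
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample image: what a mkinitcpio image with FILES=(/crypto_keyfile.bin) might
# contain. The "key" is a fixed byte pattern standing in for random key material.
DUMMY_KEY = bytes(range(256)) * 16
SAMPLE_ENTRIES = [
    ("init", b"#!/usr/bin/ash\n. /init_functions\nrun_hookfunctions run_hook\n", 0o100755),
    ("hooks", b"", 0o040755),
    ("hooks/encrypt", b"run_hook() { cryptsetup open ... }\n", 0o100644),
    ("usr/bin/cryptsetup", b"\x7fELF" + b"\0" * 60, 0o100755),
    ("crypto_keyfile.bin", DUMMY_KEY, 0o100600),
]


def demo():
    """Audit the constructed, gzip-compressed sample image."""
    return audit_initramfs(gzip.compress(build_newc(SAMPLE_ENTRIES)))


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real image you would read the file `/boot/initramfs-linux.img` instead of the constructed bytes and decompress it with whatever mkinitcpio's COMPRESSION is set to; a hit on a partition that GRUB reads in the clear is exactly the post-it-on-the-safe situation described above, whereas the same hit on a /boot that GRUB itself unlocks is what the three-partition layout in the question is meant to achieve.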

#3 2016-08-04 21:49:54

Freso
Member
From: Denmark
Registered: 2011-09-09
Posts: 42

Re: Encrypted btrfs root/boot system - keyfile in initramfs?

R00KIE wrote:

The initramfs has to be inside an unencrypted partition.

Unless you use GRUB over EFI: https://wiki.archlinux.org/index.php/GR … _partition

But I guess that answers my question. If I am to do what I want to do, I'll need to go for a 3-partition setup (/boot/efi, /boot, and /(btrfs)).


#4 2016-08-04 22:42:41

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,768

Re: Encrypted btrfs root/boot system - keyfile in initramfs?

R00KIE wrote:

The initramfs has to be inside an unencrypted partition.

As an old Gentoo user, one can always build a custom kernel that has everything one needs to boot and just skip the whole initramfs thing.  The only problem is compiling it yourself to keep it in sync with the Arch kernel.  It only sounds scary.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#5 2016-08-04 22:55:26

Freso
Member
From: Denmark
Registered: 2011-09-09
Posts: 42

Re: Encrypted btrfs root/boot system - keyfile in initramfs?

ewaller wrote:

It only sounds scary.

Whether it's the kernel or the initramfs that has the keyfile in it, as long as it lives in a non-encrypted FS, the cryptographic value is basically non-existent.

(Oh, and I also came from Gentoo with a non-initramfs kernel before coming to Arch. smile)

Last edited by Freso (2016-08-04 22:55:52)


#6 2016-08-04 23:09:04

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,768

Re: Encrypted btrfs root/boot system - keyfile in initramfs?

True.  I was envisioning an encrypted root partition, with the drivers needed to read the partition baked into the kernel, the kernel in a non-encrypted EFI partition, and the keys kept on something you own that is separated from the system when you are not booting -- a thumbdrive or an SD card.


#7 2016-08-05 12:17:51

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Encrypted btrfs root/boot system - keyfile in initramfs?

I didn't think about the option of having the kernel with every driver you need baked in, but would you still be able to use keyfiles without having the auxiliary scripts in the initramfs? I suppose grub does not support that.
