
#1 2016-09-26 07:23:16

alxcrlsn
Member
From: Denver, CO
Registered: 2013-08-04
Posts: 11

Question about full disk encryption

Hello!

Quick question for you all. I just finished an Arch install and encrypted the boot partition. All is good.

However, there's a minor instruction that I needed to follow to get things up and running, that I don't quite understand conceptually: I have a keyfile that unlocks my root/home/swap volumes so that I don't need to enter my password twice. However, the system only runs the keyfile successfully when it's stored on root/home/swap partition, which, in theory, is the volume that it's supposed to unlock. How does that work? To me it makes sense to put it in the boot partition, since that's the partition that I unlock at the beginning. I don't understand how a file on an encrypted partition can be used to unlock the same encrypted partition.

In other words, why does grub prompt for password > password unlocks /boot > somehow my keyfile gets retrieved from still encrypted root/home/swap partition(?) > root/home/swap partition unlocks? Shouldn't it be grub prompting for password > password unlocks /boot > keyfile on /boot unlocks root/home/swap?

My current setup has a keyfile stored at / that's set up as a key for my encrypted partition, per wiki. Then, I configured mkinitcpio to point to that file using the "FILE=" parameter, which gets picked up by the encrypt hook and unlocks the system. I thought it might be that when I run mkinitcpio to create my initramfs, the file is copied and included. However, when I delete the file the auto decryption no longer works, even if I don't run mkinitcpio a second time.

Clearly I'm missing something. Can anyone help me better understand what's going on?

Thank you!

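The mechanism the question is asking about, as an added example that is not part of the thread: with mkinitcpio, a keyfile only becomes usable before root is unlocked if it is listed in the `FILES=()` array of mkinitcpio.conf, because that is what copies it into the initramfs image that sits on the (GRUB-unlocked) /boot partition. The script below is a small pre-reboot sanity check, not anything from the Arch project: it takes a config file and a keyfile path, confirms the keyfile is in `FILES=`, that the `encrypt` hook is present, and that the keyfile is not readable by anyone but its owner. The paths, config contents and the 64-byte keyfile are all constructed inside a temporary directory so it runs offline; `stat -c` is the GNU form.

```shell
#!/bin/sh
# Added example, not from the thread or from mkinitcpio itself.
# Checks that a LUKS keyfile referenced by the "encrypt" hook will actually
# be embedded in the initramfs (FILES=) rather than left only on the
# still-locked root volume at boot time.

# check_keyfile_config CONF KEYFILE
# Exit status 0 when CONF lists KEYFILE in FILES=(...), has the encrypt hook
# in HOOKS=(...), and KEYFILE exists with mode 0400.
check_keyfile_config() {
  conf=$1
  keyfile=$2

  # Without FILES= the hook only sees the keyfile if it can already read it
  # from a mounted filesystem, which root is not at that point.
  files_line=$(grep -E '^FILES=' "$conf" 2>/dev/null | tail -n 1)
  case "$files_line" in
    *"$keyfile"*) ;;
    *) echo "keyfile $keyfile is not listed in FILES= of $conf"; return 1 ;;
  esac

  hooks_line=$(grep -E '^HOOKS=' "$conf" 2>/dev/null | tail -n 1)
  case "$hooks_line" in
    *encrypt*) ;;
    *) echo "encrypt hook missing from HOOKS= in $conf"; return 1 ;;
  esac

  [ -f "$keyfile" ] || { echo "keyfile $keyfile does not exist"; return 1; }

  # The keyfile is as sensitive as the passphrase: owner-read only (GNU stat).
  mode=$(stat -c '%a' "$keyfile")
  [ "$mode" = "400" ] || { echo "keyfile $keyfile has mode $mode, expected 400"; return 1; }
  return 0
}

# run_demo: builds a constructed keyfile plus one correct and one broken
# config in a temp dir, runs the check on both and prints the results.
# Exit status 0 when the good config passes and the bad one is rejected.
run_demo() {
  tmp=$(mktemp -d)
  key="$tmp/crypto_keyfile.bin"
  head -c 64 /dev/urandom > "$key"   # constructed 512-bit keyfile
  chmod 400 "$key"

  # Config that embeds the keyfile in the initramfs image.
  cat > "$tmp/good.conf" <<EOF
MODULES=()
FILES=($key)
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
EOF

  # Config that forgets FILES=: the hook would look for the file at boot,
  # when the volume holding it is still locked.
  cat > "$tmp/bad.conf" <<EOF
MODULES=()
FILES=()
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
EOF

  if check_keyfile_config "$tmp/good.conf" "$key"; then good=0; else good=1; fi
  if check_keyfile_config "$tmp/bad.conf" "$key"; then bad=0; else bad=1; fi
  rm -rf "$tmp"
  echo "good_config_ok=$good bad_config_ok=$bad"
  [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

On a real system you would run `check_keyfile_config /etc/mkinitcpio.conf /crypto_keyfile.bin`, regenerate the image with `mkinitcpio -P`, and then confirm the file really landed in the image with `lsinitcpio /boot/initramfs-linux.img | grep crypto_keyfile`; the kernel parameter for a keyfile embedded this way is `cryptkey=rootfs:/crypto_keyfile.bin`. Because the keyfile lives in plaintext inside the initramfs, this only makes sense when /boot itself is encrypted, as in the setup described in the question.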

#2 2016-09-26 09:31:45

beta990
Member
Registered: 2011-07-10
Posts: 207

Re: Question about full disk encryption

Your root is mounted first.

