
#1 2016-09-28 19:55:02

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

[Solved] GRUB with dm-crypt without initrd

GRUB can decrypt LUKS dm-crypt partitions. I currently have one system partition encrypted with LUKS dm-crypt which is decrypted by GRUB upon entering a passphrase. From there the initramfs is loaded and the system partition is closed (encrypted again). The initramfs then decrypts the system partition again (this time using an embedded key) and mounts the specified subvolume (it's BTRFS).

My question is: can this process be done without using initrd/initramfs? I have rebuilt my kernel with the needed filesystem support as well as dm-crypt support (not as modules, but in the kernel). I am thinking GRUB could just decrypt the system partition and then load the kernel.

Has anyone done this? What changes would I need to make?

Last edited by rdeckard (2016-09-29 01:29:04)


#2 2016-09-28 20:10:07

frostschutz
Member
Registered: 2013-11-15
Posts: 1,575

Re: [Solved] GRUB with dm-crypt without initrd

You misunderstand something.

GRUB has some support for LUKS encryption, so it can get at its (encrypted) data, menu, kernel etc. files.

Then GRUB loads the kernel and GRUB is gone.

The kernel does not know nor care how it came into existence... it has to load its own drivers, make its own discoveries about the hardware environment, load its own initramfs which creates its own crypt mappings...

Of course, if you for some reason used encrypted /boot, but unencrypted everything else [or at least unencrypted root], THEN you could get by without initramfs. But that's not the setup you were asking about, right?


#3 2016-09-29 01:28:47

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: [Solved] GRUB with dm-crypt without initrd

Thanks for the clarification on the boot process. It seems like there is no getting around the fact that GRUB closes the partition after it loads what the kernel needs, so the kernel/initrd are going to have to decrypt it again, and a minimal initrd is needed to embed a keyfile for that. Thanks again.


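The minimal initrd the thread ends on, as an added example that is not code from any post here: a POSIX shell build script for an initramfs whose /init re-opens the LUKS root with an embedded keyfile and switches to the btrfs subvolume, which is the step the kernel has to repeat because GRUB's mapping is gone once the kernel runs. The helper names, the `cryptroot` mapping name and `/crypto_keyfile.bin` are assumptions, and the generated /init expects busybox-style `findfs`, `cryptsetup` and `switch_root` binaries to be copied into the staging tree by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a minimal initramfs whose
# /init re-opens the LUKS root with an embedded keyfile: the step the kernel
# must repeat itself because GRUB's mapping is gone once the kernel runs.
# Assumptions: busybox-style findfs, cryptsetup and switch_root are copied
# into the staging tree's bin/ and sbin/ by the caller.
set -eu

# Refuse a keyfile other local users can read. Its copy inside the image is
# protected only by the LUKS passphrase GRUB asks for, so the image must live
# on the GRUB-unlocked volume, never on a plain /boot partition.
check_keyfile() {                     # $1 = keyfile; exit status 1 if unsafe
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Write the /init the kernel runs after unpacking the initramfs.
write_init() {                        # $1 = output path, $2 = LUKS UUID, $3 = subvolume
    cat > "$1" <<EOF
#!/bin/sh
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs devtmpfs /dev
# GRUB closed the container before handing over; open it again with the
# embedded key, mount the requested subvolume and hand off to the real init.
cryptsetup open --key-file /crypto_keyfile.bin "\$(findfs UUID=$2)" cryptroot
mount -t btrfs -o subvol=$3 /dev/mapper/cryptroot /newroot
exec switch_root /newroot /sbin/init
EOF
    chmod 0755 "$1"
}

# Lay out the staging tree: mount points, the keyfile copy and /init.
stage_tree() {                        # $1 = staging dir, $2 = keyfile, $3 = UUID, $4 = subvolume
    check_keyfile "$2"
    mkdir -p "$1/proc" "$1/sys" "$1/dev" "$1/newroot" "$1/bin" "$1/sbin"
    install -m 0600 "$2" "$1/crypto_keyfile.bin"
    write_init "$1/init" "$3" "$4"
}

# Pack the tree into the gzip-compressed newc cpio archive the kernel expects,
# and keep the image itself unreadable to other users.
build_initramfs() {                   # $1 = staging dir, $2 = output image
    ( cd "$1" && find . -print0 | cpio -0 -o -H newc ) | gzip -9 > "$2"
    chmod 0600 "$2"
}
```

The image still has to be referenced from the GRUB entry as the kernel's initrd, and the kernel needs the same built-in dm-crypt and btrfs support the first post describes.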