Yes, I'm aware that automatically opening an encrypted drive (with a key file stored on it) defeats the whole purpose of disk encryption. Save your keystrokes by not pointing it out. With that out of the way, here's my problem.
Fresh Arch install, encrypted root (with boot). I want to embed the LUKS key in the initramfs to avoid two password prompts. I did follow the wiki, and it did work... partially. The prompt for / is gone (yay!) but GRUB is still insisting on asking for one. This occurs during the initial boot, the "Welcome to GRUB!" screen. Here are the exact steps I'm taking:
# partitioning
parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary btrfs 1MB 100%
# cryptsetup
echo -en "password" | cryptsetup -q luksFormat /dev/sda1
echo -en "password" | cryptsetup -q open /dev/sda1 toor
# filesystem & mounts
mkfs.btrfs /dev/mapper/toor
mount /dev/mapper/toor /mnt
# base & chroot
pacstrap /mnt base grub
genfstab -Up /mnt >> /mnt/etc/fstab
arch-chroot /mnt
# crypttab
echo -en "toor\tUUID=$(blkid /dev/sda1 -s UUID -o value)\t/crypto_keyfile.bin\tluks" >> /etc/crypttab.initramfs
# keyfile
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
echo -en "password" | cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
# mkinitcpio.conf
sed -i "s#^FILES=.*#FILES=(/usr/bin/btrfs /crypto_keyfile.bin)#g" /etc/mkinitcpio.conf
sed -i "s#^HOOKS=.*#HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems btrfs)#g" /etc/mkinitcpio.conf
mkinitcpio -p linux
# grub
echo -en "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
sed -i "s#^GRUB_CMDLINE_LINUX=.*#GRUB_CMDLINE_LINUX=\"rd.luks.uuid=$(blkid /dev/sda1 -s UUID -o value) rd.luks.key=/crypto_keyfile.bin\"#g" /etc/default/grub
grub-install --target=i386-pc --recheck /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
How can I shush GRUB? Make it obediently take the key instead of insisting on asking for a password?
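A static consistency check for the three files the steps above edit, added here as an example and not part of the original post: it parses constructed copies of /etc/crypttab.initramfs, /etc/mkinitcpio.conf and /etc/default/grub (the UUID is a made-up placeholder), never touches real devices, and spells out why the initramfs prompt goes away while the GRUB one cannot.

```shell
#!/bin/sh
# Added example, not from the thread: checks the config files the post edits.
# It only reads copies of the files; no cryptsetup or grub commands are run.

# 0 if the keyfile named in crypttab.initramfs is also in mkinitcpio FILES=(),
# i.e. sd-encrypt will find it inside the initramfs and skip the prompt for /.
keyfile_in_initramfs() {
    keyfile=$(awk '$1 !~ /^#/ && NF >= 3 { print $3; exit }' "$1")
    [ -n "$keyfile" ] || return 1
    grep -E "^FILES=\(.*$keyfile.*\)" "$2" >/dev/null
}

# 0 if the UUID in crypttab matches rd.luks.uuid= on the GRUB kernel cmdline.
uuid_matches_cmdline() {
    uuid=$(awk '$1 !~ /^#/ { sub(/^UUID=/, "", $2); print $2; exit }' "$1")
    [ -n "$uuid" ] || return 1
    grep -E "^GRUB_CMDLINE_LINUX=.*rd\.luks\.uuid=$uuid" "$2" >/dev/null
}

# 0 if GRUB is told to unlock LUKS volumes. That only lets GRUB *read* the
# encrypted /boot; the keyfile lives inside that same volume, so GRUB still
# has to ask for the passphrase before it can load the kernel and initramfs.
grub_cryptodisk_enabled() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Write constructed sample configs (placeholder UUID) into directory "$1".
make_sample_configs() {
    u=0f1e2d3c-0000-4000-8000-000000000001
    printf 'toor\tUUID=%s\t/crypto_keyfile.bin\tluks\n' "$u" > "$1/crypttab.initramfs"
    printf 'FILES=(/usr/bin/btrfs /crypto_keyfile.bin)\nHOOKS=(base systemd sd-encrypt)\n' > "$1/mkinitcpio.conf"
    printf 'GRUB_ENABLE_CRYPTODISK=y\nGRUB_CMDLINE_LINUX="rd.luks.uuid=%s rd.luks.key=/crypto_keyfile.bin"\n' "$u" > "$1/grub"
}

# Run the three checks against a directory of configs and print a verdict.
report() {
    keyfile_in_initramfs "$1/crypttab.initramfs" "$1/mkinitcpio.conf" && echo "initramfs: keyfile embedded, no prompt for /" || echo "initramfs: keyfile missing from FILES=()"
    uuid_matches_cmdline "$1/crypttab.initramfs" "$1/grub" && echo "cmdline: rd.luks.uuid matches crypttab" || echo "cmdline: UUID mismatch"
    grub_cryptodisk_enabled "$1/grub" && echo "grub: cryptodisk on, but the passphrase prompt stays (keyfile is inside the volume)" || echo "grub: cryptodisk off, GRUB cannot read /boot at all"
}

demo=$(mktemp -d) && make_sample_configs "$demo" && report "$demo"
```

Point the functions at the real files under /etc to check a live install; the GRUB verdict does not change, because no setting makes GRUB read a keyfile from a volume it has not yet unlocked.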
So you have a single, encrypted, partition, right? Then you expect GRUB to somehow open it how exactly, if it doesn't ask for the passphrase? Before you say "use the keyfile" think about where that file would be...
Yes, I'm aware that automatically opening encrypted drive (with a key file stored on it) defeats the whole purpose of disk encryption.
Yes it does. The analogy is having a safe and leaving a piece of paper on the outside with the combination written on it.
At best what you are trying to accomplish is security through obscurity. You're going to invest more work to get it to work than the security gain you're going to get out of it.
R00KIE