
#1 2023-04-11 21:41:28

ezequiel.ezb
Member
Registered: 2017-08-14
Posts: 33

How to correctly point my partition's keyfile to the encrypt hook?

I need to know because I'll edit the wiki to make a few improvements.
Currently the documentation is not very clear on this point. As a result, I spent several hours trying to figure out why my root partition wasn't being decrypted at boot, even though I made a keyfile and included it in my initramfs.

I managed to find a decisive piece of information under dm-crypt/System_configuration#cryptkey. It says:

Also note that if cryptkey is not specified, it defaults to /crypto_keyfile.bin (in the initramfs)

In other words, if that's not exactly the name of the keyfile included in the initramfs, it won't work. The main dm-crypt wiki rambles on and on about keyfiles, but doesn't explain this important bit of information until much later.

This is specified under the kernel parameters section of that wiki, not sure why, as this goes into /etc/crypttab:

For a file included in the initramfs the format is[1]:

cryptkey=rootfs:path

Example: cryptkey=rootfs:/secretkey

This is the part I didn't quite understand.
So I had a system.key file in my initramfs, and I put this in my crypttab:

# <name>       <device>                                     <password>              <options>
system UUID=2619f5bc-0302-4ceb-ba84-635f002995db cryptkey=rootfs:/system.key

It didn't work. Replacing the "rootfs" part with a forward slash didn't work. Using just /system.key didn't work either.

But then I regenerated the initramfs with default name and changed the crypttab accordingly, to look like this:

# <name>       <device>                                     <password>              <options>
system UUID=2619f5bc-0302-4ceb-ba84-635f002995db        crypto_keyfile.bin

Rebooted and now it works fine.

I'd like to know what is wrong here, so I can make it clearer in the wiki.

Last edited by ezequiel.ezb (2023-04-11 22:23:12)


#2 2023-04-12 08:00:39

Raynman
Member
Registered: 2011-10-22
Posts: 1,539

Re: How to correctly point my partition's keyfile to the encrypt hook?

ezequiel.ezb wrote:

This is specified under the kernel parameters section of that wiki, not sure why, as this goes into /etc/crypttab:

No, those are different things. That wiki page has two main sections. The first is for early userspace in the initramfs, where you need the kernel parameters (details depending on the initramfs implementation, and the systemd version can also use crypttab.initramfs). Unlocking via /etc/crypttab is covered in the second section, where it also says

This file can be used for automatically mounting encrypted swap devices or secondary file systems.
[..]
Note that crypttab is read after the system has booted up, therefore it is not a replacement for unlocking encrypted partitions by using mkinitcpio hooks and configuring them by using kernel parameters as in the case of encrypting the root partition.

So /etc/crypttab is not useful for your root partition. It only works for you now because you used the default name.

The default of crypto_keyfile.bin is specifically for the cryptkey kernel parameter used by the (default) busybox-based mkinitcpio. systemd(-cryptsetup) in late userspace (or also early with a systemd-based initramfs) uses different defaults; these are mentioned in the wiki, but you can also check (the description of the third field in) crypttab(5).

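A small checker for the early-userspace keyfile wiring the reply describes, added here as an example (it is not from the thread, the Arch wiki or mkinitcpio). It assumes constructed strings standing in for /proc/cmdline, the FILES= line of /etc/mkinitcpio.conf and /etc/crypttab, and models only the busybox encrypt hook's rootfs: keyfile form.

```shell
#!/bin/sh
# Added example (not from the thread, the wiki or mkinitcpio); inputs are constructed
# strings standing in for /proc/cmdline, FILES= of mkinitcpio.conf and /etc/crypttab.

# Keyfile path the busybox-based encrypt hook opens inside the initramfs.
# Without a cryptkey= parameter it falls back to rootfs:/crypto_keyfile.bin.
encrypt_hook_keyfile() {
    spec=
    for word in $1; do
        case $word in cryptkey=*) spec=${word#cryptkey=} ;; esac
    done
    spec=${spec:-rootfs:/crypto_keyfile.bin}
    case $spec in
        rootfs:*) printf '%s\n' "${spec#rootfs:}" ;;
        *)        printf 'not-rootfs\n' ;;   # device-backed forms: out of scope here
    esac
}

# Is that exact path listed in FILES=(...)? mkinitcpio copies each FILES entry
# to the same absolute path inside the image, so the name must match.
initramfs_has_file() {
    list=${2#*=}; list=${list#\(}; list=${list%\)}
    for f in $list; do
        f=${f#\"}; f=${f%\"}
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# A cryptkey= token in /etc/crypttab is a misplaced kernel parameter: crypttab
# has no such option, and it is only read after the root filesystem is mounted.
crypttab_misplaced_cryptkey() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'cryptkey='
}

# Verdict for root unlocking: ok | keyfile-missing:<path> | not-rootfs
check_early_unlock() {
    key=$(encrypt_hook_keyfile "$1")
    [ "$key" = not-rootfs ] && { echo not-rootfs; return 0; }
    if initramfs_has_file "$key" "$2"; then echo ok; else echo "keyfile-missing:$key"; fi
}

# Constructed inputs: the poster's first attempt (system.key shipped, cryptkey=
# written into crypttab instead of the kernel command line) and the fix.
FILES_LINE='FILES=(/system.key)'
CRYPTTAB='# <name> <device> <password> <options>
system UUID=2619f5bc-0302-4ceb-ba84-635f002995db cryptkey=rootfs:/system.key'
echo "first attempt: $(check_early_unlock 'root=/dev/mapper/system rw' "$FILES_LINE")"
crypttab_misplaced_cryptkey "$CRYPTTAB" && echo 'crypttab carries a cryptkey= kernel parameter'
echo "fixed cmdline: $(check_early_unlock 'cryptkey=rootfs:/system.key root=/dev/mapper/system' "$FILES_LINE")"
```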
