#1 2015-09-29 18:07:38

blufinney
Member
Registered: 2014-08-26
Posts: 59

[SOLVED] Remote LUKS Header / SystemD Hook / Keyfile

Hi,

I was able to successfully follow the "Encrypted system using a remote LUKS header" wiki article to install Archlinux on a headerless fully encrypted drive.  I used the "systemd hook" and it works well.  I'd like to use a keyfile that's stored on the same USB drive as the header instead of a password.  I realize this effectively turns 2FA into 1FA, but for my goals this is OK.


My crypttab.initramfs:
MyStoraage     PARTUUID=000000-000-0-0-0-0-0-00-0-etc     none       header=/boot/header.img



After reading through a post "[SOLVED] Headerless LUKS-root-partition" it seems I (may) need to make a change to crypttab.initramfs and also (or alternatively?) add the cryptkey parameter to the kernel command line.

1. Do I need the crypttab.initramfs file when using a keyfile?  If so, do I simply replace "none" with "/dev/disk/by-partuuid/000-0000-0-00-0-0000-etc/keyfile  ?  (didn't seem to work,  but maybe there is a dependency on #2 below)
2. Where does one add the cryptkey parameter to the kernel command line? (sorry, been rolling with the newbie brothers here)  I know how to do this using GRUB, but when using the systemd hook maybe there is another place to add this?  Is this added to mkinitcpio.conf somehow?


thanks!

Last edited by blufinney (2015-10-01 04:27:36)

#2 2015-10-01 04:27:17

blufinney
Member
Registered: 2014-08-26
Posts: 59

Re: [SOLVED] Remote LUKS Header / SystemD Hook / Keyfile

I was able to solve this by following the Encrypted system using a remote LUKS header wiki page (using the systemd hook section) along with the following deviations.  Hope this helps someone trying to do the same.

/etc/crypttab.initramfs

MyStorage     /dev/disk/by-id/ata-Samsung_SSD_1050_EVO_5000GB_DS87F6SD8F6887SETC     /boot/keyfile.key       header=/boot/header.img

I'm using the "by-id" method instead of PARTUUID since there's nothing but randomness on the encrypted drive - no headers, no partitions.  There are arguments that say not having a partition on the encrypted drive is dangerous, but that's another topic.  Secondly, instead of "none" as the third parameter I'm specifying the location of the key file.  We make this available in the mkinitcpio.conf file below.

/etc/mkinitcpio.conf

FILES="/boot/header.img /boot/keyfile.key"

I added the header.img as suggested by the wiki article and also added the keyfile, which in my case I've stored in the /boot folder (on the USB thumb drive).  Keep in mind there's more to the mkinitcpio.conf file (e.g. the HOOKS parameter), but this is what I did differently from the aforementioned wiki article.

That was all I had to deviate to make this happen - no "cryptkey" additions to the kernel parameters as mentioned in much of the research I did.  Apparently the systemd method supports this.  Also I have no problems when unmounting the USB thumb drive (containing /boot) after logging into the system.  I know some have reported issues when using the systemd method, not sure what they were doing differently (maybe it wasn't supported yet?).


-blu
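Added example (not part of the thread, and not code from the Arch wiki): the two files above only work together if every keyfile named in crypttab.initramfs is also listed in FILES= of mkinitcpio.conf, and since anyone who can read that keyfile can unlock the volume (the "1FA" the original poster accepts), the file should be mode 0400/0600. The POSIX sh script below parses both files the way a sanity check would, runs against a constructed staging tree (the disk id, paths and key bytes are made-up placeholders), and rejects a variant where the keyfile was left out of FILES= and left world-readable. The function names and the optional prefix argument are this example's own.

```shell
#!/bin/sh
# Cross-check /etc/crypttab.initramfs against FILES= in /etc/mkinitcpio.conf.
# Added illustration; paths and sample values below are constructed, not from the thread.

# Print the FILES= entries of an mkinitcpio.conf one per line, whether the
# line is written as FILES="/a /b" or FILES=(/a /b).
mkinitcpio_files() {
    sed -n 's/^[[:space:]]*FILES=//p' "$1" | tr -d '"()' | tr -s ' \t' '\n' | grep -v '^$'
}

# Print the keyfile column (3rd field) of every non-comment crypttab entry
# that is neither "none" nor "-" (i.e. entries that rely on a key file).
crypttab_keyfiles() {
    while read -r name dev key rest; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in ''|none|-) continue ;; esac
        printf '%s\n' "$key"
    done < "$1"
}

# Return 0 when every keyfile is shipped in the initramfs, exists, and is not
# group/world readable; return 1 otherwise.  $3 is an optional prefix so the
# check can run against a staging tree instead of the live /boot.
check_initramfs_keyfiles() {
    crypttab=$1; mkinit=$2; prefix=${3:-}
    rc=0
    files=$(mkinitcpio_files "$mkinit")
    for key in $(crypttab_keyfiles "$crypttab"); do
        if ! printf '%s\n' "$files" | grep -qxF "$key"; then
            echo "FAIL: $key is not in FILES= of $mkinit (sd-encrypt will not find it)" >&2; rc=1
        fi
        real="$prefix$key"
        if [ ! -f "$real" ]; then
            echo "FAIL: $real does not exist" >&2; rc=1; continue
        fi
        # Whoever can read the keyfile can open the volume: require 0400 or 0600.
        mode=$(stat -c '%a' "$real")
        case "$mode" in
            400|600) ;;
            *) echo "FAIL: $real has mode $mode (expected 400 or 600)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# --- constructed staging tree (placeholder disk id and key bytes) -------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/boot"
printf 'MyStorage  /dev/disk/by-id/ata-EXAMPLE-DISK-ID  /boot/keyfile.key  header=/boot/header.img\n' \
    > "$SAMPLE/crypttab.initramfs"
printf 'MODULES=()\nFILES="/boot/header.img /boot/keyfile.key"\n' > "$SAMPLE/mkinitcpio.conf"
printf 'constructed-key-material-not-a-real-key\n' > "$SAMPLE/boot/keyfile.key"
chmod 600 "$SAMPLE/boot/keyfile.key"

# Weak variant: keyfile missing from FILES= and world-readable on the USB stick.
printf 'FILES="/boot/header.img"\n' > "$SAMPLE/mkinitcpio.weak.conf"
cp "$SAMPLE/boot/keyfile.key" "$SAMPLE/boot/weak.key"
chmod 644 "$SAMPLE/boot/weak.key"
printf 'MyStorage  /dev/disk/by-id/ata-EXAMPLE-DISK-ID  /boot/weak.key  header=/boot/header.img\n' \
    > "$SAMPLE/crypttab.weak"

check_initramfs_keyfiles "$SAMPLE/crypttab.initramfs" "$SAMPLE/mkinitcpio.conf" "$SAMPLE" \
    && echo "good configuration: OK"
check_initramfs_keyfiles "$SAMPLE/crypttab.weak" "$SAMPLE/mkinitcpio.weak.conf" "$SAMPLE" \
    || echo "weak configuration: rejected as expected"
```

To run it against a real system, call check_initramfs_keyfiles /etc/crypttab.initramfs /etc/mkinitcpio.conf with no prefix; the mode check uses GNU stat, so it is Linux-specific.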
