#1 2017-02-13 12:38:15

mmFooD
Member
Registered: 2017-02-12
Posts: 8

[Solved] Encryption and key file for root partition

I have successfully installed Arch with LUKS on LVM with /boot located in the root partition. This works by chainloading from my fedora grub which resides in the primary boot partition.

At first GRUB will, of course, ask for the encryption password twice, when loading grub and then when booting. So I tried setting up luks-keys as described in Encrypting the boot loader to only ask for the password once.

It looks like this

# dd bs=512 count=4 if=/dev/urandom of=/etc/luks-keys/root
# cryptsetup luksAddKey /dev/mapper/vg-Archroot /etc/luks-keys/root
     (Entered previously created passkey for vg-Archroot upon request)

And then to set up my crypttab:

# <name>       <device>                                           <password>              <options> 
swap            /dev/mapper/vg-swap                             /dev/urandom            swap,cipher=aes-xts-plain64,size=256 
archroot        /dev/mapper/vg-Archroot                         /etc/luks-keys/root 
home            /dev/mapper/vg-Archhome                         /etc/luks-keys/home

and fstab.

# <file system> <dir>   <type>  <options>       <dump>  <pass>
/dev/mapper/archroot            /               ext4            rw,relatime,data=ordered        0 1
/dev/sda1               /boot/efi       vfat            rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro        0 2
/dev/mapper/swap        none            swap            sw      0 0
/dev/mapper/home /home          ext4            defaults        0 2
/dev/mapper/vg-data     /mnt/share/data ext4    defaults 0 2

But now it asks for the password three times!?

My partitions look like this:

sda1 [EFI]
sda2 [Fedora-grub/boot]
sda3 + sdb1 [LVM]

[vg]
 \
  |--Archroot   (containing /boot for Arch)
  |--Archhome
  |--data                                      
  |--fedora-home                    
  |--fedora-root                             
  |--swap

Last edited by mmFooD (2017-02-16 22:18:02)

#2 2017-02-13 16:52:15

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] Encryption and key file for root partition

If I'm seeing this right you are storing the key inside the encrypted volume, how do you expect to access it without decrypting the volume first?


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

#3 2017-02-13 17:15:55

mmFooD
Member
Registered: 2017-02-12
Posts: 8

Re: [Solved] Encryption and key file for root partition

Yes, the idea is to have grub decrypt the volume and the key. But maybe I have to put the key as a kernel parameter instead? I remember seeing something like that somewhere but I can't find it now. Or maybe I could send the keyfile with mkinitcpio.conf?

#4 2017-02-13 23:59:09

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: [Solved] Encryption and key file for root partition

#5 2017-02-14 09:38:52

mmFooD
Member
Registered: 2017-02-12
Posts: 8

Re: [Solved] Encryption and key file for root partition

There it is! Thank you!

I added the keypath to the FILES section in mkinitcpio.conf, removed the crypttab line for root and changed the fstab accordingly. And edited the kernel parameter to include

cryptkey=rootfs:<same path as added in mkinitcpio.conf>

regenerated the initramfs and grub.cfg and it worked perfectly!
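The steps above (key path in FILES of mkinitcpio.conf, matching cryptkey=rootfs:<path> on the kernel command line, key file kept readable by root only) are easy to get out of sync. The following POSIX shell functions are an added example, not code from the thread or from Arch's own tooling: they check that the path named by cryptkey=rootfs: is the same one listed in FILES, and that the key file on disk carries root-only permissions. The mkinitcpio.conf text, kernel command line and key path used here are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency checks for a LUKS key file shipped inside the initramfs.
# Nothing here is part of mkinitcpio; the sample config and command line are constructed.

# Print the path carried by a cryptkey=rootfs:<path> kernel parameter.
# $1: the full kernel command line as one string. Returns 1 if absent.
cryptkey_path() {
    for arg in $1; do
        case "$arg" in
            cryptkey=rootfs:*)
                printf '%s\n' "${arg#cryptkey=rootfs:}"
                return 0
                ;;
        esac
    done
    return 1
}

# Return 0 if the path $2 appears in the FILES= line of the mkinitcpio.conf text $1.
# Handles both the array form FILES=(/a /b) and the older quoted form FILES="/a /b".
files_contains() {
    printf '%s\n' "$1" \
        | sed -n 's/^FILES=//p' \
        | tr -d '()"' \
        | tr ' ' '\n' \
        | grep -qx -- "$2"
}

# Return 0 only if the key file exists and is readable by its owner alone
# (mode -r-------- or -rw-------), i.e. no group/other bits set.
keyfile_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check: the key named on the command line must be in FILES and root-only.
# $1: mkinitcpio.conf text, $2: kernel command line. Prints a verdict, returns 0 on success.
check_initramfs_key() {
    key=$(cryptkey_path "$2") || { echo "no cryptkey=rootfs: parameter"; return 1; }
    files_contains "$1" "$key" || { echo "$key is not listed in FILES"; return 1; }
    keyfile_mode_ok "$key" || { echo "$key missing or too permissive"; return 1; }
    echo "ok: $key is embedded and root-only"
    return 0
}
```

Run it against the live system with `check_initramfs_key "$(cat /etc/mkinitcpio.conf)" "$(cat /proc/cmdline)"` after regenerating the initramfs. The permission check matters because the key also ends up as a copy inside the initramfs image; in the layout described in this thread that image sits in /boot on the encrypted root LV, so it is protected at rest, whereas with /boot on an unencrypted partition the same copy would be readable by anyone with the disk.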

#6 2017-02-14 19:00:39

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: [Solved] Encryption and key file for root partition

Great! Be sure to mark the thread as solved by adding "[Solved]" to the beginning of the title.
