
#1 2018-11-01 11:08:14

indianahorst
Member
Registered: 2008-08-23
Posts: 104

Correct use of sd-encrypt hook in Mkinitcpio

Hello everybody,

I have already spent multiple hours trying to figure out how the sd-encrypt hook in Mkinitcpio works, especially the variant with passphrase caching, but it doesn't work.
Using the encrypt hook everything works flawlessly.

Setup:
I use UEFI and systemd-boot as bootloader. I have / and /home on different partitions and want to decrypt both partitions with only one passphrase during booting.


Here is my relevant config:

$ lsblk -f
NAME          FSTYPE      LABEL   UUID                                 MOUNTPOINT
sda                                                                    
├─sda1        ntfs                AA88579188575B41                     
├─sda2        vfat        EFIBOOT 85BB-C140                            /boot
├─sda3        crypto_LUKS         ebc12072-19a9-48be-a082-e475dfaf3cf4 
│ └─cryptroot ext4        rootfs  9ae602e9-2ffd-4874-bb76-609ccc791fdb /
└─sda4        crypto_LUKS         a3467dca-44c9-4ab9-ad44-6a475a728815 
  └─crypthome ext4        homefs  a66d3580-6c85-4eff-9097-e344eaf870b4 /home

/etc/mkinitcpio.conf

HOOKS="base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt resume filesystems fsck"

/etc/crypttab

# /dev/sda4
crypthome	UUID=a3467dca-44c9-4ab9-ad44-6a475a728815	/etc/crypto/keyfile.txt		luks,discard

kernel parameters in /boot/loader/entries/arch-encrypted.conf:

options rd.luks.name=ebc12072-19a9-48be-a082-e475dfaf3cf4=cryptroot rd.luks.name=a3467dca-44c9-4ab9-ad44-6a475a728815=crypthome  rd.luks.crypttab=no root=/dev/mapper/cryptroot resume=/dev/mapper/cryptroot resume_offset=1466368 rw

In https://wiki.archlinux.org/index.php/Dm … n#crypttab
it is mentioned that there is a way to configure passphrase caching:

Note: When using systemd-boot and the sd-encrypt hook, if a non-root partition's passphrase is the same as root's, there is no need to put that non-root partition in crypttab due to passphrase caching. See this forum thread for more information.

But with the config above, it always fails to decrypt the home partition. So, can somebody tell me what's the correct kernel boot line for using passphrase caching?

Thanks!


#2 2018-11-01 16:39:52

nl6720
Wiki Maintainer
Registered: 2016-07-02
Posts: 97

Re: Correct use of sd-encrypt hook in Mkinitcpio

I've never used passphrase caching, but "rd.luks.crypttab=no" will not disable the parsing of /etc/crypttab on real root. You need to use "luks.crypttab=no".

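To make the rd.luks.* versus luks.* distinction from the reply concrete, here is a small POSIX shell checker that is not part of this thread or of systemd: it takes a kernel command line and reports, for the initrd stage and for the booted system, whether /etc/crypttab will be honoured and which luks.name= mappings apply. It models the behaviour documented in systemd-cryptsetup-generator(8) (rd.luks.* options are honoured only in the initrd, luks.* options in both stages, default crypttab parsing is "yes"); the assumption that the last honoured occurrence of an option wins is mine. The sample command line is the options line from the first post, embedded so the script runs offline without touching a real system.

```shell
#!/bin/sh
# Added example, not from the forum thread: static check of the luks.* / rd.luks.*
# kernel options, following the split described in systemd-cryptsetup-generator(8).
# Assumption: when an option is repeated, the last honoured occurrence wins.

# Constructed sample: the options line from post #1 of the thread.
SAMPLE_CMDLINE='rd.luks.name=ebc12072-19a9-48be-a082-e475dfaf3cf4=cryptroot rd.luks.name=a3467dca-44c9-4ab9-ad44-6a475a728815=crypthome  rd.luks.crypttab=no root=/dev/mapper/cryptroot resume=/dev/mapper/cryptroot resume_offset=1466368 rw'

# crypttab_stage CMDLINE STAGE -> prints yes|no: is /etc/crypttab parsed in STAGE (initrd|system)?
crypttab_stage() {
    cl=$1
    st=$2
    result=yes                                   # systemd default when neither option is given
    for opt in $cl; do
        case "$opt" in
            luks.crypttab=*)                     # honoured in both initrd and booted system
                result=${opt#luks.crypttab=} ;;
            rd.luks.crypttab=*)                  # honoured only while running from the initrd
                [ "$st" = initrd ] && result=${opt#rd.luks.crypttab=} ;;
        esac
    done
    printf '%s\n' "$result"
}

# luks_names CMDLINE STAGE -> one "UUID NAME" line per device that STAGE will set up by name
luks_names() {
    cl=$1
    st=$2
    for opt in $cl; do
        case "$opt" in
            luks.name=*)
                spec=${opt#luks.name=} ;;
            rd.luks.name=*)
                [ "$st" = initrd ] || continue   # rd.* form is invisible to the booted system
                spec=${opt#rd.luks.name=} ;;
            *) continue ;;
        esac
        printf '%s %s\n' "${spec%%=*}" "${spec#*=}"
    done
}

# luks_name_count CMDLINE STAGE -> number of named devices for STAGE (whitespace-safe count)
luks_name_count() {
    luks_names "$1" "$2" | wc -l | tr -d ' '
}

# report CMDLINE -> human-readable summary for both stages
report() {
    for stage in initrd system; do
        printf '%s: /etc/crypttab parsed=%s, named devices=%s\n' \
            "$stage" "$(crypttab_stage "$1" "$stage")" "$(luks_name_count "$1" "$stage")"
        luks_names "$1" "$stage" | while read -r uuid name; do
            printf '  %s -> /dev/mapper/%s\n' "$uuid" "$name"
        done
    done
}

report "$SAMPLE_CMDLINE"
```

For the thread's command line the report shows crypttab disabled in the initrd but still parsed by the booted system, which is exactly where the crypthome entry (with its keyfile path) gets picked up again after switch-root; replacing rd.luks.crypttab=no with luks.crypttab=no flips the "system" line to "no". To check a running machine, pass "$(cat /proc/cmdline)" to report instead of the sample.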
