#1 2021-01-13 17:44:29

equalizer876
Member
Registered: 2018-09-11
Posts: 78

dm-crypt + keyfile + GRUB + pacman-hook

GRUB makes it possible to also encrypt /boot. In my case /boot is just a part of the "/" mount. You need to set up https://wiki.archlinux.org/index.php/Dm … _initramfs to type the passphrase only 1 time instead of 2 times.
Unfortunately after every recreation of the initramfs the permissions fall back to 644. I think we would need to create a pacman-hook to solve this problem. Why isn't there a pacman-hook available on the wiki?

Anyway, would this work? :

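[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*

[Action]
Description = Updating initramfs permission...
When = PostTransaction
# Hooks run in alphabetical order of file name: name this file so it sorts
# after 90-mkinitcpio-install.hook, otherwise the image is rebuilt afterwards.
# Exec is not run through a shell, so the glob needs an explicit sh -c.
Exec = /bin/sh -c 'chmod 600 /boot/initramfs-linux*'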

Does it matter if the keyfile resides in "/crypto_keyfile.bin" or "/root/crypto_keyfile.bin"?
Why does the guide here https://wiki.archlinux.org/index.php/Dm … ion_(GRUB) even make

chmod 000 /root/cryptlvm.keyfile

? I mean is it even recommended to give 000 permission on a file?

Last edited by equalizer876 (2021-01-13 17:51:06)

#2 2021-01-13 19:43:21

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: dm-crypt + keyfile + GRUB + pacman-hook

I don't use GRUB so I'm not going into that, just test it; however, did you read https://wiki.archlinux.org/index.php/mkinitcpio#HOOKS ?

About the permissions, there's nothing wrong with modding that keyfile to '000'.
Root has access to everything on the machine, even that modded key, except no one else does.
Simple test: create a file with some text, put it in root's dir, chmod it to '000' - now cat that file with your user and then with sudo.

edit: okay, that's not fair ;), your user shouldn't have access to root's home dir in the first place; put it in your own home dir and chown the file 'root:root'.

Last edited by qinohe (2021-01-13 19:58:42)
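
An added example, not part of either post: a small audit that reports any file whose mode still grants access to group or others, the condition the thread describes for a regenerated initramfs (644) as opposed to 600 or the wiki's 000. The function names and the temporary stand-in files are assumptions made for illustration, and it relies on GNU coreutils `stat` as shipped on Arch.

```shell
#!/bin/sh
# Added example: flag files that are readable/writable/executable by group or others.
# Assumes GNU coreutils stat (stat -c %a prints the octal mode, e.g. 644, 600, 0).

# Print "MODE PATH" for each existing argument that is not owner-only.
# Returns 0 when every file is owner-only (600, 400, 000, ...), 1 otherwise.
audit_owner_only() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue              # unmatched globs stay literal; skip them
        mode=$(stat -c %a -- "$f")
        # Leading 0 makes the shell read the mode as octal; 077 masks group+other bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: stand-ins for the initramfs images and keyfile in a temp dir.
demo() {
    d=$(mktemp -d) || return 2
    : > "$d/initramfs-linux.img";          chmod 644 "$d/initramfs-linux.img"
    : > "$d/initramfs-linux-fallback.img"; chmod 600 "$d/initramfs-linux-fallback.img"
    : > "$d/crypto_keyfile.bin";           chmod 000 "$d/crypto_keyfile.bin"
    audit_owner_only "$d"/initramfs-linux* "$d/crypto_keyfile.bin"
    res=$?
    rm -rf "$d"
    return $res
}

# Real use: pass the paths to check, e.g.
#   sh audit.sh /boot/initramfs-linux* /crypto_keyfile.bin
if [ "$#" -gt 0 ]; then
    audit_owner_only "$@"
fi
```

Run as root after a kernel or mkinitcpio upgrade, a non-empty report means the permission hook did not run after the image was rebuilt.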
