Originally Posted by hutyerah
philanc, I like your style and would like to subscribe to your newsletter.
But I'm confused... if I put the keyfile in the initrd, then I can't use a passphrase as well, right? I guess if I did this I'd effectively have my regular slackware boot partition just on the usb stick as well as my encrypted keyfile partition.
A) An option is to store in the initrd an encrypted keyfile. At boot time, the encrypted keyfile should be decrypted before being used with cryptsetup.
Of course it implies that you have also added a (hopefully small!) file encryption utility program to the initrd, with its dependencies if any.
An reasonably sane and well-kown example could be bcrypt (you will find it at SourceForge). The only dependency that may not be in the regular initrd is zlib which you should also add.
B) Another, simpler option is to use for the keyfile the concatenation of a password and a file stored within the initrd (let's call it 'key.part')
The complete content of the keyfile would be:
<your password> <content of file key.part, stored in the initrd>
The keyfile can be built on the fly, just before calling cryptsetup:
echo "Enter your encrypted partition password:"
read -s PASSWD
echo $PASSWD $(cat key.part) > keyfile
This is obviously a rough skeleton. To make it more practical, you would put all this in a loop to make sure that if you make a typo entering the password, you can try again!
while true ; do
read password, build keyfile
cryptsetup luksOpen, with keyfile
if cryptsetup has succeeded, then
overwrite/delete key.part, keyfile
... continue with initrd processing ...