TL;DR
I have Debian 11 with 2 LUKS encrypted partitions (root and swap), and an unencrypted boot partition. Swap is encrypted with a key file, located on the root partition, because I want to type the decryption passphrase only once.
My /etc/crypttab is empty. In grub.cfg, I have:
Code:
GRUB_CMDLINE_LINUX="resume=/dev/nvme0n1p6_crypt cryptopts=source=/dev/disk/by-partlabel/DEBIAN,target=nvme0n1p7_crypt cryptopts=source=/dev/disk/by-partlabel/SWAP,target=nvme0n1p6_crypt,key=/root/.keys/swap.key"
But GRUB can't access the key file:
Code:
Please unlock disk nvme0n1p7_crypt: (passphrase)
cryptsetup: nvme0n1p7_crypt: set up successfully
cryptsetup: ERROR: Skipping target nvme0n1p6_crypt: non-existing key file /root/.keys/swap.key
(...)
Given that the root partition has been successfully decrypted, I suppose there is a way to retrieve the key file from it and decrypt the swap partition. Can it be done? How? Is there a syntax like
Code:
... cryptopts=source=/dev/disk/by-partlabel/SWAP,target=nvme0n1p6_crypt,key=/path/to/keyfile/on/decrypted/nvme0n1p7"
PLEASE NOTE: this question is GRUB-specific; I am NOT looking for other solutions to achieve my goals, I already successfully tested a few of them (read THE FULL STORY below for more details). I'd specifically like to know whether what I try to do in GRUB can be done or not.
THE FULL STORY:
With a key-file-encrypted swap, resuming from hibernation doesn't work. From what I understand it's because systemd opens the swap partition too late, after the kernel has already given up looking for hibernation data in swap. In fact # update-initramfs -u even triggers a warning when encrypting swap with a key file:
Code:
# update-initramfs -u
(...)
WARNING: Resume target nvme0n1p6_crypt uses a key file
There are several ways to solve this problem. I successfully tested two of them: ditching the key file and using Debian's decrypt_keyctl script to cache the passphrase, or baking the key file into the initramfs and encrypting the boot partition to ensure its security. Both work fine, so I am not looking for a solution to the hibernation problem, which I already solved.
I am specifically trying to find out whether the third solution I tried could work or not, and if so, how. That third solution consists of decrypting the partitions through GRUB's GRUB_CMDLINE_LINUX options.
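As an added example (not part of the original post, and not Debian's own cryptroot code), the script below parses a GRUB_CMDLINE_LINUX value into its cryptopts= entries and reports the two conditions visible in the boot and update-initramfs output above: a key= path that is not present inside the initramfs image, and a resume= target that is unlocked with a key file. It assumes, as the "non-existing key file" error suggests, that a key= path is opened from the initramfs root before the real root filesystem is mounted; the CMDLINE constant is constructed from the kernel line quoted in the question, and initramfs_files is a hypothetical parameter listing paths known to be inside the initramfs.

```python
import shlex

# Constructed from the kernel line quoted in the question (the value of
# GRUB_CMDLINE_LINUX without its surrounding double quotes).
CMDLINE = ("resume=/dev/nvme0n1p6_crypt "
           "cryptopts=source=/dev/disk/by-partlabel/DEBIAN,target=nvme0n1p7_crypt "
           "cryptopts=source=/dev/disk/by-partlabel/SWAP,target=nvme0n1p6_crypt,"
           "key=/root/.keys/swap.key")


def parse_cmdline(cmdline):
    """Split a kernel command line into ordered (name, value) pairs.
    Parameters without '=' get an empty value; quoting is honoured."""
    pairs = []
    for token in shlex.split(cmdline):
        name, _, value = token.partition("=")
        pairs.append((name, value))
    return pairs


def parse_cryptopts(value):
    """Parse one cryptopts value, a comma-separated option=value list.
    Bare options such as 'discard' are stored as True."""
    opts = {}
    for item in value.split(","):
        if not item:
            continue
        name, sep, val = item.partition("=")
        opts[name] = val if sep else True
    return opts


def lint(cmdline, initramfs_files=frozenset()):
    """Return a list of findings about the cryptopts entries in cmdline.

    initramfs_files (hypothetical input): paths known to exist inside the
    initramfs. Assumption: a key= path is resolved inside the initramfs,
    before the root filesystem is mounted, so a key stored on the encrypted
    root cannot be found there.
    """
    pairs = parse_cmdline(cmdline)
    resume = next((v for n, v in pairs if n == "resume"), None)
    findings = []
    for name, value in pairs:
        if name != "cryptopts":
            continue
        opts = parse_cryptopts(value)
        target = opts.get("target", "?")
        key = opts.get("key")
        uses_key = key not in (None, True, "", "none")
        if uses_key and key not in initramfs_files:
            findings.append(f"{target}: key file {key} is not present inside the "
                            "initramfs (cryptroot reports 'non-existing key file')")
        if uses_key and resume in (f"/dev/{target}", f"/dev/mapper/{target}"):
            findings.append(f"{target}: resume target uses a key file (the same "
                            "condition update-initramfs warns about)")
    return findings


if __name__ == "__main__":
    for finding in lint(CMDLINE):
        print("WARNING:", finding)
```

Run against the question's own kernel line it prints both warnings; passing the key path in initramfs_files (the "baked into the initramfs" variant the author tested) leaves only the resume-target warning, which is the one update-initramfs itself emits.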