|
Uefi and full disk encryption with lvm on luks with luks keyfile
Hiya guys,
just for interest I have installed Slackware current on a vm with full disk encryption with lvm on luks. Code:
sda1: ef02 Bios 5MBCode:
cryptsetup luksFormat --type luks1 /dev/sda3Code:
cd /mntCode:
dd bs=512 count=4 if=/dev/random of=/root/slackpv.keyfile iflag=fullblockCode:
cd /bootCode:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx:slackpv0 root=/dev/slack/root cryptkey=rootfs:/root/slackpv.keyfile resume=/dev/slack/swap"Code:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheckI guess mkinitrd -K works just with vfat as a filesystem? I know It makes no sense to install lvm on luks without passphrase on the root-filesystem, but I just would like to know how it works. thanks |
I had the same problem some time ago. In short: you have to patch init file in the mkinitrd, and then put the crypto_kyefile.bin in the init ramdisk. I did it in this way:
# mkdir /tmp/initrd-tree # tar xpzf /usr/share/mkinitrd/initrd-tree.tar.gz -C /tmp/initrd-tree # cd /tmp/initrd-tree # patch init < key_file_in_the_initrd_and_drive_unlocked_by_grub.diff # mv /crypto_keyfile.bin ./ # tar cpzf /usr/share/mkinitrd/initrd-tree.tar.gz * Create the initial ramdisk environment as you have done before (mkinitrd ...). Modify in the /etc/default/grub the line accordingly: GRUB_CMDLINE_LINUX="... cryptkey=/crypto_kyefile.bin ..." GRUB_ENABLE_CRYPTODISK=y Then you will have enter the passphrase once, just before grub menu, and then during the boot the crypto_kyefile.bin from initram disk will be used to unlock the whole disk . Look here for patch: https://www.linuxquestions.org/quest...ml#post6235351 There is also another very usefull tutorial here https://unixsheikh.com/tutorials/rea...-and-uefi.html |
Quote:
|
| All times are GMT -5. The time now is 04:27 PM. |