08-20-2012, 11:47 PM
Adrian Pop

grub2 + luks + keyfile

Hello,

I'm trying to configure grub2 to read a keyfile from a usb flash drive
in order to decrypt the root partition. The grub2 wiki page specifies
that in order to decrypt the root partition, the following should be
added in /etc/default/grub:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"


Also an earlier version of the luks wiki page, that was intended for
grub-legacy, mentioned that to decrypt the root partition using a
keyfile, the following kernel parameter has to be added:

cryptkey=/dev/disk/by-uuid/<uuid>:vfat:/keyfile


So I've attempted to add both of these parameters in /etc/default/grub:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile"


I've also added the encrypt hook and vfat module in
/etc/mkinitcpio.conf.

This is displayed while booting up:

:: running early hook [udev]
:: running hook [udev]
:: Triggering uevents...
:: running hook [encrypt]
Waiting 10 seconds for device /dev/disk/by-uuid/3848-EFD5 ...
Keyfile could not be opened. Reverting to passphrase.


The usb flash drive is formatted with mkfs.vfat and contains just the
keyfile. I would greatly appreciate any advice.
 
08-21-2012, 12:19 AM
Matthew Monaco

On 08/20/2012 04:47 PM, Adrian Pop wrote:
> Hello,
>
> I'm trying to configure grub2 to read a keyfile from a usb flash drive
> in order to decrypt the root partition. The grub2 wiki page specifies
> that in order to decrypt the root partition, the following should be
> added in /etc/default/grub:
>

Just to be clear, it's the mkinitcpio encrypt hook that's reading the keyfile,
grub2 seems to be configured just fine (so far).

> GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"
>
>
> Also an earlier version of the luks wiki page, that was intended for
> grub-legacy, mentioned that to decrypt the root partition using a
> keyfile, the following kernel parameter has to be added:
>
> cryptkey=/dev/disk/by-uuid/<uuid>:vfat:/keyfile
>
>
> So I've attempted to add both of these parameters in /etc/default/grub:
>
> GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile"
>
>
> I've also added the encrypt hook and vfat module in
> /etc/mkinitcpio.conf.
>

I don't remember if these are exempt from autodetect. You can try

lsinitcpio /boot/initramfs-linux.img | grep fat

to verify that it's on there. I think there's also a "fat" module which is
needed by vfat, I don't know if mkinitcpio pulls in module deps as well.

You can also try the fallback image.

> This is displayed while booting up:
>
> :: running early hook [udev]
> :: running hook [udev]
> :: Triggering uevents...
> :: running hook [encrypt]
> Waiting 10 seconds for device /dev/disk/by-uuid/3848-EFD5 ...
> Keyfile could not be opened. Reverting to passphrase.
>

I know that message kind of looks like the device is not found, but it's likely
a problem with mounting the filesystem.

>
> The usb flash drive is formatted with mkfs.vfat and contains just the
> keyfile. I would greatly appreciate any advice.
>
 
08-21-2012, 06:58 AM
Adrian Pop

Seems I forgot to add the usb hook. It works now. Thank you for replying and directing my attention towards mkinitcpio.
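
The check this thread converges on, as an added example that is not part of any post above: a POSIX shell script that parses the cryptkey=device:fstype:path parameter and reports which hooks or modules the initramfs configuration lacks. The function names and the sample mkinitcpio.conf contents are constructed for illustration; hook and module names are the ones used in the thread, and the key device is assumed to be a USB flash drive.

```shell
#!/bin/sh
# Added example (not from the thread): static check of kernel parameters and
# mkinitcpio.conf text for the encrypt-hook keyfile setup discussed above.

# Print the value of parameter $2 from kernel command line $1; status 1 if absent.
cmdline_get() (
    set -f                                   # no globbing while splitting words
    for tok in $1; do
        case $tok in "$2"=*) printf '%s\n' "${tok#*=}"; exit 0 ;; esac
    done
    exit 1
)

# Print the words of NAME="..." or NAME=(...); the last uncommented assignment wins.
conf_words() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=[(\"]\(.*\)[)\"].*/\1/p" | tail -n 1
}

has_word() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# Print one finding per line; status 0 only when nothing is missing.
check_keyfile_boot() (
    cmdline=$1 conf=$2 rc=0
    hooks=$(conf_words "$conf" HOOKS)
    modules=$(conf_words "$conf" MODULES)
    cmdline_get "$cmdline" cryptdevice >/dev/null || { echo "cmdline: cryptdevice= missing"; rc=1; }
    has_word "$hooks" encrypt || { echo "HOOKS: encrypt missing"; rc=1; }
    if key=$(cmdline_get "$cmdline" cryptkey); then
        rest=${key#*:}; fstype=${rest%%:*}; path=${rest#*:}
        if [ "$rest" = "$key" ] || [ "$path" = "$rest" ]; then
            echo "cryptkey: expected device:fstype:path"; exit 1
        fi
        # Assumption: the key device is a USB flash drive, as in the thread.
        has_word "$hooks" usb || { echo "HOOKS: usb missing"; rc=1; }
        has_word "$modules" "$fstype" || { echo "MODULES: $fstype missing"; rc=1; }
    fi
    exit "$rc"
)

# Constructed sample inputs; the kernel parameters are the ones quoted in the thread.
SAMPLE_CMDLINE='cryptdevice=/dev/sda2:root cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile'
CONF_BEFORE='MODULES="vfat"
HOOKS="base udev autodetect encrypt filesystems"'
CONF_AFTER='MODULES="vfat"
HOOKS="base udev autodetect usb encrypt filesystems"'

echo "before:"; check_keyfile_boot "$SAMPLE_CMDLINE" "$CONF_BEFORE" || true
echo "after:";  check_keyfile_boot "$SAMPLE_CMDLINE" "$CONF_AFTER" && echo "nothing missing"
```

This only inspects the configuration text; whether the modules actually landed in the image is what the lsinitcpio command in the reply above verifies.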
 
All times are GMT.