grub2 + luks + keyfile
On 08/20/2012 04:47 PM, Adrian Pop wrote:
> I'm trying to configure grub2 to read a keyfile from a usb flash drive
> in order to decrypt the root partition. The grub2 wiki page specifies
> that in order to decrypt the root partition, the following should be
> added in /etc/default/grub:
Just to be clear, it's the mkinitcpio encrypt hook that's reading the keyfile,
grub2 seems to be configure just fine (so far).
> Also an earlier version of the luks wiki page, that was intended for
> grub-legacy, mentioned that to decrypt the root partition using a
> keyfile, the following kernel parameter has to be added:
> So I've attempted to add both of these parameters in /etc/default/grub:
> I've also added the encrypt hook and vfat module in
I don't remember if these are exempt from autodetect. You can try
lsinitcpio /boot/initramfs-linux.img | grep fat
to verify that it's on there. I think there's also a "fat" module which is
needed by vfat, I don't know if mkinitcpio pulls in module deps as well.
You can also try the fallback image.
> This is displayed while booting up:
> :: running early hook [udev]
> :: running hook [udev]
> :: Triggering uevents...
> :: running hook [encrypt]
> Waiting 10 seconds for device /dev/disk/by-uuid/3848-EFD5 ...
> Keyfile could not be opened. Reverting to passphrase.
I know that message kind of looks like the device is not found, but it's likely
a problem with mounting the filesystem.
> The usb flash drive is formated with mkfs.vfat and contains just the
> keyfile. I would greatly appreciate any advice.