| 1 |
Am Donnerstag, 31. Dezember 2015, 00:15:33 schrieb Jeremi Piotrowski: |
| 2 |
> This will lead to you having to enter the password |
| 3 |
> twice - once when grub starts and once when the initramfs is setting up /. |
| 4 |
|
| 5 |
If, and ONLY if, your /boot is inside your LUKS-encrypted volume, you can also |
| 6 |
add a keyfile for your LUKS-volume (I used another keyslot for that, but you |
| 7 |
can also use the password, you use for manual unlocking..) to your crypttab |
| 8 |
and your dracut-initrd: |
| 9 |
|
| 10 |
% cat /etc/crypttab |
| 11 |
mySSD.crypt UUID=2850e418-f325-47b6-b42b-82a60055a0c6 |
| 12 |
/root/mySSD.lukskey discard,luks |
| 13 |
|
| 14 |
crypttab-format: (Name Path/Spec /path/to/key options) (see man 5 crypttab) |
| 15 |
|
| 16 |
% cat /etc/dracut.conf.d/luks.conf |
| 17 |
install_items+="/etc/crypttab /root/mySSD.lukskey" |
| 18 |
|
| 19 |
check if the permissions for your initrd are save, aka only readable for root, |
| 20 |
dracut automatically sets them to 600 and root:root here, but better save than |
| 21 |
sorry.. |
| 22 |
|
| 23 |
with that setup you do not need to enter the password twice, because your |
| 24 |
initrd is able to open the luks-device with the keyfile. |
Archives