On Thursday, 31 December 2015, 00:15:33, Jeremi Piotrowski wrote:
> This will lead to you having to enter the password
> twice - once when grub starts and once when the initramfs is setting up /.

If, and ONLY if, your /boot is inside your LUKS-encrypted volume, you can also
add a keyfile for your LUKS-volume (I used another keyslot for that, but you
can also use the password you use for manual unlocking..) to your crypttab
and your dracut-initrd:

% cat /etc/crypttab
mySSD.crypt UUID=2850e418-f325-47b6-b42b-82a60055a0c6 /root/mySSD.lukskey discard,luks

crypttab-format: (Name Path/Spec /path/to/key options) (see man 5 crypttab)

% cat /etc/dracut.conf.d/luks.conf
install_items+=" /etc/crypttab /root/mySSD.lukskey "

Check if the permissions for your initrd are safe, aka only readable for root;
dracut automatically sets them to 600 and root:root here, but better safe than
sorry..

With that setup you do not need to enter the password twice, because your
initrd is able to open the LUKS device with the keyfile.
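
The permission check suggested above, as an added example that is not part of the original message: it reads the key file paths from a crypttab and verifies that each key file, and each initramfs image that embeds one, is owned by root with no group or other access. The function names, the `OWNER_UID` variable and the image path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Function names, OWNER_UID
# and the paths in the usage line are assumptions; adjust for your system.
# Usage: sh luks-key-audit.sh /etc/crypttab /boot/initramfs-*.img
OWNER_UID="${OWNER_UID:-0}"   # overridable so the checks can be tried without root

# Succeed only if $1 is a regular file owned by OWNER_UID with no group or
# other permission bits set (600, 400, ...). Symlinks are rejected.
root_only() {
    [ -f "$1" ] || return 1
    ls -lnd -- "$1" | awk -v u="$OWNER_UID" \
        '$3 == u && substr($1, 5, 6) == "------" { ok = 1 } END { exit !ok }'
}

# Print the key file paths (third crypttab field), skipping comments, entries
# that prompt for a passphrase ("none", "-", or no third field) and /dev paths.
crypttab_keyfiles() {
    awk '!/^[ \t]*#/ && NF >= 3 && $3 != "none" && $3 != "-" && $3 !~ /^\/dev\// { print $3 }' "$1"
}

# Audit every key file named in crypttab $1 plus any initramfs images given
# after it. Prints one line per file and returns the number of unsafe files.
audit() {
    tab="$1"; shift; bad=0
    for f in $(crypttab_keyfiles "$tab") "$@"; do
        if root_only "$f"; then
            echo "ok      $f"
        else
            echo "UNSAFE  $f"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```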