About Manjaro's Luks keyfile

I came across this (dm-crypt/Device encryption - ArchWiki – “With a keyfile embedded in the initramfs”) section about initramfs embedded keyfiles when reading about manually setting up an encrypted system with swap partition.
Manjaro seems to do this setup choosing “Swap (with hibernate)” during install.
The Warning states

  • Using some form of authentication earlier in the boot process. Otherwise auto-decryption will occur, defeating completely the purpose of block device encryption.
  • /boot is encrypted. Otherwise root on a different installation (including the live environment) can extract your key from the initramfs, and unlock the device without any other authentication.

What confuses me is the part about /boot being encrypted. On the wiki it states that mkinitcpio embeds the keyfile.

The Manjaro installer set up the disk like this:

sda         disk
├─sda1      part  /boot/efi
├─sda2      part
│ └─luks-1  crypt /
└─sda3      part
  └─luks-2  crypt [SWAP]

That means if mkinitcpio puts the keyfile in /boot it should be safe and if it puts it in /boot/efi it isn't. But where does mkinitcpio put it?

Normally on /boot which would be on /dev/sda2 in your case.

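The reply above settles where the keyfile ends up: inside the initramfs image, which lives in /boot, not on the ESP at /boot/efi. Whether that is safe therefore depends on what device /boot actually sits on. The script below is an added example, not from the thread, the ArchWiki or Manjaro. It reads two pieces of text, the FILES= line of /etc/mkinitcpio.conf (whatever is listed there is copied into the initramfs) and the output of `lsblk -ln -o NAME,TYPE,MOUNTPOINT`, and reports whether embedded files are sitting on a dm-crypt-backed /boot or on a plaintext one. The keyfile path /crypto_keyfile.bin in the sample config is an assumed example; the disk layout samples are constructed from the tree in the question. When /boot has no mount of its own it is a directory on the root filesystem, which is exactly the layout the installer produced here, so the check inherits root's device type.

```shell
#!/bin/sh
# Audit helper (added example, not from the forum thread or from Manjaro):
# does mkinitcpio embed files into the initramfs, and does the filesystem
# that holds the initramfs (/boot) sit on a dm-crypt device?
#
# Inputs are plain text so the logic can be exercised on constructed samples;
# for a live system run:  sh audit.sh --live

# Files listed in FILES=(...) of mkinitcpio.conf are copied into the initramfs
# image, so whatever is named there is readable by anyone who can read /boot.
embedded_files() {
    printf '%s\n' "$1" | grep '^FILES=' | cut -d= -f2- | tr -d '()"'
}

# Print the TYPE column (disk/part/crypt/...) of the device mounted at $2,
# from "lsblk -ln -o NAME,TYPE,MOUNTPOINT" text in $1. Fails if nothing is mounted there.
type_of_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $3 == mp { print $2; found = 1; exit }
        END      { if (!found) exit 1 }'
}

# /boot is where the initramfs lives. If no device is mounted at /boot it is
# just a directory on the root filesystem, so inherit root's device type.
# /boot/efi is a separate mount and does not matter unless the ESP is at /boot.
initramfs_device_type() {
    type_of_mount "$1" /boot || type_of_mount "$1" / || echo unknown
}

# $1 = mkinitcpio.conf text, $2 = lsblk text; prints one verdict token.
assess() {
    files=$(embedded_files "$1")
    if [ -z "$files" ]; then
        echo no-embedded-files
    elif [ "$(initramfs_device_type "$2")" = crypt ]; then
        echo embedded-files-on-encrypted-boot
    else
        echo embedded-files-on-plaintext-boot
    fi
}

# --- constructed samples ---
# Layout from the thread, as lsblk -ln would print it (constructed):
LSBLK_THREAD='sda disk
sda1 part /boot/efi
sda2 part
luks-1 crypt /
sda3 part
luks-2 crypt [SWAP]'

# Same disk but with a plaintext /boot partition (constructed):
LSBLK_PLAIN_BOOT='sda disk
sda1 part /boot
sda2 part
luks-1 crypt /'

# mkinitcpio.conf fragment embedding a keyfile; the path is an assumed example.
CONF_KEYFILE='HOOKS=(base udev autodetect keyboard keymap block encrypt filesystems)
FILES=(/crypto_keyfile.bin)'

CONF_NO_KEYFILE='HOOKS=(base udev autodetect keyboard keymap block encrypt filesystems)
FILES=()'

if [ "${1:-}" = --live ]; then
    assess "$(cat /etc/mkinitcpio.conf)" "$(lsblk -ln -o NAME,TYPE,MOUNTPOINT)"
else
    assess "$CONF_KEYFILE" "$LSBLK_THREAD"        # embedded-files-on-encrypted-boot
    assess "$CONF_KEYFILE" "$LSBLK_PLAIN_BOOT"    # embedded-files-on-plaintext-boot
    assess "$CONF_NO_KEYFILE" "$LSBLK_THREAD"     # no-embedded-files
fi
```

The second verdict, embedded-files-on-plaintext-boot, is the situation the ArchWiki warning describes: the initramfs can be read from another installation, so the keyfile inside it is no protection. The first verdict matches the installer layout in the question, where /boot is a directory on the LUKS-backed root and only the ESP is in the clear.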
