Dm-crypt configuration with cryptkey

My partition table is as follows:

NAME                      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                   259:0    0 931.5G  0 disk  
├─nvme0n1p1               259:1    0     1M  0 part  
├─nvme0n1p2               259:2    0   640M  0 part  /boot/efi
├─nvme0n1p3               259:3    0     1G  0 part  
│ └─CryptBoot             254:4    0  1022M  0 crypt /boot
└─nvme0n1p4               259:4    0 929.9G  0 part  
  └─CryptLVM              254:0    0 929.9G  0 crypt 
    ├─CryptContainer-SWAP 254:1    0    16G  0 lvm   [SWAP]
    ├─CryptContainer-ROOT 254:2    0   160G  0 lvm   /
    └─CryptContainer-HOME 254:3    0 753.9G  0 lvm   /home

I am trying to avoid having to enter the LUKS passphrase twice. I have embedded the LUKS key for /dev/nvme0n1p4 inside the initramfs (/etc/initcpio/keys/) and added a custom mkinitcpio hook named decryption-keys as shown below:

#!/bin/bash
# This is /etc/initcpio/install/decryption-keys
# build() is run by mkinitcpio; add_file copies each key from
# /etc/initcpio/keys/ into the root of the initramfs with mode 0400.
function build {
  for file in /etc/initcpio/keys/*; do
    add_file "$file" "/$(basename "$file")" 0400
  done
}

Since I am using sd-encrypt I need to add rd.luks.key to /etc/default/grub, according to Archwiki : dm-crypt configuration. I tried rd.luks.key=rootfs:/CryptLVM.key but that did not work and I still needed to enter the passphrase for CryptLVM manually on boot. What am I doing wrong?

I don’t have any experience of using dmcrypt this way, however your post and the links you provided don’t seem to match up. Perhaps I’ve missed something. :man_shrugging:

So you’ve added the path to the keyfile like in the first link?

Add the keyfile to the initramfs image:

/etc/mkinitcpio.conf

FILES=(/root/cryptlvm.keyfile)

Where does this custom hook come from? I don’t see it mentioned in the links you posted. They say you need the encrypt or sd-encrypt hook.

Again from the first link:

Or, using the sd-encrypt hook:

GRUB_CMDLINE_LINUX="… rd.luks.key=device-UUID=/root/cryptlvm.keyfile"

decryption-keys is a custom hook in order to add files to the root of the initramfs without keeping the files in our root filesystem. This is borrowed from the GitHub Gist following the blog.stigok.com tutorial.

Perhaps the rootfs:/ part in rd.luks.key=rootfs:/CryptLVM.key is unnecessary here. I will try and report.

You need the device UUID for sd-encrypt, and “rootfs” for encrypt, according to the wiki, no idea when it comes to the custom hook.

According to Archwiki : dm-crypt

So these two are equivalent. I tried the rd.luks.key=/CryptLVM.key and it works. @dmt Thanks for the help :slight_smile:
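As an added example (not code from the thread, the Arch wiki, or the stigok tutorial), the script below checks the two things this thread turned on, entirely offline: it interprets each rd.luks.key= value on a kernel command line the way systemd-cryptsetup-generator documents it (a bare keyfile path, or UUID=keyfile with an optional :keydevice), and flags the encrypt-hook spellings (a rootfs: prefix, or cryptkey=) that sd-encrypt does not read; and it verifies that a keyfile, or the initramfs image that now embeds it, carries no group/other permission bits. The sample command lines are the ones from the question and the working answer; the UUID abcd-1234 in the usage note is a constructed placeholder, and the permission check assumes GNU stat as shipped on Arch.

```shell
#!/bin/sh
# Added example, not from the thread or the Arch wiki: offline sanity checks
# for the sd-encrypt keyfile setup discussed above.

# parse_rd_luks_key CMDLINE
#   Prints one line per rd.luks.key= value, as systemd-cryptsetup-generator
#   reads it: rd.luks.key=<keyfile> (applies to any LUKS device) or
#   rd.luks.key=<UUID>=<keyfile>[:<keydevice>]. With no keydevice the file is
#   looked up inside the initramfs, which is where the decryption-keys hook
#   places it. encrypt-hook syntax (cryptkey=..., or a "rootfs:" prefix) is
#   flagged, because sd-encrypt ignores it and falls back to the passphrase.
parse_rd_luks_key() {
    set -f                # split the command line on whitespace, no globbing
    set -- $1
    set +f
    for param in "$@"; do
        case "$param" in
            rd.luks.key=rootfs:*)
                echo "INVALID: 'rootfs:' prefix is encrypt-hook syntax: $param" ;;
            rd.luks.key=*=*)
                value=${param#rd.luks.key=}
                uuid=${value%%=*}
                rest=${value#*=}
                keyfile=${rest%%:*}
                case "$rest" in
                    *:*) keydev=${rest#*:} ;;
                    *)   keydev=initramfs ;;
                esac
                echo "UUID=$uuid keyfile=$keyfile keydevice=$keydev" ;;
            rd.luks.key=*)
                echo "ANY keyfile=${param#rd.luks.key=} keydevice=initramfs" ;;
            cryptkey=*)
                echo "INVALID: '$param' is encrypt-hook syntax, not read by sd-encrypt" ;;
        esac
    done
}

# check_key_perms PATH
#   Returns 0 when PATH exists and its mode has no group/other bits (0400,
#   0600, 0700 ...), which is what the hook requests for the key and what the
#   initramfs image that embeds a plaintext key also needs. Uses GNU stat.
check_key_perms() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *00) echo "ok   $1 (mode $mode)"; return 0 ;;
        *)   echo "WARN $1 (mode $mode): readable beyond root"; return 1 ;;
    esac
}

# Constructed samples: the command line from the question, then the one that worked.
parse_rd_luks_key 'root=/dev/mapper/CryptContainer-ROOT rd.luks.key=rootfs:/CryptLVM.key'
parse_rd_luks_key 'root=/dev/mapper/CryptContainer-ROOT rd.luks.key=/CryptLVM.key'
```

Run it with the live command line and image paths, for instance parse_rd_luks_key "$(cat /proc/cmdline)" and check_key_perms /boot/initramfs-linux.img; a UUID form such as rd.luks.key=abcd-1234=/CryptLVM.key (placeholder UUID) restricts the key to one LUKS header instead of offering it to every device, which is the wiki's sd-encrypt spelling.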

