wiki:dracut
Last modified on 03/24/12 13:55:02

Dracut supports LUKS encrypted root file systems, including unlocking them with key files.
Additionally, those key files can themselves be encrypted using gpg (symmetric encryption).
Using gpg requires adding the crypt-gpg module to dracut manually, either with -a crypt-gpg or by adding it to /etc/dracut.conf.
I am considering writing a detection for crypt-gpg which adds it if a gpg key is found.

setup

The setup is straightforward, following http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS.
WARNING: there is an incompatibility with dracut there. dracut runs cryptsetup with -d - to read the key file data from standard input. The command in the wiki does NOT use that option, so a volume formatted that way fails to open under dracut.
You need to add -d - to the cryptsetup luksFormat command to make it work, and consequently you also need to add that option each time you luksOpen the device.

If you fail to do so, you have to remove the -d - option from the cryptsetup call in crypt-lib.sh in /usr/lib/dracut/modules.d/90crypt/cryptroot-ask:

        info "Using '$keypath' on '$keydev'"
        # readkey prints the key material; cryptsetup -d - takes it from stdin
        readkey "$keypath" "$keydev" "$device" \
            | cryptsetup -d - luksOpen "$device" "$luksname"
        unset keypath keydev
        ask_passphrase=0
        break

auto key detection

To use keys, one has to specify them with "rd.luks.key" inside the initramfs, e.g. in /etc/cmdline/something.conf.
As I won't remember this, I added some auto-detection of keys to the crypt module.
It searches for keys named UUID-of-crypt-volume (optionally with a .gpg suffix) inside $luks_key_dir (default if not set in /etc/dracut.conf: /boot/.luks) and adds the correct options to the initramfs (e.g. in /etc/cmdline.d/90crypt.conf).

Replace /usr/lib/dracut/modules.d/90crypt/module-setup.sh with the attached module-setup.sh.
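The detection described in this section, as an added example (my code, not dracut's module-setup.sh and not the attachment): it checks a key directory for a file named after each LUKS volume UUID, with or without a .gpg suffix, and emits the rd.luks.key= options that would go into 90crypt.conf. Assumptions: the volume UUIDs and the key device spec (UUID=...) are passed as arguments instead of being read from blkid, so it runs without root or real devices; the key path is printed as found on the running system, so if the key device is mounted elsewhere in the initramfs than on the host the prefix would have to be adjusted.

```shell
#!/bin/sh
# Added example, not dracut's own module-setup.sh nor the page's attachment.
# Looks for key files named after LUKS volume UUIDs (optionally with a .gpg
# suffix) in a key directory and emits the matching rd.luks.key= options.
# Assumptions: the LUKS UUIDs are passed as arguments (on a real system they
# would come from blkid) so this runs without root or block devices; the key
# device is given as a dracut device spec such as UUID=...; the option format
# rd.luks.key=<keypath>:<keydev>:<luksdev> follows dracut.cmdline(7).

luks_key_dir="${luks_key_dir:-/boot/.luks}"   # same default as the page

# detect_luks_keys KEYDIR KEYDEV_SPEC UUID...
# Prints one rd.luks.key= line per volume with a key; returns 1 if any
# volume has no key, so nothing half-configured reaches the initramfs.
detect_luks_keys() {
    keydir="$1"; keydev="$2"; shift 2
    rc=0
    for uuid in "$@"; do
        found=""
        for cand in "$keydir/$uuid" "$keydir/$uuid.gpg"; do
            if [ -f "$cand" ]; then found="$cand"; break; fi
        done
        if [ -z "$found" ]; then
            echo "no key for LUKS volume $uuid in $keydir" >&2
            rc=1
            continue
        fi
        case "$found" in
            *.gpg) # gpg-wrapped keys need the crypt-gpg module
                echo "note: $found needs dracut -a crypt-gpg" >&2 ;;
            *)     # a plaintext key readable by everyone defeats the point
                [ -z "$(find "$found" -perm -004)" ] ||
                    echo "warning: $found is world-readable" >&2 ;;
        esac
        printf 'rd.luks.key=%s:%s:UUID=%s\n' "$found" "$keydev" "$uuid"
    done
    return $rc
}

# write_crypt_cmdline CONF KEYDIR KEYDEV_SPEC UUID...
# Writes the detected options to CONF; in a module-setup.sh install() this
# would be "$initdir/etc/cmdline.d/90crypt.conf". Leaves CONF untouched on error.
write_crypt_cmdline() {
    conf="$1"; shift
    opts=$(detect_luks_keys "$@") || return 1
    printf '%s\n' "$opts" > "$conf"
}
```

On a real system the UUID arguments can be produced with blkid -t TYPE=crypto_LUKS -o value -s UUID, and the key device spec with the UUID of the file system holding $luks_key_dir.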
