Unlock LUKS encrypted Debian root with key file on boot partitionEncrypt Debian-based systemEncrypted...
"I am [the / an] owner of a bookstore"?
Missing root certificates on Windows Server 2016 (fresh install)
Cooking a nice pan seared steak for picky eaters
Could you fall off a planet if it was being accelerated by engines?
Robots in a spaceship
Having to constantly redo everything because I don't know how to do it?
How can I open this door latch with the knobs removed?
Transactional Email API: TriggeredSend definition not enabled for this route
Should 私の be omitted?
Sentence editor
Checkmate in 1 on a Tangled Board
Is it okay to fade a human face just to create some space to place important content over it?
How did Lefschetz do mathematics without hands?
How can I deal with extreme temperatures in a hotel room?
What do you call a notepad used to keep a record?
/etc/hosts not working
Calculus, Water Poured into a Cone: Why is Derivative Non-linear?
By RAW, how can Prestidigitation create sound?
Can I use Alchemist's fire to turn my sword into a virtual Flame Blade?
Making a wall made from glass bricks
Can European countries bypass the EU and make their own individual trade deal with the U.S.?
Quantum jump/leap, exist or not, and instantaneous or not (for electrons)?
Why were the first airplanes "backwards"?
if a USA citizen marries a foreign citizen who has kid from previous marriage
Unlock LUKS encrypted Debian root with key file on boot partition
Encrypt Debian-based systemEncrypted filesystems with swap partitionsAutomatic unlock LVM partitions with a Key LUKS dm-cryptInstalling Debian with encrypted root: installer does not see EFI /boot partitionBooting to an encrypted Debian install, which has /boot on LVM-on-LUKSHow to mount and de-encrypt a LUKS encrypted partition to recover filescryptsetup open for luks : improper handling of --key-file argumentFail to decrypt LUKS partitionDecrypt root device at boot with keyfile on usb - Debian StretchFailed to open root LUKS device on LVM during bootAutomounting LUKS encrypted volume at boot time using USB memory as key
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
I'm trying to decrypt the Debian root with a key file stored in the boot partition (decrypted partition). This will break the security, but it doesn't matter now. I have to conclude this successfully or die trying.
I have created the hooks to the initramfs and the key file is on the /boot directory inside the initrd.img-* file. The path to the key file (/boot/keyfile) is on the /etc/crypttab file.
I updated the initramfs with sudo update-initramfs -u but I received this message: cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.
Ignoring the message and rebooting results in a unbootable disk. The message Gave up waiting for root device. is displayed and drops to initramfs shell.
In the initramfs environment the cryptsetup don't exists. (It should exists?)
Seens that the update-initramfs -u "thinks" the sdaX_crypt device will be mounted in another way and don't configure to decrypt with the keyfile.
How can I do that?
debian luks initramfs cryptsetup
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
add a comment |
I'm trying to decrypt the Debian root with a key file stored in the boot partition (decrypted partition). This will break the security, but it doesn't matter now. I have to conclude this successfully or die trying.
I have created the hooks to the initramfs and the key file is on the /boot directory inside the initrd.img-* file. The path to the key file (/boot/keyfile) is on the /etc/crypttab file.
I updated the initramfs with sudo update-initramfs -u but I received this message: cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.
Ignoring the message and rebooting results in a unbootable disk. The message Gave up waiting for root device. is displayed and drops to initramfs shell.
In the initramfs environment the cryptsetup don't exists. (It should exists?)
Seens that the update-initramfs -u "thinks" the sdaX_crypt device will be mounted in another way and don't configure to decrypt with the keyfile.
How can I do that?
debian luks initramfs cryptsetup
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
"In the initramfs environment the cryptsetup don't exists." Not sure what that means.
– spinkus
Nov 16 '14 at 9:57
add a comment |
I'm trying to decrypt the Debian root with a key file stored in the boot partition (decrypted partition). This will break the security, but it doesn't matter now. I have to conclude this successfully or die trying.
I have created the hooks to the initramfs and the key file is on the /boot directory inside the initrd.img-* file. The path to the key file (/boot/keyfile) is on the /etc/crypttab file.
I updated the initramfs with sudo update-initramfs -u but I received this message: cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.
Ignoring the message and rebooting results in a unbootable disk. The message Gave up waiting for root device. is displayed and drops to initramfs shell.
In the initramfs environment the cryptsetup don't exists. (It should exists?)
Seens that the update-initramfs -u "thinks" the sdaX_crypt device will be mounted in another way and don't configure to decrypt with the keyfile.
How can I do that?
debian luks initramfs cryptsetup
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
I'm trying to decrypt the Debian root with a key file stored in the boot partition (decrypted partition). This will break the security, but it doesn't matter now. I have to conclude this successfully or die trying.
I have created the hooks to the initramfs and the key file is on the /boot directory inside the initrd.img-* file. The path to the key file (/boot/keyfile) is on the /etc/crypttab file.
I updated the initramfs with sudo update-initramfs -u but I received this message: cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.
Ignoring the message and rebooting results in a unbootable disk. The message Gave up waiting for root device. is displayed and drops to initramfs shell.
In the initramfs environment the cryptsetup don't exists. (It should exists?)
Seens that the update-initramfs -u "thinks" the sdaX_crypt device will be mounted in another way and don't configure to decrypt with the keyfile.
How can I do that?
debian luks initramfs cryptsetup
debian luks initramfs cryptsetup
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
asked Oct 27 '14 at 7:29
FusgyusFusgyus
311 silver badge3 bronze badges
311 silver badge3 bronze badges
"In the initramfs environment the cryptsetup don't exists." Not sure what that means.
– spinkus
Nov 16 '14 at 9:57
add a comment |
"In the initramfs environment the cryptsetup don't exists." Not sure what that means.
– spinkus
Nov 16 '14 at 9:57
"In the initramfs environment the cryptsetup don't exists." Not sure what that means.
– spinkus
Nov 16 '14 at 9:57
"In the initramfs environment the cryptsetup don't exists." Not sure what that means.
– spinkus
Nov 16 '14 at 9:57
add a comment |
4 Answers
4
active
oldest
votes
You can use the keyscript option in your crypttab instead (man crypttab). Just create a script that echos your passphrase and set it as the keyscript argument, then regenerate your ramfs. You don't need any hooks, and you don't need to put the script in /boot/.
vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 none luks,keyscript=/etc/echo-root-luks-pass
I don't know why the initramfs hooks for cryptsetup prohibit you from just having the keyfile listed in crypttab. Probably don't want to condone such behavior.
P.S. I don't think that it breaks the security, it just weakens it more or less depending on how secure your /boot partition is. You could for example /boot off a USB drive, and keep the USB in you socks etc.
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
1
This should be the preferred answer. It's the easiest to implement, and it works flawlessly (at least on Debian,update-initramfsskips both thekeyfileoption for the root partition, and keyfiles not located on encrypted partitions).
– MoonSweep
Oct 28 '18 at 12:49
add a comment |
To really ignore the message and do not skip the partition, you need (at least) comment out/delete the return 1 in /usr/share/initramfs-tools/hooks/cryptroot after the line where the error message
is written (around line 274 - depening on the used cryptsetup version). Beware that this file is by default managed by the package manager,
and therefore is overwritten at any update of the cryptsetup package.
Please read also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409
for more information about the issue.
I have not tested it, there could be other reasons than the mentioned why the case of a keyfile is
not considered.
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
add a comment |
If my memory serves me well, your problem is that your fstab is modified to point to the encrypted partition, since you have booted from an unencrypted partition your fstab (while you are executing update-initrd) should point to your unencrypted volume. AFTER you have created the initrd image you can modify your fstab to point to the encrypted partition.
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
add a comment |
Keyfiles matching the shell-style (globbing) pattern KEYFILE_PATTERN defined in /etc/cryptsetup-initramfs/conf-hook will be included in the initramfs, but the other keyfiles will not, according to Debian's cryptsetup docs:
- For Debian 9:
/usr/share/doc/cryptsetup/README.{initramfs,Debian}.gz
- For Debian 10:
/usr/share/doc/cryptsetup{-initramfs/README.initramfs,-run/README.Debian}.gz.
I am not sure about previous versions of Debian.
These files are readable with zless filename.gz, but here it is the relevant part, for convenience and future reference.
12. Storing keyfiles directly in the initrd
Normally devices using a keyfile are ignored (with a loud warning), and the key file itself is
not included in the initrd, because the initramfs image typically
lives on an unencrypted /boot partition. However in some cases it is
desirable to include the key file in the initrd; for instance recent
versions of GRUB support booting from encrypted block devices,
allowing an encrypted /boot partition.
Among the key files listed in the crypttab(5), those matching the
value of the environment variable KEYFILE_PATTERN (interpreted as a
shell pattern) will be included in the initramfs image. For instance
if /etc/crypttab lists two key files /etc/keys/{root,swap}.key, you
can add the following to /etc/cryptsetup-initramfs/conf-hook to add
them to the initrd.
KEYFILE_PATTERN="/etc/keys/*.key"
Furthermore if the initramfs image is to include private key material,
you'll want to create it with a restrictive umask in order to keep
non-privileged users at bay. This can be achieved by adding the
following to /etc/initramfs-tools/initramfs.conf.
UMASK=0077
answered 2 hours ago
ignisignis
1449 bronze badges
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f164403%2funlock-luks-encrypted-debian-root-with-key-file-on-boot-partition%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
You can use the keyscript option in your crypttab instead (man crypttab). Just create a script that echos your passphrase and set it as the keyscript argument, then regenerate your ramfs. You don't need any hooks, and you don't need to put the script in /boot/.
vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 none luks,keyscript=/etc/echo-root-luks-pass
I don't know why the initramfs hooks for cryptsetup prohibit you from just having the keyfile listed in crypttab. Probably don't want to condone such behavior.
P.S. I don't think that it breaks the security, it just weakens it more or less depending on how secure your /boot partition is. You could for example /boot off a USB drive, and keep the USB in you socks etc.
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
1
This should be the preferred answer. It's the easiest to implement, and it works flawlessly (at least on Debian,update-initramfsskips both thekeyfileoption for the root partition, and keyfiles not located on encrypted partitions).
– MoonSweep
Oct 28 '18 at 12:49
add a comment |
You can use the keyscript option in your crypttab instead (man crypttab). Just create a script that echos your passphrase and set it as the keyscript argument, then regenerate your ramfs. You don't need any hooks, and you don't need to put the script in /boot/.
vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 none luks,keyscript=/etc/echo-root-luks-pass
I don't know why the initramfs hooks for cryptsetup prohibit you from just having the keyfile listed in crypttab. Probably don't want to condone such behavior.
P.S. I don't think that it breaks the security, it just weakens it more or less depending on how secure your /boot partition is. You could for example /boot off a USB drive, and keep the USB in you socks etc.
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
1
This should be the preferred answer. It's the easiest to implement, and it works flawlessly (at least on Debian,update-initramfsskips both thekeyfileoption for the root partition, and keyfiles not located on encrypted partitions).
– MoonSweep
Oct 28 '18 at 12:49
add a comment |
You can use the keyscript option in your crypttab instead (man crypttab). Just create a script that echos your passphrase and set it as the keyscript argument, then regenerate your ramfs. You don't need any hooks, and you don't need to put the script in /boot/.
vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 none luks,keyscript=/etc/echo-root-luks-pass
I don't know why the initramfs hooks for cryptsetup prohibit you from just having the keyfile listed in crypttab. Probably don't want to condone such behavior.
P.S. I don't think that it breaks the security, it just weakens it more or less depending on how secure your /boot partition is. You could for example /boot off a USB drive, and keep the USB in you socks etc.
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
You can use the keyscript option in your crypttab instead (man crypttab). Just create a script that echos your passphrase and set it as the keyscript argument, then regenerate your ramfs. You don't need any hooks, and you don't need to put the script in /boot/.
vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 none luks,keyscript=/etc/echo-root-luks-pass
I don't know why the initramfs hooks for cryptsetup prohibit you from just having the keyfile listed in crypttab. Probably don't want to condone such behavior.
P.S. I don't think that it breaks the security, it just weakens it more or less depending on how secure your /boot partition is. You could for example /boot off a USB drive, and keep the USB in you socks etc.
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
answered Nov 16 '14 at 9:55
spinkusspinkus
1721 silver badge7 bronze badges
1721 silver badge7 bronze badges
1
This should be the preferred answer. It's the easiest to implement, and it works flawlessly (at least on Debian,update-initramfsskips both thekeyfileoption for the root partition, and keyfiles not located on encrypted partitions).
– MoonSweep
Oct 28 '18 at 12:49
add a comment |
1
This should be the preferred answer. It's the easiest to implement, and it works flawlessly (at least on Debian,update-initramfsskips both thekeyfileoption for the root partition, and keyfiles not located on encrypted partitions).
– MoonSweep
Oct 28 '18 at 12:49
1
1
This should be the preferred answer. It's the easiest to implement, and it works flawlessly (at least on Debian,
update-initramfs skips both the keyfile option for the root partition, and keyfiles not located on encrypted partitions).– MoonSweep
Oct 28 '18 at 12:49
This should be the preferred answer. It's the easiest to implement, and it works flawlessly (at least on Debian,
update-initramfs skips both the keyfile option for the root partition, and keyfiles not located on encrypted partitions).– MoonSweep
Oct 28 '18 at 12:49
add a comment |
To really ignore the message and do not skip the partition, you need (at least) comment out/delete the return 1 in /usr/share/initramfs-tools/hooks/cryptroot after the line where the error message
is written (around line 274 - depening on the used cryptsetup version). Beware that this file is by default managed by the package manager,
and therefore is overwritten at any update of the cryptsetup package.
Please read also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409
for more information about the issue.
I have not tested it, there could be other reasons than the mentioned why the case of a keyfile is
not considered.
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
add a comment |
To really ignore the message and do not skip the partition, you need (at least) comment out/delete the return 1 in /usr/share/initramfs-tools/hooks/cryptroot after the line where the error message
is written (around line 274 - depening on the used cryptsetup version). Beware that this file is by default managed by the package manager,
and therefore is overwritten at any update of the cryptsetup package.
Please read also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409
for more information about the issue.
I have not tested it, there could be other reasons than the mentioned why the case of a keyfile is
not considered.
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
add a comment |
To really ignore the message and do not skip the partition, you need (at least) comment out/delete the return 1 in /usr/share/initramfs-tools/hooks/cryptroot after the line where the error message
is written (around line 274 - depening on the used cryptsetup version). Beware that this file is by default managed by the package manager,
and therefore is overwritten at any update of the cryptsetup package.
Please read also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409
for more information about the issue.
I have not tested it, there could be other reasons than the mentioned why the case of a keyfile is
not considered.
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
To really ignore the message and do not skip the partition, you need (at least) comment out/delete the return 1 in /usr/share/initramfs-tools/hooks/cryptroot after the line where the error message
is written (around line 274 - depening on the used cryptsetup version). Beware that this file is by default managed by the package manager,
and therefore is overwritten at any update of the cryptsetup package.
Please read also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409
for more information about the issue.
I have not tested it, there could be other reasons than the mentioned why the case of a keyfile is
not considered.
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
edited Jun 26 '15 at 12:08
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
answered Jun 26 '15 at 12:03
jofeljofel
21.2k3 gold badges49 silver badges80 bronze badges
21.2k3 gold badges49 silver badges80 bronze badges
add a comment |
add a comment |
If my memory serves me well, your problem is that your fstab is modified to point to the encrypted partition, since you have booted from an unencrypted partition your fstab (while you are executing update-initrd) should point to your unencrypted volume. AFTER you have created the initrd image you can modify your fstab to point to the encrypted partition.
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
add a comment |
If my memory serves me well, your problem is that your fstab is modified to point to the encrypted partition, since you have booted from an unencrypted partition your fstab (while you are executing update-initrd) should point to your unencrypted volume. AFTER you have created the initrd image you can modify your fstab to point to the encrypted partition.
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
add a comment |
If my memory serves me well, your problem is that your fstab is modified to point to the encrypted partition, since you have booted from an unencrypted partition your fstab (while you are executing update-initrd) should point to your unencrypted volume. AFTER you have created the initrd image you can modify your fstab to point to the encrypted partition.
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
If my memory serves me well, your problem is that your fstab is modified to point to the encrypted partition, since you have booted from an unencrypted partition your fstab (while you are executing update-initrd) should point to your unencrypted volume. AFTER you have created the initrd image you can modify your fstab to point to the encrypted partition.
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
answered Sep 1 '15 at 6:55
YoMismoYoMismo
3,1791 gold badge10 silver badges26 bronze badges
3,1791 gold badge10 silver badges26 bronze badges
add a comment |
add a comment |
Keyfiles matching the shell-style (globbing) pattern KEYFILE_PATTERN defined in /etc/cryptsetup-initramfs/conf-hook will be included in the initramfs, but the other keyfiles will not, according to Debian's cryptsetup docs:
- For Debian 9:
/usr/share/doc/cryptsetup/README.{initramfs,Debian}.gz
- For Debian 10:
/usr/share/doc/cryptsetup{-initramfs/README.initramfs,-run/README.Debian}.gz.
I am not sure about previous versions of Debian.
These files are readable with zless filename.gz, but here it is the relevant part, for convenience and future reference.
12. Storing keyfiles directly in the initrd
Normally devices using a keyfile are ignored (with a loud warning), and the key file itself is
not included in the initrd, because the initramfs image typically
lives on an unencrypted /boot partition. However in some cases it is
desirable to include the key file in the initrd; for instance recent
versions of GRUB support booting from encrypted block devices,
allowing an encrypted /boot partition.
Among the key files listed in the crypttab(5), those matching the
value of the environment variable KEYFILE_PATTERN (interpreted as a
shell pattern) will be included in the initramfs image. For instance
if /etc/crypttab lists two key files /etc/keys/{root,swap}.key, you
can add the following to /etc/cryptsetup-initramfs/conf-hook to add
them to the initrd.
KEYFILE_PATTERN="/etc/keys/*.key"
Furthermore if the initramfs image is to include private key material,
you'll want to create it with a restrictive umask in order to keep
non-privileged users at bay. This can be achieved by adding the
following to /etc/initramfs-tools/initramfs.conf.
UMASK=0077
answered 2 hours ago
ignisignis
1449 bronze badges
add a comment |
Keyfiles matching the shell-style (globbing) pattern KEYFILE_PATTERN defined in /etc/cryptsetup-initramfs/conf-hook will be included in the initramfs, but the other keyfiles will not, according to Debian's cryptsetup docs:
- For Debian 9:
/usr/share/doc/cryptsetup/README.{initramfs,Debian}.gz
- For Debian 10:
/usr/share/doc/cryptsetup{-initramfs/README.initramfs,-run/README.Debian}.gz.
I am not sure about previous versions of Debian.
These files are readable with zless filename.gz, but here it is the relevant part, for convenience and future reference.
12. Storing keyfiles directly in the initrd
Normally devices using a keyfile are ignored (with a loud warning), and the key file itself is
not included in the initrd, because the initramfs image typically
lives on an unencrypted /boot partition. However in some cases it is
desirable to include the key file in the initrd; for instance recent
versions of GRUB support booting from encrypted block devices,
allowing an encrypted /boot partition.
Among the key files listed in the crypttab(5), those matching the
value of the environment variable KEYFILE_PATTERN (interpreted as a
shell pattern) will be included in the initramfs image. For instance
if /etc/crypttab lists two key files /etc/keys/{root,swap}.key, you
can add the following to /etc/cryptsetup-initramfs/conf-hook to add
them to the initrd.
KEYFILE_PATTERN="/etc/keys/*.key"
Furthermore if the initramfs image is to include private key material,
you'll want to create it with a restrictive umask in order to keep
non-privileged users at bay. This can be achieved by adding the
following to /etc/initramfs-tools/initramfs.conf.
UMASK=0077
answered 2 hours ago
ignisignis
1449 bronze badges
add a comment |
Keyfiles matching the shell-style (globbing) pattern KEYFILE_PATTERN defined in /etc/cryptsetup-initramfs/conf-hook will be included in the initramfs, but the other keyfiles will not, according to Debian's cryptsetup docs:
- For Debian 9:
/usr/share/doc/cryptsetup/README.{initramfs,Debian}.gz
- For Debian 10:
/usr/share/doc/cryptsetup{-initramfs/README.initramfs,-run/README.Debian}.gz.
I am not sure about previous versions of Debian.
These files are readable with zless filename.gz, but here it is the relevant part, for convenience and future reference.
12. Storing keyfiles directly in the initrd
Normally devices using a keyfile are ignored (with a loud warning), and the key file itself is
not included in the initrd, because the initramfs image typically
lives on an unencrypted /boot partition. However in some cases it is
desirable to include the key file in the initrd; for instance recent
versions of GRUB support booting from encrypted block devices,
allowing an encrypted /boot partition.
Among the key files listed in the crypttab(5), those matching the
value of the environment variable KEYFILE_PATTERN (interpreted as a
shell pattern) will be included in the initramfs image. For instance
if /etc/crypttab lists two key files /etc/keys/{root,swap}.key, you
can add the following to /etc/cryptsetup-initramfs/conf-hook to add
them to the initrd.
KEYFILE_PATTERN="/etc/keys/*.key"
Furthermore if the initramfs image is to include private key material,
you'll want to create it with a restrictive umask in order to keep
non-privileged users at bay. This can be achieved by adding the
following to /etc/initramfs-tools/initramfs.conf.
UMASK=0077
answered 2 hours ago
ignisignis
1449 bronze badges
Keyfiles matching the shell-style (globbing) pattern KEYFILE_PATTERN defined in /etc/cryptsetup-initramfs/conf-hook will be included in the initramfs, but the other keyfiles will not, according to Debian's cryptsetup docs:
- For Debian 9:
/usr/share/doc/cryptsetup/README.{initramfs,Debian}.gz
- For Debian 10:
/usr/share/doc/cryptsetup{-initramfs/README.initramfs,-run/README.Debian}.gz.
I am not sure about previous versions of Debian.
These files are readable with zless filename.gz, but here it is the relevant part, for convenience and future reference.
12. Storing keyfiles directly in the initrd
Normally devices using a keyfile are ignored (with a loud warning), and the key file itself is
not included in the initrd, because the initramfs image typically
lives on an unencrypted /boot partition. However in some cases it is
desirable to include the key file in the initrd; for instance recent
versions of GRUB support booting from encrypted block devices,
allowing an encrypted /boot partition.
Among the key files listed in the crypttab(5), those matching the
value of the environment variable KEYFILE_PATTERN (interpreted as a
shell pattern) will be included in the initramfs image. For instance
if /etc/crypttab lists two key files /etc/keys/{root,swap}.key, you
can add the following to /etc/cryptsetup-initramfs/conf-hook to add
them to the initrd.
KEYFILE_PATTERN="/etc/keys/*.key"
Furthermore if the initramfs image is to include private key material,
you'll want to create it with a restrictive umask in order to keep
non-privileged users at bay. This can be achieved by adding the
following to /etc/initramfs-tools/initramfs.conf.
UMASK=0077
answered 2 hours ago
ignisignis
1449 bronze badges
answered 2 hours ago
ignisignis
1449 bronze badges
answered 2 hours ago
ignisignis
1449 bronze badges
answered 2 hours ago
ignisignis
1449 bronze badges
1449 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f164403%2funlock-luks-encrypted-debian-root-with-key-file-on-boot-partition%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
"In the initramfs environment the cryptsetup don't exists." Not sure what that means.
– spinkus
Nov 16 '14 at 9:57