So I've got a home server with Alpine installed operating as a
hypervisor for various VMs. I've got full disk encryption set up, and
I've added a key to a vfat USB drive that will sometimes be used to
boot when I'm traveling. I've also added the key via cryptsetup
luksAddKey /mnt/usb etc. I've added some stuff to mkinitfs.conf in the
hopes that it'll aid in mounting the USB prior/early on in the boot
process, which now looks like this:
features="ata base ide scsi fat vfat usb virtio ext4 lvm cryptsetup"
It boots fine with a passphrase but I'm not sure how I would go about
getting cryptsetup to use the key on /mnt/boot or /dev/sdb1 before the
OS even boots. I've read about people using initramfs (slackware has
their mkinitrd command with a flag -K to do this assuming you have the
right kernel modules set up). I did find this:
# mkinitfs -L | grep cryptkey
cryptkey
I have no idea how to use that or if it's what I'm looking for,
however. I'm also open to editing crypttab, but I can't figure out
what the syntax would be for the key field on a USB drive... Current
crypttab looks like this:
lvmcrypt UUI=*my UUID* none luks
Not sure what I'd put in the "none" slot to somehow denote the USB and
a file on that USB. Any help or resources would be appreciated!
Hi James,
On 2020-01-08 17:13:56, James Chase wrote:
> I have no idea how to use that or if it's what I'm looking for,
> however. I'm also open to editing crypttab, but I can't figure out
> what the syntax would be for the key field on a USB drive... Current
> crypttab looks like this:
> lvmcrypt UUI=*my UUID* none luks
>
> Not sure what I'd put in the "none" slot to somehow denote the USB and
> a file on that USB. Any help or resources would be appreciated!
I don't use a crypted setup, but found this [1] page which describes
what you want to achieve, at least as far as I understand. This may
help you.
[1] https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Boot_loader
--
Marco Dickert
marco@misterunknown.de
https://misterunknown.de
> I don't use a crypted setup, but found this [1] page which describes
> what you want to achieve, at least as far as I understand. This may
> help you.
Thanks! This was definitely a step in the right direction. It looks like
there may be some differences in the kernel parameters from Arch to
Alpine, although I'm not sure. I tried:
/etc/update-extlinux.conf
default_kernel_opts="nomodeset rootfstype=ext4 cryptdevice=UUID=*uuid*:lvmcrypt cryptkey=/dev/sdd1:vfat:/secretkey cryptroot=UUID=*uuid* cryptdm=lvmcrypt"
And several variations. Nothing appears to be working or really even
changing at all. I can see /dev/sdd1 gets recognized before it asks
for a PW to log in, so at least the USB modules appear to be loading
correctly. Arch docs have no mention of "cryptroot" or "cryptdm" as
far as I can tell, whereas Alpine docs do. Alpine docs make no mention
of "cryptdevice" either. Either I'm screwing up the config or there
may be different params for the two OSes. I guess another possibility
is going to be to put a key on a raw block device then put a shell
script in initramfs, but I'd rather avoid that if possible. Thanks for
the help, I'll keep trying stuff.
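The thread leaves open how Alpine's init consumes the Arch-style cryptkey=<device>:<fstype>:<path> value James tried. The script below is an added example, not Alpine's mkinitfs code or anything from the thread: it shows what an initramfs hook handling that value has to do (parse the three fields, resolve a UUID= spec, mount the key media read-only, open the LUKS device with the key file) and, importantly, why it should fall back to the passphrase prompt so a missing or unreadable USB key never locks the operator out. It assumes a busybox-style sh with findfs, mount and cryptsetup available in the initramfs; the mount point /keymedia is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not Alpine's mkinitfs): act on an Arch-style
# cryptkey=<device>:<fstype>:<path> value inside an initramfs.

# Split "dev:fstype:path" into CK_DEV, CK_FS and CK_PATH.
# Returns 1 unless all three fields are present and the path is absolute.
parse_cryptkey() {
    case "$1" in
        *:*:*) ;;               # need at least three colon-separated fields
        *) return 1 ;;
    esac
    CK_DEV=${1%%:*}
    rest=${1#*:}
    CK_FS=${rest%%:*}
    CK_PATH=${rest#*:}
    if [ -z "$CK_DEV" ] || [ -z "$CK_FS" ] || [ "${CK_PATH#/}" = "$CK_PATH" ]; then
        return 1
    fi
    return 0
}

# Resolve UUID=/LABEL= specs to a device node (findfs is a busybox and
# util-linux applet); plain device paths pass through unchanged.
resolve_dev() {
    case "$1" in
        UUID=*|LABEL=*) findfs "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# $1 = cryptkey spec, $2 = LUKS container (e.g. /dev/disk/by-uuid/...),
# $3 = device-mapper name (lvmcrypt in the thread).
# The key media is mounted read-only with nodev,noexec,nosuid so a stray
# USB stick cannot contribute device nodes or executables to early boot.
open_with_cryptkey() {
    ok=
    if parse_cryptkey "$1" && dev=$(resolve_dev "$CK_DEV") && [ -b "$dev" ]; then
        mkdir -p /keymedia
        if mount -t "$CK_FS" -o ro,nodev,noexec,nosuid "$dev" /keymedia \
           && [ -f "/keymedia$CK_PATH" ]; then
            cryptsetup open --key-file "/keymedia$CK_PATH" "$2" "$3" && ok=1
        fi
        umount /keymedia 2>/dev/null
    fi
    # Fallback: interactive passphrase, so a lost or unreadable key file
    # degrades to the normal prompt instead of an unbootable machine.
    [ -n "$ok" ] || cryptsetup open "$2" "$3"
}
```

For the thread's setup the call would be open_with_cryptkey "/dev/sdd1:vfat:/secretkey" "/dev/disk/by-uuid/<uuid>" lvmcrypt; when the key is read from a USB stick this way, luksDump on the container should show that slot in use, with a passphrase slot kept as the fallback.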