From: James Chase
Date: Wed, 8 Jan 2020 17:13:56 -0500
Subject: Decrypt LVM containing primary OS from USB on boot
To: ~alpine/users@lists.alpinelinux.org

So I've got a home server with Alpine installed operating as a hypervisor for various VMs. I've got full disk encryption set up, and I've added a key to a vfat USB drive that will sometimes be used to boot when I'm traveling. I've also added the key via cryptsetup luksAddKey /mnt/usb etc.

I've added some stuff to mkinitfs.conf in the hopes that it'll aid in mounting the USB prior/early on in the boot process, which now looks like this:

    features="ata base ide scsi fat vfat usb virtio ext4 lvm cryptsetup"

It boots fine with a passphrase, but I'm not sure how I would go about getting cryptsetup to use the key on /mnt/boot or /dev/sdb1 before the OS even boots. I've read about people using initramfs (Slackware has their mkinitrd command with a flag -K to do this, assuming you have the right kernel modules set up).

I did find this:

    # mkinitfs -L | grep cryptkey
    cryptkey

I have no idea how to use that or if it's what I'm looking for, however.

I'm also open to editing crypttab, but I can't figure out what the syntax would be for the key field on a USB drive... Current crypttab looks like this:

    lvmcrypt UUI=*my UUID* none luks

Not sure what I'd put in the "none" slot to somehow denote the USB and a file on that USB.

Any help or resources would be appreciated!