author | Thomas Zelch <tze@xenlab.de> | 2015-02-28 23:28:42 -0800 |
---|---|---|
committer | Francis Rowe <info@gluglug.org.uk> | 2015-03-01 08:13:47 +0000 |
commit | c8693787c5b991a63e5cbd64493e8064850d1e34 (patch) | |
tree | ddaa89ead4621e4ececdc4664b7edcbba71142c3 /docs/gnulinux/encrypted_parabola.html | |
parent | 41fd328e802d06275462a9bcc2ad1a58406fd290 (diff) | |
download | librebootfr-c8693787c5b991a63e5cbd64493e8064850d1e34.tar.gz librebootfr-c8693787c5b991a63e5cbd64493e8064850d1e34.zip |
Add documentation on how to unlock root encrypted fs with key in initramfs in Parabola Linux
Diffstat (limited to 'docs/gnulinux/encrypted_parabola.html')
-rw-r--r-- | docs/gnulinux/encrypted_parabola.html | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html index 85cb6ce2..ae81ad0a 100644 --- a/docs/gnulinux/encrypted_parabola.html +++ b/docs/gnulinux/encrypted_parabola.html 
@@ -586,6 +586,35 @@ </div> <div class="section"> + <h2>Optional: Use Keyfile in Initramfs to unlock encrypted root</h2> + <p> + Using the above Installation method, you will have to unlock the encrypted Filesystems two times. + Once in Grub and once during the boot of Parabola. <br/> + In order to circumvent this, it is possible to inlcude a Keyfile into the Initramfs of Parabola and unlock it at boot.<br/> + As mkinitcpio in Parabola and Archlinux needs patching for this to work, it is currently more of a "dirty hack" until it gets merged.<br/> + Everytime the mkinitcpio Package gets updated, you need to reapply the patch, or add mkinitcpio to HoldPkg in /etc/pacman.conf, this way it won't get updated.<br/> + <br/> + Download the encrypt.patch for the hook from the Feature request that is open : <a href=https://bugs.archlinux.org/index.php?do=details&action=details.addvote&task_id=31877>FS#31877</a><br/> + Patch the encrypt hook:<br/> + # <b>patch /usr/lib/initcpio/hooks/encrypt /path/to/encrypt.patch</b><br/> + Create a Keyfile:<br/> + # <b>dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock</b><br/> + Add Keyfile to the Luks Device:<br/> + # <b>cryptsetup luksAddKey /dev/sdX /etc/mykeyfile</b><br/> + Add Keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf, for example:<br/> + # <b>FILES="/etc/mykeyfile"</b><br/> + Recreate the initramfs Image, replace linux-libre with whatever flavour of Kernel you are using.<br/> + # <b>mkinitcpio -p linux-libre</b><br/> + Reboot and add the following to the kernel command line in Grub:<br/> + # <b>cryptkey=initramfs:/etc/mykeyfile</b><br/> + <br/> + If everything works as expected you can permanently add the kernel parameter to the grub config inside your image and reflash it. + + </p> + + </div> + + <div class="section"> <h2>Further security tips</h2> <p> 
@@ -611,6 +640,7 @@ <p> Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk><br/> + Copyright © 2015 Thomas Zelch <tze@xenlab.dek><br/> This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. A copy of the license can be found at <a href="../license.txt">../license.txt</a>. </p> |
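Review bot: in the first hunk (@@ -586,6 +586,35 @@), the "Create a Keyfile" step writes /etc/mykeyfile with dd and no later step restricts its permissions, so the key that unlocks the root filesystem keeps whatever mode the default umask gives it. Add a line right after the dd command, for example "# chmod 000 /etc/mykeyfile", and a sentence saying that the initramfs image rebuilt by "mkinitcpio -p linux-libre" now contains the key and must be readable by root only. Smaller points in the same hunk: "inlcude" should be "include"; the href for FS#31877 is unquoted and contains raw "&" characters, unlike the quoted href="../license.txt" further down; and "cryptkey=initramfs:/etc/mykeyfile" is shown with the "# " root-prompt prefix although it is a kernel parameter, not a command. The HoldPkg suggestion also leaves mkinitcpio without updates, which is worth saying explicitly next to it.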
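Review bot: in the second hunk (@@ -611,6 +640,7 @@), the e-mail address on the added copyright line reads tze@xenlab.dek, while the author field of this commit is tze@xenlab.de; the trailing "k" looks like a typo and should be dropped before merging.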