From c8693787c5b991a63e5cbd64493e8064850d1e34 Mon Sep 17 00:00:00 2001 From: Thomas Zelch Date: Sat, 28 Feb 2015 23:28:42 -0800 Subject: Add documentation on how to unlock root encrypted fs with key in initramfs in Parabola Linux --- docs/gnulinux/encrypted_parabola.html | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'docs') diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html index 85cb6ce2..ae81ad0a 100644 --- a/docs/gnulinux/encrypted_parabola.html +++ b/docs/gnulinux/encrypted_parabola.html @@ -585,6 +585,35 @@ +
+

Optional: Use Keyfile in Initramfs to unlock encrypted root

+

+ Using the above Installation method, you will have to unlock the encrypted Filesystems two times. + Once in Grub and once during the boot of Parabola.
+ In order to circumvent this, it is possible to inlcude a Keyfile into the Initramfs of Parabola and unlock it at boot.
+ As mkinitcpio in Parabola and Archlinux needs patching for this to work, it is currently more of a "dirty hack" until it gets merged.
+ Everytime the mkinitcpio Package gets updated, you need to reapply the patch, or add mkinitcpio to HoldPkg in /etc/pacman.conf, this way it won't get updated.
+
+ Download the encrypt.patch for the hook from the Feature request that is open : FS#31877
+ Patch the encrypt hook:
+ # patch /usr/lib/initcpio/hooks/encrypt /path/to/encrypt.patch
+ Create a Keyfile:
+ # dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock
+ Add Keyfile to the Luks Device:
+ # cryptsetup luksAddKey /dev/sdX /etc/mykeyfile
+ Add Keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf, for example:
+ # FILES="/etc/mykeyfile"
+ Recreate the initramfs Image, replace linux-libre with whatever flavour of Kernel you are using.
+ # mkinitcpio -p linux-libre
+ Reboot and add the following to the kernel command line in Grub:
+ # cryptkey=initramfs:/etc/mykeyfile
+
+ If everything works as expected you can permanently add the kernel parameter to the grub config inside your image and reflash it. + +

+ +
+

Further security tips

@@ -611,6 +640,7 @@

Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ Copyright © 2015 Thomas Zelch <tze@xenlab.dek>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. A copy of the license can be found at ../license.txt.

-- cgit v1.2.3-70-g09d2