22.05.2018 21:02, Frank Kunz wrote:
On 18.05.2018 at 23:20, Werner LEMBERG wrote:
It should be sufficient to type the passphrase only in grub2. After some research I found some Arch Linux specific instruction [1]. But this uses an Arch specific initrd hook to open the encrypted fs by reading a passphrase from a file included in the initrd. I haven't found an equivalent hook in the tumbleweed dracut config. Would this setup also be a possible solution for tumbleweed? How could it be configured?
For me the following works; you have to adapt the harddisk ID and device to your system.
grub2 options:
boot from MBR
GRUB_ENABLE_CRYPTODISK=y
Create file `/crypto_keyfile.bin'.
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
chmod -R g-rwx,o-rwx /boot
Add the following to `/etc/crypttab' (as a single line).
cr_ata-YOUR_HARDDISK_IDENTIFIER-part1 \
  /dev/disk/by-id/ata-YOUR_HARDDISK_IDENTIFIER-part1 \
  /crypto_keyfile.bin
Create the file `/etc/dracut.conf.d/99-initcrypt.conf' with the following contents:
install_items="/crypto_keyfile.bin"
Call
»dracut --force«
to activate the above setup.
That works also for Tumbleweed. With two modifications:
- install_items+="/crypto_keyfile.bin" thanks to Andrei for the hint
That's not what I said. Spaces around value *are* significant. Your line will work as long as this is the only install_items across all configuration files.
- "Add the following to `/etc/crypttab' (as a single line)." should be "append /crypto_keyfile.bin to the existing line for the rootfs drive".
Werner
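An added example, not part of the thread or of dracut: shell checks for the three places this setup can silently go wrong, namely the install_items spacing discussed above, the permissions on the keyfile and initrd, and the keyfile field in crypttab. The function names are hypothetical, all paths are passed as arguments, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and
# paths are arguments, so nothing touches the real /etc or /boot by default.

# Report install_items lines that break once dracut reads several config
# files: plain "=" (replaces earlier entries) or a "+=" value without a
# leading and trailing space (entries from different files run together).
check_install_items() {
    rc=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                install_items=*)
                    echo "$f: '=' overwrites other files, use '+='"; rc=1 ;;
                install_items+=\"\ *\ \") ;;   # padded on both sides: fine
                install_items+=*)
                    echo "$f: value needs a leading and trailing space"; rc=1 ;;
            esac
        done < "$f"
    done
    return $rc
}

# Succeed only if the file has no group/other permission bits (keyfile,
# initrd). Assumes GNU stat, where mode 000 prints as "0".
private_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Succeed if a non-comment crypttab line names the keyfile as its third field.
crypttab_uses_keyfile() {
    awk -v k="$2" '$1 !~ /^#/ && $3 == k { ok = 1 } END { exit !ok }' "$1"
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) && mkdir "$d/dracut.conf.d" || return 1
    echo 'install_items+="/crypto_keyfile.bin"' > "$d/dracut.conf.d/99-initcrypt.conf"
    echo 'cr_root /dev/disk/by-id/ata-EXAMPLE-part1 /crypto_keyfile.bin' > "$d/crypttab"
    : > "$d/crypto_keyfile.bin"; chmod 000 "$d/crypto_keyfile.bin"
    check_install_items "$d/dracut.conf.d" || true
    private_mode_ok "$d/crypto_keyfile.bin" && echo "keyfile mode ok"
    crypttab_uses_keyfile "$d/crypttab" /crypto_keyfile.bin && echo "crypttab ok"
    rm -rf "$d"
}
demo
```

On a real system the arguments would be /etc/dracut.conf.d, the keyfile and the initrd image under /boot, and /etc/crypttab.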