On Thu, 29 Jan 2015 03:25:43 +0000
Andy Liu
Thanks for your response.
The goal I want to get is: when I boot the machine, I need to insert the USB key. After it boots up I will remove the USB key. Next time when somebody restarts the machine, he also needs the USB key.
Is it possible?
The USB key is with LABEL: KEYDISK, and with a passphrase file "keyfile" on it. And it's a FAT file system.
See man dracut.kernel

    crypto LUKS - key on removable device support
        rd.luks.key=<keypath>:<keydev>:<luksdev>

In principle, it just calls "mount $keydev" so LABEL=KEYDISK should work. keypath above refers to path inside mounted removable filesystem. luksdev is optional (it can restrict which key is used for which device). So it would be something like

    rd.luks.key=/keyfile:LABEL=KEYDISK

I did not try it myself.
Thanks, Andy
-----Original Message-----
From: Carlos E. R. [mailto:robin.listas@telefonica.net]
Sent: Thursday, January 29, 2015 6:29 AM
To: oS-en
Subject: Re: [opensuse] do you know how to auto-mount the luks crypted root automatially without the passphrase?
On 2015-01-28 22:15, John Andersen wrote:
On 01/28/2015 12:54 PM, Carlos E. R. wrote:
Well, if that wasn't built into the initrd I can't see that working either. Even with /boot on a separate partition, if the system needs / (root partition) for anything, before it has loaded whatever drivers it needs, you will have this problem.
Well, the boot device itself could be it. External boot via USB. BIOS can boot from them, so grub can read them, too.
Yes, you need support in initrd for the kernel to read from external media. Grub has some support for encryption, but I heard that it doesn't work right on openSUSE.
I seem to remember some discussion months ago where systemd expects to have significant parts of / available at boot time, which could be part of the problem.
Perhaps that's why OS 13.2 doesn't offer to encrypt / (root), too many gotchas.
No, that's a YaST bug. Native encryption of a btrfs partition was found unreliable and it was disabled, without enabling instead classical devmapper method. If you use an encrypted LVM device you get full encryption of root and home, as on previous releases - or so I understand.
-- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
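Added example, not part of the original thread and not dracut's own code: a small POSIX shell check that splits each rd.luks.key=<keypath>:<keydev>:<luksdev> argument on a kernel command line into its three fields, as the syntax is described in the reply above. The sample command line and the luks-1234 device name used in testing are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Split rd.luks.key=<keypath>:<keydev>:<luksdev> entries into their fields.
# Added illustration; it does not reproduce how dracut itself parses them.

# parse_luks_key VALUE
# Prints "keypath|keydev|luksdev"; returns 1 when keypath is empty.
parse_luks_key() {
    value=$1
    keypath=${value%%:*}          # text before the first colon
    keydev=
    luksdev=
    case $value in
        *:*)
            rest=${value#*:}      # text after the first colon
            keydev=${rest%%:*}
            case $rest in
                *:*) luksdev=${rest#*:} ;;   # optional third field
            esac
            ;;
    esac
    [ -n "$keypath" ] || return 1
    printf '%s|%s|%s\n' "$keypath" "$keydev" "$luksdev"
}

# list_luks_keys CMDLINE
# Prints one parsed line per rd.luks.key= argument, or "invalid: ..." for
# an entry without a keypath. CMDLINE is split on whitespace on purpose.
list_luks_keys() {
    for arg in $1; do
        case $arg in
            rd.luks.key=*)
                parse_luks_key "${arg#rd.luks.key=}" || echo "invalid: $arg"
                ;;
        esac
    done
}

# Constructed sample command line (not taken from a real system).
SAMPLE_CMDLINE='root=/dev/mapper/cr_root rd.luks.key=/keyfile:LABEL=KEYDISK quiet'
list_luks_keys "$SAMPLE_CMDLINE"
```

On a running system the same check can be applied to the booted command line with list_luks_keys "$(cat /proc/cmdline)".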