[opensuse] do you know how to auto-mount the luks crypted root automatically without the passphrase?
Hi Opensuse,

Do you know how to auto-mount the luks crypted root automatically without the passphrase? Just like on other distributions, I tried:

1. Add the rd.luks.key into the grub, it did not work
2. Edit the /etc/crypttab add /keyfile:LABEL=KEYDISK, it did not work

Do you know how I can fetch the goal in opensuse?

Thanks, Andy

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 01/28/2015 06:23 AM, Andy Liu wrote:
> Do you know how I can fetch the goal in opensuse?

First you have to figure out what the goal is. What is the point of having an encrypted root partition for which the encryption key is automatically supplied by the system?

--
After all is said and done, more is said than done.
On 2015-01-28 20:04, John Andersen wrote:
> On 01/28/2015 06:23 AM, Andy Liu wrote:
>> Do you know how I can fetch the goal in opensuse?
>
> First you have to figure out what the goal is. What is the point of having an encrypted root partition for which the encryption key is automatically supplied by the system?

I think it is on an external memory card of some kind that you plug in when you boot.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 01/28/2015 12:54 PM, Carlos E. R. wrote:
> On 2015-01-28 20:04, John Andersen wrote:
>> On 01/28/2015 06:23 AM, Andy Liu wrote:
>>> Do you know how I can fetch the goal in opensuse?
>>
>> First you have to figure out what the goal is. What is the point of having an encrypted root partition for which the encryption key is automatically supplied by the system?
>
> I think it is on an external memory card of some kind that you plug in when you boot.

Well if that wasn't built into the initrd I can't see that working either. Even with /boot on a separate partition, if the system needs / (root partition) for anything, before it has loaded whatever drivers it needs, you will have this problem.

I seem to remember some discussion months ago where systemd expects to have significant parts of / available at boot time, which could be part of the problem.

Perhaps that's why OS 13.2 doesn't offer to encrypt / (root), too many gotchas.

--
After all is said and done, more is said than done.
On 2015-01-28 22:15, John Andersen wrote:
> On 01/28/2015 12:54 PM, Carlos E. R. wrote:
>
> Well if that wasn't built into the initrd I can't see that working either. Even with /boot on a separate partition, if the system needs / (root partition) for anything, before it has loaded whatever drivers it needs, you will have this problem.

Well, the boot device itself could be it. External boot via USB. Bios can boot from them, so grub can read them, too.

Yes, you need support in initrd for the kernel to read from external media. Grub has some support for encryption, but I heard that it doesn't work right on openSUSE.

> I seem to remember some discussion months ago where systemd expects to have significant parts of / available at boot time, which could be part of the problem.
>
> Perhaps that's why OS 13.2 doesn't offer to encrypt / (root), too many gotchas.

No, that's a yast bug. Native encryption of a btrfs partition was found unreliable and it was disabled, without enabling instead classical devmapper method. If you use an encrypted LVM device you get full encryption of root and home, as on previous releases - or so I understand.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Thanks for your response.

The goal I want to get is: when I boot the machine, I need to insert the USB key. When it has booted up I will remove the USB key. Next time when somebody restarts the machine, he also needs the USB key.

Is it possible?

The USB key is with LABEL: KEYDISK, and with a passphrase file "keyfile" on it. And it's a FAT file system.

Thanks, Andy
On Thu, 29 Jan 2015 03:25:43 +0000 Andy Liu <andliu@microsoft.com> wrote:
> Thanks for your response.
>
> The goal I want to get is: when I boot the machine, I need to insert the USB key. When it has booted up I will remove the USB key. Next time when somebody restarts the machine, he also needs the USB key.
>
> Is it possible?
>
> The USB key is with LABEL: KEYDISK, and with a passphrase file "keyfile" on it. And it's a FAT file system.

See man dracut.kernel

crypto LUKS - key on removable device support
rd.luks.key=<keypath>:<keydev>:<luksdev>

In principle, it just calls "mount $keydev" so LABEL=KEYDISK should work. keypath above refers to path inside mounted removable filesystem. luksdev is optional (it can restrict which key is used for which device). So it would be something like

rd.luks.key=/keyfile:LABEL=KEYDISK

I did not try it myself.
Yes I already tried this and failed.

1. add the rd.luks.key into /etc/default/grub
   GRUB_CMDLINE_LINUX="rd.luks.key=/keyfile:LABEL=KEYDISK"
2. add the drivers into the initramfs by editing the /etc/Dracut.conf
   Add_drivers+=" vfat nls_cp437 nls_iso8859-1"
3. put the file into the KEYDISK with label, a text file with the passphrase.

Then reboot, The Plymouth passphrase also prompted.

Also I try to turn on the debug shell by adding rd.shell=1 into the GRUB_CMDLINE_LINUX... Also I could not get the shell command.

BTW, I tried the methods in the centos and oraclelinux, it all succeed. And I like opensuse, so I need this be done in suse too.

Thanks, Andy
On Mon, Feb 2, 2015 at 8:20 AM, Andy Liu <andliu@microsoft.com> wrote:
> Yes I already tried this and failed.
>
> 1. add the rd.luks.key into /etc/default/grub
>    GRUB_CMDLINE_LINUX="rd.luks.key=/keyfile:LABEL=KEYDISK"
> 2. add the drivers into the initramfs by editing the /etc/Dracut.conf
>    Add_drivers+=" vfat nls_cp437 nls_iso8859-1"
> 3. put the file into the KEYDISK with label, a text file with the passphrase.
>
> Then reboot,

You need to recreate grub configuration and initrd before reboot. Changing /etc/default/grub or /etc/dracut.conf does not magically do it. Run mkinitrd now; it will do both.
Of course I did that : ) But it does not work.

Thanks, Andy
On Tue, 3 Feb 2015 03:04:38 +0000 Andy Liu <andliu@microsoft.com> wrote:
> Of course I did that : ) But it does not work.

In this case you will need to debug it; you can stop in dracut at various steps using rd.break option. Check what's going on.

systemd-enabled dracut makes everything differently; you will need to check what units it generated.
On Sat, Feb 7, 2015 at 7:51 PM, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> On Tue, 3 Feb 2015 03:04:38 +0000 Andy Liu <andliu@microsoft.com> wrote:
>> Of course I did that : ) But it does not work.

This can be related: http://lists.freedesktop.org/archives/systemd-devel/2015-February/028613.htm...
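The checks the replies in this thread point at (is rd.luks.key=<keypath>:<keydev>:<luksdev> really on the booted command line, are the FAT drivers in the initrd, what does the key file actually contain), written out as an added example that is not from any poster in the thread. Function names and all sample inputs are constructed; the lsinitrd listing layout is an assumption, and the newline check rests on cryptsetup reading a key file in full, trailing newline included.

```shell
#!/bin/sh
# Added example: preflight checks for unlocking a LUKS root with a key file on
# a removable device via rd.luks.key=<keypath>:<keydev>:<luksdev>.
# Function names are hypothetical and every sample input below is constructed.

# Print the value of the first rd.luks.key= word in a kernel command line.
# Fails if the argument is absent.
luks_key_arg() {
    lka_val=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^rd\.luks\.key=//p' | head -n 1)
    [ -n "$lka_val" ] && printf '%s\n' "$lka_val"
}

# Split <keypath>:<keydev>:<luksdev> into KEYPATH, KEYDEV and LUKSDEV.
# keydev and luksdev may be empty; an empty keypath is rejected.
parse_luks_key() {
    KEYPATH='' KEYDEV='' LUKSDEV=''
    IFS=: read -r KEYPATH KEYDEV LUKSDEV <<EOF
$1
EOF
    [ -n "$KEYPATH" ]
}

# Print the GRUB_CMDLINE_LINUX value found in the text of /etc/default/grub.
grub_default_cmdline() {
    printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' | tail -n 1
}

# Succeed only if the rd.luks.key= configured in /etc/default/grub is the one
# the kernel booted with; a mismatch means grub.cfg was not regenerated.
booted_with_configured_key() {   # $1 = /etc/default/grub text, $2 = /proc/cmdline text
    bw_want=$(luks_key_arg "$(grub_default_cmdline "$1")") || return 1
    bw_have=$(luks_key_arg "$2") || return 1
    [ "$bw_want" = "$bw_have" ]
}

# Print each wanted module that has no .ko file in an lsinitrd listing.
# Assumes the drivers are built as modules rather than into the kernel.
missing_modules() {              # $1 = module names, $2 = lsinitrd output
    for mm_mod in $1; do
        printf '%s\n' "$2" | grep -q "/${mm_mod}\.ko" || printf '%s\n' "$mm_mod"
    done
}

# Succeed if the file ends in a newline byte. cryptsetup reads a key file in
# full, so that byte is key material, unlike the Enter typed at a prompt.
keyfile_ends_with_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Run every check, print one line per finding, return the number of failures.
# $1 = grub defaults text, $2 = booted cmdline, $3 = lsinitrd output, $4 = key file
preflight() {
    pf_bad=0
    if ! booted_with_configured_key "$1" "$2"; then
        echo "FAIL: booted command line lacks the configured rd.luks.key"
        pf_bad=$((pf_bad + 1))
    fi
    pf_missing=$(missing_modules "vfat nls_cp437 nls_iso8859-1" "$3")
    if [ -n "$pf_missing" ]; then
        echo "FAIL: modules not in initrd:" $pf_missing
        pf_bad=$((pf_bad + 1))
    fi
    if keyfile_ends_with_newline "$4"; then
        echo "WARN: key file ends with a newline, which is part of the key"
    fi
    return "$pf_bad"
}

# Constructed sample inputs: grub defaults edited, but the machine booted an old
# grub.cfg and the initrd lacks one of the three drivers.
SAMPLE_GRUB='GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX="rd.luks.key=/keyfile:LABEL=KEYDISK"'
SAMPLE_STALE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/cr_root quiet'
SAMPLE_GOOD_CMDLINE="$SAMPLE_STALE_CMDLINE rd.luks.key=/keyfile:LABEL=KEYDISK"
SAMPLE_LSINITRD='-rw-r--r-- 1 root root 1 Jan 1 00:00 lib/modules/KVER/kernel/fs/fat/fat.ko
-rw-r--r-- 1 root root 1 Jan 1 00:00 lib/modules/KVER/kernel/fs/fat/vfat.ko
-rw-r--r-- 1 root root 1 Jan 1 00:00 lib/modules/KVER/kernel/fs/nls/nls_cp437.ko'

demo_key=$(mktemp) && printf 'passphrase\n' > "$demo_key"
preflight "$SAMPLE_GRUB" "$SAMPLE_STALE_CMDLINE" "$SAMPLE_LSINITRD" "$demo_key" || true
rm -f "$demo_key"
```

On a real system, pass preflight the contents of /etc/default/grub and /proc/cmdline, the output of lsinitrd, and the path of the key file on the mounted KEYDISK.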
participants (4)
- Andrei Borzenkov
- Andy Liu
- Carlos E. R.
- John Andersen