Mailinglist Archive: opensuse-factory (914 mails)

Re: [opensuse-factory] out of curiosity - / grow from 10 to 12GB

The downside of having "/boot" part of the encrypted LVM, is that I
have to give the encryption key twice -- first time for grub2, and
second time for the kernel.

This is not necessary. Following

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/ ,

I created a keyfile `/crypto_keyfile.bin'.

$ dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
$ cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

$ chmod 000 /crypto_keyfile.bin
$ chmod -R g-rwx,o-rwx /boot

Then I created a file `/etc/crypttab', which contains

<dev mapper ID> UUID=<...> /crypto_keyfile.bin

Dracut needs the additional file
`/etc/dracut.conf.d/99-initcrypt.conf', containing

install_items="/crypto_keyfile.bin"

Then call `dracut' to regenerate the initramfs image.

At least for me, this works like a charm.


Werner
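
The following audit script is an added example, not part of Werner's message or of any openSUSE tooling. It checks the four pieces of the setup described above; the function names `loose_perms` and `audit_keyfile_setup` and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit the keyfile setup.
# An optional root prefix lets it run against a constructed test tree.
KEYFILE=/crypto_keyfile.bin

# Print paths under $1 that grant any group/other permission (symlinks skipped).
loose_perms() {
    find "$1" ! -type l -exec ls -ld {} + 2>/dev/null |
        awk 'substr($1, 5, 6) != "------" { print $NF }'
}

# Returns the number of findings (0 means the setup matches the message).
audit_keyfile_setup() {
    root=${1:-}
    findings=0
    fail() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # 1. Keyfile present and closed to group/other (the message uses mode 000).
    if [ ! -e "$root$KEYFILE" ]; then
        fail "$KEYFILE missing"
    elif [ -n "$(loose_perms "$root$KEYFILE")" ]; then
        fail "$KEYFILE has group/other permission bits"
    fi

    # 2. A non-comment crypttab entry whose third field is the keyfile.
    awk -v k="$KEYFILE" '!/^[[:space:]]*#/ && $3 == k { ok = 1 } END { exit !ok }' \
        "$root/etc/crypttab" 2>/dev/null ||
        fail "no /etc/crypttab entry uses $KEYFILE"

    # 3. dracut is told to copy the keyfile into the initramfs.
    grep -Eqs "^[[:space:]]*install_items\+?=.*$KEYFILE" \
        "$root"/etc/dracut.conf.d/*.conf ||
        fail "no dracut.conf.d file lists $KEYFILE in install_items"

    # 4. The initramfs now embeds the key, so /boot must stay root-only.
    loose=$(loose_perms "$root/boot")
    [ -z "$loose" ] || fail "group/other access under /boot: $loose"

    return "$findings"
}
```

Source the file and call `audit_keyfile_setup` as root after regenerating the initramfs; a non-zero return value is the number of findings printed.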