Mailinglist Archive: opensuse-factory (536 mails)

< Previous Next >
Re: [opensuse-factory] Tumbleweed full disk encryption passphrase
Am 18.05.2018 um 23:20 schrieb Werner LEMBERG:

It should be sufficient to type the passphrase only in grub2. After
some research I found some Arch Linux specific instruction [1]. But
this uses an Arch specific initrd hook to open the encrypted fs by
reading a passphrase from a file included in the initrd. I haven't
found an equivalent hook in the tumbleweed dracut config. Would
this setup also be a possible solution for tumbleweed? How could it
be configured?

For me the following works; you have to adapt the harddisk ID and
device to your system.

* grub2 options:

boot from MBR

* Create file `/crypto_keyfile.bin'.

dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

chmod 000 /crypto_keyfile.bin
chmod -R g-rwx,o-rwx /boot

* Add the following to `/etc/crypttab' (as a single line).

/dev/disk/by-id/ata-YOUR_HARDDISK_IDENTIFIER-part1 \

* Create the file `/etc/dracut.conf.d/99-initcrypt.conf' with the
following contents:


* Call

Ā»dracut --forceĀ«

to activate the above setup.

That works also for Tumbleweed. With two modifications:
- install_items+="/crypto_keyfile.bin" thanks to Andrei for the hint
- "Add the following to `/etc/crypttab' (as a single line)." should be
"append /crypto_keyfile.bin to the existing line for the roofs drive".


To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups