[SOLVED] Uefi and full disk encryption with lvm on luks with luks keyfile

lancsuk · 03-31-2021, 06:16 PM

Hiya guys,

just for interest I have installed Slackware current on a vm with full disk encryption with lvm on luks.

Code:

sda1:      ef02    Bios   5MB
sda2:      ef00    EFI    160M
sda3:      8309    LUKS   100%FREE

Code:

cryptsetup luksFormat --type luks1 /dev/sda3
cryptsetup luksOpen /dev/sda3 slackpv0

pvcreate /dev/mapper/slackpv0
vgcreate slack /dev/mapper/slackpv0
lvcreate -C y -L 4GB -n swap slack
lvcreate -C n -L 20GB -n root slack
lvcreate -C n -l 100%FREE -n home slack

continue the installation with setup

Code:

cd /mnt
chroot /mnt /bin/bash -l

Code:

dd bs=512 count=4 if=/dev/random of=/root/slackpv.keyfile iflag=fullblock
chmod 000 /root/slackpv.keyfile
cryptsetup -v luksAddKey /dev/sda3 /root/slackpv.keyfile

Code:

cd /boot

rm initrd.gz

mkinitrd -c -k 5.10.27 -m ext4 -f ext4 -r /dev/slack/root -C /dev/sda3 -L -K /root/slackpv.keyfile -l gb

/etc/default/grub

Code:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx:slackpv0 root=/dev/slack/root cryptkey=rootfs:/root/slackpv.keyfile resume=/dev/slack/swap"
GRUB_ENABLE_CRYPTODISK=y

Code:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
grub-mkconfig -o /boot/grub/grub.cfg

It acutally works but I still have to enter the passphrase twice.

I guess mkinitrd -K works just with vfat as a filesystem?

I know It makes no sense to install lvm on luks without passphrase on the root-filesystem, but I just would like to know how it works.

thanks

DaBrze · 04-01-2021, 10:53 PM

I had the same problem some time ago. In short: you have to patch init file in the mkinitrd, and then put the crypto_kyefile.bin in the init ramdisk. I did it in this way:

# mkdir /tmp/initrd-tree
# tar xpzf /usr/share/mkinitrd/initrd-tree.tar.gz -C /tmp/initrd-tree
# cd /tmp/initrd-tree
# patch init < key_file_in_the_initrd_and_drive_unlocked_by_grub.diff
# mv /crypto_keyfile.bin ./
# tar cpzf /usr/share/mkinitrd/initrd-tree.tar.gz *

Create the initial ramdisk environment as you have done before (mkinitrd ...).

Modify in the /etc/default/grub the line accordingly:

GRUB_CMDLINE_LINUX="... cryptkey=/crypto_kyefile.bin ..."
GRUB_ENABLE_CRYPTODISK=y

Then you will have enter the passphrase once, just before grub menu, and then during the boot the crypto_kyefile.bin from initram disk will be used to unlock the whole disk .

Look here for patch: https://www.linuxquestions.org/quest...ml#post6235351

There is also another very usefull tutorial here https://unixsheikh.com/tutorials/rea...-and-uefi.html

lancsuk · 04-02-2021, 02:43 PM

Quote:

Originally Posted by DaBrze

I had the same problem some time ago. In short: you have to patch init file in the mkinitrd, and then put the crypto_kyefile.bin in the init ramdisk. I did it in this way:

# mkdir /tmp/initrd-tree
# tar xpzf /usr/share/mkinitrd/initrd-tree.tar.gz -C /tmp/initrd-tree
# cd /tmp/initrd-tree
# patch init < key_file_in_the_initrd_and_drive_unlocked_by_grub.diff
# mv /crypto_keyfile.bin ./
# tar cpzf /usr/share/mkinitrd/initrd-tree.tar.gz *

Create the initial ramdisk environment as you have done before (mkinitrd ...).

Modify in the /etc/default/grub the line accordingly:

GRUB_CMDLINE_LINUX="... cryptkey=/crypto_kyefile.bin ..."
GRUB_ENABLE_CRYPTODISK=y

Then you will have enter the passphrase once, just before grub menu, and then during the boot the crypto_kyefile.bin from initram disk will be used to unlock the whole disk .

Look here for patch: https://www.linuxquestions.org/quest...ml#post6235351

There is also another very usefull tutorial here https://unixsheikh.com/tutorials/rea...-and-uefi.html

...brilliant, I will check it out.