luks-dmcrypt with (internal) keyfile not documented

Open herriett opened this issue 7 years ago • 2 comments

With grub2 supporting luks-dmcrypt it is nowadays possible to have the linux kernel and initramfs inside the encrypted filesystem using a minimal boot partition without kernel and initramfs. This protects against certain attack vectors.

To prevent having to enter the password twice it then makes sense to include an internal keyfile inside the initramfs (remember: which resides safely on the encrypted volume). There is no documentation of how to do this with better-initramfs or which parameters to use for pointing it to the keyfile.

herriett, Apr 08 '17 23:04

binit never actually got support for key-files. There's a pull request from 2013 but I never decided to merge it. The biggest priority right now is to finally rewrite the build/bootstrap system and switch to Alpine Linux as sysroot, then I will be adding more features. Perhaps for now you may want to just edit the functions.sh file and add the --key-file option to the cryptsetup arguments.

slashbeast, Apr 09 '17 16:04
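A sketch of what such an edit to the cryptsetup call could look like, written as an added example for this thread and not taken from better-initramfs' functions.sh: the cryptsetup invocation only gets `--key-file` when the embedded keyfile is actually present, and otherwise falls back to the passphrase prompt, so a missing or stripped keyfile degrades to the normal two-password boot instead of a boot failure. The function names, the keyfile path argument and the device names are assumptions.

```shell
# Added example, not better-initramfs code. Assumed names: build_cryptsetup_args,
# keyfile_perms_ok, and the device/mapper/keyfile values passed in by the caller.

# Print the cryptsetup command line that would unlock block device $1 as
# /dev/mapper/$2. If $3 names a readable regular file (the keyfile embedded in
# the initramfs), it is passed via --key-file; otherwise cryptsetup is left to
# prompt for a passphrase as before.
build_cryptsetup_args() {
    dev="$1"; name="$2"; keyfile="$3"
    if [ -n "$keyfile" ] && [ -f "$keyfile" ] && [ -r "$keyfile" ]; then
        printf '%s\n' "cryptsetup luksOpen --key-file $keyfile $dev $name"
    else
        printf '%s\n' "cryptsetup luksOpen $dev $name"
    fi
}

# Sanity check before the keyfile is packed into the initramfs: return 0 only
# if group and others have no permission bits at all (e.g. mode 0400 or 0600).
# Uses ls/cut rather than stat -c so it also works on busybox-style userlands.
keyfile_perms_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Stand-alone demonstration with a constructed temporary keyfile.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo_dir=$(mktemp -d)
    head -c 64 /dev/urandom > "$demo_dir/root.key"
    chmod 0400 "$demo_dir/root.key"
    build_cryptsetup_args /dev/sda2 root "$demo_dir/root.key"   # with --key-file
    build_cryptsetup_args /dev/sda2 root "$demo_dir/missing.key"  # passphrase prompt
    rm -rf "$demo_dir"
fi
```

The permission check matters because the keyfile is only as safe as the image that carries it: the whole point of the setup in this thread is that the initramfs lives on the LUKS volume, so if the image is ever copied onto the unencrypted boot partition (or the keyfile is world-readable inside a running system) the volume key is exposed in plaintext.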

Thanks, will try just editing functions.sh.

herriett, Apr 09 '17 20:04