Package: cryptsetup
Version: 2:1.6.6-5
Severity: wishlist

Dear Maintainer,

I suppose this is still in the works, as for other distros there are guides on having /boot included within the encrypted volume. The procedure, if this is something of interest to Debian, is relatively simple. I believe this might be a wishlist feature, but it might even be a bug -- I'm still new to using LUKS, but I know using a keyfile with LUKS works perfectly -- however, with /boot in a LUKS container a keyfile won't be picked up even if it is on removable media (as was tested).

Afaict this also wasn't reported, so here is... the report! :p

A manual partitioning was done with Debian's installer using just a removable device (for the crypt key) and one drive containing a LUKS partition.

I'm using VirtualBox, so it's more convenient for me to use this -- but it could be another removable device to hold the cryptkey.

The drive partitioned:

/dev/sda1: LUKS
/dev/sda2: /boot (can set it to 50-300 MB -- smallest possible, as it will be deleted later. Technically I really used another drive for this, since it is difficult, if possible at all, to resize the LUKS container.)

sda1 (LUKS) is mapped to /dev/mapper/cryptroot (cryptroot contains one ext2 partition, which itself gets mounted to "/"). There is no sdb, as it eventually takes sda's place.

Post-install, I attempted to use the keyfile while having /boot inside the LUKS volume (passphrase and floppy containing the keyfile were both tested to work perfectly).

Here are the things done after install:

- created a keyfile, stored it on a floppy (or USB storage), and added the key to the LUKS container
- moved the /boot partition files to the encrypted volume (removed /boot from /etc/fstab)
- updated /etc/default/grub and /etc/crypttab and carried out the update commands (update-initramfs, update-grub2, grub-install -- basically these three)

The changes needed for /etc/default/grub:
GRUB_ENABLE_CRYPTODISK="y"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/05a7ec49-f4b3-4d58-b906-932b7bec8457:sdb1_crypt cryptkey=/dev/fd0:ext2:/mykeyfile"

The file /etc/crypttab needs to be done before update-initramfs, and I made sure to remove the default line, which defines using only a passphrase.

I know there is some referencing towards the floppy, as I'm seeing the delay error message (reported as bug #786559), and I have also set the floppy module in /etc/modules and /etc/initramfs-tools/modules. I tried seeing if this made a difference, but still no success.

I have made attachments where "sdb1_crypt" is referenced instead of "cryptroot" -- a second drive was used to hold /boot, but this drive was permanently removed.

Thanks
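
A consistency check for the configuration described above, added here as an example; it is neither part of the report nor cryptsetup's own code. It relies on Debian's initramfs reading the root device's key from its /etc/crypttab entry, assumes the removable-media key is handed over via the passdev keyscript shipped by Debian's cryptsetup, and uses constructed crypttab lines with a placeholder UUID:

```shell
#!/bin/sh
# Added check, not part of the bug report: cross-check the cryptdevice on
# GRUB's kernel command line against /etc/crypttab. A mapper name or UUID that
# differs between the two files, or a crypttab key field still set to "none",
# means the keyfile is never offered for the root device at boot (samples constructed).
GRUB_SAMPLE='GRUB_ENABLE_CRYPTODISK="y"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000:cryptroot cryptkey=/dev/fd0:ext2:/mykeyfile"'
CRYPTTAB_OK='cryptroot UUID=00000000-0000-0000-0000-000000000000 /dev/fd0:/mykeyfile luks,keyscript=/lib/cryptsetup/scripts/passdev'
CRYPTTAB_NONE='cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks'
CRYPTTAB_RENAMED='sdb1_crypt UUID=00000000-0000-0000-0000-000000000000 /dev/fd0:/mykeyfile luks,keyscript=/lib/cryptsetup/scripts/passdev'

# Value of GRUB_CMDLINE_LINUX with its surrounding double quotes removed.
grub_cmdline() {
    printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p'
}

# Value of the key=value kernel parameter named by $2 in command line $1.
cmdline_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Source (field 2) or key (field 3) of the crypttab entry for mapper name $2;
# $3 selects "src" or "key". Prints nothing when no entry matches.
crypttab_field() {
    printf '%s\n' "$1" | while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        [ "$name" = "$2" ] || continue
        if [ "$3" = key ]; then printf '%s\n' "$key"; else printf '%s\n' "$src"; fi
        break
    done
}

# Prints "ok" when GRUB and crypttab agree on mapper name and UUID and a
# keyfile is configured; otherwise prints the first problem and returns 1.
check_boot_crypt_config() {
    cmdline=$(grub_cmdline "$1")
    dev=$(cmdline_param "$cmdline" cryptdevice)
    mapper=${dev##*:}
    uuid=${dev%%:*}; uuid=${uuid#/dev/disk/by-uuid/}
    src=$(crypttab_field "$2" "$mapper" src)
    key=$(crypttab_field "$2" "$mapper" key)
    if [ -z "$src" ]; then echo "no crypttab entry for mapper '$mapper'"; return 1; fi
    if [ "$src" != "UUID=$uuid" ]; then echo "crypttab source '$src' is not UUID=$uuid"; return 1; fi
    if [ -z "$key" ] || [ "$key" = none ]; then echo "crypttab entry '$mapper' has no keyfile (passphrase only)"; return 1; fi
    echo ok
}

check_boot_crypt_config "$GRUB_SAMPLE" "$CRYPTTAB_OK"                 # ok
check_boot_crypt_config "$GRUB_SAMPLE" "$CRYPTTAB_NONE" || true       # passphrase only
check_boot_crypt_config "$GRUB_SAMPLE" "$CRYPTTAB_RENAMED" || true    # no entry for cryptroot
```

Run it against the real files with `check_boot_crypt_config "$(cat /etc/default/grub)" "$(cat /etc/crypttab)"` before calling update-initramfs.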

