Hi.
I'm getting mad (also) at setting up encrypted boot.
The problem is that if I set up an encrypted /boot partition (possibly
I'm the first one trying?), the keyfile does not end up in initramfs.
IIUC, I have to:
- have FAI_KEEP_CRYPTKEYFILE during install (e.g. via ENCRYPTED.var)
- create hooks/mountdisks.ENCRYPTED that:
  - sets up a password to unlock GRUB loading (have to use pbkdf2 instead
    of Argon2) after task_partition
  - changes KEYFILE_PATTERN in
    /target/etc/cryptsetup-initramfs/conf-hook to match crypttab
  - sets UMASK=0077 in
    /target/etc/initramfs-tools/conf.d/restrictperms.conf
*BUT* /etc/crypttab contains a reference to /tmp/fai/crypt_dev_sda2 that
does not exist anymore when the system is booting! (/tmp is emptied at
every boot, the keyfile is in /var/log/fai/$(hostname -s)/last/): should
I edit it in my mountdisks.ENCRYPTED script or is there a better (or
more correct) way?
TIA
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
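An added example, not code from the post above or from FAI itself: the fix-up a hooks/mountdisks.ENCRYPTED script could run once the target is mounted, copying the install-time keyfile out of FAI's log directory (/tmp/fai during the install) into the installed root, rewriting /etc/crypttab to point there, and applying the KEYFILE_PATTERN and UMASK settings the post lists. The /etc/keys location, the crypt_dev_* name pattern and passing "$target" and "$LOGDIR" as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or FAI). Call from the hook as:
#   relocate_keyfiles "$target" "$LOGDIR"
# $target is the installed root (/target), $LOGDIR is where FAI left the
# crypt_dev_* keyfiles (/tmp/fai), both assumptions about the hook environment.

relocate_keyfiles() {
    target="$1"
    logdir="$2"
    keydir="$target/etc/keys"   # assumed persistent location for the keys

    install -d -m 0700 "$keydir"
    for key in "$logdir"/crypt_dev_*; do
        [ -f "$key" ] || continue
        # root-only: this file unlocks the root volume once it lives in /etc
        install -m 0400 "$key" "$keydir/$(basename "$key")"
    done

    # Third crypttab field: /tmp/fai/crypt_dev_X -> /etc/keys/crypt_dev_X,
    # since /tmp is emptied at every boot
    sed -i 's#/tmp/fai/\(crypt_dev_[^[:space:]]*\)#/etc/keys/\1#' \
        "$target/etc/crypttab"

    # Make cryptsetup-initramfs copy the keys in; drop any earlier setting
    conf="$target/etc/cryptsetup-initramfs/conf-hook"
    install -d "$(dirname "$conf")"
    if [ -f "$conf" ]; then
        sed -i '/^KEYFILE_PATTERN=/d' "$conf"
    fi
    echo 'KEYFILE_PATTERN="/etc/keys/crypt_dev_*"' >> "$conf"

    # The generated initramfs now embeds the key, so keep it root-readable only
    install -d "$target/etc/initramfs-tools/conf.d"
    echo 'UMASK=0077' > "$target/etc/initramfs-tools/conf.d/restrictperms.conf"
}

# Returns 0 when no crypttab entry still points under /tmp/fai
crypttab_ok() {
    ! grep -q '/tmp/fai/' "$1/etc/crypttab"
}
```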