Re: [qubes-users] Dracut and a detached LUKS header

2018-08-25 Thread Unman
On Thu, Aug 23, 2018 at 09:52:23AM -0700, tierl...@gmail.com wrote:
> On Tuesday, August 21, 2018 at 12:31:26 PM UTC+1, Unman wrote:
> > On Tue, Aug 21, 2018 at 02:23:56AM -0700, tierl...@gmail.com wrote:
> > > Is this possible? Can dracut be configured to decrypt a LUKS volume with 
> > > a detached header?
> > > 
> > 
> > I think that dracut generally wants to have a UUID, and with a detached
> > header you won't have one. You could use the serial number. 
> > You'll also need to add a udev attribute for crypto_LUKS, I think.
> > I recall reading someone who did have dracut working in this setup, but
> > it needed some changes to the crypt module.
> > You could always specify the header file and key file in the kernel
> > command line using cryptdevice and cryptkey options.
> 
> 
> --> "You could always specify the header file and key file in the kernel 
> command line using cryptdevice and cryptkey options."
> 
> Interesting, what would that look like? Something like this? (lifted from 
> Gentoo forums):
> 
> root=/dev/ram0 real_root=/dev/mapper/vg-root cryptdevice=/dev/sda4:crypt
> 
> But doesn't that just specify the LUKS volume? How can I explicitly specify the
> location of the header file?
> 
> Is it possible to build a custom initramfs with mkinitcpio (or another) 
> without having to recompile the kernel? I'm assuming yes.
> 

You've missed the crucial:
> > it needed some changes to the crypt module.
which allows you to add the header specification into the cryptdevice
call.

Yes, you can certainly rebuild initramfs without recompiling the kernel
by leveraging the mkinitcpio hooks to implement the header option.
Can you set out exactly what it is you want to do? Do you want /boot on
the device that holds the detached header?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180825115534.h2gvxrijg7rxhouz%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
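As an added example (not code from this thread, nor from Qubes, dracut or cryptsetup), the following Python script illustrates Unman's point that dracut wants a UUID and a detached header leaves you without one. It parses the UUID out of a LUKS header (the LUKS1 phdr and the LUKS2 binary header both keep a 40-byte UUID string at byte offset 168), checks whether the data device itself carries the `LUKS\xba\xbe` magic that blkid/udev key on, and picks the identifier an initramfs could resolve: `UUID=` when the header is on the device, otherwise a stable path such as a `/dev/disk/by-id` entry derived from the drive serial. The header bytes, the UUID and the device paths are all constructed for the demonstration; the constructed LUKS1 header has no master-key digest and no enabled key slots, so it is only good for parsing.

```python
"""Show why a detached LUKS header defeats UUID-based device discovery.

Added example for the qubes-users thread; not code from Qubes, dracut or
cryptsetup.  Header bytes, UUID and device paths below are constructed.
"""
import struct
import uuid
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic (LUKS1 and LUKS2)
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic
LUKS1_PHDR_SIZE = 592                    # LUKS1 on-disk phdr, key slots included
UUID_OFFSET = 168                        # both formats store a 40-byte UUID string here


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(buf: bytes) -> Optional[dict]:
    """Return version/uuid/cipher info, or None if buf is not a LUKS header."""
    if len(buf) < LUKS1_PHDR_SIZE or buf[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        return None
    (version,) = struct.unpack(">H", buf[6:8])
    raw_uuid = _cstr(buf[UUID_OFFSET:UUID_OFFSET + 40])
    try:
        dev_uuid = str(uuid.UUID(raw_uuid))  # reject garbage before trusting the field
    except ValueError:
        return None
    info = {"version": version, "uuid": dev_uuid}
    if version == 1:
        info["cipher"] = f"{_cstr(buf[8:40])}-{_cstr(buf[40:72])}"
        info["hash"] = _cstr(buf[72:104])
        info["payload_offset_sectors"], info["key_bytes"] = struct.unpack(">II", buf[104:112])
    elif version == 2:
        (info["hdr_size"],) = struct.unpack(">Q", buf[8:16])
        info["label"] = _cstr(buf[24:72])
    else:
        return None
    return info


def device_carries_luks_signature(first_sector: bytes) -> bool:
    """What blkid/udev check on the device itself: the magic in sector 0."""
    return first_sector[:6] == LUKS_MAGIC


def choose_device_reference(first_sector: bytes, header: dict, by_id_path: str) -> str:
    """Pick an identifier the initramfs can resolve at boot.

    With the header on the device, UUID= works.  With a detached header the
    data device has no signature, so fall back to a stable path such as the
    /dev/disk/by-id entry built from the drive's serial number."""
    if device_carries_luks_signature(first_sector):
        return f"UUID={header['uuid']}"
    return by_id_path


def make_luks1_header(dev_uuid: str, cipher: str = "aes", mode: str = "xts-plain64",
                      hash_spec: str = "sha256") -> bytes:
    """Constructed LUKS1 phdr for parsing only: no master-key digest and all key
    slots disabled, so it can never unlock anything."""
    hdr = bytearray(LUKS1_PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher.encode()
    hdr[40:40 + len(mode)] = mode.encode()
    hdr[72:72 + len(hash_spec)] = hash_spec.encode()
    struct.pack_into(">II", hdr, 104, 4096, 64)  # payload at sector 4096, 512-bit key
    hdr[UUID_OFFSET:UUID_OFFSET + len(dev_uuid)] = dev_uuid.encode()
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed inputs: a detached header file, and sector 0 of the data
    # device, which after `cryptsetup luksFormat --header ...` holds no header
    # at all, only the encrypted payload area.
    header_file = make_luks1_header("5e1ec7ed-0000-4000-8000-000000000001")
    data_device_sector0 = bytes(512)  # no magic, no UUID, nothing for blkid to tag
    info = parse_luks_header(header_file)
    print("header:", info)
    print("device tagged crypto_LUKS?", device_carries_luks_signature(data_device_sector0))
    print("reference to use:", choose_device_reference(
        data_device_sector0, info, "/dev/disk/by-id/ata-EXAMPLE_SERIAL-part4"))
```

Run it as-is and the device check comes back false while the header parses cleanly, which is exactly the mismatch a UUID-driven initramfs trips over: the identity lives in the header file, the device only has a stable path. The `/dev/disk/by-id` name in the demonstration is a placeholder for whatever the serial-based symlink is on the real machine.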


Re: [qubes-users] Dracut and a detached LUKS header

2018-08-23 Thread tierlebu
On Tuesday, August 21, 2018 at 12:31:26 PM UTC+1, Unman wrote:
> On Tue, Aug 21, 2018 at 02:23:56AM -0700, tierl...@gmail.com wrote:
> > Is this possible? Can dracut be configured to decrypt a LUKS volume with a 
> > detached header?
> > 
> 
> I think that dracut generally wants to have a UUID, and with a detached
> header you won't have one. You could use the serial number. 
> You'll also need to add a udev attribute for crypto_LUKS, I think.
> I recall reading someone who did have dracut working in this setup, but
> it needed some changes to the crypt module.
> You could always specify the header file and key file in the kernel
> command line using cryptdevice and cryptkey options.


--> "You could always specify the header file and key file in the kernel 
command line using cryptdevice and cryptkey options."

Interesting, what would that look like? Something like this? (lifted from 
Gentoo forums):

root=/dev/ram0 real_root=/dev/mapper/vg-root cryptdevice=/dev/sda4:crypt

But doesn't that just specify the LUKS volume? How can I explicitly specify the
location of the header file?

Is it possible to build a custom initramfs with mkinitcpio (or another) without 
having to recompile the kernel? I'm assuming yes.


Re: [qubes-users] Dracut and a detached LUKS header

2018-08-21 Thread Unman
On Tue, Aug 21, 2018 at 02:23:56AM -0700, tierl...@gmail.com wrote:
> Is this possible? Can dracut be configured to decrypt a LUKS volume with a 
> detached header?
> 

I think that dracut generally wants to have a UUID, and with a detached
header you won't have one. You could use the serial number. 
You'll also need to add a udev attribute for crypto_LUKS, I think.
I recall reading someone who did have dracut working in this setup, but
it needed some changes to the crypt module.
You could always specify the header file and key file in the kernel
command line using cryptdevice and cryptkey options.



[qubes-users] Dracut and a detached LUKS header

2018-08-21 Thread tierlebu
Is this possible? Can dracut be configured to decrypt a LUKS volume with a 
detached header?
