Re: Detached LUKS header

help-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Detached LUKS header

From:	elaexuotee
Subject:	Re: Detached LUKS header
Date:	Wed, 13 Nov 2019 05:08:21 +0900
User-agent:	Heirloom mailx 12.5 7/5/10

Nerd away!

It is indeed a nifty setup. Unfortunately, I can't point you at a manual, as
it's a self-baked solution. I actually ended up patching dracut to get the
whole thing working. Happily, upstream merged the patch, so in principle anyone
should be able to recreate my current setup. Unfortunately, however, I believe
the only documentation is the code itself, as is common with dracut.

Anyway, just in case you are insterested, here is an overview of the salient
moving pieces in my current setup:

0) Create LUKS volume with detached header;

This is easiest when setting up a new volume; just read about the --header
option in the cryptsetup(8) manpage. You can actually convert a traditional
LUKS volume to a headerless one by copying the header to a file and then
erasing the 512 bytes at the offset on your drive where it resides, using dd or
whatever.

1) Install GRUB on your USB;

This is probably self-explanatory.

2) Make sure your grub.cfg and every path it references is on said USB;

In my particular setup, just keeping /boot on the drive is enough.

3) Setup your initrd.

This is the trickiest part. There are two parts:

  a) Get your LUKS header (and key) file into the initrd; and
  b) Configure cryptsetup in initrd to use the detached header (and key.

My current distro (Void Linux) uses dracut, so the above boil down to editing
/etc/dracut.conf for a) and /etc/crypttab for b).

That said, in retrospect, I believe a better way might be to use GRUB's native
ability to decrypt LUKS volumes. This would let us keep /boot in the encrypted
drive, so the USB only contains GRUB, grub.cfg, the LUKS headers, and possibly
a LUKS key.

Anyway, if any of the above was unclear, certainly don't hesitate to ask.

Cheers!

Joshua Branson <address@hidden> wrote:

>
> I hope you don't mind my nerdy awe, but dang bro!  That sounds like an
> awesome setup!  What manual did you follow on your other distro to set
> up your computer like this?  I've never thought about having my grub and
> /boot on an external usb or drive...but that is pretty interesting!
>
> -- 
> Joshua Branson
> Sent from Emacs and Gnus

signature.asc
Description: application/pgp-encrypted

[Prev in Thread]

Current Thread

[Next in Thread]

Detached LUKS header, elaexuotee, 2019/11/09
- Re: Detached LUKS header, Chris Marusich, 2019/11/11
  - Re: Detached LUKS header, elaexuotee, 2019/11/12
- Message not available
  - Re: Detached LUKS header, elaexuotee <=

Prev by Date: Re: Build error in guix/scripts/pack.scm: no binding 'zip' to hide
Next by Date: Re: ntpd: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Previous by thread: Re: Detached LUKS header
Next by thread: Build error in guix/scripts/pack.scm: no binding 'zip' to hide
Index(es):
- Date
- Thread