
Typing LUKS passphrase only once and a possible solution


From: Thomas Albers
Subject: Typing LUKS passphrase only once and a possible solution
Date: Wed, 07 Jul 2021 18:05:44 +0200
User-agent: mu4e 1.4.15; emacs 27.2

Hello everyone,

I recently installed guix on my X200T and through the process I found
some challenges I was not able to solve by myself. It's nothing strictly
necessary but I would like to solve them nonetheless.

My current setup consists of libreboot, my main luks partition and a
lvm group inside.

The problem I mentioned is the necessity of typing the passphrase for
the luks device twice. Once for the bootloader and again for the
kernel itself.

In other distributions this is avoided by copying a key file into the
initramfs and passing the kernel parameter "cryptkey" to linux. So
naturally the first thing I tried after not finding any documentation on
this topic was this, albeit without success.

Reading the relevant files (gnu system linux-initrd) and
(gnu system mapped-devices) I noticed that the kernel parameter is not
really needed, because the one decrypting the luks device is actually
the init script inside the initramfs.

So the question would be: Is it possible to add arguments to the call
to cryptsetup inside the init script without having to redefine the
"luks-device-mapping" variable and without rewriting the definition of
the "open-luks-device" function? - both defined locally inside the
(gnu system mapped-devices) module.

My suggestion would be to add an "extra-options" field to the
<mapped-device> structure. This field would be appended to the command
line arguments of the cryptsetup call.

One could also add a "keyfile" parameter but this would be too
specific to the luks device mapper and it would also cause other
problems as well. For example, not everyone would like to store the
keyfile inside the store.

Also, is it possible to modify existing code for such small changes,
without needing to rewrite complete functions? Many of the functions
used are not exposed by the modules and one needs to rewrite the
function one wants to use and also its dependencies.

My last question would be: Why is the file called initrd, when in
reality an initramfs scheme is used?

Thanks for taking the time to read this and for any help you can
provide.

Thomas Albers Raviola
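The configuration below is an added example, not code from the message above and not part of Guix itself. It shows the two things the message talks about: an operating-system fragment declaring a LUKS container with an LVM volume group inside it, and a user-defined mapped-device kind whose "open" procedure appends extra arguments to the cryptsetup call, which is the only way to do that without touching the non-exported "open-luks-device". Assumptions, since the example is not taken from the post: the "mapped-device-kind" record with "open" and "close" fields is exported by (gnu system mapped-devices) and the "open" procedure receives (source target); "cryptsetup-static" lives in (gnu packages cryptsetup); "lvm-device-mapping" and the "targets" field are available in the Guix revision in use; the device path, volume-group name, host name and the key-file path are placeholders. A source given as a plain device path is used so that the gexp can splice it directly; a (uuid ...) source would need the partition lookup that the real "open-luks-device" performs.

```scheme
;; Added example (not from the message or from Guix): a custom LUKS
;; mapped-device kind that passes extra options to cryptsetup, plus an
;; operating-system fragment using it together with LVM.
(use-modules (gnu)
             (gnu system mapped-devices)   ; mapped-device-kind, lvm-device-mapping
             (gnu packages cryptsetup)     ; cryptsetup-static (assumed location)
             (guix gexp))                  ; #~, #$, #$@, file-append

(define (open-luks-device-with-options extra-options)
  "Return an 'open' procedure that maps SOURCE to TARGET with cryptsetup,
appending EXTRA-OPTIONS (a list of strings) to the command line.
Assumes the 'open' field of 'mapped-device-kind' receives (source target)."
  (lambda (source target)
    ;; cryptsetup-static keeps the initrd small, as Guix's own kind does.
    #~(zero? (system* #$(file-append cryptsetup-static "/sbin/cryptsetup")
                      "open" "--type" "luks"
                      #$@extra-options          ; e.g. "--key-file" "/keyfile.bin"
                      #$source #$target))))

(define (close-luks-device-simple source target)
  "Close the mapping TARGET; SOURCE is unused but part of the 'close' signature."
  #~(zero? (system* #$(file-append cryptsetup-static "/sbin/cryptsetup")
                    "close" #$target)))

(define luks-device-mapping-with-keyfile
  ;; Same shape as the built-in luks-device-mapping, with one extra option.
  ;; "/keyfile.bin" is a placeholder path inside the initrd's root.
  (mapped-device-kind
   (open (open-luks-device-with-options
          (list "--key-file" "/keyfile.bin")))
   (close close-luks-device-simple)))

;; The LUKS container; "/dev/sda2" is a placeholder device path.
(define %cryptroot
  (mapped-device
   (source "/dev/sda2")
   (target "cryptroot")
   (type luks-device-mapping-with-keyfile)))

;; The LVM volume group living inside the container; names are placeholders.
(define %vg0
  (mapped-device
   (source "vg0")
   (targets (list "vg0-root"))
   (type lvm-device-mapping)))

(operating-system
  (host-name "x200t")                      ; placeholder
  (timezone "Europe/Berlin")               ; placeholder
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))       ; placeholder; field name depends on Guix revision
  (mapped-devices (list %cryptroot %vg0))
  (file-systems (cons (file-system
                        (device "/dev/mapper/vg0-root")
                        (mount-point "/")
                        (type "ext4")
                        ;; Order matters: open LUKS first, then activate LVM.
                        (dependencies (list %cryptroot %vg0)))
                      %base-file-systems)))
```

The design point worth noting is where the key file ends up. Anything the initrd references through a store item is copied into /gnu/store, which every local user can read, so a key file placed there protects the container against offline reading of the disk only as far as the initrd itself sits inside the already-unlocked LUKS volume; once the system is up, any local account can read it. That is the concern the message raises against a generic "keyfile" field, and it is why the extra options are kept as an opaque list here rather than a dedicated key-file field.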