[arch-general] grub2 + luks + keyfile

Matthew Monaco dgbaley27 at 0x01b.net
Mon Aug 20 20:19:21 EDT 2012


On 08/20/2012 04:47 PM, Adrian Pop wrote:
> Hello,
> 
> I'm trying to configure grub2 to read a keyfile from a usb flash drive
> in order to decrypt the root partition.  The grub2 wiki page specifies
> that in order to decrypt the root partition, the following should be
> added in /etc/default/grub:
> 

Just to be clear, it's the mkinitcpio encrypt hook that's reading the keyfile;
grub2 seems to be configured just fine (so far).

>   GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"
> 
> 
> Also an earlier version of the luks wiki page, that was intended for
> grub-legacy, mentioned that to decrypt the root partition using a
> keyfile, the following kernel parameter has to be added:
> 
>   cryptkey=/dev/disk/by-uuid/<uuid>:vfat:/keyfile
> 
> 
> So I've attempted to add both of these parameters in /etc/default/grub:
> 
>   GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root
>   cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile"
> 
> 
> I've also added the encrypt hook and vfat module in
> /etc/mkinitcpio.conf.
> 

I don't remember if these are exempt from autodetect. You can try

lsinitcpio /boot/initramfs-linux.img | grep fat

to verify that it's on there. I think there's also a "fat" module which is
needed by vfat; I don't know if mkinitcpio pulls in module deps as well.

You can also try the fallback image.

> This is displayed while booting up:
> 
>   :: running early hook [udev]
>   :: running hook [udev]
>   :: Triggering uevents...
>   :: running hook [encrypt]
>   Waiting 10 seconds for device /dev/disk/by-uuid/3848-EFD5 ...
>   Keyfile could not be opened. Reverting to passphrase.
> 

I know that message kind of looks like the device is not found, but it's likely
a problem with mounting the filesystem.

> 
> The usb flash drive is formatted with mkfs.vfat and contains just the
> keyfile.  I would greatly appreciate any advice.
> 

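As an added example (not from either poster), a small POSIX sh script that splits the cryptkey= parameter into its device:fstype:path fields and checks an `lsinitcpio` listing for the fat and vfat modules and the encrypt hook; the listing it runs on here is constructed, with a placeholder kernel version:

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the two things the
# encrypt hook needs for a keyfile on a vfat USB stick.

# parse_cryptkey 'cryptkey=DEV:FSTYPE:PATH' prints the three fields, one
# per line; returns 1 unless all three are present and non-empty.
parse_cryptkey() {
    spec=${1#cryptkey=}
    dev=${spec%%:*}
    rest=${spec#*:}
    [ "$rest" != "$spec" ] || return 1        # no first colon
    fstype=${rest%%:*}
    path=${rest#*:}
    [ "$path" != "$rest" ] || return 1        # no second colon
    [ -n "$dev" ] && [ -n "$fstype" ] && [ -n "$path" ] || return 1
    printf '%s\n%s\n%s\n' "$dev" "$fstype" "$path"
}

# check_initramfs_listing reads an `lsinitcpio <image>` listing on stdin and
# reports which of fat.ko, vfat.ko and the encrypt hook are missing
# (compressed modules such as fat.ko.gz match too). Prints "ok" and
# returns 0, or "missing: ..." and returns 1.
check_initramfs_listing() {
    listing=$(cat)
    missing=""
    while read -r label regex; do
        printf '%s\n' "$listing" | grep -Eq "$regex" || missing="$missing $label"
    done <<'EOF'
fat (^|/)fat\.ko
vfat (^|/)vfat\.ko
encrypt-hook (^|/)hooks/encrypt$
EOF
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample listing, not real output from the poster's image.
SAMPLE_LISTING='hooks/udev
hooks/encrypt
usr/lib/modules/KERNEL_VERSION/kernel/fs/fat/fat.ko
usr/lib/modules/KERNEL_VERSION/kernel/fs/fat/vfat.ko'

parse_cryptkey 'cryptkey=/dev/disk/by-uuid/3848-EFD5:vfat:/keyfile'
printf '%s\n' "$SAMPLE_LISTING" | check_initramfs_listing
# On a real system: lsinitcpio /boot/initramfs-linux.img | check_initramfs_listing
```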