Ubuntu – How Do I Customize the “cryptroot” Script

12.04, cryptroot, encryption, initramfs, source code

I have a system where all the partitions (/, /home, and swap) are encrypted except for /boot. /boot resides in an external device which also contains a set of encrypted key files used to automatically decrypt all of the partitions. In other words, my desired end result was to have 2-factor authentication using an external device and a password where the password would be entered once during boot and the boot scripts would use the password to decrypt all of the partitions.

I'm a newbie to Ubuntu (and Linux in general), but I did some trial and error modifying the various scripts found in initrd.img using update-initramfs. The cryptroot script seemed to be doing all the work mounting the partitions at first, but after some experimenting, it appears that it is only responsible for decrypting the root file system. I had modified a string in the script, changing "Enter the passphrase" to simply "Password", which appeared to work when decrypting the root file system, but used the old prompt again for decrypting the next partition. In other words, this is what I'm getting:

  1. cryptroot script loads.
  2. The script asks for a password to decrypt the key partition and mounts it.
  3. The script calls the setup_mapping function to decrypt the root file system.
  4. The script tries to read the key file from the key partition to decrypt the root file system.
  5. The root file system is decrypted and mounted.
  6. The system prompts to enter a passphrase to decrypt the next partition…

I think Ubuntu might be running another copy of the cryptroot script somewhere to decrypt all the other partitions after root, but I don't know what else to modify.

Best Answer

First, find out where cryptroot is, what package provides cryptroot, and what else (source, documentation, examples, ...) is in the package. Thusly:

walt@squid:~(0)$ locate cryptroot
/usr/share/initramfs-tools/hooks/cryptroot
/usr/share/initramfs-tools/scripts/local-top/cryptroot
walt@squid:~(0)$ dpkg -S !$
dpkg -S cryptroot
cryptsetup: /usr/share/initramfs-tools/hooks/cryptroot
cryptsetup: /usr/share/initramfs-tools/scripts/local-top/cryptroot
walt@squid:~(0)$ dpkg -L cryptsetup
...