Ubuntu – Initramfs + Luks – only one password prompt


What I want to achieve:

  • Being asked for a password, only once during boot time;
  • The other (non-root) partitions to use the keyfile inside the /root/ directory.

What I have achieved so far:

  • (A) The system booting, but asking for password twice (once for /, and once for /usr).
  • Or: (B) the system not booting, asking for password once, but then refusing to mount /usr, saying it cannot find the LVM group/volume. I get dropped to shell, and can see that /root/.keyfile is unavailable. / has not been mounted yet.


File: /etc/crypttab

Case A

sdc3_crypt /dev/sdc3 none luks
md0_crypt /dev/md0 none luks

Case B

sdc3_crypt /dev/sdc3 none luks
md0_crypt /dev/md0 /root/.keyfile luks

What totally didn't work

  • Creating script files to manually luksOpen the required drive: those in /etc/initramfs-tools/scripts/local-premount are called before / is available, but those in /etc/initramfs-tools/scripts/local-bottom are called after it wants to open /usr (and therefore it is too late).

Best Answer

On this wiki page (in German, I sadly didn't find an equivalent in English) it is suggested that you use the script /lib/cryptsetup/scripts/decrypt_derived to generate a key from the opened root device. I will try to translate the important parts, but I have NOT tried the procedure.

To add the key, you would have to execute (as root)

mkdir /mnt/ram && mount -t ramfs -o size=1m ramfs /mnt/ram && chmod 600 /mnt/ram
/lib/cryptsetup/scripts/decrypt_derived <root_name> > /mnt/ram/tmp.key && cryptsetup luksAddKey <usr_dev> /mnt/ram/tmp.key && rm /mnt/ram/tmp.key
umount /mnt/ram && rmdir /mnt/ram 

where <root_name> is the name of your root device as displayed in /dev/mapper (probably sdc3_crypt), and <usr_dev> is the device that /usr is on (probably /dev/md0).

The line for crypttab is

  <usr_name>         UUID=<UUID>          <root_name>           luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

Remember to run

update-initramfs -u -k all 

after changing crypttab.

You should keep a "normal" password for your usr device, otherwise you won't be able to open it in case your root device is damaged.
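
A check for the crypttab layout described in this answer, as an added example that is not part of the original answer or the wiki page it cites: the function check_derived_crypttab (a hypothetical name) verifies that every decrypt_derived entry names, in its key field, a mapping defined on an earlier line. It assumes mappings are unlocked in file order; the sample entries are constructed from the device names in the question.

```shell
#!/bin/sh
# Added example: lint a crypttab for keyscript=decrypt_derived entries.
# Assumption: mappings are unlocked in the order they appear in the file,
# so the source mapping must be defined on an earlier line.
check_derived_crypttab() {
    file=$1
    seen=" "    # space-separated names of the mappings defined so far
    rc=0
    # "|| [ -n ... ]" also processes a last line that lacks a newline.
    while read -r name dev key opts _rest || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        case ",$opts," in
            *,keyscript=*decrypt_derived,*)
                # For decrypt_derived the key field is a mapping name,
                # not a file path and not "none".
                case $seen in
                    *" $key "*) ;;
                    *)
                        echo "$name: source mapping '$key' is not defined on an earlier line" >&2
                        rc=1
                        ;;
                esac
                ;;
        esac
        seen="$seen$name "
    done < "$file"
    return "$rc"
}

# Constructed sample using the device names from the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <target name> <source device> <key field> <options>
sdc3_crypt /dev/sdc3 none       luks
md0_crypt  /dev/md0  sdc3_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
check_derived_crypttab "$sample" && echo "crypttab: derived entries are consistent"
rm -f "$sample"
```

Run it against /etc/crypttab before update-initramfs -u -k all; a non-zero exit status means a derived entry points at a name that is misspelled, missing, or listed too late.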

