I'm trying to decrypt the Debian root with a key file stored in the boot partition (an unencrypted partition). This will break the security, but it doesn't matter now. I have to conclude this successfully or die trying.
I have created the hooks for the initramfs, and the key file is in the /boot directory inside the initrd.img-* file. The path to the key file (/boot/keyfile) is in the /etc/crypttab file.
I updated the initramfs with sudo update-initramfs -u but received this message: cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.
Ignoring the message and rebooting results in an unbootable disk. The message Gave up waiting for root device. is displayed and it drops to the initramfs shell.
In the initramfs environment cryptsetup doesn't exist. (Should it exist?)
It seems that update-initramfs -u "thinks" the sdaX_crypt device will be mounted in another way and doesn't configure it to decrypt with the keyfile.
How can I do that?
Best Answer
You can use the keyscript option in your crypttab instead (man crypttab). Just create a script that echoes your passphrase and set it as the keyscript argument, then regenerate your ramfs. You don't need any hooks, and you don't need to put the script in /boot/.
vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 none luks,keyscript=/etc/echo-root-luks-pass
I don't know why the initramfs hooks for cryptsetup prohibit you from just having the keyfile listed in crypttab. Probably they don't want to condone such behavior.
P.S. I don't think it breaks the security, it just weakens it more or less depending on how secure your /boot partition is. You could for example boot off a USB drive and keep the USB in your socks, etc.
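A worked keyscript along the lines the answer describes, added here as an example and not the answerer's own script. It keeps the answer's path (/etc/echo-root-luks-pass) but, instead of echoing a literal passphrase, emits the contents of whatever key file the crypttab key field names, falling back to the console prompt when no key file is readable. The function name emit_key and the ASKPASS override variable are this example's own; Debian's cryptsetup initramfs scripts pass the crypttab key field to a keyscript as its first argument and export CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and CRYPTTAB_TRIED, and feed the script's stdout to cryptsetup as the key. Two caveats a practitioner will want: the cryptroot hook copies the keyscript into the initrd, so anything the script contains (or any key file it reads from /boot) is readable by whoever can read the initrd; and cryptsetup reads a key supplied on stdin up to EOF without stripping a trailing newline, so a script that uses plain echo produces a key that differs from the same passphrase typed at the prompt. The example therefore emits the key file bytes unchanged.

```shell
#!/bin/sh
# Added example keyscript; install as /etc/echo-root-luks-pass (the name used
# in the answer), chmod 700, reference it from /etc/crypttab, then run
# update-initramfs -u. Assumed crypttab line, with the key field pointing at
# a key file the script will read (assumption: /etc/keyfile):
#   vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 /etc/keyfile luks,keyscript=/etc/echo-root-luks-pass
#
# The cryptroot initramfs hook copies the keyscript into the initrd in /boot,
# so whoever can read the initrd can read this script and any key it embeds.
#
# Debian's cryptsetup initramfs scripts run the keyscript with the crypttab
# key field as $1 and export CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and
# CRYPTTAB_TRIED (number of attempts that already failed). Whatever is written
# to stdout is handed to cryptsetup as the key.

# Interactive fallback prompt (Debian ships it at this path). Overridable via
# the environment so the script can be exercised outside an initramfs
# (ASKPASS is this example's own variable, not a cryptsetup interface).
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"

# emit_key KEYFILE [TRIED]
# Writes the key for the target to stdout. If KEYFILE names a readable file,
# its bytes are emitted exactly, with no newline appended: cryptsetup reads a
# --key-file=- key up to EOF, so a stray "\n" from echo would become part of
# the key. Otherwise fall back to prompting on the console through askpass.
emit_key() {
    keyfile="$1"
    tried="${2:-0}"

    if [ -n "$keyfile" ] && [ "$keyfile" != "none" ] && [ -r "$keyfile" ]; then
        # Redirection rather than "cat -- file" so this also works with the
        # minimal cat found in an initramfs.
        cat < "$keyfile"
        return $?
    fi

    if [ -x "$ASKPASS" ]; then
        # askpass prompts on the console and writes the passphrase to stdout.
        "$ASKPASS" "Unlocking ${CRYPTTAB_NAME:-target}: enter passphrase (attempt $((tried + 1))): "
        return $?
    fi

    # Fail loudly rather than hand cryptsetup an empty key.
    printf 'keyscript: key file %s not readable and %s not available\n' \
        "${keyfile:-<none>}" "$ASKPASS" >&2
    return 1
}

# Act as a keyscript only when invoked under the installed name; when run or
# sourced under another name (e.g. for testing) just define emit_key.
if [ "${0##*/}" = "echo-root-luks-pass" ]; then
    emit_key "${1:-$CRYPTTAB_KEY}" "${CRYPTTAB_TRIED:-0}"
fi
```

With the key field set to none, as in the answer's crypttab line, the script receives "none" as $1 and goes straight to the askpass prompt, which is the behaviour to expect at the first boot after installing it; once the key file path is in the key field, the unlock is unattended. Because a failing keyscript is retried by the initramfs scripts with CRYPTTAB_TRIED incremented, the non-zero return on a missing key file surfaces as a prompt or a clear error instead of a silent empty-key failure.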