Debian – Unlock LUKS encrypted Debian root with key file on boot partition

Tags: cryptsetup, debian, initramfs, luks

I'm trying to decrypt the Debian root with a key file stored in the boot partition (decrypted partition). This will break the security, but it doesn't matter now. I have to conclude this successfully or die trying.

I have created the hooks for the initramfs and the key file is in the /boot directory inside the initrd.img-* file. The path to the key file (/boot/keyfile) is in the /etc/crypttab file.

I updated the initramfs with sudo update-initramfs -u but I received this message: cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.

Ignoring the message and rebooting results in an unbootable disk. The message Gave up waiting for root device. is displayed and it drops to the initramfs shell.

In the initramfs environment cryptsetup doesn't exist. (Should it exist?)

It seems that update-initramfs -u "thinks" the sdaX_crypt device will be mounted in another way and doesn't configure it to decrypt with the key file.

How can I do that?

Best Answer

You can use the keyscript option in your crypttab instead (man crypttab). Just create a script that echoes your passphrase and set it as the keyscript argument, then regenerate your ramfs. You don't need any hooks, and you don't need to put the script in /boot/.

vg1-root_crypt UUID=94a3b301-123-12-a3-ea0403 none luks,keyscript=/etc/echo-root-luks-pass

I don't know why the initramfs hooks for cryptsetup prohibit you from just having the keyfile listed in crypttab. They probably don't want to condone such behavior.

P.S. I don't think that it breaks the security, it just weakens it more or less depending on how secure your /boot partition is. You could for example /boot off a USB drive, and keep the USB in your socks etc.
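As an added illustration of the keyscript approach from the answer above (example code, not from the answer's author or from Debian), here is a minimal keyscript and the crypttab line that wires it in. It assumes the script lives at /etc/echo-root-luks-pass and reads a text passphrase from a file; cryptsetup-initramfs hands the script the crypttab key field as $1 and in CRYPTTAB_KEY, and takes whatever the script writes to stdout as the passphrase.

```shell
#!/bin/sh
# Constructed example of a Debian crypttab keyscript (not the answer's own code).
# At boot, cryptsetup-initramfs runs the script and reads the passphrase from
# its stdout. All paths here are assumptions for the example.

KEYSCRIPT_PATH="/etc/echo-root-luks-pass"   # where the script is assumed to live

# emit_key FILE: write the passphrase stored in FILE to stdout with no trailing
# newline (a newline would otherwise become part of the key). Suitable for a
# text passphrase; command substitution strips trailing newlines, so a binary
# key file would need plain "cat" instead. On an unreadable file it prints
# nothing on stdout and returns non-zero, so cryptsetup does not get garbage
# and can fall back to prompting.
emit_key() {
    keyfile="$1"
    if [ ! -r "$keyfile" ]; then
        echo "keyscript: cannot read $keyfile" >&2
        return 1
    fi
    printf '%s' "$(cat "$keyfile")"
}

# crypttab_line NAME UUID: the /etc/crypttab entry for this keyscript. The
# third field is "none" because the script, not cryptsetup, supplies the key.
crypttab_line() {
    printf '%s UUID=%s none luks,keyscript=%s\n' "$1" "$2" "$KEYSCRIPT_PATH"
}

# When invoked by cryptsetup as the keyscript itself, emit the key.
# CRYPTTAB_KEY is set by cryptsetup-initramfs; the fallback path is assumed.
if [ "${0##*/}" = "echo-root-luks-pass" ]; then
    emit_key "${CRYPTTAB_KEY:-/etc/luks-root.key}"
fi
```

After installing the script (mode 0700, owned by root) and the crypttab line, regenerate the initramfs with update-initramfs -u as the answer says; the hook copies the keyscript into the initramfs for you.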
