[artix-general] [s6] system not decrypting/mounting (lvm on luks) a non root volume at boot

Dudemanguy dudemanguy at artixlinux.org
Wed Jul 15 00:45:22 CEST 2020


I'm not sure what your exact setup is, but one thing you could do is 
(assuming the boot partition is unencrypted which it sounds like it is) 
create a keyfile for the encrypted root and then bake it into the 
initramfs. You can do this with mkinitcpio by using the FILES option 
in the conf file and then make a new initramfs. This way, the root is 
unencrypted when the initramfs loads and before the init actually 
starts. So your root would be totally protected if someone tried to 
access it with a live iso/usb. An attacker with physical access could, 
of course, turn on the computer but they would just get to your login 
screen where presumably they couldn't do anything and not have any file 
access.

With that setup, you could create more keyfiles for your other encrypted 
partitions and store them in the root. There, you could set them in 
/etc/crypttab and those would unlock on boot and then mount if defined 
in /etc/fstab.


On 7/14/20 4:06 PM, Javier via artix-general wrote:
> Hi Dudemanguy, thanks a lot for the update.
> 
> I've never tried decrypting luks with keyfiles.  I'll have to explore it, since for some daemons (I haven't launched them since I migrated the boxes to s6), I really need all disks/partitions (even external disks) up and running after boot.
> 
> Perhaps the keyfile is even a more secure model, I don't know.  But so far, any key I host on the boxes is encrypted with some sort of passphrase (like the gpg and ssh ones).  I originally was concerned (when I 1st encrypted the disks) I'd have to keep a non encrypted key somewhere, in order to decrypt the disk.  Then I realized with grub one could encrypt boot with the key, and somehow, have a way for grub to decrypt boot...  I never got the time to experiment with that, :), but it seems it's time to...  I do keep boot as a separate partition from the root one and the uefi one.
> 
> Another thing for me to investigate is, how to generate a key for an already encrypted partition with password, since that might pose another challenge.
> 
> At any rate, thanks a lot for the research and trials.  I had hoped I didn't have to go the hard way just yet, but it'll be interesting for sure...
> 
> Thanks again !
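The keyfile workflow described in the reply above (a keyfile for the LUKS root embedded in the initramfs through mkinitcpio's FILES option, the remaining volumes unlocked from /etc/crypttab), written out as an added example that is not part of the thread. Device paths, the mapper name, the keyfile directory and the encrypt-hook kernel parameters are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: adjust for the real setup.
KEY_DIR=/etc/cryptsetup-keys.d   # root-only directory holding the keyfiles
ROOT_DEV=/dev/sda2               # placeholder: LUKS container holding the LVM PV
DATA_DEV=/dev/sdb1               # placeholder: second LUKS volume (non-root)

# Create a random keyfile readable only by root.
make_keyfile() {                 # $1 = keyfile path
    install -d -m 700 "$(dirname "$1")"
    dd if=/dev/urandom of="$1" bs=512 count=4 status=none   # 2048 random bytes
    chmod 600 "$1"
}

# Enroll the keyfile in a spare LUKS key slot; cryptsetup asks for an existing
# passphrase, so the volume keeps that passphrase as a fallback.
enroll_keyfile() {               # $1 = device, $2 = keyfile
    cryptsetup luksAddKey "$1" "$2"
}

# FILES=(...) line for /etc/mkinitcpio.conf: the listed files are copied
# into the initramfs image. A later assignment overrides an earlier one.
mkinitcpio_files_line() { printf 'FILES=(%s)\n' "$*"; }

# Kernel parameters for the encrypt hook: cryptkey=rootfs:<path> reads the
# keyfile out of the initramfs itself, before init starts.
cmdline_for_root() {             # $1 = LUKS UUID, $2 = mapper name, $3 = keyfile
    printf 'cryptdevice=UUID=%s:%s cryptkey=rootfs:%s\n' "$1" "$2" "$3"
}

# /etc/crypttab entry for a volume unlocked after root is up:
# name, device, keyfile (stored on the decrypted root), options.
crypttab_line() {                # $1 = name, $2 = UUID, $3 = keyfile, $4 = options
    printf '%s\tUUID=%s\t%s\t%s\n' "$1" "$2" "$3" "${4:-luks}"
}

apply() {
    make_keyfile "$KEY_DIR/root.key"; enroll_keyfile "$ROOT_DEV" "$KEY_DIR/root.key"
    make_keyfile "$KEY_DIR/data.key"; enroll_keyfile "$DATA_DEV" "$KEY_DIR/data.key"
    mkinitcpio_files_line "$KEY_DIR/root.key" >> /etc/mkinitcpio.conf
    crypttab_line data "$(blkid -s UUID -o value "$DATA_DEV")" "$KEY_DIR/data.key" >> /etc/crypttab
    echo "Add to the kernel command line: $(cmdline_for_root \
        "$(blkid -s UUID -o value "$ROOT_DEV")" cryptlvm "$KEY_DIR/root.key")"
    mkinitcpio -P                # rebuild the images with root.key inside
    chmod 600 /boot/initramfs-*.img   # the image now carries the key: keep it root-only
}

case "${1:-}" in apply) apply ;; esac   # nothing changes unless run with "apply"
```

The data volume then mounts at boot once /etc/fstab lists /dev/mapper/data, the name given in the crypttab entry.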
