Re: [qubes-devel] Extra partitions in /etc/crypttab in initramfs

Fri, 28 Oct 2016 14:32:51 -0700 

On 10/28/2016 12:39 PM, Trammell Hudson wrote:
> On Fri, Oct 28, 2016 at 01:34:09PM +0200, Marek Marczykowski-Górecki wrote:
>> On Fri, Oct 28, 2016 at 05:28:52AM -0600, Trammell Hudson wrote:
>>> I'm not sure if this issue affects anyone else, but the /etc/crypttab in
>>> initramfs does not have entries for extra partitions that were created
>>> during installation.  It only has / and swap. [...]
>> /etc/crypttab in initramfs is generated (not copied) by dracut. See
>> here:
>> /usr/lib/dracut/modules.d/90crypt/module-setup.sh
> It looks like that parses the existing /etc/crypttab on the running
> system, so I wonder if the extra partitions are not listed there
> during the install.  That's difficult for me to verify right now.
>
>> Anyway I think it all should be possible also using kernel command line,
>> see man dracut.cmdline.
> A related issue is that the kernel command line parameter
> rd.luks.key=/secret.key to set the keyfile for all devices does not
> seem to be honored by the initramfs.  The keyfile is only used if it is
> specified in the /etc/crypttab in initramfs.

This is a dracut + systemd bug.  It's somewhere in the red hat
bugzilla.  Briefly said, you must add the keyfile to /etc/crypttab. 
Effectively key files are no longer supported like they used to be
supported prior to systemd.

Key file support works fine after the initramfs is done, the system has
pivoted to the actual root, and the regular boot-from-root process has
started.


>
> There is also discussion online that if the initramfs has a
> /crypto_keyfile.bin that it will be used by default, but this does not
> seem to be the case.  I don't see any references to that file in
> the generated initramfs.
>

That's a false rumor.


-- 
    Rudd-O
    http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/ae5f057f-9186-14b1-d67a-5260fb9ad541%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to