On Thursday, September 15, 2016 at 7:38:03 PM UTC+2, 0mn1...@gmail.com wrote:
> Good evening.
> I'm hoping someone can give me a hand here. What I am trying to do is set up
> my Qubes install so that "/" is unlocked with a keyfile and not a passphrase.
> Preferably an encrypted keyfile that can be decrypted using keyscript in
> Adding a keyfile using cryptsetup and then adding an entry in /etc/crypttab
> doesn't seem to work and I do not think forcing dracut to omit "systemd" is a
> good idea, from my limited know-how.
> Another solution I found is to copy the keyfile to initramfs but if it isn't
> encrypted, another bad idea. I have not yet found a way to get keyscript to
> work in order to encrypt the keyfile copied to initramfs.
> Any information and help on this matter is greatly appreciated.
I am not sure if I can help with Qubes (Fedora); however, on Arch I just create
a 4096-bit key and add the keyfile to LUKS (cryptsetup luksAddKey /dev/sdx
/crypted_keyfile.bin). I also make sure that nobody except Grub can read the
file (chmod 000 /crypted_keyfile.bin).
Then I add the crypted_keyfile for the LUKS partition to initramfs (adding
FILES="/crypted_keyfile.bin" to mkinitcpio.conf and generating initramfs).
Obviously the crypted_keyfile can be located on separate USB flash...
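
An audit of the setup described in the reply above, as an added example that is not part of the original message: it checks the keyfile's permissions, the FILES= entry, and the permissions of the generated image, which carries a copy of the key. The function names and the paths passed in are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a keyfile-in-initramfs setup.
# Usage: audit.sh KEYFILE MKINITCPIO_CONF INITRAMFS_IMAGE  (all paths are
# supplied by the caller; nothing here is a fixed system location).

# Print the octal permission bits of a file (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Succeed only if group and other have no access at all (000, 400, 600, ...).
owner_only() {
    case "$(mode_of "$1")" in
        0|[0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per finding and return the number of findings (0 = clean).
audit_keyfile_setup() {
    keyfile=$1 conf=$2 image=$3
    findings=0

    if ! owner_only "$keyfile"; then
        echo "FAIL: $keyfile open to group/other (mode $(mode_of "$keyfile"))"
        findings=$((findings + 1))
    fi

    # Only an uncommented FILES= line counts; the path is matched literally.
    if ! grep -E '^[[:space:]]*FILES=' "$conf" | grep -Fq -- "$keyfile"; then
        echo "FAIL: $keyfile not listed in FILES= in $conf"
        findings=$((findings + 1))
    fi

    # The image embeds the key in the clear, so it needs the same protection.
    if ! owner_only "$image"; then
        echo "FAIL: $image open to group/other (mode $(mode_of "$image"))"
        findings=$((findings + 1))
    fi

    return "$findings"
}

if [ "$#" -eq 3 ]; then
    audit_keyfile_setup "$@"
fi
```
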