On Thursday, September 15, 2016 at 7:38:03 PM UTC+2, 0mn1...@gmail.com wrote:
> Good evening.
> I'm hoping someone can give me a hand here. What I am trying to do is setup 
> my Qubes install so that "/" is unlocked with a keyfile and not a passphrase. 
> Preferably an encrypted keyfile that can be decrypted using keyscript in 
> /etc/crypttab. 
> Adding a keyfile using cryptsetup and then adding an entry in /etc/crypttab 
> doesn't seem to work and I do not think forcing dracut to omit "systemd" is a 
> good idea, from my limited know-how.
> Another solution I found is to copy the keyfile to initramfs but if it isn't 
> encrypted, another bad idea. I have not yet found a way to get keyscript to 
> work in order to encrypt the keyfile copied to initramfs.
> Any information and help on this matter is greatly appreciated.

I am not sure if I can help with Qubes (Fedora), however on Arch I just create 
4096 bit key and add the keyfile to LUKS (cryptsetup luksAddKey /dev/sdx 
/crypted_keyfile.bin). I also make sure that nobody except Grub can read the 
file (chmod 000 / crypted_keyfile.bin). 
Then I add the crypted_keyfile for the LUKS partition to initramfs (adding 
FILES="/crypted_keyfile.bin" to mkinitcpio.conf and generate initramfs).
Obviously the crypted_keyfile can be located on separate USB flash...

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to