On Thursday, September 15, 2016 at 7:38:03 PM UTC+2, 0mn1...@gmail.com wrote:
> Good evening.
> 
> I'm hoping someone can give me a hand here. What I am trying to do is set up 
> my Qubes install so that "/" is unlocked with a keyfile and not a passphrase. 
> Preferably an encrypted keyfile that can be decrypted using keyscript in 
> /etc/crypttab. 
> 
> Adding a keyfile using cryptsetup and then adding an entry in /etc/crypttab 
> doesn't seem to work and I do not think forcing dracut to omit "systemd" is a 
> good idea, from my limited know-how.
> 
> Another solution I found is to copy the keyfile to initramfs but if it isn't 
> encrypted, another bad idea. I have not yet found a way to get keyscript to 
> work in order to encrypt the keyfile copied to initramfs.
> 
> Any information and help on this matter is greatly appreciated.

I am not sure if I can help with Qubes (Fedora); however, on Arch I just create a 
4096-bit key and add the keyfile to LUKS (cryptsetup luksAddKey /dev/sdx 
/crypted_keyfile.bin). I also make sure that nobody except Grub can read the 
file (chmod 000 /crypted_keyfile.bin). 
Then I add the crypted_keyfile for the LUKS partition to initramfs (adding 
FILES="/crypted_keyfile.bin" to mkinitcpio.conf and generating the initramfs).
Obviously the crypted_keyfile can be located on a separate USB flash...

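A permission check for the setup described in the reply above, as an added example that is not part of the original message: because FILES= copies the keyfile into the initramfs image, the image carries the key material and needs the same restrictive mode as the keyfile. The function names and the paths in the usage comment are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit a LUKS keyfile and the initramfs image that embeds it.
# It only inspects file metadata; it never reads the key or touches LUKS headers.

# mode_of FILE -> octal permission bits (GNU stat, then BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_embedded_key KEYFILE INITRAMFS_IMAGE
# Prints one finding per line and returns the number of findings (0 = clean).
audit_embedded_key() {
    key=$1
    img=$2
    findings=0
    for f in "$key" "$img"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            findings=$((findings + 1))
            continue
        fi
        m=$(mode_of "$f")
        # Any group/other bit set means non-root users can reach the key.
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "LOOSE $f mode=$m"
            findings=$((findings + 1))
        fi
    done
    # -s tests size via metadata, so it works even on a mode-000 keyfile.
    if [ -f "$key" ] && [ ! -s "$key" ]; then
        echo "EMPTY $key"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use (illustrative paths):
#   sh audit.sh /crypted_keyfile.bin /boot/initramfs-linux.img
if [ "$#" -eq 2 ]; then
    audit_embedded_key "$1" "$2"
fi
```

A mode-000 keyfile next to a world-readable image is still reported, since any local user could extract the key from that image.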