On Saturday, September 17, 2016 at 1:20:56 PM UTC+3, Jan Betlach wrote:
> On Thursday, September 15, 2016 at 7:38:03 PM UTC+2, 0mn1...@gmail.com wrote:
> > Good evening.
> > I'm hoping someone can give me a hand here. What I am trying to do is set up
> > my Qubes install so that "/" is unlocked with a keyfile and not a
> > passphrase. Preferably an encrypted keyfile that can be decrypted using
> > keyscript in /etc/crypttab.
> > Adding a keyfile using cryptsetup and then adding an entry in /etc/crypttab
> > doesn't seem to work and I do not think forcing dracut to omit "systemd" is
> > a good idea, from my limited know-how.
> > Another solution I found is to copy the keyfile to initramfs but if it
> > isn't encrypted, another bad idea. I have not yet found a way to get
> > keyscript to work in order to encrypt the keyfile copied to initramfs.
> > Any information and help on this matter is greatly appreciated.
> I am not sure if I can help with Qubes (Fedora), however on Arch I just
> create a 4096-bit key and add the keyfile to LUKS (cryptsetup luksAddKey
> /dev/sdx /crypted_keyfile.bin). I also make sure that nobody except Grub can
> read the file (chmod 000 /crypted_keyfile.bin).
> Then I add the crypted_keyfile for the LUKS partition to initramfs (adding
> FILES="/crypted_keyfile.bin" to mkinitcpio.conf and generate initramfs).
> Obviously the crypted_keyfile can be located on separate USB flash...
Guess I'll go with copying the keyfile to initramfs and encrypting it with gpg,
to be decrypted at boot via password. On Debian this was straightforward,
adding "keyscript=/lib/cryptsetup/scripts/decrypt_gnupg" in /etc/crypttab but
as of now I haven't found an equivalent for Qubes or Fedora. Suppose I'll have
to keep looking.
Thank you for your reply and have a good one.