On Sunday, September 18, 2016 at 9:50:59 PM UTC+3, Connor Page wrote:
> https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_crypto_luks_key_on_removable_device_support

Thanks for your reply. I am not skilled enough yet to understand the sections 
relating to "gpg", specifically, how to put them to use.

Unfortunately after much experimentation only one "fix" seems to make my below 
setup work. These are the steps I have taken to attempt unlock via keyfile:

- create keyfile of random data and move it to /boot.
- add keyfile to LUKS keychain. 
" sudo cryptsetup luksAddKey /dev/disk/by-UUID/**** /boot/keyfile "
- edit /etc/crypttab to look similar to this:
" luks-**** UUID=**** /boot/keyfile luks "
- checked to make sure dracut config contains the following:
' add_dracutmodules+="lvm crypt" '
- edited /etc/default/grub to add the following to GRUB_CMDLINE_LINUX:
" rd.luks.key=/boot/keyfile:UUID=**** "
- made sure "systemd" is an omitted module in dracut.
- regenerated dracut and grub2 configurations.

This was done in Qubes R3.2. Will attempt in 3.1 as well. Without omitting 
"systemd" module in dracut, the above setup does not work and qubes defaults to 
asking for a passphrase. Why it is this way, I do not know. Any more 
information anyone could provide on how this can be properly done is 
appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/245f9458-bf4d-480e-a155-b2ab97d71694%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to