FS#15738 - [cryptsetup] initcpio-hook enhancement
Attached to Project:
Arch Linux
Opened by Jim Pryor (Profjim) - Friday, 31 July 2009, 08:05 GMT
Last edited by Tom Gundersen (tomegun) - Tuesday, 13 November 2012, 12:43 GMT
Details
My current disk setup requires my laptop root and swap
drives to be on different LUKS partitions. That makes it
impossible to use the resume hook in mkinitcpio, since I
won't have any /dev/unencrypted_device to point resume to on
the grub kernel line. It looks like the existing encrypt
hook can be used to decrypt root or (undocumented, but
should work) the swap/resume volume, but not both.
I've seen this discussed before, e.g.: http://bbs.archlinux.org/viewtopic.php?id=63011. Based on those discussions, what seems to me to be the most robust solution is decrypting + mounting one partition, which contains the keyfiles for your root and/or swap/suspend volume, then umounting the partition with the keyfiles. It works best if this partition is unjournaled and/or never mounted when one hibernates the machine. Though you may be able to work around that; see the above forum post.

In my case, I just shrunk my boot partition a bit and made a tiny small new partition to hold the keyfiles for root and swap. This partition is only ever decrypted and mounted during the bootup sequence.

I wrote and am successfully using the attached initcpio hook. From its help():

This hook allows for multiple encrypted root devices (for example, root and swap) to be opened at init time. It uses a kernel argument cryptkey= in the same way as the encrypt hook (it can be left empty, or supplied as dev:fstype:path, or supplied as dev:raw_numeric_offset:length). Instead of the encrypt hook's required cryptdevice= argument, it instead uses a cryptdevices= argument, whose format must be:

cryptdevices=dev_holding_keyfiles:fstype[:path],\
  dev1_to_decrypt:alias_for_it,\
  dev2_to_decrypt:alias_for_it,...

The code is based on the encrypt hook code. I just removed the handling of legacy encryption, parsed the more complex cryptdevices instead of cryptdevice, and used a cascade of calls to cryptsetup luksOpen...
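The cryptdevices= scheme described in the post, as an added example that is not the attached multicrypt hook: it parses the keyfile-partition spec and the dev:alias list with shell parameter expansion alone, then runs the open / mount / luksOpen-cascade / umount / luksClose sequence through a run() wrapper so the command sequence can be inspected with MULTICRYPT_DRY_RUN=1 on a machine with no LUKS devices. The mapping name "ckey", the mount point /ckey, the default path "/" and the convention that alias X uses keyfile "<path>/X" are assumptions of this example, not from the ticket.

```sh
#!/bin/sh
# Added example, not the multicrypt hook attached to this ticket. It parses
# the cryptdevices= format from the ticket,
#     keydev:fstype[:path],dev1:alias1,dev2:alias2,...
# with parameter expansion alone (no /bin/replace helper) and drives the
# luksOpen cascade through run(), so MULTICRYPT_DRY_RUN=1 prints the
# command sequence instead of touching any device. Assumed, not from the
# ticket: key partition mapped as "ckey", mounted read-only on /ckey,
# path defaults to "/", and alias X uses keyfile "<path>/X".
run() { if [ -n "$MULTICRYPT_DRY_RUN" ]; then echo "+ $*"; else "$@"; fi; }

# key_spec STRING -> "keydev fstype path"; status 1 if fstype is missing.
key_spec() {
    k=${1%%,*}; keydev=${k%%:*}; t=${k#*:}
    [ -n "$keydev" ] && [ "$t" != "$k" ] && [ -n "${t%%:*}" ] || return 1
    p=${t#*:}; [ "$p" = "$t" ] && p=/    # no path given: use "/"
    printf '%s %s %s\n' "$keydev" "${t%%:*}" "$p"
}

# device_pairs STRING -> "dev1:alias1 dev2:alias2 ..."; status 1 if an entry
# lacks a device or an alias, or if no device entries follow the key spec.
device_pairs() {
    case $1 in *,*) r=${1#*,} ;; *) return 1 ;; esac
    out=
    while [ -n "$r" ]; do
        pair=${r%%,*}; case $r in *,*) r=${r#*,} ;; *) r= ;; esac
        [ -n "${pair%%:*}" ] && [ -n "${pair#*:}" ] && [ "$pair" != "${pair#*:}" ] || return 1
        out="$out${out:+ }$pair"
    done
    printf '%s\n' "$out"
}

# open_all STRING: open and mount the key partition, luksOpen every listed
# device with its keyfile, then unmount and luksClose the key partition so
# it is exposed only for the duration of the cascade.
open_all() {
    ks=$(key_spec "$1") && pairs=$(device_pairs "$1") || return 1
    set -- $ks; keydev=$1; fstype=$2; path=$3; rc=0
    run cryptsetup luksOpen "$keydev" ckey || return 1
    run mkdir -p /ckey && run mount -t "$fstype" -o ro /dev/mapper/ckey /ckey \
        || { run cryptsetup luksClose ckey; return 1; }
    for pair in $pairs; do
        run cryptsetup luksOpen --key-file "/ckey${path%/}/${pair#*:}" \
            "${pair%%:*}" "${pair#*:}" || rc=1   # keep going, still clean up
    done
    run umount /ckey && run cryptsetup luksClose ckey || rc=1
    return $rc
}

# Constructed sample argument; the dry run only prints the command sequence.
MULTICRYPT_DRY_RUN=1 open_all "/dev/sda2:ext2:/keys,/dev/sda3:root,/dev/sda4:swap"
```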
This task depends upon
Closed by Tom Gundersen (tomegun)
Tuesday, 13 November 2012, 12:43 GMT
Reason for closing: Deferred
Additional comments about closing: see last comment
Generally, I can support such a solution if we leave it in a separate hook. Let's see when I get time to verify the code. If you have improvements, don't hesitate to post them too.
I found that the small partition holding the keys to unlock your root and swap partitions wasn't getting unmounted + luksClosed properly, because I was using some switches on umount which weren't available in the pared-down version of umount on the initrd. I don't know where I had seen those switches recommended; but in any case, now they're gone and this version seems to work cleanly.
e.g. cryptdevice=/dev/sda4:volgroup,/dev/sdb1:volgroupextend
I looked at the multicrypt script but I can't understand how it's "supposed" to loop through multiple LUKS volumes/partitions
in particular...
set -- $(/bin/replace "${cryptdevices}" ',')
How does this work. The normal "replace" takes input from standard input. Even if there was some standard input it would effectively do...
set -- ,
...how is that even helpful? replace also doesn't seem to be available in my initramfs image (added break=y parameter at boot to see what programs were available)
I'm also not sure what the purpose of this is...
if [ ! -e "/dev/mapper/control" ]; then
    /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
fi
multicrypt (4 KiB)