Problem with encrypted /boot

Diego Zuccato diego.zuccato at unibo.it
Wed Jun 4 12:27:27 CEST 2025


Update: it now works as expected. Might it be worthy of inclusion with 
other user-contributed scripts?

class/ENCRYPTED.var :
-8<--
FAI_KEEP_CRYPTKEYFILE=1
LUKS_PASS="YourBootPassword"
-8<--

hooks/configure.ENCRYPTED :
-8<--
#!/bin/sh
# Requires ENCRYPTED.var for setup (FAI_KEEP_CRYPTKEYFILE=1 and LUKS_PASS)

# crypttab written by FAI's partitioning task; it references the
# keyfiles kept under $LOGDIR, which do not exist once the target boots
srctab="${LOGDIR}/crypttab"
tmptab="${LOGDIR}/crypttab.tmp"

# keyfiles live in /etc/keys on the target, readable by root only
mkdir -p /target/etc/keys
chmod 0700 /target/etc/keys

# start with an empty temporary crypttab (no leading blank line)
: > "$tmptab"

while read -r name dev keyfile x; do
     # add a passphrase slot for GRUB, using the existing keyfile to
     # authenticate; GRUB can only unlock pbkdf2 slots, not Argon2
     yes "${LUKS_PASS}" | cryptsetup luksAddKey --key-slot=9 --pbkdf=pbkdf2 --key-file "${keyfile}" "${dev}"

     # move the keyfile from $LOGDIR into /etc/keys and rewrite the path
     newkeyfile="$(echo "$keyfile" | sed "s:${LOGDIR}:/etc/keys:")"
     mv "${keyfile}" "/target/${newkeyfile}"
     chmod 0600 "/target/${newkeyfile}"
     echo "${name} ${dev} ${newkeyfile} $x" >> "$tmptab"
done < "$srctab"
mv "$tmptab" "$srctab"
cp "$srctab" /target/etc/crypttab

# let the initramfs hook pick up the keyfiles, and keep the initrd root-only
echo "KEYFILE_PATTERN=/etc/keys/*" >> /target/etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" > /target/etc/initramfs-tools/conf.d/restrictperms.conf

$ROOTCMD update-initramfs -u
-8<--

The early phase of the boot asks for the password, then the GRUB menu 
lets me select what to load. Since the key is now in initrd, there's no 
need to ask the pass again.
CAVEAT: since the key is in the initrd, it remains in memory during 
suspend. Might be a problem for some scenarios.

Diego

On 04/06/2025 09:21, Diego Zuccato wrote:
> Hi.
> 
> I'm getting mad (also) at setting up encrypted boot.
> The problem is that if I set up an encrypted /boot partition (possibly 
> I'm the first one trying?), the keyfile does not end up in initramfs.
> 
> IIUC, I have to:
> - have FAI_KEEP_CRYPTKEYFILE during install (e.g. via ENCRYPTED.var)
> - create hooks/mountdisks.ENCRYPTED that:
>    - set up a password to unlock GRUB loading (have to use pbkdf2 instead 
> of Argon2) after task_partition
>    - change KEYFILE_PATTERN in /target/etc/cryptsetup-initramfs/conf-hook 
> to match crypttab
>    - set UMASK=0077 in 
> /target/etc/initramfs-tools/conf.d/restrictperms.conf
> 
> *BUT* /etc/crypttab contains a reference to /tmp/fai/crypt_dev_sda2 that 
> does not exist anymore when the system is booting! (/tmp is emptied at 
> every boot, the keyfile is in /var/log/fai/$(hostname -s)/last/): should 
> I edit it in my mountdisks.ENCRYPTED script or is there a better (or 
> more correct) way?
> 
> TIA
> 

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
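Added example, not part of Diego's post or of FAI: a post-install check for the keyfile layout the configure.ENCRYPTED hook above produces, meant to be run before the first reboot (against /target during the FAI run, or / afterwards). It catches the failure mode from the thread (crypttab still pointing at a path under /tmp/fai or /var/log/fai), plus the permission and KEYFILE_PATTERN mistakes that would otherwise only show up as a second passphrase prompt or a world-readable key. Assumptions: the Debian cryptsetup-initramfs paths used in the hook, a single glob in KEYFILE_PATTERN, GNU stat, and (for the initrd check) that keyfiles are packed under cryptroot/keyfiles/ inside the initrd.

```shell
#!/bin/sh
# Added example (not from the original post or from FAI): sanity-check the
# encrypted-/boot keyfile layout before rebooting the target.
# Assumptions: Debian cryptsetup-initramfs paths as used in the hook above,
# KEYFILE_PATTERN holds one shell glob, GNU stat is available.

# check_crypt_layout ROOT
# Prints one FAIL line per problem; returns 1 if any check failed.
check_crypt_layout() {
    root="$1"
    rc=0
    crypttab="$root/etc/crypttab"
    confhook="$root/etc/cryptsetup-initramfs/conf-hook"
    umaskconf="$root/etc/initramfs-tools/conf.d/restrictperms.conf"

    [ -f "$crypttab" ] || { echo "FAIL: $crypttab missing"; return 1; }

    # /etc/keys must be accessible by root only
    mode=$(stat -c %a "$root/etc/keys" 2>/dev/null || echo absent)
    [ "$mode" = "700" ] || { echo "FAIL: $root/etc/keys mode $mode, want 700"; rc=1; }

    # the glob the initramfs hook uses to decide which keyfiles to copy
    pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' "$confhook" 2>/dev/null | tail -n 1)
    [ -n "$pattern" ] || { echo "FAIL: KEYFILE_PATTERN not set in $confhook"; rc=1; }

    while read -r name dev keyfile opts; do
        case "$name" in ""|"#"*) continue ;; esac
        case "$keyfile" in
            ""|none) continue ;;    # passphrase-only entry, nothing to check
            /tmp/*|/var/log/fai/*)
                # the problem from the thread: this path only exists during the FAI run
                echo "FAIL: $name references installer path $keyfile"; rc=1; continue ;;
        esac
        [ -f "$root$keyfile" ] || { echo "FAIL: $name keyfile $keyfile not in target"; rc=1; continue; }
        kmode=$(stat -c %a "$root$keyfile")
        [ "$kmode" = "600" ] || { echo "FAIL: $keyfile mode $kmode, want 600"; rc=1; }
        # a keyfile outside KEYFILE_PATTERN silently never reaches the initrd;
        # the unquoted expansion is intentional so the glob is matched as a pattern
        case "$keyfile" in
            ${pattern:-/nonexistent/*}) ;;
            *) echo "FAIL: $keyfile not matched by KEYFILE_PATTERN=$pattern"; rc=1 ;;
        esac
    done < "$crypttab"

    grep -qx 'UMASK=0077' "$umaskconf" 2>/dev/null \
        || { echo "FAIL: UMASK=0077 not set in $umaskconf"; rc=1; }

    return "$rc"
}

# check_initrd_has_keyfiles INITRD
# Lists the keyfiles packed into an initrd. The cryptroot/keyfiles/ location
# is assumed to be what cryptsetup-initramfs uses; adjust if yours differs.
check_initrd_has_keyfiles() {
    initrd="$1"
    command -v lsinitramfs >/dev/null 2>&1 || { echo "SKIP: lsinitramfs not found"; return 0; }
    lsinitramfs "$initrd" | grep 'cryptroot/keyfiles/' \
        || { echo "FAIL: no keyfiles inside $initrd"; return 1; }
}

# Usage, e.g. from a hook that runs after update-initramfs (placeholder kernel version):
#   check_crypt_layout /target && check_initrd_has_keyfiles /target/boot/initrd.img-<target-kernel>
```

The layout check deliberately fails on any keyfile path under /tmp or /var/log/fai, since that is exactly the crypttab state the earlier message describes; the initrd check is the confirmation that the key really was picked up, which is what decides whether the second passphrase prompt goes away.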


