Re: [RFC] Passing luks passphrase from grub to systemd
From: Hansjoerg Lipp
Date: Sun Apr 15 2018 - 20:11:34 EST
Hello Oleksandr.

On 16.04.2018 at 00:25, Oleksandr Natalenko wrote:
>> as I'm stuck with a (non-EFI x86_64) system with encrypted root
>> partition, I have to enter the passphrase twice (grub needs it for
>> getting the kernel etc., systemd needs it for mounting the root
>> partition). This can be quite inconvenient, especially if the passphrase
>> is long and contains special characters, and grub assumes a different
>> keyboard layout.
>
> Just fill another LUKS slot with a randomly generated key file and add that
> file to your initramfs (which already resides on encrypted /boot, right?). If
> your distro cannot do that, you should probably be fixing things there, not
> adding ugly hacks to the kernel.

Yes, I never considered this proof of concept code as a good solution (I
don't want to get it into the kernel!), it was meant as a starting point
for discussing whether there is a need for some mechanism to get data like
this from the boot loader to the init process, and if so, how to do it
right (and it was actually fun to learn a bit about all this).

I'm thankful for your hint how I could solve my personal luks problem in
a clean way (although it somehow does not feel right to have a key file
accessible to probable malware while the machine is running; of course a
paranoid thought of mine...).

Kind regards and thanks again
Hansjoerg
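
The exposure discussed in this exchange, a LUKS key file and the initramfs image that embeds it being readable on the running system, can be checked mechanically. The following is an added example, not code from the thread; the function names and the paths in the usage comment are hypothetical and vary by distribution.

```shell
#!/bin/sh
# Added example: audit that a LUKS key file and the initramfs images that
# embed it grant no access to group or other. An initramfs that contains the
# key is as sensitive as the key itself.
#
# Usage (hypothetical paths, adjust for your distribution):
#   ./audit-boot-secrets.sh /etc/keys/root.key /boot/initramfs-linux.img

# Returns 0 when the file's mode grants any access to group or other,
# 1 when it does not, 2 when the file cannot be stat'ed.
is_exposed() {
    mode=$(stat -c '%a' -- "$1") || return 2
    # Pad so that modes such as "0" or "40" compare correctly.
    mode=$(printf '%04d' "$mode")
    case "$mode" in
        *00) return 1 ;;   # group and other bits are all clear
        *)   return 0 ;;
    esac
}

# Prints one line per path; the exit status is the number of paths that are
# missing or exposed (0 means every file passed).
audit_boot_secrets() {
    bad=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            bad=$((bad + 1))
        elif is_exposed "$f"; then
            echo "EXPOSED  $(stat -c '%a %U:%G' -- "$f")  $f"
            bad=$((bad + 1))
        else
            echo "ok       $f"
        fi
    done
    return "$bad"
}

# Run the audit only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_boot_secrets "$@"
fi
```

This checks file modes only; a process already running as root can read the key regardless, which is the residual risk the message above alludes to.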