While installing gentoo on my laptop, I had to switch over and use initramfs as I want full disk encryption.
Dracut provides a module which can load gpg encrypted keys and open a LUKS encrypted disk. This is nice, but it requires manual setup.
As I always forget about such things, I went on and implemented a small but easy to use auto-detection for LUKS encrypted volumes.
The script checks /boot/.luks for key-files named <VOLUME UUID>[.gpg] for each LUKS Device found in fstab. if found, it adds a entry to /etc/cmdline.
The patch is simple and consistent with how dracut deals with UUIDS (which is rather odd, they use udev to get the UUID instead using blkid. No idea why).

Patch for the crypt-module in /usr/lib/dracut/modules/90crypt (if using gpg-encrypted files, you need add crypt-gpg to the modules list in /etc/dracut.conf or you won’t be able to open your key on boot!)

--- module-setup.sh.orig	2012-02-24 15:38:08.000000000 +0100
+++ module-setup.sh	2012-03-29 00:24:49.997233979 +0200
@@ -22,6 +22,23 @@
         [[ ${ID_FS_UUID} ]] || return 1
         if ! [[ $kernel_only ]]; then
             echo " rd.luks.uuid=luks-${ID_FS_UUID} " >> "${initdir}/etc/cmdline.d/90crypt.conf"
+	    # look for keyfiles in $luks_key_dir (default:/boot/.luks).
+	    # Keys must be named ${ID_FS_UUID} or {ID_FS_UUID}.gpg
+	    # you need add the crypt-gpg modules to the list of additional modules to have gpg keys work.
+	    local keydir=${luks_key_dir-/boot/.luks}
+	    local keyfile=${keydir}/${ID_FS_UUID}
+	    # check for keyfile. if none try add .gpg
+	    [[ -f ${keyfile} ]] || keyfile=${keyfile}.gpg
+	    [[ -f ${keyfile} ]] || return 1
+            ID_KEY_UUID=$(udevadm info --query=property --name=$(readlink -f "/dev/block/$(find_block_device "/boot")") \
+                | while read line; do
+                    [[ ${line#ID_FS_UUID} = $line ]] && continue
+                    eval "$line"
+                    echo $ID_FS_UUID
+                    break
+                    done)
+	    [[ ${ID_KEY_UUID} ]] || return 1
+            echo " rd.luks.key=${keyfile}:UUID=${ID_KEY_UUID}:UUID=${ID_FS_UUID} " >> "${initdir}/etc/cmdline.d/90crypt.conf"
         fi
         return 0
     }
@@ -29,7 +46,7 @@this
     [[ $hostonly ]] || [[ $mount_needs ]] && {
         for_each_host_dev_fs check_crypt || return 1
     }
-
+    ddebug < ${initdir}/etc/cmdline.d/90crypt.conf
     return 0
 }

The path to the key-directory can be configured in /etc/dracut.conf

# location of keys.
# keys must be named {FSUUID} or {FSUUID}.gpg where FSUUID is the luks-device (not the key device!)
# for example "5b1049c3-ae7c-4b4c-99e7-240ba4a76f94" or "5b1049c3-ae7c-4b4c-99e7-240ba4a76f94.gpg".
#luks_key_dir="/boot/.luks"

dracut-crypt-gpg-extension.patch

anyone knows how to disable that stupid file extension filter in wordpress? simply rename .patch to .patch.txt is enough. This is just stupid in a single user setup as mine.

To answer a question in the comments, if one is paranoid and does not trust the boot partition (which has to be world readable), there are 2 ways to solve this:

  1. Use external boot volumes. Just put everything on a USB-Stick or a SD-Card. Just keep this with you all the time (or hide it in a secure location)
  2. use SATA full decryption (requires BIOS support). This allows to encrypt the disk fully without any LUKS and alike. The BIOS/Disk is responsible for doing all the stuff. This is transparent to linux, it does not even know the disk is encrypted. However, this requires HArdware support, and you have to Trust your Harddisk Vendor to implement the encryption correct (and not insert any backdoors).

Flattr this!

One Response to “LUKS key autodetection for dracut”
  1. Hey there! Do you know if they make any plugins to protect against hackers? I’m kinda paranoid about losing everything I’ve worked hard on. Any suggestions?