
[SOLVED] Add keyfile to unlock the system

I have Artix installed with full disk encryption and the grub-improved-luks2-git bootloader from AUR. I need to add a keyfile so that I only have to enter the password once instead of twice. Here is a list of what I did:

Code:
sudo -i
mkdir /root/secrets
dd bs=512 count=4 if=/dev/urandom of=/root/secrets.x230.bin
chmod 000 /root/secrets.x230.bin

# "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" I replaced it with the value for /dev/sda2 from the command "ls -l /dev/disk/by-uuid"
cryptsetup luksAddKey /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /root/secrets.x230.bin

# I tried using this command instead of the one above "cryptsetup luksAddKey /dev/sda2 /root/secrets.x230.bin"

# Edit /etc/mkinitcpio.conf
FILES=(/root/secrets.x230.bin)
HOOKS=(base udev autodetect modconf kms encrypt keyboard keymap consolefont block lvm2 filesystems fsck)
mkinitcpio -P
reboot

After that I expect to enter the password only once, but I am greeted with a second prompt to enter the disk password. I don't know if it makes sense, but I regenerated the grub file and reinstalled the bootloader by doing:

Code:
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub /dev/sda --recheck

But the problem remains. I also tried to unlock the disk with the key (/root/secrets.x230.bin) from the LiveCD and it works.

Tell me, what did I miss?

Re: Add keyfile to unlock the system

Reply #1
Oh god, I forgot to specify the key in the grub file...

Re: [SOLVED] Add keyfile to unlock the system

Reply #2
Quote: Oh god, I forgot to specify the key in the grub file...

It would be much more helpful if you posted what you did exactly to fix that instead of being... cryptic (pun intended).

Re: [SOLVED] Add keyfile to unlock the system

Reply #3
Edited /etc/default/grub and added the path to the key in the GRUB_CMDLINE_LINUX_DEFAULT line, so it looks like this:

Code:
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=d3412596-7138-4392-b6d9-2d0d3c433900:luks:allow-discards root=UUID=3eabad26-a765-414c-bd79-fc3bf66f58ac cryptkey=rootfs:/root/secrets/128.bin"

After that, regenerate the config:
Code:
grub-mkconfig -o /boot/grub/grub.cfg
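
Added example, not part of any post in this thread: a shell check for the mismatch behind the second prompt in the first post, where the keyfile was embedded through FILES=() but no cryptkey= parameter pointed the encrypt hook at it. It assumes the stock mkinitcpio encrypt hook, which falls back to /crypto_keyfile.bin when cryptkey= is absent; the function names check_keyfile_config and is_private are hypothetical, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the stock mkinitcpio "encrypt"
# hook, which looks for /crypto_keyfile.bin when no cryptkey= is given.

# check_keyfile_config MKINITCPIO_CONF GRUB_DEFAULT
# Returns 0 if the keyfile the hook will look for is embedded via FILES=(),
# 1 if it is not, 2 if cryptkey= names a device instead of rootfs:.
check_keyfile_config() {
    conf=$1 grub=$2
    # Paths inside the last uncommented FILES=(...) line.
    files=$(sed -n 's/^[[:space:]]*FILES=(\(.*\)).*$/\1/p' "$conf" | tail -n 1)
    # Kernel parameters from every GRUB_CMDLINE_LINUX* assignment.
    cmdline=$(sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX[A-Z_]*="\(.*\)".*$/\1/p' "$grub" | tr '\n' ' ')

    key=
    for word in $cmdline; do
        case $word in cryptkey=*) key=${word#cryptkey=} ;; esac
    done

    case $key in
        '')       path=/crypto_keyfile.bin ;;    # hook default
        rootfs:*) path=${key#rootfs:} ;;
        *)        echo "external: cryptkey=$key is read from a device"
                  return 2 ;;
    esac

    for f in $files; do
        if [ "$f" = "$path" ]; then
            echo "ok: $path is listed in FILES"
            return 0
        fi
    done
    echo "mismatch: hook looks for $path, FILES has: ${files:-nothing}"
    return 1
}

# is_private PATH: true when group and others have no access bits, as a
# keyfile (or an initramfs image that embeds one) should be.
is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Demo on constructed files mirroring the first post: key embedded, no cryptkey=.
demo=$(mktemp -d)
printf 'FILES=(/root/secrets.x230.bin)\n' > "$demo/mkinitcpio.conf"
printf 'GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=CONSTRUCTED:luks root=UUID=CONSTRUCTED"\n' > "$demo/grub"
check_keyfile_config "$demo/mkinitcpio.conf" "$demo/grub" || true
rm -rf "$demo"
```

On a live system the call would be check_keyfile_config /etc/mkinitcpio.conf /etc/default/grub, run before mkinitcpio -P and grub-mkconfig.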

Re: [SOLVED] Add keyfile to unlock the system

Reply #4
Hmm... That didn't solve it for me. It still asks for password twice.

Re: [SOLVED] Add keyfile to unlock the system

Reply #5
Hello,

I am not sure what exactly you are doing.
If you have an encrypted root and want to decrypt a second partition or volume, then on Artix it looks like the decryption key is not searched from what is in /etc/crypttab. On my side, I had to add the following lines at the end of /etc/conf.d/dmcrypt:
Code:
target='[name_of_the_volume]'
source=UUID='[volume_UUID]'
key='[path_to_the_encryption_key]'
If you have an encrypted boot and want to auto-decrypt your root partition or volume after deciphering your boot partition, then it is another procedure which I do not know yet.

 

Re: [SOLVED] Add keyfile to unlock the system

Reply #6
Bichon,

what I want is the latter. I already have one partition that does get decrypted automatically after boot, but I haven't been successful setting stuff up so that I don't have to enter root part password twice.