aztec1855 n00b

Joined: 07 Apr 2021 Posts: 4
|
Posted: Wed Apr 07, 2021 7:00 pm Post subject: Dual Cryptsetup with Genkernel Initramfs |
|
|
With mkinitcpio, I was able to have a prompt for both of my LUKS partitions on boot - it would ask me to decrypt root, and then ask me to decrypt my home partition. I was just wondering if this is possible with genkernel? Currently I have my /home on the same drive as my root, but I prefer using another drive and having a separate encryption key. I haven't been able to find much info on it at all.
Any advice or insight would be greatly appreciated. I decided to bite the bullet and install Gentoo last night and my experience so far has been awesome! |
|
|
 |
halcon Guru


Joined: 15 Dec 2019 Posts: 543
|
Posted: Thu Apr 08, 2021 1:52 am Post subject: |
|
|
Hi aztec1855,
Good luck with your Gentoo installation!
AFAIK, in certain circumstances, genkernel may not work with LUKS... Link.
_________________ A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs. |
|
|
 |
aztec1855 n00b

Joined: 07 Apr 2021 Posts: 4
|
Posted: Thu Apr 08, 2021 4:11 pm Post subject: |
|
|
halcon wrote: | Hi aztec1855,
Good luck with your Gentoo installation!
AFAIK, in certain circumstances, genkernel may not work with LUKS... Link. |
Thank you! Things have been going smoothly so far, aside from a minor KDE bug (it's not seeing that I'm in the wheel group or prompting me for a password, so to change things I have to use config files).
I don't mind not being able to have hibernation work in all honesty - I don't remember the last time I used it :)
I'm still looking for dual encryption though, I used to do it on Arch as you could copy the encrypt hook (to a name such as encrypt2) and add that to mkinitcpio and grub manually. I'm not too familiar with genkernel yet, but I feel as though I'm just missing something really obvious. |
|
|
 |
Whissi Developer


Joined: 12 Jan 2011 Posts: 211
|
Posted: Thu Apr 08, 2021 7:33 pm Post subject: |
|
|
genkernel will only do the absolutely necessary work until it can hand over control to the real system. So genkernel can open your rootfs but cannot prompt for any additional volumes.
When you have additional volumes, the recommended way is adding a key file to that volume which you will store in /etc (NOTE: This isn't a problem because your rootfs is encrypted). Now configure your service, i.e. dm-crypt when using OpenRC, to unlock that additional volume using the key file. Add the dm-crypt service to the desired runlevel and you are done:
When you now boot your system, you will get prompted for the root device by the genkernel initramfs. Once the genkernel initramfs switches root to the real system, init from your real system will start the dm-crypt service, which is now able to mount the additional volume using the now accessible key file from /etc...
_________________ Regards,
Whissi |
|
|
 |
aztec1855 n00b

Joined: 07 Apr 2021 Posts: 4
|
Posted: Thu Apr 08, 2021 7:47 pm Post subject: |
|
|
Whissi wrote: | genkernel will only do the absolutely necessary work until it can hand over control to the real system. So genkernel can open your rootfs but cannot prompt for any additional volumes.
When you have additional volumes, the recommended way is adding a key file to that volume which you will store in /etc (NOTE: This isn't a problem because your rootfs is encrypted). Now configure your service, i.e. dm-crypt when using OpenRC, to unlock that additional volume using the key file. Add the dm-crypt service to the desired runlevel and you are done:
When you now boot your system, you will get prompted for the root device by the genkernel initramfs. Once the genkernel initramfs switches root to the real system, init from your real system will start the dm-crypt service, which is now able to mount the additional volume using the now accessible key file from /etc... |
Thank you so much! I was just in the process of editing the dmcrypt configuration files for OpenRC (I have never used it before, only systemd). I have now added dmcrypt to the boot with rc-update (I had set it to default originally and it was causing the drive to decrypt after fstab was loaded) and it asks for my password on boot! I just need to relocate my current home directory to my secondary drive and I should be set.
For anyone wondering, this is what I added to /etc/conf.d/dmcrypt
Code: | target=luks-home
source='/dev/sda1'
|
I should probably use UUIDs but the file doesn't give instructions on how to format them correctly, so for now I'm just happy that I have it working. Also, I thank you for the description here. I wasn't too sure on the load order or how things functioned properly (Arch really walks you through a lot so this is new to me). Thanks again! :) |
|
|
 |
Whissi Developer


Joined: 12 Jan 2011 Posts: 211
|
Posted: Thu Apr 08, 2021 7:51 pm Post subject: |
|
|
aztec1855 wrote: | For anyone wondering, this is what I added to /etc/conf.d/dmcrypt
Code: | target=luks-home
source='/dev/sda1'
|
I should probably use UUIDs but the file doesn't give instructions on how to format them correctly, so for now I'm just happy that I have it working. Also, I thank you for the description here. I wasn't too sure on the load order or how things functioned properly (Arch really walks you through a lot so this is new to me). Thanks again! :) | Just
Code: | ## /dev/md/myBigDataArray
target=dataVault
source='UUID=81310e58-a0c8-48d6-7f1f-f5fda32d8896'
key='/etc/dataStorage.key'
|
_________________ Regards,
Whissi |
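A check for the key-file setup described in this thread, as an added example that is not part of the original posts or of genkernel/OpenRC: it reads a dmcrypt config in the plain `target=`/`source=`/`key=` form posted above and warns when a source is a bare device node or a key file is readable beyond its owner. The names `audit_dmcrypt`, `demo`, `EXPECT_UID` and the staging prefix argument are made up for this example.

```shell
# Added example, not from the thread: audit an OpenRC /etc/conf.d/dmcrypt file.
# Warns on source= values that are not stable identifiers and on key files that
# group/other can access. EXPECT_UID (assumed name, default 0) = expected owner.
audit_dmcrypt() {
    conf=$1; prefix=${2:-}   # prefix: optional staging root for offline runs
    target='?'; bad=0
    while read -r line; do
        val=$(printf '%s' "${line#*=}" | tr -d "'\"")
        case $line in
            target=*) target=$val ;;
            source=*)
                case $val in
                    UUID=*|/dev/disk/by-*) ;;
                    *) echo "WARN $target: source '$val' is not UUID= or /dev/disk/by-*"; bad=1 ;;
                esac ;;
            key=*)
                f=$prefix$val
                if [ ! -f "$f" ]; then
                    echo "WARN $target: key file $val is missing"; bad=1; continue
                fi
                set -- $(ls -ldn "$f")   # $1 = mode string, $3 = owner uid
                case $1 in
                    ????------*) ;;
                    *) echo "WARN $target: key file $val mode $1 allows group/other"; bad=1 ;;
                esac
                [ "$3" = "${EXPECT_UID:-0}" ] || {
                    echo "WARN $target: key file $val is owned by uid $3"; bad=1; }
                ;;
        esac
    done < "$conf"
    return "$bad"
}
# Constructed sample: the two stanzas posted in this thread and an empty,
# world-readable stand-in key file, all inside a temporary directory.
demo() {
    d=$(mktemp -d); mkdir -p "$d/etc"
    cat > "$d/dmcrypt" <<'EOF'
target=luks-home
source='/dev/sda1'
target=dataVault
source='UUID=81310e58-a0c8-48d6-7f1f-f5fda32d8896'
key='/etc/dataStorage.key'
EOF
    : > "$d/etc/dataStorage.key"; chmod 0644 "$d/etc/dataStorage.key"
    EXPECT_UID=$(id -u)      # demo files belong to the current user, not root
    audit_dmcrypt "$d/dmcrypt" "$d" || true
    rm -rf "$d"
}
demo
```

On a real system the call would be `audit_dmcrypt /etc/conf.d/dmcrypt` as root, with no prefix and `EXPECT_UID` left unset.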
|
|
 |
aztec1855 n00b

Joined: 07 Apr 2021 Posts: 4
|
Posted: Thu Apr 08, 2021 8:01 pm Post subject: |
|
|
Whissi wrote: | aztec1855 wrote: | For anyone wondering, this is what I added to /etc/conf.d/dmcrypt
Code: | target=luks-home
source='/dev/sda1'
|
I should probably use UUIDs but the file doesn't give instructions on how to format them correctly, so for now I'm just happy that I have it working. Also, I thank you for the description here. I wasn't too sure on the load order or how things functioned properly (Arch really walks you through a lot so this is new to me). Thanks again! :) | Just
Code: | ## /dev/md/myBigDataArray
target=dataVault
source='UUID=81310e58-a0c8-48d6-7f1f-f5fda32d8896'
key='/etc/dataStorage.key'
|
|
Thank you once again! UUIDs often confuse me due to correct syntax so this was super helpful. I hope this thread is able to help someone like myself, and I'd love to contribute more in the future. I couldn't be happier with my install - I am grateful for the help :) |
|
|
 |
Whissi Developer


Joined: 12 Jan 2011 Posts: 211
|
Posted: Thu Apr 08, 2021 8:05 pm Post subject: |
|
|
Glad to see a new happy Gentoo user!
Welcome to Gentoo!
_________________ Regards,
Whissi |
|
|
 |
|