Dual Cryptsetup with Genkernel Initramfs

aztec1855
n00b

Joined: 07 Apr 2021
Posts: 4

Posted: Wed Apr 07, 2021 7:00 pm    Post subject: Dual Cryptsetup with Genkernel Initramfs

With mkinitcpio, I was able to have a prompt for both of my LUKS partitions on boot - it would ask me to decrypt root, and then ask me to decrypt my home partition. I was just wondering if this is possible with genkernel? Currently I have my /home on the same drive as my root, but I prefer using another drive and having a separate encryption key. I haven't been able to find much info on it at all.

Any advice or insight would be greatly appreciated, I decided to bite the bullet and install Gentoo last night and my experience so far has been awesome!

halcon
Guru

Joined: 15 Dec 2019
Posts: 543

Posted: Thu Apr 08, 2021 1:52 am

Hi aztec1855,

Good luck with your Gentoo installation!

AFAIK, in certain circumstances, genkernel may not work with LUKS... Link.
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.

aztec1855
n00b

Joined: 07 Apr 2021
Posts: 4

Posted: Thu Apr 08, 2021 4:11 pm

halcon wrote:
Hi aztec1855,

Good luck with your Gentoo installation!

AFAIK, in certain circumstances, genkernel may not work with LUKS... Link.


Thank you! Things have been going smoothly so far, aside from a minor KDE bug (it's not seeing that I'm in the wheel group or prompting me for a password, so to change things I have to use config files).

I don't mind not being able to have hibernation work in all honesty - I don't remember the last time I used it :)

I'm still looking for dual encryption though, I used to do it on Arch as you could copy the encrypt hook (to a name such as encrypt2) and add that to mkinitcpio and grub manually. I'm not too familiar with genkernel yet, but I feel as though I'm just missing something really obvious.

Whissi
Developer

Joined: 12 Jan 2011
Posts: 211

Posted: Thu Apr 08, 2021 7:33 pm

genkernel will only do the absolutely necessary work until it can hand over control to the real system. So genkernel can open your rootfs but cannot prompt for any additional volumes.

When you have additional volumes the recommended way is adding a key file to that volume which you will store in /etc (NOTE: This isn't a problem because your rootfs is encrypted). Now configure your service, i.e. dm-crypt when using OpenRC, to unlock that additional volume using the key file. Add dm-crypt service to desired runlevel and you are done:

When you now boot your system, you will get prompted for the root device by the genkernel initramfs. Once the genkernel initramfs switches root to the real system, init from your real system will start the dm-crypt service, which is now able to mount the additional volume using the now accessible key file from /etc...
_________________
Regards,
Whissi

aztec1855
n00b

Joined: 07 Apr 2021
Posts: 4

Posted: Thu Apr 08, 2021 7:47 pm

Whissi wrote:
genkernel will only do the absolutely necessary work until it can hand over control to the real system. So genkernel can open your rootfs but cannot prompt for any additional volumes.

When you have additional volumes the recommended way is adding a key file to that volume which you will store in /etc (NOTE: This isn't a problem because your rootfs is encrypted). Now configure your service, i.e. dm-crypt when using OpenRC, to unlock that additional volume using the key file. Add dm-crypt service to desired runlevel and you are done:

When you now boot your system, you will get prompted for the root device by the genkernel initramfs. Once the genkernel initramfs switches root to the real system, init from your real system will start the dm-crypt service, which is now able to mount the additional volume using the now accessible key file from /etc...


Thank you so much! I was just in the process of editing the dmcrypt configuration files for OpenRC (I have never used it before, only systemd). I have now added dmcrypt to the boot with rc-update (I had set it to default originally and it was causing the drive to decrypt after fstab was loaded) and it asks for my password on boot! I just need to relocate my current home directory to my secondary drive and I should be set.

For anyone wondering, this is what I added to /etc/conf.d/dmcrypt
Code:
target=luks-home
source='/dev/sda1'

I should probably use UUIDs but the file doesn't give instructions on how to format them correctly, so for now I'm just happy that I have it working. Also, I thank you for the description here. I wasn't too sure on the load order or how things functioned properly (Arch really walks you through a lot so this is new to me). Thanks again! :)

Whissi
Developer

Joined: 12 Jan 2011
Posts: 211

Posted: Thu Apr 08, 2021 7:51 pm

aztec1855 wrote:
For anyone wondering, this is what I added to /etc/conf.d/dmcrypt
Code:
target=luks-home
source='/dev/sda1'

I should probably use UUIDs but the file doesn't give instructions on how to format them correctly, so for now I'm just happy that I have it working. Also, I thank you for the description here. I wasn't too sure on the load order or how things functioned properly (Arch really walks you through a lot so this is new to me). Thanks again! :)
Just
Code:
## /dev/md/myBigDataArray
target=dataVault
source='UUID=81310e58-a0c8-48d6-7f1f-f5fda32d8896'
key='/etc/dataStorage.key'

_________________
Regards,
Whissi
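
Added example (not from the thread or from Gentoo's dmcrypt service): a small shell audit for the /etc/conf.d/dmcrypt setup discussed above. It flags a source given as a kernel device name such as /dev/sda1, an entry with no key (which prompts for a passphrase at boot), and a key file that group or others can access. The function names and message texts are made up for this example, and only target, source and key are parsed.

```shell
#!/bin/sh
# Added example: audit an OpenRC /etc/conf.d/dmcrypt-style file.
# Assumption: only target=, source= and key= (the settings in this thread)
# are parsed; values are plain or quoted strings, one per line.

# Report findings for the stanza held in $target/$source/$key.
check_stanza() {
    [ -n "$target" ] || return 0
    case $source in
        /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*|/dev/mmcblk*)
            echo "$target: source $source can change between boots, use UUID=" ;;
    esac
    if [ -z "$key" ]; then
        echo "$target: no key file, passphrase prompt at boot"
    elif [ ! -f "$key" ]; then
        echo "$target: key file $key not found"
    else
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ldL -- "$key" | cut -c5-10)
        [ "$perms" = "------" ] ||
            echo "$target: key file $key is accessible to group/other"
    fi
}

# Walk the file; each target= line closes the previous stanza.
audit_dmcrypt() {
    target='' source='' key=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*|'') continue ;; esac
        name=${line%%=*}
        value=${line#*=}
        value=${value#\'}; value=${value%\'}   # strip single quotes
        value=${value#\"}; value=${value%\"}   # strip double quotes
        case $name in
            target) check_stanza; target=$value source='' key='' ;;
            source) source=$value ;;
            key)    key=$value ;;
        esac
    done < "$1"
    check_stanza
}

# Usage: sh audit-dmcrypt.sh /etc/conf.d/dmcrypt
[ $# -eq 0 ] || audit_dmcrypt "$1"
```

A key file created with mode 0400 passes the permission check; the script only reads the configuration and never opens or changes a volume.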

aztec1855
n00b

Joined: 07 Apr 2021
Posts: 4

Posted: Thu Apr 08, 2021 8:01 pm

Whissi wrote:
aztec1855 wrote:
For anyone wondering, this is what I added to /etc/conf.d/dmcrypt
Code:
target=luks-home
source='/dev/sda1'

I should probably use UUIDs but the file doesn't give instructions on how to format them correctly, so for now I'm just happy that I have it working. Also, I thank you for the description here. I wasn't too sure on the load order or how things functioned properly (Arch really walks you through a lot so this is new to me). Thanks again! :)
Just
Code:
## /dev/md/myBigDataArray
target=dataVault
source='UUID=81310e58-a0c8-48d6-7f1f-f5fda32d8896'
key='/etc/dataStorage.key'


Thank you once again! UUIDs often confuse me due to correct syntax so this was super helpful. I hope this thread is able to help someone like myself, and I'd love to contribute more in the future. I couldn't be happier with my install - I am grateful for the help :)

Whissi
Developer

Joined: 12 Jan 2011
Posts: 211

Posted: Thu Apr 08, 2021 8:05 pm

Glad to see a new happy Gentoo user! :D

Welcome to Gentoo!
_________________
Regards,
Whissi