I'm working on a LUKS setup and I can't make it work. I thought this could be
the right place to ask, but if it's not, you can point me in the right
direction.

I've created a bootable image out of my system's /boot/ partition (with MBR,
partition table and extlinux installed), and the /boot/ image will be served by
another device via USB -- by my Android phone. When I connect my smartphone to a
USB port on my laptop, the machine should boot directly from the image using the
USB MSD component of the Android kernel (an additional disk, /dev/sdb1, shows
up). Up to this point everything works well (my laptop is able to boot directly
from the phone).

I also want to move the LUKS header of the encrypted system container to the
/boot/ partition (under /boot/luks/header.img) and use this header instead.
Since the system is encrypted, it requires an initrd/initramfs image, at least
my setup needs it. But the detached LUKS header solution doesn't work OOTB.
Basically the system can't see the detached LUKS header, and that's because the
/boot/ partition isn't mounted during the initrd/initramfs phase.

Based on the initramfs-tools manual, I tried to write a script that would mount
the /boot/ partition before the system tries to decrypt the LUKS container. I
don't really know how to do it properly, so I probably did it wrong. Anyway,
this is the script:

----------------------------------------------------------------------------------------------------
#!/bin/sh
# initramfs-tools boot script: mount the /boot partition so that the detached
# LUKS header is visible before the root container is unlocked.
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /scripts/functions

export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Create the mount point inside the initramfs if it does not exist yet
[ -d /boot ] || mkdir -m 0755 /boot

# Mount the /boot partition (served over USB by the phone) by its UUID
mount -t ext4 /dev/disk/by-uuid/6f3b0020-0491-4a12-98ca-c97a7a80f5b7 /boot

exit 0
----------------------------------------------------------------------------------------------------

And I tried to put this script into every dir in
/etc/initramfs-tools/scripts/, which were: init-bottom/, init-premount/,
init-top/, local-bottom/, local-premount/ and local-top/.
The initramfs/initrd image was regenerated each time and copied to the right
/boot/ partition (in case anyone wonders). But nothing worked.

The manual also mentioned the local-block/ dir, but it was missing, so I created
it and placed my script there. This time the system was finally able to see the
detached LUKS header file, but there are a couple of things to reconsider.

1. The USB device isn't detected right away, and I see some messages about the
missing LUKS header file. After less than 5 s the USB disk is detected, and
everything is fine after that -- I'm able to type the password and unlock the
encrypted system container using the detached LUKS header. So is there a way to
delay the decryption of the root file system, or make it wait until /dev/sdb1
shows up?

2. Mounting the /boot/ partition in the initramfs/initrd phase causes some
problems when the main system boots. It says something about "resource busy"
when it comes to mounting the /boot/ partition. So how do I unmount the /boot/
partition in the initramfs/initrd phase before the root filesystem is mounted
but after it has been decrypted?

--
Morfik

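Below is an added example of how the two questions above can be handled in one initramfs-tools script; it is not code from the original post. It polls for the USB-served partition with a timeout instead of mounting it blindly, mounts it read-only only once (local-block scripts can be run several times while the root device is awaited), checks that the header file is really there, and, when a copy of the same script is installed in local-bottom/, unmounts /boot again after the root filesystem has been set up so the real system does not hit "resource busy". Assumptions, all hypothetical: the UUID and paths are the ones from the post, the 30 s timeout is arbitrary, and the stage is derived from the directory part of $0, which relies on initramfs-tools invoking the script by its full path.

```sh
#!/bin/sh
# Added example, not code from the original post.  Install as
#   /etc/initramfs-tools/scripts/local-block/luksboot   (mounts /boot)
#   /etc/initramfs-tools/scripts/local-bottom/luksboot  (copy/symlink: unmounts)
# Assumptions (hypothetical): UUID, mount point, header path, timeout, and
# that initramfs-tools runs the script by its full path so $0 names the stage.

PREREQ=""
prereqs() { echo "$PREREQ"; }

case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

BOOT_UUID="6f3b0020-0491-4a12-98ca-c97a7a80f5b7"   # UUID from the post
BOOT_DEV="/dev/disk/by-uuid/${BOOT_UUID}"
BOOT_MNT="/boot"
HEADER="${BOOT_MNT}/luks/header.img"
WAIT_SECS=30                                       # assumed upper bound

# Poll once per second until PATH exists or SECS seconds have passed.
# Returns 0 when the path appeared, 1 on timeout.  A plain poll is used
# because the phone enumerates a few seconds after the USB stack is up,
# and "udevadm settle" only waits for events that are already queued.
wait_for_path() {
    path="$1"
    secs="${2:-30}"
    waited=0
    while [ ! -e "$path" ]; do
        if [ "$waited" -ge "$secs" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# True if MNT is a current mount point; pure shell so it also works in a
# klibc-only initramfs without grep.
is_mounted() {
    while read -r _dev mnt _rest; do
        [ "$mnt" = "$1" ] && return 0
    done < /proc/mounts
    return 1
}

# Which stage are we in?  Echoes "unmount" for a local-bottom path,
# "mount" for anything else (assumption: $0 carries the full script path).
stage_of() {
    case "${1%/*}" in
        */local-bottom) echo unmount ;;
        *)              echo mount ;;
    esac
}

# Idempotent: local-block scripts may be called repeatedly while the root
# device is awaited.  The header is only read by luksOpen, so a read-only
# mount is enough and leaves the filesystem clean for the real system.
mount_boot() {
    is_mounted "$BOOT_MNT" && return 0
    [ -d "$BOOT_MNT" ] || mkdir -m 0755 "$BOOT_MNT"
    if ! wait_for_path "$BOOT_DEV" "$WAIT_SECS"; then
        echo "luksboot: $BOOT_DEV did not appear within ${WAIT_SECS}s" >&2
        return 1
    fi
    mount -t ext4 -o ro "$BOOT_DEV" "$BOOT_MNT" || return 1
    if [ ! -r "$HEADER" ]; then
        echo "luksboot: $HEADER not found on $BOOT_DEV" >&2
        return 1
    fi
    return 0
}

# local-bottom runs after the root filesystem is mounted, i.e. after the
# container has been unlocked; releasing /boot here avoids "resource busy"
# when /etc/fstab mounts it later.
umount_boot() {
    is_mounted "$BOOT_MNT" && umount "$BOOT_MNT"
    return 0
}

# Only act inside an initramfs; elsewhere just define the helpers above.
if [ -r /scripts/functions ]; then
    . /scripts/functions
    case "$(stage_of "$0")" in
        unmount) umount_boot ;;
        *)       mount_boot ;;
    esac
fi
```

After installing the script in local-block/ (and a symlink to it in local-bottom/), mark it executable, regenerate the image with `update-initramfs -u` and copy the result onto the USB-served /boot/ image as before. The read-only mount is a deliberate choice: cryptsetup only reads a detached header when opening the container, and a read-only filesystem cannot be left dirty if the phone is unplugged early.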