* Erik van Konijnenburg <[EMAIL PROTECTED]> [2005-10-31 22:19]:
> If I read initrd-tools correctly, it will run /keyscripts/*
> (not sure where it gets them, not sure where it's documented)
You can put scripts in /etc/mkinitrd/scripts and they will be executed (this is also documented in the man page). I have a file /etc/mkinitrd/scripts/root-key-from-boot which I use. It prompts me for a password with which it unlocks the keys, but you could also read it from a USB stick... I've attached my script as an example.

http://bugs.debian.org/247054 contains more information.

-- 
Martin Michlmayr
http://www.cyrius.com/
#! /bin/bash
# Read the root key from an encrypted loop-back ext2fs and mount root
#
# mkinitrd hook (run from /etc/mkinitrd/scripts): stages the loop module,
# losetup, cat and the key images into the initrd, then writes the keyscript
# that the initrd runs at boot to unlock the root device.

modules="loop"

mkdir -p "$INITRDDIR/keys" "$INITRDDIR/keyscripts"
cp /boot/keys/* "$INITRDDIR/keys"

# Copy each needed module plus its dependencies, keeping the /lib/modules layout.
# --show-depends prints "insmod <path>" lines; cut -b8- drops the "insmod " prefix.
for mod in $modules; do
	for ko in `modprobe --set-version $VERSION --show-depends $mod | cut -b8-`; do
		install -d "$INITRDDIR/${ko%/*}"
		install "$ko" "$INITRDDIR/$ko"
	done
done

cp /sbin/losetup "$INITRDDIR/bin"
cp /bin/cat "$INITRDDIR/bin"

# The keyscript below runs inside the initrd; the escaped \$variables are
# expanded there (by initrd-tools), not while this hook runs.
cat <<EOF >"$INITRDDIR/keyscripts/boot-keys"
modprobe loop
echo
echo "The root disk is encrypted and a passphrase is required."
losetup /devfs/loop/2 /keys/boot-keys
cryptsetup create boot-keys /devfs/loop/2
# cryptsetup will now prompt for the passphrase
mount -o ro /dev/mapper/boot-keys /mnt
cat /mnt/deprecation-root > /dev2/root-key
umount /mnt
cryptsetup remove boot-keys
losetup -d /devfs/loop/2
if [ -f /dev2/root-key ]; then
	/sbin/cryptsetup -v -d /dev2/root-key -c \$cipher_mode create \$dmname \$device
else
	echo "No key for the root partition found."
fi
EOF
chmod +x "$INITRDDIR/keyscripts/boot-keys"
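The module-staging step in the hook above (copy a module and everything it depends on into the initrd at the same path) is the part that is easiest to get subtly wrong, since `cut -b8-` assumes every `--show-depends` line starts with a 7-character `insmod ` prefix and silently mangles `builtin` lines. The following is an added example, not the script from the post, that does the same staging in a form that can be exercised offline: the `modprobe` output and the module files are constructed in a temporary directory, and all paths and the kernel version are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original post): stage kernel modules into an
# initrd directory, mirroring their /lib/modules path, from modprobe-style
# "--show-depends" output. Everything here is constructed for offline use.
set -eu

# Constructed stand-in for `modprobe --show-depends loop`. Real modprobe prints
# "insmod <path> [options]" lines and, for in-kernel code, "builtin <name>".
fake_show_depends() {
    printf '%s\n' \
        'insmod /lib/modules/2.6.12-1/kernel/drivers/md/dm-mod.ko' \
        'builtin unix' \
        'insmod /lib/modules/2.6.12-1/kernel/drivers/block/loop.ko max_loop=8'
}

# module_paths: keep only insmod lines and print just the module file path, so
# the result does not depend on prefix width and ignores trailing options.
module_paths() {
    awk '$1 == "insmod" { print $2 }'
}

# stage_modules SRC_ROOT INITRD_DIR: for each module path on stdin, create the
# matching directory under INITRD_DIR and copy the file there (same as the
# hook's install -d / install pair, with the variables quoted).
stage_modules() {
    src_root=$1; initrd_dir=$2
    while read -r ko; do
        install -d "$initrd_dir/${ko%/*}"
        install -m 0644 "$src_root/$ko" "$initrd_dir/$ko"
    done
}

# demo_stage: build fake module files matching the depends output, stage them,
# and print the initrd directory so the caller can inspect the result.
demo_stage() {
    work=$(mktemp -d)
    src="$work/src"; initrd="$work/initrd"
    # create the fake module files that the constructed depends output names
    fake_show_depends | module_paths | while read -r ko; do
        install -d "$src/${ko%/*}"
        printf 'fake module %s\n' "$ko" > "$src/$ko"
    done
    fake_show_depends | module_paths | stage_modules "$src" "$initrd"
    echo "$initrd"
}
```

Running `demo_stage` leaves `loop.ko` and `dm-mod.ko` under the printed directory at their original relative paths, and nothing for the `builtin` entry, which has no file to copy.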