On Tue 2020-02-25 17:31, Steve McIntyre wrote:
> Grub needs the passphrase for /boot, and then Linux needs it
> separately. Unfortunately there isn't a way for Grub to pass the
> passphrase to Linux so it has to ask you again. People are looking at
> ways to make this work better...
One way to do this is to use both a passphrase and a keyfile. You use the
passphrase with grub to decrypt things, then configure the initramfs to hold
the keyfile (both located on the drive) and use it for mounting grub. The net
effect is to only have the password prompt once. Here's what to do:

* Generate the keyfile (call it /keyfile) and add it to your device.

* Add this to /etc/crypttab:

-- /etc/crypttab ---------------------------------------------------------------
root UUID=<your uuid> /keyfile luks
--------------------------------------------------------------------------------

* Install cryptsetup-initramfs and add/edit this line:

-- /etc/cryptsetup-initramfs/conf-hook -----------------------------------------
KEYFILE_PATTERN=/keyfile
--------------------------------------------------------------------------------

* The keyfile should be protected and is stored, so give it a more restrictive
  umask by adding/editing the line

-- /etc/initramfs-tools/initramfs.conf -----------------------------------------
UMASK=0077
--------------------------------------------------------------------------------

* Update /etc/default/grub.

-- /etc/default/grub -----------------------------------------------------------
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/<your partition>"
--------------------------------------------------------------------------------

* Rebuild the initramfs, update grub:

  $ update-initramfs -k all -u
  $ update-grub

BTW, grub's verification of the passphrase is *slow*. You can speed things up
at the cost of some security by adjusting the --iter-time parameter. I have
found that --iter-time=1000 is fast enough on newer machines.

Hope this helps,
MM
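An added check, not part of MM's mail: a POSIX shell function that audits the five settings the recipe above relies on, so you can confirm the keyfile is not group- or world-readable and that the crypttab, conf-hook, initramfs.conf and grub entries are all in place before rebooting. The ROOT prefix argument is a hypothetical convenience for running it against a staging tree; it assumes GNU stat.

```shell
#!/bin/sh
# Audit the keyfile-in-initramfs setup described in the mail.
# Usage: audit_keyfile_setup [ROOT] [KEYFILE]   (defaults: / and /keyfile)
# ROOT is an assumed prefix so the checks can run on a copy of the config
# tree; exit status 0 means every check passed, each failure is printed.

# Return 0 when FILE is readable and contains a line matching REGEX.
has_line() {  # has_line FILE REGEX
    [ -r "$1" ] && grep -Eq "$2" "$1"
}

audit_keyfile_setup() {
    root=${1:-/}
    keyfile=${2:-/keyfile}
    rc=0

    # 1. keyfile exists and is readable by its owner only (0400 or 0600)
    if [ -f "$root$keyfile" ]; then
        mode=$(stat -c '%a' "$root$keyfile")
        case "$mode" in
            400|600) ;;
            *) echo "FAIL: $keyfile has mode $mode, want 0600"; rc=1 ;;
        esac
    else
        echo "FAIL: $keyfile missing"; rc=1
    fi

    # 2. crypttab uses the keyfile (third field) for a luks device
    has_line "$root/etc/crypttab" \
        "^[^#[:space:]]+[[:space:]]+UUID=[^[:space:]]+[[:space:]]+$keyfile[[:space:]]+luks" \
        || { echo "FAIL: /etc/crypttab has no luks entry using $keyfile"; rc=1; }

    # 3. cryptsetup-initramfs is allowed to copy the keyfile into the initramfs
    has_line "$root/etc/cryptsetup-initramfs/conf-hook" "^KEYFILE_PATTERN=$keyfile\$" \
        || { echo "FAIL: KEYFILE_PATTERN=$keyfile not set in conf-hook"; rc=1; }

    # 4. initramfs images are written 0600 so the embedded keyfile stays private
    has_line "$root/etc/initramfs-tools/initramfs.conf" '^UMASK=0077$' \
        || { echo "FAIL: UMASK=0077 not set in initramfs.conf"; rc=1; }

    # 5. grub is built with LUKS support so it can unlock /boot
    has_line "$root/etc/default/grub" '^GRUB_ENABLE_CRYPTODISK=y$' \
        || { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y not set in /etc/default/grub"; rc=1; }

    return $rc
}
```

Source the file and run `audit_keyfile_setup / /keyfile` as root on the live system; any FAIL line names the setting to fix before running update-initramfs and update-grub.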