Simple script for generating initramfs for the encrypted root disks.
- Create encrypted disk or partition using cryptsetup
Create
~/.config/mkinitramfs/disks.jsonfile with similar content to:{ "name": { "uuid": "disk-uuid", "key": "key-filename" }, ... }where every entry have disk name (name in this case), which have two attributes - disk/partition UUID and key filename.
Provide a key file for the disk/partition. Assumption is, that it is an encrypted file using ccrypt instead of plain file or password protected luks. Keys will be looked using provided path, i.e.
{ "laptop": { "uuid": "88b99002-028f-4744-94e7-45e4580e2ddd", "key": "/full/path/to/the/laptop.key" }, "desktop": { "uuid": "23e31327-1411-491c-ab00-c36f74c441f1", "key": "desktop.key" }, "pendrive": { "uuid": "1453a45e-ca3f-4d39-8fd7-a6a96873c25c", "key": "../pendrive.key" } }so yes - it is possible to use key file in absolute or relative paths. If no key will be found, it's been looking for in path specified by
--key-path | -kparameter, which by default is in$XDG_CONFIG_HOME/mkinitramfs/keys(usually in~/.config/mkinitramfs/keys.- Move
mkinitramfs.pyscript to some location in your$PATH(like~/bin) Invoke
mkinitramfs.pyscript:# mkinitramfs.py laptopthat command will generate initramfs, copy key, and make appropriate change in
initscript and compress it withcpio.Using
--install | -iparameter, initramfs will be automatically installed on/bootwith appropriate links. Note, that old images (they have.oldsuffix in the filename) will be removed in that case.
It is possible to use an SD card (if computer does have reader built-in) or old plain USB pendrive. Currently support for the keys is limited to 4096 bytes, and assumption that key is unencrypted - it helps with booting system non-interactively.
There is possibility for using key which is encrypted using response from challenge response using ykchalresp command. The challenge here could be any string, so the name of the device from config is used.