johnlane/grub

Encrypted boot on LUKS with detached header.

Closed this issue · 1 comments

When playing around with the following setup:

[usb key]
└─[regular volume holding header file]
[hard disk]
└─[headerless LUKS volume]
  └─[LVM]
    ├─[swap partition]
    ├─[root partition]
    └─[home partition]

With /boot, including the grub folder and the initramfs images inside the root partition, and grub installed to the hard disk.

I encountered the catch-22 that trying to cryptomount from grub commandline doesn't work if the grub modules are on an encrypted partition. Rather than being able to grub-install, I've had to call grub-mkimage with the correct modules (including the individual gcry_* modules used in my LUKS setup) and grub-bios-setup individually. I ended up writing my own load.cfg (embedded config file) containing the following:

search.fs_uuid [UUID of usb key partition] usb
cryptomount -H ($usb)/[header filename] hd0,1
search.fs_uuid [UUID of root partition] root
set prefix=($root)'/boot/grub/'

Is there any way of configuring grub in such a way that grub-probe understands the detached-header setup? If not, is it possible to add support for this?

P.S. the reason I prefer this setup over anything involving unencrypted usb boot partition shenanigans is about how much more sane it makes my key policy; I do not have to update any copies of the keystick whenever I update my kernel (e.g. copy for my partner in the case of a shared machine/backup copies locked away safely). It makes the usb key an at-boot thing only; stick it in to boot up, take it out immediately afterwards. No clunky usb stick sticking out the side of my laptop that is at risk of being bumped into and broken by inattentive people, no nano-size usb stick that I will forget to take out when I shut my machine down (and therefore entirely defeats the point of the endeavour), no need to remember to put the usb stick back in when I decide to update.
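The manual build described in the issue above, as an added example (not code from the issue author or from johnlane/grub): it maps the LUKS cipher and hash to the gcry_* modules that have to be built into core.img, validates the values pasted into load.cfg, and prints the grub-mkimage command for review instead of running it. BIOS boot, MBR partition tables, ext filesystems, the `-p /boot/grub` prefix, the file names load.cfg and core.img, and all sample UUIDs are assumptions.

```shell
# Added example; every sample value below is constructed.

# Map a cryptsetup cipher or hash name to the GRUB gcry_* module implementing it.
gcry_module_for() {
    case "$1" in
        aes)       echo gcry_rijndael ;;
        serpent)   echo gcry_serpent ;;
        twofish)   echo gcry_twofish ;;
        sha1)      echo gcry_sha1 ;;
        sha256)    echo gcry_sha256 ;;
        sha512)    echo gcry_sha512 ;;
        ripemd160) echo gcry_rmd160 ;;
        whirlpool) echo gcry_whirlpool ;;
        *) echo "no known GRUB module for '$1'" >&2; return 1 ;;
    esac
}

# Modules core.img needs before the encrypted prefix is readable. The gcry_*
# ones are normally loaded on demand from the prefix, hence the catch-22.
# Assumptions: BIOS boot, MBR partition tables, ext filesystems.
core_modules() {  # usage: core_modules CIPHER HASH
    c=$(gcry_module_for "$1") || return 1
    h=$(gcry_module_for "$2") || return 1
    echo "biosdisk part_msdos ext2 search_fs_uuid cryptodisk luks lvm $c $h"
}

# Emit load.cfg in the form shown in the issue. Inputs are checked first:
# they end up in a script GRUB executes before any menu appears.
render_load_cfg() {  # usage: render_load_cfg USB_UUID HEADER_FILE LUKS_DEV ROOT_UUID
    for u in "$1" "$4"; do
        case "$u" in ''|*[!0-9A-Fa-f-]*) echo "bad UUID: $u" >&2; return 1 ;; esac
    done
    case "$2" in ''|*[!A-Za-z0-9._-]*) echo "bad header name: $2" >&2; return 1 ;; esac
    case "$3" in ''|*[!a-z0-9,]*) echo "bad device: $3" >&2; return 1 ;; esac
    printf 'search.fs_uuid %s usb\n' "$1"
    printf 'cryptomount -H ($usb)/%s %s\n' "$2" "$3"
    printf 'search.fs_uuid %s root\n' "$4"
    printf "set prefix=(\$root)'/boot/grub/'\n"
}

# Print (do not run) the grub-mkimage call that embeds load.cfg in core.img.
mkimage_cmd() {  # usage: mkimage_cmd CIPHER HASH
    mods=$(core_modules "$1" "$2") || return 1
    echo "grub-mkimage -O i386-pc -p /boot/grub -c load.cfg -o core.img $mods"
}

# Demo with constructed values.
render_load_cfg 1A2B-3C4D luks-header.img hd0,1 0f0e0d0c-1111-2222-3333-444455556666
mkimage_cmd aes sha256
```

The resulting core.img is what grub-bios-setup then writes to the hard disk; the cipher and hash to pass in are the ones recorded in the detached header.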

Your setup sounds very similar to mine. First off, let me say that these extensions make no changes to the parts of Grub that autogenerate things. I am not sure that I understand your problem but I'll describe what I do and perhaps you can come back with thoughts or more information...

My USB stick contains a plaintext ext4 partition containing some Grub config, including all the modules and suchlike that Grub needs. It contains a very simple grub.cfg that has an option to unlock a second ext4 partition that is LUKS encrypted. This has a second grub.cfg, plus the keys and headers needed to unlock and boot the system which, like yours, is LVM on LUKS.

The root partition contains a /boot from where Grub loads the kernel and ramdisk. The ramdisk also contains the required headers and keys so that it can also unlock them (because Grub's unlocking does not transfer into the kernel).

Once the initramfs switches root, I can pull out the USB key.

The only prep that I do on the USB key is:

$ mount /dev/sdX1 /mnt
$ grub-install --no-floppy --boot-directory=/mnt /dev/sdX

where X is the device letter of the USB stick and 1 is the first (plaintext) partition.

FWIW I use GPT on the USB but I don't think it matters.

I am happy to accept pull requests into this codebase, but I am not actively working on it because (a) it does what I need and (b) upstream have shown little interest in adopting it.