Radu Radutiu wrote:
On Tue, Nov 27, 2018 at 3:14 PM mark m.roth@5-cent.us wrote:
What we do is to have the encryption key of the secondary filesystem in /etc/crypttab, which is, of course, 600. As it boots, it decrypts from that as it mounts the rest of the system.
Thanks, this is working as expected and it gave me the hint needed to find the actual problem. The problem is that the initramfs image generated by dracut -f does not include the /etc/crypttab from the OS (it only contains the entry for the root device). Once I have manually added the other volumes in the /etc/crypttab file from the initramfs image, clevis is able to decrypt all volumes. Now the question is why the generated initramfs image has a different /etc/crypttab. How can I specify /etc/crypttab for the initramfs so that further kernel updates will not replace it with the wrong file?
Sorry, I think you misunderstood. The key for root is *not* in /etc/crypttab - that's only for the secondary ones.
mark
On Tue, Nov 27, 2018 at 8:06 PM mark m.roth@5-cent.us wrote:
Sorry, I think you misunderstood. The key for root is *not* in /etc/crypttab - that's only for the secondary ones.
mark
I understood correctly, just that you mentioning that one can put the key in the /etc/crypttab gave me the idea to check if the initramfs image will have the same content for crypttab. So now I have 2 working solutions:

1) /etc/crypttab on the OS has a reference to the file that contains the key to decrypt the second volume (the key is on the encrypted root fs). I have checked and the initramfs /etc/crypttab has only the line for the root volume, without any reference to the second volume. The root volume gets decrypted by clevis+tang. The second volume is decrypted after the root volume is decrypted, /etc/crypttab is read and the key is found.

2) The initramfs /etc/crypttab was manually updated to add the line for the second volume. Clevis + tang will decrypt both the root fs and the second volume.

I was surprised to find out that the /etc/crypttab in initramfs is different from the one in the OS. So now I'm searching for the correct way to force dracut to include /etc/crypttab unchanged in the initramfs image.
Radu
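An added illustration of the check discussed in this thread; it is not code from either poster and not part of dracut or clevis. The script parses crypttab files, lists the volumes present in the OS /etc/crypttab but absent from the copy dracut placed in an initramfs image (obtained with `lsinitrd -f`, a real lsinitrd option), flags entries that depend on a keyfile path (only usable once the filesystem holding that path is mounted, as in Radu's solution 1), and writes a /etc/dracut.conf.d fragment using the real `add_device+=` directive, which adds a device to dracut's host-only device list. That `add_device+=` is sufficient to make dracut's crypt module carry the second volume's crypttab line is an assumption to be verified with `lsinitrd` after regenerating, not something the thread establishes. All UUIDs, the keyfile path /etc/luks/data.key and the sample crypttab contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare the OS /etc/crypttab with the crypttab inside an
# initramfs and prepare a dracut.conf.d fragment. Not from the thread.

# Print "name device keyfile" for each entry of a crypttab file ($1),
# ignoring comments and blank lines; a missing keyfile field becomes "none".
crypttab_entries() {
    sed -e 's/#.*//' "$1" |
        awk 'NF >= 2 { printf "%s %s %s\n", $1, $2, ($3 == "" ? "none" : $3) }'
}

# Entries (by mapper name) present in the OS crypttab ($1) but absent from
# the initramfs crypttab ($2). These volumes cannot be unlocked by the
# initramfs (e.g. by clevis) no matter what the OS crypttab says.
crypttab_missing() {
    crypttab_entries "$1" | while read -r name dev key; do
        if ! crypttab_entries "$2" |
                awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
            echo "$name $dev $key"
        fi
    done
}

# Entries whose third field is a keyfile path rather than none/-: they can
# only be unlocked after the filesystem holding the keyfile is mounted, so a
# keyfile on the encrypted root is useless inside the initramfs.
crypttab_keyfile_entries() {
    crypttab_entries "$1" | awk '$3 != "none" && $3 != "-" { print $1, $3 }'
}

# Dump the crypttab dracut generated into an initramfs image ($1) to $2.
# Uses the real "lsinitrd -f" option; not run in the demo below.
initrd_crypttab() {
    lsinitrd -f etc/crypttab "$1" > "$2"
}

# Write a dracut.conf.d fragment ($1 = conf dir, $2 = device spec such as
# UUID=...) that adds the device to dracut's host-only device list.
# ASSUMPTION: this is enough for the crypt module to keep the entry; check
# with initrd_crypttab after "dracut -f".
dracut_add_device_conf() {
    printf 'add_device+=" %s "\n' "$2" > "$1/99-extra-luks.conf"
    cat "$1/99-extra-luks.conf"
}

# Demo on constructed files mirroring the thread's setup (placeholder UUIDs).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/os-crypttab" <<'EOF'
# <name>   <device>                                  <keyfile>           <options>
luks-root  UUID=11111111-1111-1111-1111-111111111111  none                luks,_netdev
luks-data  UUID=22222222-2222-2222-2222-222222222222  /etc/luks/data.key  luks
EOF
    # What dracut's host-only filtering left in the image: root only.
    cat > "$tmp/initrd-crypttab" <<'EOF'
luks-root /dev/disk/by-uuid/11111111-1111-1111-1111-111111111111 none luks,_netdev
EOF
    echo "missing from initramfs:"
    crypttab_missing "$tmp/os-crypttab" "$tmp/initrd-crypttab"
    echo "keyfile-dependent entries:"
    crypttab_keyfile_entries "$tmp/os-crypttab"
    echo "dracut fragment:"
    dracut_add_device_conf "$tmp" UUID=22222222-2222-2222-2222-222222222222
    rm -rf "$tmp"
}

demo

# Real-world use (not executed here):
#   lsinitrd -f etc/crypttab /boot/initramfs-$(uname -r).img > /tmp/initrd-crypttab
#   crypttab_missing /etc/crypttab /tmp/initrd-crypttab
#   dracut_add_device_conf /etc/dracut.conf.d UUID=<uuid of the second LUKS volume>
#   dracut -f && lsinitrd -f etc/crypttab /boot/initramfs-$(uname -r).img
```

The check is worth repeating after every kernel update, since each one regenerates the initramfs and a hand-edited crypttab inside the image (solution 2 above) is lost; keeping the fragment in /etc/dracut.conf.d is what survives regeneration. Note also that a keyfile referenced from /etc/crypttab protects the second volume only as well as the root filesystem and the 600 mode on crypttab protect that file.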