On Tue, Nov 27, 2018 at 3:14 PM mark m.roth@5-cent.us wrote:
What we do is to have the encryption key of the secondary filesystem in /etc/crypttab, which is, of course, 600. As it boots, it decrypts from that as it mounts the rest of the system.
mark
Thanks, this is working as expected and it gave me the hint needed to find the actual problem. The problem is that the initramfs image generated by dracut -f does not include the /etc/crypttab from the OS (it only contains the entry for the root device). Once I have manually added the other volumes in the /etc/crypttab file from the initramfs image, clevis is able to decrypt all volumes. Now the question is why the generated initramfs image has a different /etc/crypttab. How can I specify /etc/crypttab for the initramfs so that further kernel updates will not replace it with the wrong file?
Radu