So, looking into the dracut docs, I found that it supports various kernel params, including 'rd.luks.uuid' and 'rd.luks.key'.
As an aside, I find it unfortunate the docs do not explain the relationship, if any, between these two params; are they mutually exclusive? Or perhaps mutually required?
Anyway, 'rd.luks.key' is supposed to support storing a keyfile on a USB disk, with the format '<key path>:<usb uuid>:<luks dev>', to be used to unlock the volume at boot. However, this doesn't seem to be working. At all.
Omitting 'rd.luks.uuid' while supplying 'rd.luks.key' results in basically nothing; boot proceeds with no prompt for the '<luks dev>' password, and the device is not unlocked when booting completes.
Using 'rd.luks.key' with 'rd.luks.uuid' results in a password prompt for the specified volume, even if that volume is passed as the '<luks dev>' device. Expected behavior is that dracut auto-mounts the '<usb uuid>' device and applies the keyfile found at '<key path>'. Instead, the following error appears in the journal (UUIDs truncated for readability; full values in use otherwise):
"...systemd-cryptsetup[384]: Failed to activate with key file '/keys/sdsk1.key:UUID=8de74...:UUID=efd79...': Invalid argument"
So what the hell needs to be done to unlock non-root LUKS devices at boot time with a key on USB?!? Does the LUKS device need to be specified in '/etc/crypttab'? Does the USB device need an entry in '/etc/fstab'? Are UUIDs no longer supported (the docs use 'LABEL=', but also specify 'UUID=')? Are there undocumented kernel params also needed?!?
Anyone ever get this to work?
For reference, working from this doc: https://www.kernel.org/pub/linux/utils/ ... racut.html
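An added example, not part of the post above and not dracut's own code: a POSIX sh check that splits an rd.luks.key value into the documented '<key path>:<usb uuid>:<luks dev>' fields and rejects malformed ones (a relative key path, a truncated UUID, a missing or extra field) before the value is put on the kernel command line. The function names and the sample values are this example's own.

```shell
# Validate one device spec of the form UUID=<8-4-4-4-12> or LABEL=<name>.
# Prints a reason and returns 1 on failure.
check_devspec() {
    case "$1" in
        UUID=????????-????-????-????-????????????) return 0 ;;
        UUID=*) echo "malformed UUID in '$1'"; return 1 ;;
        LABEL=?*) return 0 ;;
        *) echo "device spec must be UUID=... or LABEL=...: '$1'"; return 1 ;;
    esac
}

# Split an rd.luks.key value into key path, key device and LUKS device,
# validate each field, and print the parsed fields on success.
check_rd_luks_key() {
    value=$1
    case "$value" in
        *:*:*) ;;
        *) echo "expected 3 colon-separated fields, got: '$value'"; return 1 ;;
    esac
    keypath=${value%%:*}          # everything before the first ':'
    rest=${value#*:}              # '<usb uuid>:<luks dev>'
    keydev=${rest%%:*}
    luksdev=${rest#*:}
    case "$luksdev" in
        *:*) echo "too many fields in '$value'"; return 1 ;;
    esac
    case "$keypath" in
        /*) ;;
        *) echo "key path must be absolute: '$keypath'"; return 1 ;;
    esac
    check_devspec "$keydev" || return 1
    check_devspec "$luksdev" || return 1
    echo "key=$keypath keydev=$keydev luksdev=$luksdev"
}

# Constructed sample values (placeholder UUIDs, not from any real system).
check_rd_luks_key "/keys/sdsk1.key:UUID=11111111-2222-3333-4444-555555555555:UUID=66666666-7777-8888-9999-000000000000"
check_rd_luks_key "/keys/sdsk1.key:UUID=8de74:UUID=efd79"   # truncated UUIDs are rejected
```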