on JDMac
I had the same issue on CentOS 6.6 and I solved it by modifying:
$ /usr/share/dracut/modules.d/90crypt/install
adding:
$ inst $PATH_TO_KEY
then ran:
$ dracut --force
Rebooted and it worked!
But ofc the downside is that you will have the key in the initramfs file.
dm-crypt/luks - Full disk encryption using keyfile
Re: dm-crypt/luks - Full disk encryption using keyfile
Hi,
this is what I did and it works for my CentOS 7:
- installed dracut-fips via
Code:
yum install dracut-fips
This is essential - it adds the fips dracut module. You don't have to specify the module manually, it will be added automatically - use
Code:
dracut -v
or
Code:
dracut --show-modules
to make sure.
- modified /etc/dracut.conf and added:
Code:
omit_dracutmodules+="systemd"
filesystems="xfs vfat ext4"
(the list must contain the filesystem your keyfile is on; systemd must be omitted)
- modified /etc/default/grub and added
Code:
rd.luks.key=/path/to/my/keyfile:LABEL=MyUSBfsLabel
to the "GRUB_CMDLINE_LINUX" line
- generated grub2 config file
Code:
# GRUB2 reads grub.cfg, not grub.conf
grub2-mkconfig > /boot/grub2/grub.cfg
- generated new initramfs
Code:
dracut -fv
Hope this helps you
Re: dm-crypt/luks - Full disk encryption using keyfile
This thread is a little old, but I wanted to add that the path in 'rd.luks.key' is relative to the device you're using. For a USB key, if you mount it under '/mnt/myusb', and the keyfile is '/mnt/myusb/keyfile', the path for 'rd.luks.key' should look like: rd.luks.key=/keyfile:LABEL=myusb.
Note that this path does NOT contain '/mnt/myusb'. At the time dracut is looking for the key file, none of those partitions are mounted yet, so they would not be under the full path you see when the system is running.
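The path rule from the post above, as an added example that is not code from anyone in this thread: it derives the rd.luks.key= value from a keyfile's running-system path by stripping the mount point, and flags a kernel command line where the mount point was left in. The function names are hypothetical, and detect_key_arg assumes findmnt from util-linux and a key filesystem that has a label.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): build and check rd.luks.key=.

# luks_key_arg KEYFILE MOUNTPOINT LABEL
# Strip the mount point from the keyfile's running-system path: dracut
# resolves the path from the root of the key device, which is not mounted
# at its usual location during early boot.
luks_key_arg() {
    local keyfile="$1" mnt="${2%/}" label="$3" rel
    case "$keyfile" in
        "$mnt"/*) ;;
        *) echo "error: $keyfile is not under $mnt" >&2; return 1 ;;
    esac
    rel=${keyfile#"$mnt"}
    printf 'rd.luks.key=%s:LABEL=%s\n' "$rel" "$label"
}

# check_cmdline CMDLINE MOUNTPOINT
# MOUNTPOINT is where the key device is mounted on the running system (not /).
# Returns 0 if rd.luks.key= carries a device-relative path, 1 if the path
# is relative or still contains the mount point, 2 if the option is absent.
check_cmdline() {
    local cmdline="$1" mnt="${2%/}" word path
    for word in $cmdline; do
        case "$word" in rd.luks.key=*) ;; *) continue ;; esac
        path=${word#rd.luks.key=}
        path=${path%%:*}                 # drop ":<keydev>[:<luksdev>]"
        case "$path" in
            "$mnt"/*) echo "mount point left in path: $word" >&2; return 1 ;;
            /*) return 0 ;;
            *) echo "path is not absolute: $word" >&2; return 1 ;;
        esac
    done
    echo "no rd.luks.key= on the command line" >&2
    return 2
}

# detect_key_arg KEYFILE
# Looks up mount point and filesystem label with findmnt (util-linux).
detect_key_arg() {
    local mnt label
    mnt=$(findmnt -n -o TARGET --target "$1") || return 1
    label=$(findmnt -n -o LABEL --target "$1") || return 1
    [ -n "$label" ] || { echo "filesystem at $mnt has no label" >&2; return 1; }
    luks_key_arg "$1" "$mnt" "$label"
}

# Usage: script.sh /mnt/myusb/keyfile   (prints the value for GRUB_CMDLINE_LINUX)
[ "$#" -eq 0 ] || detect_key_arg "$1"
```

Running `check_cmdline "$(cat /proc/cmdline)" /mnt/myusb` after a reboot confirms that the value GRUB actually passed to the kernel is device-relative.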
Re: dm-crypt/luks - Full disk encryption using keyfile
Thanks, it works well after all, but just to clarify...
like @orever said:
because we use the LABEL option, the path of the keyfile starts from the root of the USB key
such as rd.luks.key=/keyfile:LABEL=myusb
if I mount myusbkey in /mnt/usbkey my file is /mnt/usbkey/keyfile
1' install dracut-fips
Code:
yum install dracut-fips
2' add the rd.luks.key in your grub
Code:
vi /etc/default/grub
GRUB_CMDLINE_LINUX="crashkernel=auto rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rd.luks.key=/keyfile:LABEL=YourUSBKey rd.lvm.lv=vg/root rd.lvm.lv=vg/swap rhgb quiet"
3' edit dracut.conf
Code:
vi /etc/dracut.conf
omit_dracutmodules+="systemd"
add_dracutmodules+="crypt lvm"
filesystems="xfs vfat" # depending on which filesystem you use, you might have to add ext4 or btrfs instead of xfs
4' recompile your grub
Code:
# GRUB2 reads grub.cfg, not grub.conf
grub2-mkconfig > /boot/grub2/grub.cfg
5' recompile your dracut
Code:
dracut -fv