Hello everyone,
I have a fairly standard/default LUKS encrypted volume with swap and btrfs root filesystem residing in it. The subvolumes are in their standard layout too.
Only change I’ve made is to add an ext4 partition to store kdump.
pavin@suse-pc:~> lsblk -f /dev/nvme0n1
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 vfat FAT32 C60E-0951 505M 1% /boot/efi
├─nvme0n1p2 ext4 1.0 382ca7d7-f466-41b5-a80b-7e76ff624862 3.6G 0% /var/crash
└─nvme0n1p3 crypto_LUKS 1 cdf45ca8-1579-43a2-aa5f-fa42baa3763a
└─cr_nvme-eui.002538dc210238c2-part3 LVM2_member LVM2 001 ofkZRF-zc06-CXa8-y2YF-SKAR-YeWS-jVd5VJ
├─suse-system btrfs 0f3fbdb1-e3c5-460e-aef7-f939d3e4af73 427.8G 7% /var
│ /usr/local
│ /srv
│ /root
│ /opt
│ /home
│ /boot/grub2/x86_64-efi
│ /boot/grub2/i386-pc
│ /.snapshots
│ /
└─suse-swap swap 1 7df71639-d7c6-4cd2-8bf2-b9c5fe57a1df [SWAP]
As /boot is encrypted in this config, grub always asks me for the LUKS password on cold boot. This is generally sufficient and I’m not asked for the LUKS password again when the initramfs remounts the root fs during boot.
But this behavior breaks when dracut creates a new initramfs image or I do a kexec reboot. I’m asked for a password in both cases. The former is quite annoying in that I have to type in the password twice on a cold boot, and the latter is less annoying but a constant PITA as kexec reboots are common enough with rolling release distros.
So I decided to set up automatic unlock of the root fs using a key file stored in initramfs. As the initramfs itself is encrypted, there is no additional security risk, or so I believe.
Corrections and improvements are welcome. All commands to be run as root:
# Setup auto unlock of root fs using LUKS key file
# create and secure key file (umask 077 so the file is never readable by others, not even briefly)
mkdir -p /etc/crypt_keys
chmod 700 /etc/crypt_keys
( umask 077; dd if=/dev/urandom of=/etc/crypt_keys/rootfs bs=1024 count=1 )
chmod 600 /etc/crypt_keys/rootfs
# add keyfile to existing LUKS device (prompts for an existing passphrase)
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/crypt_keys/rootfs
# update the /etc/crypttab entry with the keyfile. The UUID= field must be the UUID of the
# crypto_LUKS partition as shown by lsblk -f / blkid, not that of the PV or filesystem inside it:
cr_nvme-eui.002538dc210238c2-part3 UUID=90661237-038b-4f3f-a77a-2226c0d20336 /etc/crypt_keys/rootfs x-initrd.attach
# add keyfile to initramfs (contents of /etc/dracut.conf.d/00-crypt_unlock.conf)
cat > /etc/dracut.conf.d/00-crypt_unlock.conf <<'EOF'
install_items+=" /etc/crypt_keys/rootfs "
EOF
# regenerate initramfs
dracut --regenerate-all --force
# verify initrd contents contain our key file (and check that it kept mode 0600)
lsinitrd | grep crypt_keys/rootfs
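Before rebooting on a setup like this, the three things that typically go wrong are a crypttab UUID that is not the crypto_LUKS partition's UUID, a missing x-initrd.attach option, and a key file that landed in the initrd with loose permissions. The script below is an added example (not from the original post or from openSUSE) that checks all three against captured text from lsblk and lsinitrd; the sample outputs embedded in it are constructed from the post's values and assume the output shapes of `lsblk -ln -o NAME,FSTYPE,UUID` and `lsinitrd`.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# crypttab entry and the regenerated initrd, run against captured text from
# `lsblk -ln -o NAME,FSTYPE,UUID` and `lsinitrd` (assumed output shapes).

# Print the UUID of the crypto_LUKS partition named $1 (lsblk text on stdin).
# crypttab must reference this UUID, not the LVM PV or filesystem inside it.
luks_uuid_from_lsblk() {
  awk -v dev="$1" '$1 == dev && $2 == "crypto_LUKS" { print $3; exit }'
}

# Succeed if the UUID= field of crypttab line $1 equals $2.
crypttab_uuid_matches() {
  got=$(printf '%s\n' "$1" | awk '{ sub(/^UUID=/, "", $2); print $2 }')
  [ -n "$got" ] && [ "$got" = "$2" ]
}

# Succeed if crypttab line $1 lists x-initrd.attach among its options.
crypttab_has_initrd_attach() {
  printf '%s\n' "$1" | awk '{ if ($4 ~ /(^|,)x-initrd\.attach(,|$)/) exit 0; exit 1 }'
}

# Print the mode column of the lsinitrd entry (stdin) whose path is $1.
initrd_keyfile_mode() {
  awk -v path="$1" '$NF == path { print $1; exit }'
}

# Constructed samples built from the post's values (assumed output formats).
LSBLK_SAMPLE='nvme0n1
nvme0n1p3 crypto_LUKS cdf45ca8-1579-43a2-aa5f-fa42baa3763a
cr_nvme-eui.002538dc210238c2-part3 LVM2_member ofkZRF-zc06-CXa8-y2YF-SKAR-YeWS-jVd5VJ'
CRYPTTAB_SAMPLE='cr_nvme-eui.002538dc210238c2-part3 UUID=cdf45ca8-1579-43a2-aa5f-fa42baa3763a /etc/crypt_keys/rootfs x-initrd.attach'
LSINITRD_SAMPLE='-rw-------   1 root     root         1024 Jan  1  2024 etc/crypt_keys/rootfs
-rw-r--r--   1 root     root          120 Jan  1  2024 etc/crypttab'

# Run the three checks; print one line each and return 1 if any fails.
check_all() {
  rc=0
  luks=$(printf '%s\n' "$LSBLK_SAMPLE" | luks_uuid_from_lsblk nvme0n1p3)
  crypttab_uuid_matches "$CRYPTTAB_SAMPLE" "$luks" && echo "ok: crypttab UUID is LUKS UUID $luks" \
    || { echo "FAIL: crypttab UUID is not the crypto_LUKS UUID ($luks)"; rc=1; }
  crypttab_has_initrd_attach "$CRYPTTAB_SAMPLE" && echo "ok: x-initrd.attach present" \
    || { echo "FAIL: x-initrd.attach missing, initrd will not attach the device"; rc=1; }
  mode=$(printf '%s\n' "$LSINITRD_SAMPLE" | initrd_keyfile_mode etc/crypt_keys/rootfs)
  [ "$mode" = "-rw-------" ] && echo "ok: key file in initrd is mode 0600" \
    || { echo "FAIL: key file missing from initrd or mode is '$mode'"; rc=1; }
  return $rc
}
check_all
```

To use it on a real system, replace the three sample variables with the output of the commands named in the comments and read the ok/FAIL lines.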