mkinitrd missing luks_keyfile feature

I'm testing the possibility of decrypting the root partition on boot with an external key file (not on a USB stick).
Everything is OK for fstab and crypttab (not necessary for root), and the system (openSUSE 12.1) asks for the passphrase on boot.
I think that rebuilding the initrd with the

-K luks_keyfile

option gives that possibility, but the mkinitrd released with the openSUSE 12.1 distro seems to be missing this feature.
Any ideas?

Welcome luigiaversa,

I just skimmed the files /lib/mkinitrd/scripts/luks, and I also think that the keyfile option alone is not supported. Maybe you have to use the keyscript option together with the keyfile option. Look at line 116 of boot-luks.sh:

$keyscript "$keyfile" | luksopen "$luks"

This is the only place in boot-luks.sh where the keyfile is used at all, and it is used as an argument to keyscript. You might try “/bin/cat” as your keyscript.

However, may I ask where your keyfile is stored? It must be some place where boot-luks.sh can find it, and I guess no filesystems are mounted (besides the initrd) when boot-luks.sh is executed.

My mkinitrd manpage does not know about this option.
– Yarny

Hi Yarny,

Thanks for your reply. Sure you can. Well, my first thought was to rebuild the initrd using mkinitrd with -K luks_keyfile to store the key inside it.
Look at this link: Manpage of MKINITRD

And you've found the problem! At boot time there is no filesystem mounted that can provide the external key (from any folder), because boot-luks.sh is executed when / is already mounted. I've tried to modify it, without results.

I was thinking about the possibility of editing the initrd-kernelversion file (a gzipped cpio archive) in /boot to add the key file manually, but I don't think that is enough to let init "know" where the file to unlock the root partition is.

Maybe with this release of mkinitrd an external pen drive is necessary…

Thanks again

OK, but I fear openSUSE’s mkinitrd implementation does not support this -K switch (at least, my mkinitrd just told me -K is an illegal option).

You can try to modify the boot-luks.sh script such that it 1. mounts the device holding the keyfile, 2. uses the keyfile to unlock your LUKS volume, and 3. unmounts the device. However, you have to take care that the required kernel modules (filesystem) are included in the initrd. See both mkinitrd manpages for detailed information about this.

I'm sure you have a good reason to put your LUKS key inside the initrd, but just for the record: if the keyfile is stored, unencrypted, on the same hard disk which contains the encrypted volume (e.g. in an unencrypted initrd which resides in /boot on /dev/sda1), you do not gain any security. Whoever has access to the hard disk will find your keyfile and decrypt your volume.

When I look at the code I quoted above, I think it is, but you will have to try it yourself. Sadly, your changes to the initrd will be overwritten as soon as some system update calls mkinitrd.
– Yarny
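As an added example (not code from this thread, from openSUSE's mkinitrd, or from boot-luks.sh), the three-step sequence Yarny describes (mount the key device, unlock with the keyfile, unmount) written as a POSIX shell function, combined with the "/bin/cat as keyscript" idea from the earlier reply so that the unlock line has the same shape as the quoted `$keyscript "$keyfile" | luksopen "$luks"`. The key device /dev/disk/by-label/KEYDISK, the vfat filesystem, the mount point /keydev, the file name luks.key, and the luksopen stand-in (cryptsetup --key-file=- luksOpen) are all assumptions; the real boot-luks.sh has its own luksopen.

```shell
#!/bin/sh
# Added example, not code from openSUSE's mkinitrd or boot-luks.sh: the
# "mount key device, unlock, unmount" sequence from the reply above, as a
# function that a modified boot-luks.sh could call. Every device name, path
# and filesystem type below is an assumption; adjust them to your setup.

KEYDEV="${KEYDEV:-/dev/disk/by-label/KEYDISK}"  # assumed device holding the keyfile
KEYFS="${KEYFS:-vfat}"                          # assumed fs type; its module must be in the initrd
KEYMNT="${KEYMNT:-/keydev}"                     # assumed mount point inside the initrd
KEYFILE="${KEYFILE:-luks.key}"                  # assumed keyfile path, relative to KEYMNT
KEYSCRIPT="${KEYSCRIPT:-/bin/cat}"              # "/bin/cat as keyscript", as suggested in the thread

# Stand-in for boot-luks.sh's luksopen (assumption): the key arrives on stdin
# from the keyscript pipe, so cryptsetup is told to read the key from stdin.
# Usage: luksopen <luks device> <mapper name>
luksopen() {
    cryptsetup --key-file=- luksOpen "$1" "$2"
}

# unlock_with_keyfile <luks device> <mapper name>
# 1. mount the key device read-only, 2. pipe the keyfile through KEYSCRIPT
# into luksopen (same shape as line 116 of boot-luks.sh), 3. unmount.
# The unmount runs even when unlocking fails, and the return value is
# cryptsetup's exit status, so a caller can fall back to a passphrase prompt.
# The key is never copied into the initrd: it is read from the external
# device only for the duration of the unlock.
unlock_with_keyfile() {
    luksdev="$1"
    name="$2"
    mkdir -p "$KEYMNT" || return 1
    if ! mount -t "$KEYFS" -o ro "$KEYDEV" "$KEYMNT"; then
        echo "cannot mount key device $KEYDEV" >&2
        return 1
    fi
    "$KEYSCRIPT" "$KEYMNT/$KEYFILE" | luksopen "$luksdev" "$name"
    rc=$?   # status of the last command in the pipeline, i.e. cryptsetup
    umount "$KEYMNT"
    return "$rc"
}

# When run directly with two arguments, e.g. "./unlock.sh /dev/sda2 cr_root",
# perform the unlock; with no arguments only the functions are defined.
if [ "$#" -eq 2 ]; then
    unlock_with_keyfile "$1" "$2"
fi
```

As the reply says, the filesystem and storage drivers the key device needs must be present in the initrd, otherwise the mount in step 1 fails before any key is read; the mkinitrd manpage covers adding modules. Keeping the key on a separate, removable device is also what makes this worth doing at all: a key that lives in the initrd on the same disk as the encrypted volume protects nothing, for the reason given in the post above.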