Skip to content
/ decrypt-initcpio Public

A hook to unlock LUKS-encrypted devices at boot. With keyfiles.

License

GPL-3.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ajs124/decrypt-initcpio

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
LICENSE
LICENSE
 
 
Readme.md
Readme.md
 
 
config
config
 
 
hook
hook
 
 
install
install
 
 

Repository files navigation

decrypt-initcpio

This is a hook for mkinitcpio allowing to decrypt devices with keyfiles. It was built for myself and I am not sure if this is useful for anyone else on earth. It was built for mkinitcpio on arch linux and is not tested anywhere else.

Decrypting with keyfiles is something you can already do with /etc/mtab. But you still have to unlock each device on it's own. This hooks does something different: You can have all keyfiles stored in an encrypted partition. You must enter the password of this encrpytion and then the hook decrypts all other partitions.

Installation

  1. Install the package by moving the hook file into you hooks directory and the install file into you install directory. Rename both as decrypt. Now move the configuration to /etc/initcpio and call it decryot as well. Or if you are lazy, check out my PKGBUILDs.
  2. Create a partition (unencrypted) on your MBR/GPT with a common filesystem (I use ext4, but FAT should also be okay). Now note the UUID of this filesystem, as you will need it later. From now on, this will be called the keystore.
  3. You need to create a keyfile for each partition/disk/... that should be unlocked and add it to this LUKS container. Put the keyfile into the keystore with the same name it will use later when you have it decrypted.
  4. Modify the config at /etc/initcpio/decrypt. First, add the keystore UUID into the variable and then fill the volumes-variable. It is a colon-separated list with the volumes to be unlocked. Each volume consists of the UUID and the name it will have after it's unlocked (which is the same as the keyfile, remember?). Those two values are pipe-separated.
  5. Add the hook to your mkinitcpio hooks at the right location (maybe between block and filesystems). Use the keyboard hook before this hook to have the correct keyboard layout if yours is not the american.
  6. Rebuild your initial ramdisk.
  7. Reboot and pray.

Disclaimer

I wrote this during my free time. You can feel free to use this in a production environment, if you know what you are doing. I do not take any responsibility if something goes bad.

decrypt-initcpio may be broken, have security issues, or not work at all. Feel free to open github issues/prs without the guaratee of a quick answer :)

About

A hook to unlock LUKS-encrypted devices at boot. With keyfiles.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages