[dm-crypt] Open a LUKS container storing the operating system, with a header file in another location

Michael Kjörling michael at kjorling.se
Sun Feb 4 13:06:30 CET 2018


On 4 Feb 2018 02:39 +0100, from 21naown at gmail.com:
> I would like to open a LUKS container (which is the OS Debian)
> through GRUB, but with the header stored in a USB key for example.
> Through the file crypttab
> (https://manpages.debian.org/stretch/cryptsetup/crypttab.5.en.html),
> it seems possible to specify the path of the header, but I have
> different failures and I do not know where the problem is.

/etc/crypttab is a Debian-ism, not something understood or used
natively by LUKS. The system startup scripts then parse that file and
translate it into various LUKS-related commands. And of course, if
you're storing your crypttab in the encrypted container, you can't
read it before you have unlocked the container and mounted the file
system therein, but you'd need to read the crypttab to unlock the
container; an obvious catch-22 situation.

The normal approach for using an encrypted root partition is to have a
small, unencrypted /boot which stores the kernel, an initrd, the boot
loader, and a few other odds and ends to get the system booted far
enough that it can unlock the LUKS container and proceed from there.
Is there some particular reason why you don't want to do it that way?
If you tell us _why_ you're going down this route, we might be able to
suggest a solution that would actually _work_...

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
  “The most dangerous thought that you can have as a creative person
              is to think you know what you’re doing.” (Bret Victor)
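The two points the reply makes (crypttab is a Debian-ism that the startup scripts translate into cryptsetup calls, and a header or crypttab that lives inside the container cannot be read before the container is open) can be shown concretely. The script below is an added example, not code from the thread or from the cryptsetup project. The mapping name "cryptroot", the data device /dev/sda2 and the header path /hdr/root.img are hypothetical; the passphrase and scratch images in demo() are constructed for the demo only.

```shell
#!/bin/sh
# Added example (not from the thread): detached-header LUKS workflow on Debian.
# Hypothetical names: mapping "cryptroot", root container /dev/sda2, header
# file /hdr/root.img on a USB key that the initramfs can see.
set -eu

# Build the /etc/crypttab line Debian's crypttab(5) expects; the header= option
# hands the detached header to cryptsetup. The line is only useful if the
# initramfs can read both it and the header before the root is unlocked.
crypttab_line() {           # $1 mapping name, $2 data device, $3 header path
    printf '%s %s none luks,header=%s\n' "$1" "$2" "$3"
}

# Pull the header= value back out of a crypttab line (4th field, comma list),
# which is what the Debian startup scripts must do before calling cryptsetup.
crypttab_header() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (sub(/^header=/, "", opt[i])) { print opt[i]; exit }
    }'
}

# The catch-22 from the reply: a header or crypttab stored on the file system
# inside the container cannot be read until the container is already open.
# Returns 0 (true) when path $1 sits on /dev/mapper/$2. Needs findmnt (util-linux).
header_inside_container() {
    src=$(findmnt -no SOURCE -T "$1" 2>/dev/null) || return 2
    [ "$src" = "/dev/mapper/$2" ]
}

# Scratch demo on a loop device: format with the header in a separate file,
# show the data device itself carries no LUKS signature, open it with --header,
# then close it. Needs root, cryptsetup and dm-crypt; run with RUN_LUKS_DEMO=1.
demo() {
    work=$(mktemp -d)
    truncate -s 64M "$work/data.img"
    truncate -s 32M "$work/header.img"            # room for a LUKS2 header
    dev=$(losetup -f --show "$work/data.img")
    pass='demo-passphrase'                        # constructed, demo only
    printf '%s' "$pass" | cryptsetup luksFormat -q --type luks2 \
        --header "$work/header.img" --key-file - "$dev"
    if cryptsetup isLuks "$dev"; then
        echo "unexpected: data device carries a LUKS header" >&2; exit 1
    fi
    cryptsetup isLuks "$work/header.img"          # the header file does
    printf '%s' "$pass" | cryptsetup open --header "$work/header.img" \
        --key-file - "$dev" demo_root
    crypttab_line demo_root "$dev" "$work/header.img"
    cryptsetup close demo_root
    losetup -d "$dev"
    rm -rf "$work"
}

if [ "${RUN_LUKS_DEMO:-0}" = 1 ]; then
    demo
fi

# Stand-alone run: print the crypttab line for the hypothetical layout.
crypttab_line cryptroot /dev/sda2 /hdr/root.img
```

Two practical caveats when using this for a root file system: the header file (and the crypttab entry naming it) must be on a device the initramfs can reach, which is exactly the small unencrypted /boot or USB-key arrangement the reply describes; and because the data device no longer carries any LUKS metadata, losing the header file makes the data unrecoverable, so keep a backup made with cryptsetup luksHeaderBackup somewhere safe.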

