[dm-crypt] Open a LUKS container storing the operating system, with a header file in another location

21naown at gmail.com 21naown at gmail.com
Sun Feb 4 14:32:03 CET 2018

Le 04/02/2018 à 13:06, Michael Kjörling a écrit :
> On 4 Feb 2018 02:39 +0100, from 21naown at gmail.com:
>> I would like to open a LUKS container (which is the OS Debian)
>> through GRUB, but with the header stored in a USB key for example.
>> Through the file crypttab
>> (https://manpages.debian.org/stretch/cryptsetup/crypttab.5.en.html),
>> it seems possible to specify the path of the header, but I have
>> different failures and I do not know where the problem is.
> /etc/crypttab is a Debian-ism, not something understood or used
> natively by LUKS. The system startup scripts then parse that file and
> translate it into various LUKS-related commands. And of course, if
> you're storing your crypttab in the encrypted container, you can't
> read it before you have unlocked the container and mounted the file
> system therein, but you'd need to read the crypttab to unlock the
> container; an obvious catch-22 situation.
> The normal approach for using an encrypted root partition is to have a
> small, unencrypted /boot which stores the kernel, an initrd, the boot
> loader, and a few other odds and ends to get the system booted far
> enough that it can unlock the LUKS container and proceed from there.
> Is there some particular reason why you don't want to do it that way?
> If you tell us _why_ you're going down this route, we might be able to
> suggest a solution that would actually _work_...
I have an unencrypted boot partition with GRUB. My final goal is to have 
this partition in a USB key, in the same partition or in another one 
than the one where the header file will be stored, obviously unencrypted.

I assume crypttab is embedded in initrd when I do “update-initramfs -u”, 
because, among the errors I got, it showed me just after selecting the 
OS to launch in GRUB “LUKS header “/boot/headerFile” missing”, which is 
the path I put in crypttab.

More information about the dm-crypt mailing list