grub-devel

Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing


From: Patrick Steinhardt
Subject: Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing Results
Date: Sun, 30 Aug 2020 20:08:23 +0200

On Sat, Aug 29, 2020 at 09:38:53PM -0400, Eli Schwartz wrote:
> On 8/29/20 1:47 PM, Patrick Steinhardt wrote:
> > This is usually done automatically by GRUB when starting. But as it'll
> > not know to first decrypt the volume, it fails executing both of those
> > commands just to show you the rescue prompt afterwards. So they are left
> > to you now after manually decrypting. I could've added a note up-front
> > to spare you the hours-long research, but it got so natural to me that I
> > completely forgot.
> > 
> > You should be able to manually create a bootable image with GRUB with
> > `grub-mkimage`. The upside of this is that you can add your own early
> > configuration to automatically decrypt and do the `normal` dance. I
> > didn't care enough to do that myself yet, though, so I can't provide a
> > working invocation of that.
> 
> Is grub-install failing to add the relevant cryptomount invocation in
> the embedded stub, due to not realizing luks2 can be decrypted like that?

Yup. As I said in a previous mail, work to enable this is currently
still under review. We first landed LUKS2 decryption support on its own,
with tooling improvements and Argon2 support being the next step.

> I wonder if you could hack this to work by relying on autodetection with
> grub-install --modules="..." to force luks2 modules to be included, but
> with a luks1 "/" root partition. Then *after*, convert the partition
> from luks1 to luks2. The grubx64.efi image should both support luks2 due
> to manually added modules, AND automatically Do The Right Thing with the
> generic cryptomount command.

That does sound like quite a hack :) Even if it worked, it'd work only a
single time as you cannot re-convert the partition again. My take is
it'd probably be easier to just use grub-mkimage(1) instead with a
custom config, at least if there is a place where it's properly
documented.

In the end, all these are just stop-gap measures anyway until support
for auto-detection lands.

Patrick
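
The grub-mkimage approach discussed in this message, sketched as an added example (not from the original mail and not the GRUB project's own tooling). It assumes an x86_64 EFI system, a GPT disk, an ext filesystem with /boot/grub inside the LUKS2 volume, and a PBKDF2 key slot; the module list, file names and the UUID passed in are illustrative.

```shell
#!/bin/sh
# Added example: build a GRUB image whose embedded early config unlocks a
# LUKS2 volume and then starts `normal`. Paths and modules are assumptions.

PREFIX=/boot/grub   # GRUB directory inside the decrypted filesystem (assumed)
MODULES="part_gpt cryptodisk luks2 pbkdf2 gcry_rijndael gcry_sha256 ext2"

# Print the early config. $1 = LUKS UUID, $2 = GRUB directory.
early_cfg() {
    # Dashes stripped and lowercased (GRUB stores cryptodisk UUIDs that way).
    uuid=$(printf '%s' "$1" | sed 's/-//g' | tr 'A-F' 'a-f')
    case "$uuid" in
        *[!0-9a-f]*|'') echo "invalid LUKS UUID: $1" >&2; return 1 ;;
    esac
    [ "${#uuid}" -eq 32 ] || { echo "invalid LUKS UUID length: $1" >&2; return 1; }
    # Unlock first, then point root/prefix at the decrypted device so that
    # `insmod normal` and `normal` can find their files.
    cat <<EOF
cryptomount -u $uuid
set root=crypto0
set prefix=(\$root)$2
insmod normal
normal
EOF
}

# Print the grub-mkimage arguments. $1 = early config file, $2 = output image.
mkimage_args() {
    printf '%s\n' "-O x86_64-efi -p $PREFIX -c $1 -o $2 $MODULES"
}

# Usage: sh build-grub-image.sh build <luks-uuid>
if [ "${1:-}" = "build" ]; then
    early_cfg "${2:-}" "$PREFIX" > early.cfg || exit 1
    # Word splitting of the argument string is intentional here.
    grub-mkimage $(mkimage_args early.cfg grubx64.efi)
fi
```

The resulting grubx64.efi still has to be copied to the EFI system partition and registered with the firmware by hand, since grub-install is bypassed.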
