fetzerms / cryptboot-ssh

Retrieve cryptsetup keyfiles via ssh automatically at boot.
GNU General Public License v2.0
19 stars 9 forks

Fix documentation manual unlock 2 #15

Closed 459below closed 6 years ago

459below commented 6 years ago

Sorry, cryptsetup is not included in the initramfs by the current versions of the script. With this PR it will be. This should now really fix #10.

459below commented 6 years ago

Seems like Jessie does always include cryptsetup, but Stretch does not. I will revert the commits, which are rendered useless by that fact.

fetzerms commented 6 years ago

Thanks for your contributions! Before merging: Do we need to add CRYPTSETUP=y when using Stretch? Does it hurt, if we add it to Jessie as well?

Or did I get that wrong?

459below commented 6 years ago

In short: yes, it seems this needs to be added on Stretch, and no, it shouldn't have any adverse effects on Jessie.

[tmasar@thalamus ~]$ head -n 15 /etc/cryptsetup-initramfs/conf-hook 
#
# Configuration file for the cryptroot initramfs hook.
#

#
# CRYPTSETUP: [ y | n ]
#
# Add cryptsetup modules to the initramfs image, regardless of _this_
# machine configuration.  By default, cryptsetup modules are only added
# when there is a device that needs to be unlocked at initramfs stage
# (such as root or resume devices).
#

CRYPTSETUP=y

The CRYPTSETUP parameter determines whether initramfs should be forced to include the cryptsetup binary. The parameter has been moved around over time, and in Stretch it now lives in its own config file.

As far as I know CRYPTSETUP - in theory - should be set automatically if we have an encrypted system, and with Jessie it seems to be working as intended. However, in my experience it doesn't always work. I'm not sure what I would've done wrong, but just yesterday, when I analyzed compatibility with Stretch, the system didn't produce an initramfs with cryptsetup included on its own, even though it was the very stock encrypted system set up by the Debian installer. Since it doesn't really add much to the size of the initramfs, I would always set this parameter to be on the safe side.

If we want to add this parameter to Jessie, I think we could use a separate hook which just includes CRYPTSETUP=y. That's what I did to encrypt Raspbian a while back. That hook would be ignored by Stretch.

I have used this to encrypt an existing system. The strategy was:
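The following is an added example illustrating the CRYPTSETUP=y discussion above; it is not code from cryptboot-ssh or from any participant in this thread. It sets CRYPTSETUP=y idempotently in the conf-hook file quoted earlier (the Stretch path /etc/cryptsetup-initramfs/conf-hook is the one from the thread; JESSIE_CONF is an assumed location for a separate hook file and may need adjusting), and then checks an lsinitramfs listing for the cryptsetup binary, which is the verification step a practitioner would want after update-initramfs, since an auto-detected setting that silently did not apply is exactly the failure described above. The demo at the bottom runs against constructed files in a temporary directory, so it is safe to execute offline.

```shell
#!/bin/sh
# Added example (not part of cryptboot-ssh): force cryptsetup into the initramfs
# and verify the built image actually contains the binary.

STRETCH_CONF=/etc/cryptsetup-initramfs/conf-hook            # path quoted in the thread
JESSIE_CONF=/etc/initramfs-tools/conf-hooks.d/cryptboot-ssh # assumed location, adjust as needed

# Return 0 if the file has an active (uncommented) CRYPTSETUP=y line.
cryptsetup_forced() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*CRYPTSETUP=y[[:space:]]*$' "$1"
}

# Set CRYPTSETUP=y in the given file. Idempotent: an existing active
# CRYPTSETUP=... line is rewritten in place, commented lines are left alone,
# and nothing is added when the setting is already active.
force_cryptsetup() {
    conf="$1"
    if cryptsetup_forced "$conf"; then
        return 0
    fi
    mkdir -p "$(dirname "$conf")"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*CRYPTSETUP=' "$conf"; then
        tmp="$conf.tmp.$$"
        sed -E 's/^([[:space:]]*)CRYPTSETUP=.*/\1CRYPTSETUP=y/' "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf '%s\n' \
            '# Force the cryptsetup binary into the initramfs (remote unlock).' \
            'CRYPTSETUP=y' >> "$conf"
    fi
}

# Return 0 if a saved `lsinitramfs` listing contains the cryptsetup binary.
# Matches both sbin/cryptsetup and usr/sbin/cryptsetup.
listing_has_cryptsetup() {
    grep -Eq '(^|/)sbin/cryptsetup$' "$1"
}

# Same check directly against an image; needs lsinitramfs, so not run offline.
image_has_cryptsetup() {
    lsinitramfs "$1" | grep -Eq '(^|/)sbin/cryptsetup$'
}

# Offline demo on constructed input: a conf-hook whose CRYPTSETUP line is
# commented out (as shipped), and two fake lsinitramfs listings.
demo_dir=$(mktemp -d)
printf '#\n# CRYPTSETUP: [ y | n ]\n#\n\n#CRYPTSETUP=y\n' > "$demo_dir/conf-hook"
force_cryptsetup "$demo_dir/conf-hook"
if cryptsetup_forced "$demo_dir/conf-hook"; then
    echo "conf-hook: CRYPTSETUP=y is active"
fi
printf 'bin/sh\nsbin/cryptsetup\nlib/x86_64-linux-gnu/libcryptsetup.so.4\n' > "$demo_dir/good.lst"
printf 'bin/sh\nlib/x86_64-linux-gnu/libcryptsetup.so.4\n' > "$demo_dir/bad.lst"
listing_has_cryptsetup "$demo_dir/good.lst" && echo "good.lst: cryptsetup present"
listing_has_cryptsetup "$demo_dir/bad.lst" || echo "bad.lst: cryptsetup MISSING, unlock would fail"
rm -rf "$demo_dir"
```

On a real system the sequence is force_cryptsetup "$STRETCH_CONF" (or "$JESSIE_CONF" on Jessie, where the separate hook file is an assumption), then update-initramfs -u, then image_has_cryptsetup /boot/initrd.img-$(uname -r). Note that the listing check deliberately ignores libcryptsetup.so: the library alone is not enough to unlock, only the binary is.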