I have an encrypted Debian Linux system. I also try to detach the LUKS header from the encrypted container. The whole /boot/ partition will be stored on a separate device. I thought I could place the LUKS header under /boot/header/luks.img, but during the initramfs/initrd phase this path doesn't exist because the /boot/ partition isn't mounted yet.

So the question is how to automatically mount the /boot/ partition before the system tries to open the encrypted device? Or is there any other (or better) way to make it work?

  • Does /etc/crypttab get it working right? I think there's a "load first or second" option that might help, but I'm not able to check/search now, if crypttab isn't too "late" already Commented Mar 16, 2018 at 21:55
  • It's a little bit complicated setup when you want to make it work the way I wanted to. I've managed to do it ultimately. See the answer Commented Mar 16, 2018 at 23:34

1 Answer

Basically, this setup won't work OOTB because you have to mount some partition (in this case /boot/) in the initramfs/initrd phase, and by default there's no partition mounted there. Without the /boot/ partition you can't use the LUKS header. So the only way to make it work is to write some custom scripts that will mount/unmount the partition in the initramfs/initrd phase.

I've managed to write some HowTo on this subject, and the setup works really great.
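
One way the mount step described in the answer could look on Debian's initramfs-tools, as an added example that is not the answer author's script: the file name, the placeholder UUID, the ext4 filesystem type and the wait time are assumptions, and the filesystem module must be present in the initramfs.

```shell
#!/bin/sh
# Added example (hypothetical file name):
#   /etc/initramfs-tools/scripts/init-premount/mount-boot-header
# Mounts the separate /boot device read-only inside the initramfs so that the
# detached LUKS header is reachable before the encrypted device is opened.
PREREQ="udev"   # run after udev has started creating device nodes

# Assumed values: replace the placeholder UUID and the filesystem type.
BOOT_DEV="${BOOT_DEV:-/dev/disk/by-uuid/REPLACE-WITH-BOOT-UUID}"
BOOT_FSTYPE="${BOOT_FSTYPE:-ext4}"
BOOT_MNT="${BOOT_MNT:-/boot}"
HEADER="${HEADER:-$BOOT_MNT/header/luks.img}"
WAIT_SECS="${WAIT_SECS:-10}"
MOUNT="${MOUNT:-mount}"

# Poll until the device node exists; removable media can show up late.
wait_for_device() {
    i=0
    while [ ! -e "$1" ]; do
        [ "$i" -ge "$2" ] && return 1
        sleep 1
        i=$((i + 1))
    done
}

# Return codes: 1 = device never appeared, 2 = mount failed, 3 = header missing.
mount_boot_ro() {
    wait_for_device "$BOOT_DEV" "$WAIT_SECS" || return 1
    mkdir -p "$BOOT_MNT"
    "$MOUNT" -t "$BOOT_FSTYPE" -o ro "$BOOT_DEV" "$BOOT_MNT" || return 2
    [ -r "$HEADER" ] || return 3
}

# initramfs-tools asks every script for its prerequisites first.
if [ "${1:-}" = "prereqs" ]; then
    echo "$PREREQ"
    exit 0
fi

# Only act inside the initramfs, where /scripts/functions exists.
if [ -f /scripts/functions ]; then
    . /scripts/functions
    mount_boot_ro || panic "cannot provide LUKS header $HEADER (code $?)"
fi
```

The script has to be executable and the initramfs rebuilt with `update-initramfs -u`; the unmount step the answer mentions would be a separate script that runs after the encrypted device has been opened.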
