F36 Encrypted Root With Automatic Key Unlocking

pedrogfrancisco · May 23, 2022, 9:58am

Hello!
Is anyone else using the guide Fedora Encrypted Root With Automatic Key Unlocking?

I’m using a cleartext partition on the same disk – the intent here is not to prevent Evil Maid attacks but to have encryption at rest.

The instructions have worked so far but for some reason on a clean install of F36 I’ve failed to get them to work. Since I made a clean install, it is possible it is an error on my part.

So: has anyone got working auto-unlocking LUKS on F36, either from an unencrypted USB pen or from an unencrypted partition on an internal disk?

kpfleming · May 23, 2022, 5:59pm

I have it working, with the key on an unencrypted USB drive. In fact this was working on F35 and the upgrade to F36 went smoothly, it just kept on working I’m pretty sure I used that blog post you linked as the starting point as well.

pedrogfrancisco · June 5, 2022, 5:18pm

You’re right. It was PEBCAK.
I had

GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-926ee4d1-4cd8-43d7-97a3-07d41ed2a742  rd.luks.key=**luks**-926ee4d1-4cd8-43d7-97a3-07d41ed2a742=/my.luks.key:LABEL=keys rd.luks.options=**luks**-926ee4d1-4cd8-43d7-97a3-07d41ed2a742=keyfile-timeout=45s rhgb quiet"

instead of

GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-926ee4d1-4cd8-43d7-97a3-07d41ed2a742  rd.luks.key=926ee4d1-4cd8-43d7-97a3-07d41ed2a742=/my.luks.key:LABEL=keys rd.luks.options=926ee4d1-4cd8-43d7-97a3-07d41ed2a742=keyfile-timeout=45s rhgb quiet"

and only now I noticed it.