There is variability in disk naming for crypttab. How do I know what kind of name to use? Thanks for your help!
one version has nvme0n1p3_crypt UUID=xxx
another version has @w4tsn
I have uuddev/sda3 /dev/disk/by-uuid/xxx
for line start in crypttab
[I do not write “Centuries” “4” passwords or passphrases down. They did not “just guess.” Somehow Fire Departments have a way to bypass passwords and attack people’s computers physically when they are away from home and their computers are physically vulnerable.]
It doesn’t really matter. This is the name for the unlocked LUKS container, you can put anything you want there. In Fedora, we use luks-<UUID>.
The only reason to pay attention to this is if you use the name anywhere else to refer to the unlocked device, for example in /etc/fstab, but you should be using UUIDs in fstab as well.
@vtrefny @w4tsn There are several things going on with this topic. I changed crypttab to luks-<machineID> as suggested, but when I restart, the edit is reverted back to /dev/disk/by- does not exist. vi might take some getting used to. But I think I got it. Thing is, there is no way to regenerate dracut -f from emergency shell # “dracut: command not found.” Can’t systemctl restart dev-sda-service. And how should I check fstab if I need to? Don’t think I do since I am using GRUB not EFI.
It looks like you didn’t run dracut -f after changing the crypttab, because the change didn’t propagate to the initramfs. You need to do this from the running system. It cannot be done from the emergency console: at that point you are in the initramfs, so you can’t update it.
Your /etc/crypttab looks wrong: the syntax is <container name> <luks device> ..., so it should be luks-2f29c8... /dev/sda3 none ..., not the other way around.
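The field order described in the answer above, turned into a check that flags lines where the device and the container name are swapped. This is an added example, not part of any post in this thread; the function names and the sample values used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect swapped fields in crypttab lines.
# Field order per the answer above: <container name> <luks device> <keyfile> <options>

# A device field is a path (/dev/sda3, /dev/disk/by-uuid/...) or UUID=...
is_device_spec() {
    case "$1" in
        /*|UUID=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one of: skip, ok, swapped, malformed
check_crypttab_line() {
    set -f            # no glob expansion while splitting
    set -- $1         # split the line into whitespace-separated fields
    set +f
    if [ "$#" -eq 0 ]; then echo skip; return 0; fi
    case "$1" in '#'*) echo skip; return 0 ;; esac
    if [ "$#" -lt 2 ]; then echo malformed; return 0; fi
    if is_device_spec "$1" && ! is_device_spec "$2"; then
        echo swapped      # device came first, name second
    elif ! is_device_spec "$1" && is_device_spec "$2"; then
        echo ok
    else
        echo malformed    # neither or both fields look like a device
    fi
}

# Scan a file; print "<lineno>: <verdict>" for each bad line, return 1 if any.
scan_crypttab() {
    n=0; bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        v=$(check_crypttab_line "$l")
        case "$v" in
            swapped|malformed) echo "$n: $v"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# When run with a file argument (e.g. /etc/crypttab), scan it.
if [ "$#" -gt 0 ]; then scan_crypttab "$1" || exit 1; fi
```

After correcting a flagged line, run dracut -f from the running system so the change reaches the initramfs, as the answer above explains.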
That is what I was saying. So do I have to “unenroll” the FIDO USB key to get the system past boot to make the changes? Can I just remove the options at the end of crypttab? If so, couldn’t an attacker just do the same thing, defeating the purpose of USB key crypt?