LUKS by passphrase

Is it possible to configure Ignition for LUKS and passphrase?

1 Like

Yes, you can use the key_file field in your FCC (or keyFile if using Ignition directly). The former supports inline: which allows you to type in your passphrase directly in the FCC.

1 Like

Ignition’s storage.luks section doesn’t natively provide a way to encrypt a volume with a passphrase that must be typed in during boot. key_file / keyFile automatically stores the specified passphrase in the root filesystem. As a workaround, you could have the config write a systemd unit that deletes the passphrase again.
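A sketch of what the cleanup unit from the workaround above could run (an added example, not code from the thread or from the Ignition project). The function name `drop_luks_keyfile` is hypothetical, and it assumes the key sits at /etc/luks/<name>.key and is referenced in the third field of /etc/crypttab; check both on your system first.

```shell
#!/bin/sh
# Added example. Assumed layout: key file at /etc/luks/<name>.key, referenced
# from the volume's entry in /etc/crypttab (name, device, key file, options).

# drop_luks_keyfile NAME [CRYPTTAB] [KEYDIR]
# Sets the key-file field of NAME's crypttab entry to "none", so the passphrase
# is asked for at boot, and then deletes the stored key file.
drop_luks_keyfile() {
    name=$1
    crypttab=${2:-/etc/crypttab}
    keydir=${3:-/etc/luks}
    keyfile="$keydir/$name.key"

    # Refuse to change anything unless the volume is actually listed.
    if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab"; then
        echo "no crypttab entry for $name" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # Comments and other volumes pass through unchanged.
    awk -v n="$name" '
        /^[[:space:]]*#/ { print; next }
        $1 == n {
            if (NF >= 4) print $1, $2, "none", $4
            else         print $1, $2, "none"
            next
        }
        { print }
    ' "$crypttab" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back in place so the file keeps its mode, owner and SELinux label.
    cat "$tmp" > "$crypttab" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # Delete the key only after crypttab no longer points at it.
    rm -f "$keyfile"
}
```

The passphrase still sits in the Ignition config itself, so wherever that config is stored or served needs the same protection as the key file.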