Mounting encrypted system LVM during boot with keyfile on external USB drive wrt IoT/Silverblue

Hi,

I am running Fedora IoT on a Radxa X4 x86_64 board with a system volume (LVM). The system volume is luks2 encrypted so that I can discard the device without worrying about the data (nothing sensitive, but all encrypted primarily for “good measure”).

I would like to automatically open my LUKS encrypted system LVM. So, I have added a keyfile to one of the LUKS slots and placed it onto a USB drive with an ext4 fs that I have labeled usb-fs-key.

Now, I would like to automatically unlock the device during boot with the file on the USB drive fs.

Thus, I have added the keyfile on the USB drive to my crypttab:

luks-12345-67890-systemluks UUID=12345-67890-systemluks /mysystemlvm.keyfile:LABEL=usb-fs-key	luks,keyfile-timeout=10s

where the path is relative to the USB drive fs, i.e., the keyfile mysystemuuid.keyfile is directly in the USB drive fs root. For crypttab etc. to actually pick up the correct device, I have added LABEL=usb-fs-key (the UUID of the USB drive fs would probably be nicer, but tbh I have no idea if it would work with UUIDs…)

Thing is, I am unsure how to automatically unlock the LVM LUKS and then mount all the volumes (/, /var, swap) in the LVM, plus make persistent changes to grub/initramfs.

I have tried to update /boot/efi/EFI/fedora/grub.cfg

set kernelopts="root=/dev/mapper/my--lvm--root--volume ro resume=UUID=56789-abcdef-swapinlvm rd.luks.uuid=12345-67890-systemluks rd.lvm.lv=my-lvm/my-lvm-root rd.lvm.lv=my-lvm/my-slvm-swap 

to include the keyfile:

set kernelopts="root=/dev/mapper/my--lvm--root--volume ro resume=UUID=56789-abcdef-swapinlvm rd.luks.uuid=12345-67890-systemluks rd.lvm.lv=my-lvm/my-lvm-root rd.lvm.lv=my-lvm/my-slvm-swap rd.luks.key=56789-abced-USBDRIVEUUID=/mysystemlvm.keyfile:LABEL=usb-fs-key

i.e., with rd.luks.key=56789-abced-USBDRIVEUUID=/mysystemlvm.keyfile:LABEL=usb-fs-key referring to the UUID of the USB drive fs and the keyfile again relative to the USB drive fs root.

While grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg does not throw any error, the changes seem not to be persistent (despite /boot being on a separate partition mounted as rw)??

Updating the initramfs always runs into an error, exiting with exit code 1:

> rpm-ostree initramfs --enable
Checking out tree 5bcc013... done
Enabled rpm-md repositories: fedora fedora-cisco-openh264 updates
...
Writing rpmdb... done
Generating initramfs... done
error: bwrap(rpmostree-dracut-wrapper): Child process killed by signal 1

Unfortunately, I am a bit lost on how to make grub persistent and how to successfully build a new initramfs?
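A worked example, added here and not code from any post in this thread: it parses a crypttab(5) line in the KEYFILE:KEYDEVICE form used above, derives the rd.luks.uuid=/rd.luks.key= kernel arguments in the form documented in dracut.cmdline(7), and flags two misconfigurations worth catching before rebuilding the initramfs. The device UUIDs and label are the thread's own placeholder values; the function names are the example's.

```python
"""crypttab(5) KEYFILE:KEYDEVICE entries -> dracut rd.luks.* arguments (dracut.cmdline(7)). Constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class CrypttabEntry:
    name: str               # mapped name that appears under /dev/mapper
    device: str             # LUKS container, e.g. UUID=... or /dev/...
    keyfile: Optional[str]  # key path; relative to keydev's root when keydev is set
    keydev: Optional[str]   # LABEL=/UUID=/dev node holding the key file, if any
    options: Dict[str, Optional[str]]  # bare flags such as "luks" map to None

def parse_crypttab_line(line: str) -> Optional[CrypttabEntry]:
    """Parse one crypttab line; returns None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"malformed crypttab line: {line!r}")
    name, device = fields[0], fields[1]
    keyspec = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
    options = {}
    for opt in (fields[3].split(",") if len(fields) > 3 else []):
        key, _, value = opt.partition("=")
        options[key] = value or None
    # crypttab(5): "PATH:DEVICE" means PATH is relative to DEVICE's filesystem root
    keyfile, sep, rest = keyspec.partition(":") if keyspec else (None, "", "")
    return CrypttabEntry(name, device, keyfile, rest if sep else None, options)

def dracut_args(entry: CrypttabEntry) -> List[str]:
    """rd.luks.uuid=<uuid> and rd.luks.key=<keypath>[:<keydev>[:<luksdev>]]."""
    args: List[str] = []
    if entry.device.upper().startswith("UUID="):
        args.append(f"rd.luks.uuid={entry.device[5:]}")
    if entry.keyfile:
        spec = entry.keyfile
        if entry.keydev:  # dracut only accepts luksdev after a keydev
            spec += f":{entry.keydev}:{entry.device}"
        args.append(f"rd.luks.key={spec}")
    return args

def warnings_for(entry: CrypttabEntry) -> List[str]:
    problems = []  # misconfigurations to catch before rebuilding the initramfs
    if entry.keydev and entry.keydev == entry.device:
        problems.append("key file is stored on the volume it is meant to unlock")
    if entry.keydev and not entry.keyfile.startswith("/"):
        problems.append("key path must be absolute (relative to the key device root)")
    return problems
```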

You cannot edit the GRUB config like that on Silverblue/IoT systems. You should use rpm-ostree kargs to edit the kernel arguments: Modifying Kernel Arguments :: Fedora Docs


ah, thanks - old habits…

I have appended the key file argument:

rpm-ostree kargs --append='rd.luks.key=56789-abced-USBDRIVEUUID=/mysystemlvm.keyfile:LABEL=usb-fs-key'

Unfortunately, regenerating the initramfs still throws an error:

> rpm-ostree initramfs --enable
Checking out tree 5bcc013... done
...
Writing rpmdb... done
Generating initramfs... done
error: bwrap(rpmostree-dracut-wrapper): Child process killed by signal 1

and the keyfile is not picked up and the system still asks for a password.

tbh I am not sure if it is a grub/initramfs issue or maybe something in my crypttab/fstab setup that I have not yet understood?


You will have to look at the full system logs to find why this is failing. Another option is to append to the initramfs instead of regenerating it. You can append the /etc/crypttab file with your config to it and that should be enough.

Look for options in rpm-ostree initramfs ... or something similar.

Unfortunately I have not made any progress and am giving up on this approach.

As an alternative, I am now trying a new installation with /boot{/efi} on the USB drive and the rest on the system device (with the key file on the USB drive partition in clear).