Hi, I’m attempting to configure Silverblue to unlock LUKS at boot with a USB drive. The keyfile lives on the root of the drive, which is formatted FAT32 and has a UUID of 9CC4-04CD. I’ve added the keyfile to the LUKS partition using cryptsetup. I’ve searched quite a bit and came to the following solution.
/etc/default/grub:
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-1652b62b-760f-4a49-8a18-dcac880c6635 rd.luks.key=luks-1652b62b-760f-4a49-8a18-dcac880c6635=keyfile:UUID=9CC4-04CD rd.luks.options=keyfile-timeout=5s rhgb quiet"
/etc/crypttab:
luks-1652b62b-760f-4a49-8a18-dcac880c6635 UUID=1652b62b-760f-4a49-8a18-dcac880c6635 keyfile:UUID=9CC4-04CD discard,keyfile-timeout=5s
/etc/dracut.conf.d/add-drivers.conf:
add_drivers+=" fat "
add_drivers+=" vfat "
I was originally having problems with grub2-mkconfig not applying the grub cmdline correctly, but turns out I needed to run rpm-ostree kargs --editor and add the kernel parameters there.
So now I’ve got the right grub cmdline and everything set up, but it’s still not working correctly.
I have a similar setup working on my Arch installation, but it’s using the standard encrypt mkinitcpio module, not sd-encrypt or dracut.
Any help would be great, thanks!