Radu Radutiu wrote:
> On Tue, Nov 27, 2018 at 3:14 PM mark <m.roth at 5-cent.us> wrote:
>
>> What we do is to have the encryption key of the secondary filesystem in
>> /etc/crypttab, which is, of course, 600. As it boots, it decrypts from
>> that as it mounts the rest of the system.
>>
> Thanks, this is working as expected and it gave me the hint needed to
> find the actual problem. The problem is that the initramfs image generated
> by dracut -f does not include the /etc/crypttab from the OS (it only
> contains the entry for the root device). Once I have manually added the
> other volumes in the /etc/crypttab file from the initramfs image, clevis
> is able to decrypt all volumes. Now the question is why the generated
> initramfs image has a different /etc/crypttab. How can I specify
> /etc/crypttab for the initramfs so that
> further kernel updates will not replace it with the wrong file?
>

Sorry, I think you misunderstood. The key for root is *not* in /etc/crypttab - that's only for the secondary ones.

mark
On Tue, Nov 27, 2018 at 8:06 PM mark <m.roth at 5-cent.us> wrote:
> Sorry, I think you misunderstood. The key for root is *not* in
> /etc/crypttab - that's only for the secondary ones.
>
> mark
>

I understood correctly, it's just that your mentioning that one can put the key in the /etc/crypttab gave me the idea to check if the initramfs image will have the same content for crypttab. So now I have 2 working solutions:

1) /etc/crypttab on OS has a reference to the file that contains the key to decrypt the second volume (the key is on the encrypted root fs). I have checked and the initramfs /etc/crypttab has only the line for the root volume, without any reference to the second volume. The root volume gets decrypted by clevis+tang. The second volume is decrypted after the root volume is decrypted, /etc/crypttab is read and the key is found.

2) the initramfs /etc/crypttab was manually updated to add the line for the second volume. Clevis + tang will decrypt both the root fs and the second volume.

I was surprised to find out that the /etc/crypttab in initramfs is different from the one in OS. So now I'm searching for the correct way to force dracut to include /etc/crypttab unchanged in the initramfs image.

Radu
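A check for the situation Radu describes, added here as an example and not code from the thread: it compares the volume names in the host's /etc/crypttab with those in the crypttab that dracut actually placed in the initramfs and reports any that the image is missing. It assumes dracut's `lsinitrd -f /etc/crypttab <image>` prints that file from the image; the sample crypttab contents and UUID placeholders are constructed.

```shell
#!/bin/sh
# Added example: detect secondary LUKS volumes present in the host's
# /etc/crypttab but absent from the initramfs copy that dracut generated.
# Sample contents below are constructed; UUIDs are placeholders.

# Print the mapped-name field of every non-comment, non-empty crypttab line.
crypttab_names() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# Usage: missing_entries <host_crypttab> <initramfs_crypttab>
# Prints host volumes missing from the initramfs copy, one per line.
# Returns 1 if anything is missing, 0 otherwise.
missing_entries() {
    _h=$(mktemp); _i=$(mktemp)
    crypttab_names "$1" > "$_h"
    crypttab_names "$2" > "$_i"
    _m=$(comm -23 "$_h" "$_i")   # names only in the host file
    rm -f "$_h" "$_i"
    if [ -n "$_m" ]; then printf '%s\n' "$_m"; return 1; fi
    return 0
}

# Usage: check_initramfs /boot/initramfs-<kernel>.img
# Extracts /etc/crypttab from the image (assumes dracut's lsinitrd) and
# compares it with the live /etc/crypttab; returns 2 if extraction fails.
check_initramfs() {
    _t=$(mktemp)
    lsinitrd -f /etc/crypttab "$1" > "$_t" || { rm -f "$_t"; return 2; }
    missing_entries /etc/crypttab "$_t"; _rc=$?
    rm -f "$_t"
    return $_rc
}

# Constructed samples: host crypttab with root (clevis/tang) and a data
# volume keyed from a file on the root fs; initramfs copy has root only.
HOST_SAMPLE=$(mktemp); INITRD_SAMPLE=$(mktemp)
cat > "$HOST_SAMPLE" <<'EOF'
# <name> <device> <keyfile> <options>
luks-root UUID=ROOT-UUID-PLACEHOLDER none _netdev
data UUID=DATA-UUID-PLACEHOLDER /etc/keys/data.key luks

EOF
cat > "$INITRD_SAMPLE" <<'EOF'
luks-root UUID=ROOT-UUID-PLACEHOLDER none _netdev
EOF
```

Run `check_initramfs /boot/initramfs-$(uname -r).img` after each `dracut -f` or kernel update to confirm every secondary volume survived into the image.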