author | Michal Sekletar <msekleta@redhat.com> | 2018-08-30 10:45:11 +0200
---|---|---
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-09-04 16:54:53 +0200
commit | 70f5f48eb891b12e969577b464de61e15a2593da |
tree | b7a3192f39c093e9b7f7899c8659a642e6b511b0 /man/systemd-cryptsetup-generator.xml |
parent | Merge pull request #10007 from keszybz/fix-no-logind |
download | systemd-70f5f48eb891b12e969577b464de61e15a2593da.tar.xz, systemd-70f5f48eb891b12e969577b464de61e15a2593da.zip |
cryptsetup-generator: introduce basic keydev support
Dracut has support for unlocking encrypted drives with a keyfile stored
on an external drive. This support is included in the generated initrd
only if the systemd module is not included.

When systemd is used in the initrd, attachment of encrypted drives is
handled by the systemd-cryptsetup tools. Our generator has support for
keyfiles; however, it didn't support a keyfile on an external block
device (keydev).

This commit introduces basic keydev support. Keydev can be specified per
luks.uuid on the kernel command line. Keydev is automatically mounted
during boot and we look for the keyfile in the keydev
mountpoint (i.e. the keyfile path is prefixed with the keydev mount point
path). After the crypt device is attached we automatically unmount the
device where the keyfile resides.
Example:
rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
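The commit message describes the value format the generator now accepts: a LUKS UUID, then `=`, then the keyfile path, optionally followed by `:` and a device identifier for the keydev, with the keyfile path looked up underneath the keydev's mount point once it is mounted. The following is an added example, not systemd's own code, that parses that format and applies the mount-point prefixing; the mount point `/run/keydev`, the function names and the rejection of a keydev without a UUID (the commit says keydev is per-device only) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not systemd's code: a parser for the kernel command
 * line value format the commit describes,
 *     rd.luks.key=<luks-uuid>=<keyfile-path>[:<keydev-spec>]
 * and the path prefixing that happens once the keydev is mounted. */
typedef struct {
    char uuid[64];     /* empty when the value names no LUKS UUID */
    char keyfile[256]; /* absolute path; relative to the keydev mount point when keydev is set */
    char keydev[256];  /* e.g. LABEL=KEYDEV; empty when no keydev was given */
} luks_key_spec;

/* Copies n bytes of src into dst as a NUL-terminated string; -1 if empty or too long. */
static int copy_field(char *dst, size_t dstlen, const char *src, size_t n) {
    if (n == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 0 on success, -1 on malformed input. A keydev is accepted only
 * together with a LUKS UUID, matching the per-device restriction in the commit. */
int parse_luks_key(const char *value, luks_key_spec *out) {
    const char *eq, *slash, *colon, *path = value;

    memset(out, 0, sizeof(*out));
    if (!value || !*value)
        return -1;

    /* "<uuid>=" precedes the path only if the first '=' comes before the first '/';
     * otherwise that '=' belongs to the keydev spec (LABEL=..., UUID=...). */
    eq = strchr(value, '=');
    slash = strchr(value, '/');
    if (eq && (!slash || eq < slash)) {
        if (copy_field(out->uuid, sizeof(out->uuid), value, (size_t)(eq - value)) < 0)
            return -1;
        path = eq + 1;
    }

    colon = strchr(path, ':');
    if (colon) {
        if (!out->uuid[0])
            return -1; /* keydev without a LUKS UUID is not supported */
        if (copy_field(out->keyfile, sizeof(out->keyfile), path, (size_t)(colon - path)) < 0 ||
            copy_field(out->keydev, sizeof(out->keydev), colon + 1, strlen(colon + 1)) < 0)
            return -1;
    } else if (copy_field(out->keyfile, sizeof(out->keyfile), path, strlen(path)) < 0) {
        return -1;
    }

    /* the key file must be given as an absolute path */
    return out->keyfile[0] == '/' ? 0 : -1;
}

/* Resolves where the key file is read from: unchanged when there is no keydev,
 * otherwise prefixed with the keydev mount point (the mount point name is an
 * assumption of this example). Returns a static buffer, or NULL on error. */
const char *resolve_keyfile(const char *value, const char *mountpoint) {
    static char buf[512];
    luks_key_spec spec;
    int n;

    if (parse_luks_key(value, &spec) < 0)
        return NULL;
    n = spec.keydev[0]
        ? snprintf(buf, sizeof(buf), "%s%s", mountpoint, spec.keyfile)
        : snprintf(buf, sizeof(buf), "%s", spec.keyfile);
    return (n < 0 || (size_t)n >= sizeof(buf)) ? NULL : buf;
}

int main(void) {
    /* constructed inputs: the commit's example plus a plain keyfile and a
     * keydev given without a UUID, which is rejected */
    const char *inputs[] = {
        "70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV",
        "/etc/keyfile",
        "/key:LABEL=KEYDEV",
    };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        const char *p = resolve_keyfile(inputs[i], "/run/keydev");
        printf("%-56s -> %s\n", inputs[i], p ? p : "(rejected)");
    }
    return 0;
}
```

With the commit's own example value, `resolve_keyfile` yields `/run/keydev/key`, i.e. the keyfile path prefixed with the keydev mount point; a plain `/etc/keyfile` is returned unchanged, and a keydev given without a LUKS UUID is rejected, mirroring the per-device limitation the commit states.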
Diffstat (limited to 'man/systemd-cryptsetup-generator.xml')
-rw-r--r-- | man/systemd-cryptsetup-generator.xml | 14
1 files changed, 14 insertions, 0 deletions
diff --git a/man/systemd-cryptsetup-generator.xml b/man/systemd-cryptsetup-generator.xml index c37ee76b87..e30d69bfe7 100644 --- a/man/systemd-cryptsetup-generator.xml +++ b/man/systemd-cryptsetup-generator.xml @@ -144,6 +144,20 @@ to the one specified by <varname>rd.luks.key=</varname> or <varname>luks.key=</varname> of the corresponding UUID, or the password file that was specified without a UUID.</para> + + <para>It is also possible to specify an external device which + should be mounted before we attempt to unlock the LUKS device. + systemd-cryptsetup will use password file stored on that + device. Device containing password file is specified by + appending colon and a device identifier to the password file + path. For example, + <varname>rd.luks.uuid=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40 + <varname>rd.luks.key=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev. + Hence, in this case, we will attempt to mount file system + residing on the block device with label <literal>keydev</literal>. + This syntax is for now only supported on a per-device basis, + i.e. you have to specify LUKS device UUID.</para> + <para><varname>rd.luks.key=</varname> is honored only by initial RAM disk (initrd) while |
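Review bot: the new paragraph says the keydev is given as "a device identifier" but never states which identifier forms are accepted, and the only example is `LABEL=keydev`; the man page should list the accepted forms (or say they are the same as for other device specifications) so a reader is not left guessing whether UUID= or a plain device path works. Two more gaps a reader of this page will hit: the paragraph does not say that the key device is unmounted again once the LUKS volume is attached, which the commit message states and which matters when the same device is used for several volumes, and it does not say what happens at boot when the named device cannot be found or mounted. Grammar in the added text also needs articles: "systemd-cryptsetup will use a password file stored on that device. The device containing the password file is specified by appending a colon and a device identifier to the password file path." Finally, the example uses `LABEL=keydev` while the commit message uses `LABEL=KEYDEV`; either is fine, but keep them consistent so nobody reads case as significant.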