Gentoo Forums
Custom command in initramfs
Kernel & Hardware
BlueFusion (Guru; Joined: 08 Mar 2006; Posts: 371)
Posted: Fri Jul 25, 2014 1:21 am    Post subject: Custom command in initramfs

Hey all,

I don't know if this fits best here or elsewhere, but let me start by explaining what I experience and then how I want it to act.

I have 4 hard drives in a btrfs array that are encrypted with dm-crypt/LUKS. The btrfs filesystem houses the rootfs and all other mountpoints on it, which means they must all have their keys provided to them before init can begin.

This is a real pain in the butt because, while it prompts for the passphrase for the first disk, the rest must be entered by running the cryptsetup luksOpen /dev/sdx command in a shell.

What I'd like to do is make this easier by having the initramfs ask me for the passphrase, open LUKS on all 4 drives, and then "forget" the passphrase that was entered.

I have no idea how to go about doing the initramfs stuff, as I just use genkernel to build my kernels. Can anybody point me in the correct direction? Also, any tips on the "forgetting" of the passphrase other than for LUKS/dm-crypt itself? I have very basic C++ knowledge from a few classes years ago but am good at figuring things out with a tip in the right direction.

Thanks.
_________________
i7-940 2.93Ghz | ASUS P6T Deluxe (v.1) | 24GB Triple Channel RAM | nVidia GTX660
4x 4TB Seagate NAS HDD (Btrfs raid5) | 2x 120GB Samsung 850 EVO SSD (Btrfs raid1)

The Doctor (Moderator; Joined: 27 Jul 2010; Posts: 2600)
Posted: Fri Jul 25, 2014 1:36 am

It sounds to me like you are trying to use the wrong tool for the job. Ease of use would be greatly enhanced by making a slight change in your setup. Security shouldn't be affected by doing this since its weakest point is going to be your password anyway.

Use a password for opening your root partition and then use keyfiles stored on your root partition to open your other partitions. This way you won't have to store your password and the commands in your init will work easily.

Basically, you would create keys and store them in /root/keyfile and then have them automatically sorted out by the boot process.

Details are left as an exercise to the reader :wink:

EDIT: Sorry, I just reread your post and I realized this isn't really going to help, since you need to unlock multiple drives to get to your root. Although a keyfile on a flash drive would do the same thing.

Also, you might be able to do something like this in your init:
Code:
# read the passphrase once, without echoing it to the console
read -s -p "Password: " password
echo "$password" | <foo unlock1>
echo "$password" | <foo unlock2>
echo "$password" | <foo unlock3>
# overwrite the variable afterwards (no leading $ on an assignment)
password=trash
but I haven't been able to get this code to quite work.

Edit 2: The above seems to work for cryptsetup, but not for sudo.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

Last edited by The Doctor on Fri Jul 25, 2014 1:53 am; edited 1 time in total

BlueFusion (Guru; Joined: 08 Mar 2006; Posts: 371)
Posted: Fri Jul 25, 2014 1:50 am

Hi Doc,

Unfortunately, all 4 drives MUST be accessible for / to be mounted, since all 4 are combined as a single array. I had thought about using your method when I first set this up... and then I realized the problem of my ways too late.

The only filesystem other than /boot on here is this one:
Code:
area51 ~ # btrfs fi sh /
Label: 'btrfs1'  uuid: 1feb351f-7e16-4663-a2a6-caa18ee3317a
        Total devices 4 FS bytes used 1.77TiB
        devid    1 size 463.71GiB used 0.00 path /dev/mapper/root
        devid    2 size 931.51GiB used 445.03GiB path /dev/mapper/root3
        devid    3 size 465.76GiB used 1.00GiB path /dev/mapper/root2
        devid    4 size 1.82TiB used 1.35TiB path /dev/mapper/root4

As you can see, it requires all 4 drives (sda, b, c, d as root1, 2, 3, 4 respectively) to access data.

BlueFusion (Guru; Joined: 08 Mar 2006; Posts: 371)
Posted: Fri Jul 25, 2014 1:57 am

The cryptsetup should work with something similar to:
Code:
echo ${pass} | cryptsetup luksOpen --key-file=- ${cryptdev} ${cryptname}

where ${pass} is read from stdin.

My main question is: how do I get a custom script into the genkernel-built initramfs? I've never done that bit before, and a bunch of Google searches aren't very definitive.

The Doctor (Moderator; Joined: 27 Jul 2010; Posts: 2600)
Posted: Fri Jul 25, 2014 2:11 am
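The approach sketched in the two posts above (read the passphrase once, feed it to cryptsetup for each member of the array, then drop it), written out as an added example that is not code from this thread or from genkernel. The device paths, mapper names and the script name unlock-array.sh are assumptions; the function that opens each device takes the unlock command and the mapper directory from variables so the loop can be exercised with a stub instead of real disks.

```shell
#!/bin/sh
# Added example, not code from this thread: prompt once, open every LUKS member
# of the btrfs array with that passphrase, then drop it from the shell.
# Device paths and mapper names below are assumptions; adjust to your layout.

# "encrypted device:mapper name" pairs (constructed for this example)
LUKS_DEVICES="/dev/sda2:root /dev/sdb2:root2 /dev/sdc2:root3 /dev/sdd2:root4"
# Overridable so the loop can be exercised without real devices
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
# Prompt on the console with echo off (plain sh has no 'read -s')
read_passphrase() {
    printf 'Passphrase for the btrfs array: ' >&2
    stty -echo 2>/dev/null
    read -r PASS
    stty echo 2>/dev/null
    printf '\n' >&2
}

# Open each device that is not already mapped; returns the number of failures
unlock_all() {
    failed=0
    for pair in $LUKS_DEVICES; do
        dev=${pair%%:*}
        name=${pair#*:}
        [ -e "$MAPPER_DIR/$name" ] && continue
        # --key-file=- takes stdin as-is, so send no trailing newline: that way
        # the key equals the passphrase as typed at cryptsetup's own prompt
        if ! printf '%s' "$PASS" | "$CRYPTSETUP" luksOpen --key-file=- "$dev" "$name"; then
            echo "failed to open $dev as $name" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Dropping the variable is all the shell can do: it does not overwrite the
# memory, and the unlocked key lives on in the kernel's dm-crypt mapping anyway
forget_passphrase() {
    unset PASS
}

main() {
    read_passphrase
    unlock_all; rc=$?
    forget_passphrase
    return "$rc"
}

# Run the prompt only when executed as a script, not when sourced for testing
case "${0##*/}" in unlock-array.sh) main "$@" ;; esac
```

Devices already mapped (for example the first disk, opened by the initramfs's normal prompt) are skipped, so the script can run after that prompt without failing on a busy mapper name.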

That point is a little more complex. I don't think genkernel actually supports this. It might be easier to build yourself a custom one, or you may be able to edit the init file directly.

Rolling your own is actually a lot easier than it sounds.

If you want to try editing genkernel's, then I would make a copy to /usr/src/initramfs (or another location), extract it, edit the init file and then zip it back up. I would then copy this to your /boot under a different name and create a separate test entry while preserving the original.