multidisk crypt support
I have a somewhat complicated setup which involves:
- /boot on a USB that is LUKS encrypted
- 2+ NVMe disks, LUKS encrypted, with LVM over the top
- logical volume root sitting inside 2.
- /boot has a keyfile in its root, "crypto_keyfile.bin", which is the key to unlock 2.
The problem: "cryptroot" expects a single block device to contain the root filesystem, irrespective of the separate boot. With LVM striped over multiple LUKS-encrypted disks there is currently no way to make sure multiple disks are decrypted first.
I've been working on a patch that is actually a combination of a couple of things: !54 !57
But by adding 2 new-style kopts:
- cryptboot - this is for setting a UUID for unlocking a boot device that is mounted at /cryptboot during init
- cryptbootkey - this is for setting a path to a keyfile within the /cryptboot mount for unlocking cryptdevices
- cryptdevices - this is a list of UUIDs/LABELs
With the above you would set root=/dev/vg0/root (or whatever it is) and set cryptboot/cryptbootkey/cryptdevices etc. to the appropriate values.
The problem I'm having is that nlplug-findfs wants to do more than I want it to. For example, if I use:
+ for dev in $KOPT_cryptroot; do
+ case "$dev" in
+ UUID=*) mapping="luks-${dev#UUID=}";;
+ LABEL=*) mapping="luks-${dev#LABEL=}";;
+ *) mapping="luks-$(echo "$dev" | sed 's/\//-/g')";;
+ esac
+ echo "Unlocking $dev as $mapping"
+ nlplug-findfs $cryptopts -p /sbin/mdev ${KOPT_debug_init:+-d} -c "$dev" -m "$mapping" $KOPT_root
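Review bot: the trailing `$KOPT_root` argument on the `nlplug-findfs` call asks it to locate the root device on every iteration of the loop, which is the point at which it activates the LVM PV it has just unlocked while the other PVs are still locked; drop `$KOPT_root` from the per-device calls and run the root search once after the loop (or open the devices with `cryptsetup` directly and leave nlplug-findfs for the final root lookup). The loop also iterates `$KOPT_cryptroot`, while the description above introduces a separate `cryptdevices` kopt for the list of disks to open, so that kopt is never consumed here; and `$KOPT_root` is unquoted, so a value containing whitespace would split into extra arguments.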
and that disk happens to be an LVM PV, it will try to activate it and break (because in my example I have root as a raid1 logical volume on 2 x striped PVs).
If this is of interest or someone knows a better way of accomplishing this, I'd be super excited to look into it.
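The unlock ordering the post asks for, as an added shell example that is not the author's patch or mkinitfs code: it reads the proposed cryptboot/cryptbootkey/cryptdevices kopts, opens the boot device, uses its keyfile to open every listed disk, and only then activates LVM. Assumed here: cryptdevices is comma-separated, cryptbootkey is a path relative to /cryptboot, findfs/cryptsetup/lvm exist in the initramfs, and DRY_RUN=1 prints the commands instead of running them.

```shell
# Added example (not the author's patch): the unlock order the post describes.
# Assumes cryptboot=<UUID>, cryptbootkey=<path under /cryptboot>,
# cryptdevices=<comma-separated UUID=/LABEL= list>, and cryptsetup/findfs/lvm
# in the initramfs. DRY_RUN=1 prints each command instead of executing it.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Mapper name for a cryptdevices entry, same scheme as the quoted patch.
crypt_mapping_name() {
    case "$1" in
        UUID=*)  echo "luks-${1#UUID=}" ;;
        LABEL=*) echo "luks-${1#LABEL=}" ;;
        *)       echo "luks-$(echo "$1" | sed 's/\//-/g')" ;;
    esac
}

# Read the three kopts from a kernel command line string (e.g. /proc/cmdline).
parse_crypt_kopts() {
    KOPT_cryptboot='' KOPT_cryptbootkey='' KOPT_cryptdevices=''
    for opt in $1; do
        case "$opt" in
            cryptboot=*)    KOPT_cryptboot=${opt#cryptboot=} ;;
            cryptbootkey=*) KOPT_cryptbootkey=${opt#cryptbootkey=} ;;
            cryptdevices=*) KOPT_cryptdevices=$(echo "${opt#cryptdevices=}" | tr ',' ' ') ;;
        esac
    done
}

# Resolve UUID=/LABEL= to a block device with findfs; plain paths pass through.
crypt_dev_path() {
    case "$1" in
        UUID=*|LABEL=*) if [ -n "$DRY_RUN" ]; then echo "$1"; else findfs "$1"; fi ;;
        *) echo "$1" ;;
    esac
}

# Open the boot device, use its keyfile to open every cryptdevice, and only
# then activate LVM, so striped/raid LVs see all of their PVs at once.
unlock_cryptdevices() {
    [ -n "$KOPT_cryptboot" ] && [ -n "$KOPT_cryptdevices" ] || return 1
    run cryptsetup luksOpen "$(crypt_dev_path "UUID=$KOPT_cryptboot")" cryptboot || return 1
    run mkdir -p /cryptboot && run mount -o ro /dev/mapper/cryptboot /cryptboot || return 1
    keyfile="/cryptboot/${KOPT_cryptbootkey#/}"
    for dev in $KOPT_cryptdevices; do
        run cryptsetup luksOpen --key-file "$keyfile" \
            "$(crypt_dev_path "$dev")" "$(crypt_mapping_name "$dev")" || return 1
    done
    run umount /cryptboot && run cryptsetup luksClose cryptboot  # keyfile no longer needed
    run lvm vgchange -a y
}
```

Call `parse_crypt_kopts "$(cat /proc/cmdline)"` and then `unlock_cryptdevices` from init, after the device nodes exist and before any root filesystem search.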