oam/knowledge base/encrypted root filesystem.md
2023-07-09 18:00:36 +02:00

Encrypted root filesystem

Table of contents

  1. Avoiding typing the passphrase twice
  2. Further readings

Avoiding typing the passphrase twice

Add a key file to your initrd so that you only type the decryption passphrase once, in the bootloader, instead of typing it again when the initrd unlocks the root partition.

This should only be done with an encrypted root partition that includes /boot: if the initrd lived on an unencrypted /boot partition, anyone able to read it could extract the key file, which would defeat encrypting your root partition.

  1. generate a new key:

    sudo dd if=/dev/urandom of=/.root.key bs=1024 count=1
    
  2. make the key file only readable by root:

    sudo chmod 600 /.root.key
    sudo chown root:root /.root.key
    
  3. register the key file as a valid way to decrypt your root partition:

    sudo cryptsetup luksAddKey /dev/sda1 /.root.key
    
  4. edit /etc/crypttab, adding the key file as the third column of the row that refers to the root partition (identified by UUID):

    cr_sda1 UUID=... /.root.key
    
  5. add the key file to the initrd:

    # suse
    echo -e 'install_items+=" /.root.key "' | sudo tee --append /etc/dracut.conf.d/99-root-key.conf > /dev/null
    
  6. make /boot accessible to root only, to prevent non-root users from reading the initrd and extracting the key file:

    sudo chmod 700 /boot
    

    to ensure that the new permissions are not overwritten later, add the following line to /etc/permissions.local:

    /boot/ root:root 700
    

If you have other encrypted partitions (e.g. /home or swap), you can create additional key files to unlock them without entering a passphrase.
This works exactly as described above in steps 1-4, except that you don't need to add the keys for those partitions to the initrd.
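A set of checks for the setup above, added here as an example and not part of the original article: each function takes explicit paths so it can be run against copies of the files, while report() uses the article's paths (/.root.key, /etc/crypttab, /etc/dracut.conf.d/99-root-key.conf) plus an assumed /boot/initrd location. The initrd check needs dracut's lsinitrd and only passes once the initrd has been rebuilt after the dracut config was added, since install_items is applied at build time.

```shell
#!/bin/sh
# Added example (not from the original article): post-setup checks for the
# key-file configuration. Paths are parameters; defaults follow the article.

# True when the path exists and its permission bits equal the given octal mode.
mode_is() {
    [ -e "$1" ] && [ "$(stat -c '%a' "$1")" = "$2" ]
}

# True when a non-comment crypttab row names the key file in its third field.
crypttab_uses_key() {
    awk -v key="$2" '$1 !~ /^#/ && $3 == key { found = 1 } END { exit !found }' "$1"
}

# True when an install_items+="..." line in the dracut config names the key file.
dracut_installs_key() {
    grep -E '^install_items\+=' "$1" 2>/dev/null | grep -Fq -- "$2"
}

# True when the built initrd actually contains the key (requires dracut's lsinitrd;
# lsinitrd lists paths without the leading slash, hence ${2#/}).
initrd_contains_key() {
    lsinitrd "$1" 2>/dev/null | grep -Fq -- "${2#/}"
}

# Runs all checks against the live system, one line per result; returns 1 on any failure.
# The initrd path is an assumption; adjust it to the image your bootloader loads.
report() {
    key=${1:-/.root.key}
    initrd=${2:-/boot/initrd}
    rc=0
    check() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; rc=1; fi; }
    check mode_is "$key" 600
    check mode_is /boot 700
    check crypttab_uses_key /etc/crypttab "$key"
    check dracut_installs_key /etc/dracut.conf.d/99-root-key.conf "$key"
    check initrd_contains_key "$initrd" "$key"
    return "$rc"
}

# Usage: sh rootkey-check.sh --run [keyfile] [initrd]   (run as root to read /boot)
if [ "${1:-}" = "--run" ]; then report "${2:-}" "${3:-}"; fi
```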

Further readings