Brian Mearns / dracut-crypt-wait


Brian Mearns  committed 82047d9 Draft


  • Parent commits a67de85
  • Branches default

Files changed (1)


+crypt-wait module for Dracut.
+This is a dracut module for unlocking LUKS encrypted root filesystems
+remotely over SSH. The module launches Dropbear SSH server during boot
+and also replaces the cryptroot-ask shell script from the dracut crypt
+module with one which sits around and waits for you to unlock the root,
+instead of asking for your passphrase.
+You'll need to install dropbear and the dracut-crypt module, and setup the
+server keys for dropbear, as well as an authorized_keys file for root for
+dropbear to use.
+To use, you'll need to add the following parameters to your kernel command
+line (e.g., in your grub config file): 'rd.lukswait=1' You may also want to
+add 'ip=dhcp rd.neednet=1 rdneednet=1' to make sure (hopefully) that your
+network will be setup during boot.  The 'rd.lukswait=1' parameter tells the
+module to replace the cryptroot-ask shell script that is normally used to
+ask for your password, with the custom one from this module. Without these,
+the module will still start dropbear, but you'll have to figure out how
+to send your password to the script that's asking for it, which I could
+never figure out how to do.
+When booting, the module's hook script will write out some useful info
+messages to the kernal log (try `dmesg`) about what you need to do. It
+will provide details on the LUKS filesystem you need to unlock in a file
+called /tmp/cryptroot-unlock-root.sh (which isn't actually executable). In
+the meantime, the script hangs around in an idle loop waiting for you to
+delete this same file. Once it's deleted, init will continue as usual. So
+in summary: unlock your root filesystem and then delete the tmp file.
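Review bot: The setup paragraph ("You'll need to install dropbear ... an authorized_keys file for root for dropbear to use") does not say where the module expects the dropbear server keys and the authorized_keys file to live, or how they end up in the initramfs, so the install cannot be completed from this README alone; please name the paths the module reads. In the kernel command line paragraph, 'rd.neednet=1 rdneednet=1' reads like a duplicate or a typo; if both spellings are intentional, say why, and "Without these" should name the parameter it means, since the text says only 'rd.lukswait=1' swaps in the waiting script. The last paragraph says init continues once /tmp/cryptroot-unlock-root.sh is deleted but never names the command used to unlock the volume, and it should state what happens if the file is deleted before the root is actually unlocked. A file that "isn't actually executable" would be less confusing without the .sh suffix, or with a note on how it is meant to be used. Also "kernal" should be "kernel".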