crypt-wait module for Dracut.

This is a dracut module for unlocking LUKS encrypted root filesystems
remotely over SSH. The module launches Dropbear SSH server during boot
and also replaces the cryptroot-ask shell script from the dracut crypt
module with one which sits around and waits for you to unlock the root,
instead of asking for your passphrase.

You'll need to install dropbear and the dracut-crypt module, and set up the
server keys for dropbear, as well as an authorized_keys file for root for
dropbear to use.

To use, you'll need to add the following parameter to your kernel command
line (e.g., in your grub config file): 'rd.lukswait=1'. You may also want to
add 'ip=dhcp rd.neednet=1 rdneednet=1' to make sure (hopefully) that your
network will be set up during boot.  The 'rd.lukswait=1' parameter tells the
module to replace the cryptroot-ask shell script that is normally used to
ask for your password, with the custom one from this module. Without these,
the module will still start dropbear, but you'll have to figure out how
to send your password to the script that's asking for it, which I could
never figure out how to do.

When booting, the module's hook script will write out some useful info
messages to the kernel log (try `dmesg`) about what you need to do. It
will provide details on the LUKS filesystem you need to unlock in a file
called /tmp/cryptroot-unlock-root.sh (which isn't actually executable). In
the meantime, the script hangs around in an idle loop waiting for you to
delete this same file. Once it's deleted, init will continue as usual. So
in summary: unlock your root filesystem and then delete the tmp file.
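
The wait-then-delete handshake described above, as an added shell sketch (not
the module's own hook script). It goes one step beyond the README: it only
continues if the mapped device also exists after the file is deleted. The
function names, arguments and the details-file text are assumptions.

```shell
#!/bin/sh
# Added sketch of the wait-for-unlock handshake; NOT the module's hook script.
# Hypothetical names: wait_for_unlock, write_marker, MARKER and all arguments.

# Details file path as given in the README; override MARKER to try it elsewhere.
MARKER="${MARKER:-/tmp/cryptroot-unlock-root.sh}"

# write_marker DEVICE MAPPING
# Writes the details file, owner-only and not executable. The text is constructed.
write_marker() {
    (
        umask 077
        printf '# Unlock the root, then delete this file:\ncryptsetup luksOpen %s %s\nrm %s\n' \
            "$1" "$2" "$MARKER" > "$MARKER"
    )
}

# wait_for_unlock DEVICE MAPPING MAPPED_PATH [INTERVAL] [MAX_TRIES]
# Idles until the operator deletes the details file.
# Returns 0 once the file is gone AND MAPPED_PATH exists; 1 after MAX_TRIES
# polls (0 means wait forever, as a boot-time hook would).
wait_for_unlock() {
    dev=$1 name=$2 mapped=$3 interval=${4:-1} tries=${5:-0}
    n=0
    write_marker "$dev" "$name"
    while :; do
        if [ ! -e "$MARKER" ]; then
            # Deleting the file is only the signal; confirm the unlock happened.
            [ -e "$mapped" ] && return 0
            # File removed but root still locked: put it back and keep waiting.
            write_marker "$dev" "$name"
        fi
        n=$((n + 1))
        [ "$tries" -gt 0 ] && [ "$n" -ge "$tries" ] && return 1
        sleep "$interval"
    done
}

# Example call (device and mapping names are placeholders):
#   wait_for_unlock /dev/sdX1 luks-root /dev/mapper/luks-root
```
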