I have a Red Hat 6.5 Linux implementation that uses LUKS to encrypt the system and - for reasons that aren't relevant - I would like to "turn off" boot encryption checking for a period of time. It will be turned on again at some point so even if it is possible to remove the LUKS encryption entirely, that is not a solution I am interested in.
What I want is to auto-provide the LUKS password on boot so that it doesn't need to be entered manually - thus logically "turning off" encryption even though still actually enabled.
Now, while this is straightforward for secondary devices, i.e. by creating a key file, applying the key file to the encrypted devices and amending /etc/crypttab to reference the key file, one still has to enter at least one password on boot, because, if the primary device is LUKS encrypted, then it first has to be decrypted before /etc/crypttab is accessible.
There is a way I have seen of removing the requirement to enter the initial password which is:
This all looks good, except that I don't want a removable not-encrypted device involved. I simply want the server to boot as though it wasn't encrypted.
The only way I can see to achieve this is to replace "removable not-encrypted device" with "normal not-encrypted device". In which case the boot process would read "normal not-encrypted device", get the key and use it to decrypt the encrypted devices ...hey presto, encryption is disabled.
The only device I can find on my system that fulfills the "normal not-encrypted device" criteria is /dev/sda1, i.e. /boot, so I performed the above steps with steps 3 and 4 as follows:
Unfortunately I can't seem to get this to work.
Red Hat boots and I don't get asked for a password (as expected), however towards the end of the boot process, it fails with "Kernel panic - not syncing: Attempted to kill init! ..."
This behaviour is identical whichever of the following I use:
So my questions are as follows:
Thanks in advance for any help.
After much digging I have finally found the answer (which works on both CentOS 6.6 and 7). Thanks to the following 2 resources in particular:
What I did is as follows (as root user):
# insert a password into my chosen password file
echo -n "anypassword" > /etc/mypasswdfile
# instruct the LUKS device to take the password from my password file:
# edit /etc/crypttab and replace the 3rd field "none" with "/etc/mypasswdfile"
vi /etc/crypttab
# add my password file as a valid key for the luks device
cryptsetup luksAddKey /dev/sda2 /etc/mypasswdfile
# configure dracut to add the following 2 items to the initramfs (so accessible at boot)
echo 'install_items="/etc/mypasswdfile /etc/crypttab"' > /etc/dracut.conf.d/99-mypwfile.conf
# instruct dracut to apply the configuration
dracut -f
# reboot the server
reboot
And that's it. The server reboots without requesting a password. (This can be disabled/enabled at will by removing/adding the keyfile from the LUKS device via the cryptsetup command.)
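As a defender's check added here (not part of the original answer), the following POSIX shell script reads a crypttab and an lsinitrd listing and reports which LUKS key files have been baked into the initramfs, which is exactly the state the recipe above leaves the host in; the file names match the answer and the sample input is constructed.

```shell
#!/bin/sh
# Audit helper added as an example; it is not part of the original answer.
# It lists the key files named in /etc/crypttab and reports which of them
# are embedded in an initramfs, i.e. where the passphrase prompt has been
# bypassed as in the recipe above. Sample data below is constructed.

# Print the key-file path of every crypttab entry whose 3rd field names a
# file (skips blank lines, comments and the "none"/"-" placeholders).
crypttab_keyfiles() {
    printf '%s\n' "$1" |
        awk '!/^[[:space:]]*(#|$)/ && $3 != "" && $3 != "none" && $3 != "-" { print $3 }'
}

# $1 = key-file path, $2 = initramfs listing as printed by "lsinitrd <image>"
# (path is the last field, without a leading "/"). Exit 0 if present.
keyfile_in_initramfs() {
    printf '%s\n' "$2" | awk -v p="${1#/}" '$NF == p { found = 1 } END { exit !found }'
}

# Print every crypttab key file that the initramfs listing contains.
embedded_keyfiles() {
    for kf in $(crypttab_keyfiles "$1"); do
        keyfile_in_initramfs "$kf" "$2" && printf '%s\n' "$kf"
    done
    return 0
}

# Constructed sample input mirroring the state the answer produces.
SAMPLE_CRYPTTAB='# <name>   <device>   <key file>         <options>
luks-root   /dev/sda2  /etc/mypasswdfile  luks
luks-data   /dev/sdb1  none               luks'
SAMPLE_LISTING='-rw-r--r--   1 root root   11 Jan  1 00:00 etc/mypasswdfile
-rw-r--r--   1 root root   90 Jan  1 00:00 etc/crypttab'

# On a real host: embedded_keyfiles "$(cat /etc/crypttab)" "$(lsinitrd /boot/initramfs-$(uname -r).img)"
embedded_keyfiles "$SAMPLE_CRYPTTAB" "$SAMPLE_LISTING"
```

Any path it prints is a key that anyone able to read the unencrypted /boot partition can recover, so the output doubles as the list of devices whose encryption is currently only nominal.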