I have a Red Hat 6.5 Linux implementation that uses LUKS to encrypt the system and - for reasons that aren't relevant - I would like to "turn off" boot encryption checking for a period of time. It will be turned on again at some point so even if it is possible to remove the LUKS encryption entirely, that is not a solution I am interested in.
What I want is to auto-provide the LUKS password on boot so that it doesn't need to be entered manually - thus logically "turning off" encryption even though still actually enabled.
Now, while this is straightforward for secondary devices, i.e. by creating a key file, applying the key file to the encrypted devices and amending /etc/crypttab to reference the key file, one still has to enter at least one password on boot - because, if the primary device is LUKS encrypted, then it first has to be decrypted before /etc/crypttab is accessible.
There is a way I have seen of removing the requirement to enter the initial password which is:
- create a key file
- apply the key file to the encrypted device, i.e. enabling the key for the device to be decrypted
- copy the key file to a removable not-encrypted device (e.g. a flash drive)
- append rd.luks.key=<absolute path to key file>:<removable not-encrypted device> to the booting kernel line in /boot/grub/grub.conf
- On boot, make sure the removable not-encrypted device is inserted and can be referenced by the boot process.
This all looks good, except that I don't want a removable not-encrypted device involved. I simply want the server to boot as though it wasn't encrypted.
The only way I can see to achieve this is to replace removable not-encrypted device with normal not-encrypted device. In which case the boot process would read normal not-encrypted device, get the key and use it to decrypt the encrypted devices ...hey presto encryption is disabled.
The only device I can find on my system that fulfills the normal not-encrypted device criteria is /dev/sda1, i.e. /boot, so I performed the above steps with steps 3 and 4 as follows:
- as above
- as above
- copy key file to /boot/keyfile.key
- append rd.luks.key=/boot/keyfile.key:/dev/sda1
- n/a
Unfortunately I can't seem to get this to work.
Red Hat boots and I don't get asked for a password (as expected), however towards the end of the boot process, it fails with "Kernel panic - not syncing: Attempted to kill init! ..."
This behaviour is identical whichever of the following I use:
- rd.luks.key=/boot/keyfile.key:/dev/sda1
- rd.luks.key=/keyfile.key:/dev/sda1
- rd.luks.key=/keyfile.key
- rd.luks.key=/someKeyFileThatIknowDoesNotExist.key:/dev/sda1
So my questions are as follows:
- Is what I am trying to do possible?
- If yes, then...
- where should I be putting the key file?
- what is the rd.luks.key value I should use to reference the key file?
Thanks in advance for any help.
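The procedure the question walks through (key file, luksAddKey, key file copied onto the unencrypted /boot partition, rd.luks.key on the kernel line), as an added example script that is not part of the original post. It assumes the LUKS-encrypted root is /dev/sda2, that /boot is /dev/sda1 mounted at /boot, and that GNU stat is available; none of that is stated in the post. Two points the post's own variants touch on are built in: dracut mounts the key device and looks the key path up relative to that filesystem's root, so a file at /boot/keyfile.key on /dev/sda1 is referenced as /keyfile.key:/dev/sda1, and the parameter name is left configurable because older dracut releases documented the same option as rd_LUKS_KEY; confirm the spelling in `man dracut` on the target box. Note what this does to the threat model: the key now sits in clear on an unencrypted partition, so anyone who can read the disk can open the LUKS volume.

```shell
#!/bin/sh
# Added example (not from the original post): create a LUKS key file on the
# unencrypted /boot filesystem, enrol it as an extra key slot, and build the
# dracut kernel argument that points at it.
# Assumptions: LUKS root is /dev/sda2, /boot is /dev/sda1 mounted at /boot,
# GNU stat is available. Run as: sh luks-bootkey.sh --plan|--apply /dev/sda2

# Create a 4096-byte random key file readable only by its owner. umask runs in
# a subshell so the file is never briefly world-readable.
make_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=4096 count=1 2>/dev/null ) || return 1
    chmod 0400 "$keyfile"
}

# Refuse to continue if the key file is missing, empty, or not mode 0400.
check_keyfile() {
    keyfile=$1
    if [ ! -f "$keyfile" ] || [ ! -s "$keyfile" ]; then
        echo "check_keyfile: $keyfile missing or empty" >&2
        return 1
    fi
    mode=$(stat -c %a "$keyfile")
    if [ "$mode" != "400" ]; then
        echo "check_keyfile: $keyfile has mode $mode, expected 400" >&2
        return 1
    fi
}

# dracut mounts the key device and looks the key path up relative to that
# filesystem's root, so /boot/keyfile.key on /dev/sda1 must be written as
# /keyfile.key, not /boot/keyfile.key.
keydev_relative_path() {
    keyfile=$1
    mountpoint=$2
    if [ "$mountpoint" = "/" ]; then
        printf '%s\n' "$keyfile"
        return 0
    fi
    case "$keyfile" in
        "$mountpoint"/*) printf '%s\n' "${keyfile#"$mountpoint"}" ;;
        *) echo "keydev_relative_path: $keyfile is not under $mountpoint" >&2; return 1 ;;
    esac
}

# Build the kernel argument <param>=<path on keydev>:<keydev>. The parameter
# name defaults to rd.luks.key as in the post; older dracut releases documented
# it as rd_LUKS_KEY, so pass that as the 4th argument if `man dracut` says so.
luks_key_arg() {
    keyfile=$1
    mountpoint=$2
    keydev=$3
    param=${4:-rd.luks.key}
    rel=$(keydev_relative_path "$keyfile" "$mountpoint") || return 1
    printf '%s=%s:%s\n' "$param" "$rel" "$keydev"
}

# --plan prints the steps without touching anything; --apply writes the key
# file and enrols it with cryptsetup (needs root and a real LUKS device).
main() {
    action=$1
    luksdev=$2
    keyfile=${3:-/boot/keyfile.key}
    bootdev=${4:-/dev/sda1}
    arg=$(luks_key_arg "$keyfile" /boot "$bootdev") || return 1
    echo "key file  : $keyfile (mode 0400, on the unencrypted /boot partition)"
    echo "enrol     : cryptsetup luksAddKey $luksdev $keyfile"
    echo "grub.conf : append '$arg' to the kernel line"
    [ "$action" = "--apply" ] || return 0
    make_keyfile "$keyfile" && check_keyfile "$keyfile" || return 1
    cryptsetup luksAddKey "$luksdev" "$keyfile" || return 1
    # Show the key slots so the newly enabled one can be seen.
    cryptsetup luksDump "$luksdev" | grep 'ENABLED'
}

case "${1:-}" in
    --plan|--apply) main "$@" ;;
esac
```

To put the protection back later, the reverse is `cryptsetup luksRemoveKey /dev/sda2 /boot/keyfile.key`, then delete the key file and drop the rd.luks.key argument from grub.conf; until that is done the passphrase adds nothing, because the slot unlocked by the plaintext key on /boot is just as valid.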