Automatically unlocking additional TrueCrypt or LUKS volumes during boot, without being asked for the password twice.
The solution was tested on Fedora 24 64-bit.
The additional containers must use the same password as the encrypted root.
- Download systemd from https://github.com/systemd/systemd using the "Clone or download" button.
- Unpack the downloaded archive and compile it. You have to go through all the standard steps: configure, install missing libraries and finally make. Don't be afraid: we need only one application, not the entire systemd.
- In a text editor open the file cryptsetup.c located in the systemd-master/src/cryptsetup/ directory.
  Modify it as I did in this GitHub repository:
  https://github.com/appdevsw/systemd-cryptsetup-mod/commits/master/cryptsetup.c
  You can also view the differences between the original and the modified version:
  https://github.com/appdevsw/systemd-cryptsetup-mod/commit/b49450409bd9cabeb9f055262c175b6a54561ae5#diff-babd06e0454f527a616eb6cf3796ed8c
  There are two pieces of new code, each enclosed between the lines
    //---------------- new code begin
    //---------------- new code end
  Copy and paste these fragments into your edited file in the right places.
- Run make again. After a successful compilation we need two files from the .libs subdirectory:
    systemd-cryptsetup
    libsystemd-shared-230.so
  Check that they are there.
- The following commands should be executed as root.
- Create a new file in the /etc directory named crypttab-other.conf. The file contains the information about the additional encrypted containers. Each line has 4 words:
  (1) A name from the first column of /etc/crypttab. This is usually the name of the encrypted root.
  (2) truecrypt or luks
  (3) Path to the device/partition that should be unlocked
  (4) Name of the mapping (it will appear as /dev/mapper/<name>)
  Example:
    lvm_crypt truecrypt /dev/sda3 mytc
  It means: unlock the TrueCrypt partition /dev/sda3 with the same password as lvm_crypt and make it available as /dev/mapper/mytc
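To catch typos in this file before the initramfs is rebuilt, here is an added shell function (not part of the original post) that validates each line of crypttab-other.conf against the 4-word format described above and checks that the first word is a mapping defined in /etc/crypttab. Both file paths are passed as arguments; device existence is deliberately not checked, because the device may only be visible at boot time.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check /etc/crypttab-other.conf
# before rebuilding the initramfs. Paths are passed as arguments (assumed layout).
# Usage: check_crypttab_other /etc/crypttab-other.conf /etc/crypttab
# Prints one diagnostic per bad line; the return value is the number of bad lines.
check_crypttab_other() {
    other="$1"
    crypttab="$2"
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # split the line into words; skip blank lines and comments
        set -- $line
        if [ "$#" -eq 0 ]; then continue; fi
        case "$1" in '#'*) continue ;; esac
        if [ "$#" -ne 4 ]; then
            echo "$other:$lineno: expected 4 words, got $#" >&2
            bad=$((bad + 1)); continue
        fi
        root_name="$1"; kind="$2"; device="$3"; mapname="$4"
        # (1) the first word must be a mapping name defined in /etc/crypttab,
        #     because its passphrase is the one that will be reused
        if ! awk -v n="$root_name" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "$other:$lineno: '$root_name' is not defined in $crypttab" >&2
            bad=$((bad + 1)); continue
        fi
        # (2) container type
        case "$kind" in
            truecrypt|luks) ;;
            *) echo "$other:$lineno: type must be truecrypt or luks, got '$kind'" >&2
               bad=$((bad + 1)); continue ;;
        esac
        # (3) device must be an absolute path (existence is not checked:
        #     the device may only be visible at boot time)
        case "$device" in
            /*) ;;
            *) echo "$other:$lineno: device '$device' must be an absolute path" >&2
               bad=$((bad + 1)); continue ;;
        esac
        # (4) the mapper name becomes /dev/mapper/<name>, so no slashes
        case "$mapname" in
            */*) echo "$other:$lineno: mapper name '$mapname' must not contain '/'" >&2
                 bad=$((bad + 1)); continue ;;
        esac
    done < "$other"
    return "$bad"
}
```

Run it as root with the two real paths; an exit status of 0 means every line passed.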
- Now we have 3 files and we need them inside the initramfs image that is used to boot the system. We have to create a new initramfs with the dracut utility and force dracut to include our files.
- Include crypttab-other.conf in the initramfs: edit /usr/lib/dracut/dracut.conf.d/01-dist.conf and modify the line with install_optional_items, adding a reference to our crypttab-other.conf file. Example:
    install_optional_items+=" vi /etc/virc ps grep cat rm /etc/crypttab-other.conf"
- Include systemd-cryptsetup and libsystemd-shared-230.so in the initramfs:
  a) Copy libsystemd-shared-230.so to the /usr/lib64/ directory. In my case it was a new file, so adding it to /usr/lib64 should not cause any harm.
  b) Make a backup copy of the existing file /usr/lib/systemd/systemd-cryptsetup:
    cd /usr/lib/systemd/
    cp ./systemd-cryptsetup ./systemd-cryptsetup.copy
  c) Replace /usr/lib/systemd/systemd-cryptsetup with our file from the .libs subdirectory:
    cp (our compilation dir)/.libs/systemd-cryptsetup /usr/lib/systemd/
- Create the new initramfs:
    dracut -f
  After this command check the /boot directory. There should be a file initramfs-(kernel version).img with the current modification time. You can use the lsinitrd utility to display the content of the initramfs and check that our files are there.
- Restart the system and check that your devices are unlocked:
    ls /dev/mapper/*
  You can mount the unlocked devices automatically using fstab.
- Remember that these modifications will only survive until the next systemd upgrade. After an upgrade you have to replace /usr/lib/systemd/systemd-cryptsetup with your modified version again. Do you need to download and compile systemd again? It's up to you.