Dracut module to provide passwordless decryption for LUKS-encrypted root volumes. This module does not itself provide any LUKS decryption mechanism but relies on the `crypt` module already distributed with dracut. It works by overwriting `/etc/crypttab` with a version that specifies a key file in `/tmp`, which is generated at boot. This key is derived from system board information using `dmidecode`.
What happens if I change my hardware? When you change your motherboard or upgrade your BIOS, the crypt module will be unable to unlock the volume with the keyfile and fall back to prompting for a password in another key slot (typically #0 created by the installer).
This is dumb - what's the use of this? It's used to protect the root device should you need to send it in for servicing and it cannot be wiped effectively or in a timely manner. It's similar to using an external USB device that contains the key, but slightly less secure as parts of the keyfile can be guessed. This removes the need for another USB key, or the reliance on a hardware TPM module.
Install the system as you would, and opt to encrypt the root partition. Then run the `add-key.sh` script on the system:

```sh
/usr/share/dracut/modules.d/90zgmcrypt/add-key.sh <luks-device>
```

Note that on CentOS 7 the path has changed to `/usr/lib/dracut` instead of `/usr/share/dracut`.
If you upgrade your system and it no longer automatically unlocks, just run this script again. It assumes the system-generated key resides in slot #1 and will prompt you to remove it on each run.
This module was designed for CentOS/RHEL systems, so it's built as an RPM. You can build the RPM from the `tar.gz` file:

```sh
rpmbuild -tb dracut-gmcrypt.tar.gz
```
The module name starts with `90z` so that it executes after `90crypt` and can replace the `/etc/crypttab` file with a version that specifies the location of the key file (for the root volume). This key file is generated at the pre-trigger hook and removed at the pre-pivot hook. During the "ask-pass" routine, if the key file can unlock the volume, no password prompt is displayed.
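The sequence described above (derive a key file from board information, point `/etc/crypttab` at it, remove it before pivot), written as an added POSIX shell illustration that is not the module's own code. It assumes the key is a hash of `dmidecode -s` fields (the page does not state the actual derivation) and substitutes a constructed `fake_dmi` function for `dmidecode`; paths are constructed for the example.

```shell
#!/bin/sh
# Added illustration of the zgmcrypt design, not the project's own code.
# Assumption: the key is derived by hashing board fields; the real
# derivation is not shown on the page.

# Constructed stand-in for `dmidecode -s <keyword>`; the real module would
# call dmidecode at the pre-trigger hook.
fake_dmi() {
    case "$1" in
        system-manufacturer)     echo "ExampleCorp" ;;
        baseboard-serial-number) echo "BSN-0000-CONSTRUCTED" ;;
        *) return 1 ;;
    esac
}

# Pre-trigger step: derive a key file from board information and write it
# to $2 with mode 0600 (anyone able to read /tmp must not see the key).
derive_keyfile() {
    dmi="$1"; out="$2"
    ( umask 077
      { "$dmi" system-manufacturer; "$dmi" baseboard-serial-number; } \
          | sha256sum | cut -d' ' -f1 > "$out" )
}

# Replace crypttab so the root mapping is tried with the key file first.
# If the key file matches no key slot, cryptsetup falls back to the
# passphrase prompt, which is the "hardware changed" behaviour above.
# Layout: <name> <device> <keyfile> <options>
write_crypttab() {
    name="$1"; uuid="$2"; keyfile="$3"; crypttab="$4"
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile" > "$crypttab"
}

# Pre-pivot step: the key must not survive into the booted system.
remove_keyfile() {
    rm -f -- "$1"
}
```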
CentOS 7 is largely the same, except that dracut has been updated (functions changed) and systemd is used to drive the process. The cmdline parameters have also been updated; for example, `rd_LUKS_UUID` is now `rd.luks.uuid`. The various hook points are executed in sequence by systemd. The unlocking and mounting of encrypted volumes is done by unit files generated by `systemd-cryptsetup-generator`. The unit files then call `systemd-cryptsetup attach` to attach the volume, which prompts for the password if required. This process used to be done by scripts called by dracut.
Copyright (C) 2014 Darell Tan
This module follows the same license as dracut, which is GPLv2. Some parts of the scripts are clearly copied from dracut.