I have set up an encrypted, UEFI-booting Arch install[1]. Why am I not asked for a passphrase at boot?

Note: if I rename `crypto` in `/etc/crypttab` to something else, e.g. `cryptboot`, I am asked for a password at boot, but I can type anything at all and still log in without trouble.
`lsblk`:

```
NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda               8:0    0 119.2G  0 disk
├─sda1            8:1    0   100M  0 part  /boot/efi
├─sda2            8:2    0   250M  0 part  /boot
└─sda3            8:3    0 118.9G  0 part
  └─crypto      254:0    0 118.9G  0 crypt
    ├─Arch-swap 254:1    0   512M  0 lvm   [SWAP]
    └─Arch-root 254:2    0 118.4G  0 lvm   /
```
`dmesg | grep -i "error\|warning\|fail"`:

```
[    1.052685] acpi PNP0A08:00: _OSC failed (AE_SUPPORT); disabling ASPM
[    2.340204] RAS: Correctable Errors collector initialized.
[    9.002142] ACPI Warning: SystemIO range 0x0000000000000428-0x000000000000042F conflicts with OpRegion 0x0000000000000400-0x000000000000047F (\_SB.PCI0.LPC.PMIO) (20181213/utaddress-213)
[    9.004065] ACPI Warning: SystemIO range 0x0000000000000540-0x000000000000054F conflicts with OpRegion 0x0000000000000500-0x000000000000057F (\_SB.PCI0.LPC.LPIO) (20181213/utaddress-213)
[    9.004107] ACPI Warning: SystemIO range 0x0000000000000530-0x000000000000053F conflicts with OpRegion 0x0000000000000500-0x000000000000057F (\_SB.PCI0.LPC.LPIO) (20181213/utaddress-213)
[    9.004185] ACPI Warning: SystemIO range 0x0000000000000500-0x000000000000052F conflicts with OpRegion 0x0000000000000500-0x000000000000057F (\_SB.PCI0.LPC.LPIO) (20181213/utaddress-213)
[    9.455380] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[    9.455385] cfg80211: failed to load regulatory.db
[  175.019957] random: 5 urandom warning(s) missed due to ratelimiting
```
`df -h`:

```
Filesystem             Size  Used Avail Use% Mounted on
dev                    1.9G     0  1.9G   0% /dev
run                    1.9G  756K  1.9G   1% /run
/dev/mapper/Arch-root  117G  1.8G  109G   2% /
tmpfs                  1.9G     0  1.9G   0% /dev/shm
tmpfs                  1.9G     0  1.9G   0% /sys/fs/cgroup
tmpfs                  1.9G     0  1.9G   0% /tmp
/dev/sda2              243M   76M  155M  33% /boot
/dev/sda1               99M  125K   99M   1% /boot/efi
tmpfs                  383M     0  383M   0% /run/user/0
```
`cryptsetup luksDump /dev/sda3`:

```
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           16459d28-76a6-40c4-b96d-090cf2f411fc
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     608808
        Threads:    4
        Salt:       10 23 09 25 cd 08 38 47 e4 56 27 2f e9 ab d6 96
                    61 ed 32 9a 6a f7 36 a6 12 d3 1e 8b 02 4b cf f3
        AF stripes: 4000
        AF hash:    sha512
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     605120
        Threads:    4
        Salt:       2e df 79 1d 5b c8 2d d6 89 c3 d0 7c a7 47 a7 e1
                    d4 63 4e 42 38 51 0d 12 4d a8 cd dd 09 d0 cb 1b
        AF stripes: 4000
        AF hash:    sha256
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
        Iterations: 125307
        Salt:       11 8b 07 aa 78 49 32 4e bf a7 8b b0 8a 29 89 d6
                    ff 5d 90 3f a4 68 ee f6 c5 71 7a 44 10 7e 0d 1f
        Digest:     d4 42 ae 00 6c 03 d1 ab b9 37 62 4a ce be 93 dd 20 d4 71 6e 03 7b 92 40 b4 8d ff 54 3c 97 72 21
                    3b 86 fe 5e ec 18 79 2f 1f 3c 19 d8 20 94 44 a1 06 b7 44 30 a5 75 4d 5b f8 a1 cc 03 c6 a9 98 0f
```
`/etc/default/grub`:

```
# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:crypto resume=/dev/mapper/Arch-swap"
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires to
# set 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT="true"
```
`/boot/grub/grub.cfg`:

```
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod lvm
insmod ext2
set root='lvmid/YPm8Dv-HYiA-CyfU-yV0y-aVH0-n917-W3uEwd/GyClul-dXdo-8gyf-j0N4-RwTG-wFVt-3KH4fO'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvmid/YPm8Dv-HYiA-CyfU-yV0y-aVH0-n917-W3uEwd/GyClul-dXdo-8gyf-j0N4-RwTG-wFVt-3KH4fO' 46268152-ba54-4ecf-ad04-b381c8da1c2b
else
search --no-floppy --fs-uuid --set=root 46268152-ba54-4ecf-ad04-b381c8da1c2b
fi
font="/usr/share/grub/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-46268152-ba54-4ecf-ad04-b381c8da1c2b' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-ieee1275='ieee1275//disk@0,gpt2' --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 b558ecc3-2d22-481b-91eb-26cdc2e86cf0
else
search --no-floppy --fs-uuid --set=root b558ecc3-2d22-481b-91eb-26cdc2e86cf0
fi
echo 'Loading Linux linux ...'
linux /vmlinuz-linux root=/dev/mapper/Arch-root rw cryptdevice=/dev/sda3:crypto resume=/dev/mapper/Arch-swap quiet
echo 'Loading initial ramdisk ...'
initrd /initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-46268152-ba54-4ecf-ad04-b381c8da1c2b' {
menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-46268152-ba54-4ecf-ad04-b381c8da1c2b' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-ieee1275='ieee1275//disk@0,gpt2' --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 b558ecc3-2d22-481b-91eb-26cdc2e86cf0
else
search --no-floppy --fs-uuid --set=root b558ecc3-2d22-481b-91eb-26cdc2e86cf0
fi
echo 'Loading Linux linux ...'
linux /vmlinuz-linux root=/dev/mapper/Arch-root rw cryptdevice=/dev/sda3:crypto resume=/dev/mapper/Arch-swap quiet
echo 'Loading initial ramdisk ...'
initrd /initramfs-linux.img
}
menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-46268152-ba54-4ecf-ad04-b381c8da1c2b' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-ieee1275='ieee1275//disk@0,gpt2' --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 b558ecc3-2d22-481b-91eb-26cdc2e86cf0
else
search --no-floppy --fs-uuid --set=root b558ecc3-2d22-481b-91eb-26cdc2e86cf0
fi
echo 'Loading Linux linux ...'
linux /vmlinuz-linux root=/dev/mapper/Arch-root rw cryptdevice=/dev/sda3:crypto resume=/dev/mapper/Arch-swap quiet
echo 'Loading initial ramdisk ...'
initrd /initramfs-linux-fallback.img
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
```
`ls -l /dev/disk/by-uuid`:

```
lrwxrwxrwx 1 root root 10 Mar 29 18:13 16459d28-76a6-40c4-b96d-090cf2f411fc -> ../../sda3
lrwxrwxrwx 1 root root 10 Mar 29 18:13 46268152-ba54-4ecf-ad04-b381c8da1c2b -> ../../dm-2
lrwxrwxrwx 1 root root 10 Mar 29 18:13 4ef43d75-a4c7-4ef0-84d9-66a968578ff1 -> ../../dm-1
lrwxrwxrwx 1 root root 10 Mar 29 18:13 7AE8-13D9 -> ../../sda1
lrwxrwxrwx 1 root root  9 Mar 29 18:44 9671-F6FA -> ../../sdb
lrwxrwxrwx 1 root root 10 Mar 29 18:13 b558ecc3-2d22-481b-91eb-26cdc2e86cf0 -> ../../sda2
```
`/etc/fstab`:

```
# /dev/mapper/Arch-root
UUID=46268152-ba54-4ecf-ad04-b381c8da1c2b / ext4 rw,relatime 0 1
# /dev/sda2
UUID=b558ecc3-2d22-481b-91eb-26cdc2e86cf0 /boot ext2 rw,relatime,block_validity,barrier,user_xattr,acl 0 2
# /dev/sda1
UUID=7AE8-13D9 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/mapper/Arch-swap
UUID=4ef43d75-a4c7-4ef0-84d9-66a968578ff1 none swap defaults 0 0
```
`/etc/crypttab`:

```
# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
# home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1
# data1 /dev/sda3 /etc/mypassword2
# data2 /dev/sda5 /etc/cryptfs.key
# swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
# vol /dev/sdb7 none
crypto UUID=b558ecc3-2d22-481b-91eb-26cdc2e86cf0 none luks,timeout=180
```
`/etc/mkinitcpio.conf`:

```
# Configuration for encrypted block devices.
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=()
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=(/crypto_keyfile.bin)
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
```
Footnotes

[1] https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
Answer 1

A late answer, but perhaps it helps someone else:

You have a UEFI system. So the bootloader, `/boot/efi/EFI/ArchLinux/grubx64.efi`, is loaded by the firmware. The firmware locates the `/boot/efi` partition (also known as the EFI System Partition, ESP for short) by its PARTUUID, which is stored in the UEFI NVRAM boot variables and can be viewed with `efibootmgr -v`. The firmware can also find the ESP by its partition type. The ESP must be unencrypted, otherwise the firmware would be unable to read the bootloader.
Once the bootloader starts, it reads its own configuration file. The location of that file varies between distributions, but a common scheme places a minimal `grub.cfg` on the ESP, in the same directory as the `grubx64.efi` file. That mini-`grub.cfg` contains only the lines needed to find and read the "real" `grub.cfg` from `/boot/grub/grub.cfg`.

(Another approach is to embed the location of the real `grub.cfg` into `grubx64.efi` at installation time... but that would invalidate the signature of `grubx64.efi`, so it does not work on a system using Secure Boot.)
In your case, `/boot/efi/EFI/ArchLinux/grub.cfg` probably looks something like this:

```
search.fs_uuid b558ecc3-2d22-481b-91eb-26cdc2e86cf0 root
set prefix=($root)'/grub'
configfile $prefix/grub.cfg
```
Note that `root` here does not refer to the Linux root filesystem but to the root of the filesystem containing the GRUB configuration file, i.e. the `/boot` filesystem. That is why the first line mentions the UUID of the `/dev/sda2` partition.

In your case, `/dev/sda2` is your unencrypted `/boot`. The mini-config tells GRUB to find it by UUID and to read the real GRUB configuration file from `<root of /boot filesystem>/grub/grub.cfg`, which you would know as `/boot/grub/grub.cfg` when the OS is running and `/boot` is mounted. But at boot time, GRUB can only access one filesystem at a time.
Your actual `grub.cfg` contains this bit to use graphics mode and to load `/usr/share/grub/unicode.pf2` from the Linux root filesystem:

```
set root='lvmid/YPm8Dv-HYiA-CyfU-yV0y-aVH0-n917-W3uEwd/GyClul-dXdo-8gyf-j0N4-RwTG-wFVt-3KH4fO'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvmid/YPm8Dv-HYiA-CyfU-yV0y-aVH0-n917-W3uEwd/GyClul-dXdo-8gyf-j0N4-RwTG-wFVt-3KH4fO' 46268152-ba54-4ecf-ad04-b381c8da1c2b
else
search --no-floppy --fs-uuid --set=root 46268152-ba54-4ecf-ad04-b381c8da1c2b
fi
font="/usr/share/grub/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_input console
terminal_output gfxterm
```
With the currently encrypted root filesystem, this won't work, because those hinted UUIDs require GRUB to already have access to the encrypted root filesystem, and so far nothing has told it to look for an encrypted LUKS volume. GRUB will fall back to the firmware-provided display mode and font, but may display an error about being unable to load `/usr/share/grub/unicode.pf2`.

Modern GRUB can read files from LUKS-encrypted filesystems, but it needs to see a `cryptomount -u 16459d28-76a6-40c4-b96d-090cf2f411fc` command first: that causes GRUB to prompt for the LUKS passphrase and makes the encrypted volume accessible to GRUB (allowing GRUB to search for filesystems and LVM logical volumes inside the encrypted volume).
Since `unicode.pf2` contains no secrets, it would probably be easier to copy it to `/boot/grub/` and set `GRUB_FONT=/boot/grub/unicode.pf2` in `/etc/default/grub`, so that `grub-mkconfig` knows to add a command that loads the font from there instead of trying to access the root filesystem.

With your current configuration, this should remove any need for GRUB to understand LUKS encryption: it will simply load the kernel and initramfs from the unencrypted `/boot` filesystem and pass a set of parameters to the kernel. The initramfs file then contains a script that asks for the encryption passphrase and unlocks the encryption for Linux.
Your current kernel parameters are visible in `grub.cfg`:

```
linux /vmlinuz-linux root=/dev/mapper/Arch-root rw cryptdevice=/dev/sda3:crypto resume=/dev/mapper/Arch-swap quiet
```

They are determined by these lines in `/etc/default/grub`:

```
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:crypto resume=/dev/mapper/Arch-swap"
```

While this works as long as the order of the disk devices does not change, using UUIDs is the currently recommended approach, as it is more robust against things like a USB stick accidentally left plugged in at boot. So you should change the `GRUB_CMDLINE_LINUX` line to:

```
GRUB_CMDLINE_LINUX="cryptdevice=UUID:16459d28-76a6-40c4-b96d-090cf2f411fc:crypto resume=/dev/mapper/Arch-swap"
```

Note that the UUID here is the one shown by `cryptsetup luksDump`, not the UUID of the filesystem inside the encrypted volume, because the filesystem UUID only becomes available once the encryption has been unlocked.
(This is true even if you were using an encrypted `/boot`, because GRUB cannot pass its cryptsetup unlock state on to the kernel: the kernel needs to unlock the encryption again even though GRUB has already unlocked it once. To avoid having to type the encryption passphrase once for GRUB and again for the initramfs, you could use a keyfile stored inside the initramfs to unlock the root filesystem... but if you do that, the initramfs must absolutely not be stored on an unencrypted partition, because access to an initramfs file containing the root filesystem's keyfile would give free access to the root filesystem.)
The `cryptdevice=` option is essentially the equivalent of an `/etc/crypttab` line for unlocking, inside the initramfs, the LUKS volume that contains the root filesystem: if it takes care of unlocking your only LUKS volume, you technically might not need `/etc/crypttab` at all, but for completeness your `/etc/crypttab` line should be:

```
crypto UUID=16459d28-76a6-40c4-b96d-090cf2f411fc none luks,timeout=180
```

Here too the UUID is the one shown by the `cryptsetup luksDump` command. The purpose of `/etc/crypttab` is to define how each encrypted volume should be presented in its unlocked form, and how the unlocking should happen. In this case, the line says that the encrypted volume `/dev/sda3` (identified by the encrypted volume's own UUID, which is all that can identify it by content before it has been successfully unlocked; you cannot use the UUIDs of the filesystem or LVM held inside the encrypted volume here) is a LUKS volume, and that there is no automatic source for the encryption passphrase, so a passphrase prompt must be shown. This is done by the `encrypt` hook script in the initramfs file.
Once the passphrase has been entered, the initramfs automatically probes for LVM volume groups inside the encrypted volume and activates the `Arch` VG as soon as it is found. All of this is done by the `lvm2` hook script in the initramfs. After that, `/dev/mapper/Arch-root` and `/dev/mapper/Arch-swap` become accessible, and the initramfs can go on to activate swap (optionally checking whether it holds a hibernation image, and resuming it if so) and mount the root filesystem.
Your current `/etc/mkinitcpio.conf` contains this line:

```
FILES=(/crypto_keyfile.bin)
```

This can be used with an encrypted `/boot` to identify a keyfile that will unlock any LUKS volume on the system. In other words, with an encrypted `/boot`, you would only need to manually unlock the `/boot` encryption for GRUB, and GRUB would then load from there the initramfs file containing the keyfile, which would let the initramfs unlock the root filesystem (or indeed any number of encrypted volumes) without typing any further passphrases. But this also makes the security of the initramfs file critical to the security of the whole system.

If your `/boot` is not encrypted, then I cannot see a purpose for that file, as it is not referenced in your `/etc/crypttab` or anywhere else. If that file exists and contains a valid key for unlocking the LUKS volume without typing a passphrase, it will be available in the unencrypted initramfs file, so your disk encryption can be unlocked without knowing the passphrase as soon as an attacker examines the initramfs file and notices the `crypto_keyfile.bin` inside it.
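As an added check, not code from the question or from any of the answers, the POSIX shell script below tests the question's own configuration for the three points the answer above makes: the crypttab device field must name the LUKS container's UUID, `cryptdevice=` should reference that UUID rather than `/dev/sda3`, and an initramfs on an unencrypted `/boot` must not carry `crypto_keyfile.bin`. It assumes the `cryptdevice=UUID=<uuid>:<name>` syntax; the LUKS UUID list, the crypttab line, the kernel command line and the initramfs listing are constructed from the files posted in the question.

```shell
#!/bin/sh
# Added example (not from the question or answers): offline checks for the
# problems Answer 1 points out, on inputs constructed from the question's
# files. On a live system use /etc/crypttab, /proc/cmdline, `lsinitcpio -l`
# and `blkid -t TYPE=crypto_LUKS -o value -s UUID` output instead.
# Constructed: the only LUKS container UUID (from cryptsetup luksDump above).
LUKS_UUIDS="16459d28-76a6-40c4-b96d-090cf2f411fc"
# Constructed: the question's crypttab line, which names /boot's ext2 UUID.
CRYPTTAB_BAD="crypto UUID=b558ecc3-2d22-481b-91eb-26cdc2e86cf0 none luks,timeout=180"
# Constructed: the question's kernel command line, using a /dev path.
CMDLINE_DEV="root=/dev/mapper/Arch-root rw cryptdevice=/dev/sda3:crypto quiet"
# Constructed: initramfs listing as produced by FILES=(/crypto_keyfile.bin).
LISTING_LEAK="hooks/encrypt
crypto_keyfile.bin
usr/bin/cryptsetup"
# is_luks_uuid UUID: succeeds only if UUID belongs to a LUKS container.
is_luks_uuid() {
    for u in $LUKS_UUIDS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# check_crypttab_line LINE: the device field must be UUID= of a LUKS container
# (filesystem or LVM UUIDs inside the container are not visible before unlock).
check_crypttab_line() {
    set -- $1                      # name device password options
    case "$2" in
        UUID=*) is_luks_uuid "${2#UUID=}" ;;
        *) return 1 ;;             # /dev path or non-LUKS UUID: flag it
    esac
}

# check_cmdline CMDLINE: cryptdevice= must use the cryptdevice=UUID=<uuid>:<name>
# form (as in Answer 2); /dev/sdX names can change between boots.
check_cmdline() {
    dev=""
    for arg in $1; do
        case "$arg" in cryptdevice=*) dev="${arg#cryptdevice=}"; dev="${dev%%:*}" ;; esac
    done
    case "$dev" in
        UUID=*) is_luks_uuid "${dev#UUID=}" ;;
        *) return 1 ;;
    esac
}

# keyfile_in_initramfs LISTING: succeeds if the image embeds crypto_keyfile.bin,
# which on an unencrypted /boot hands the root key to anyone who reads the image.
keyfile_in_initramfs() {
    printf '%s\n' "$1" | grep -q 'crypto_keyfile\.bin'
}
check_crypttab_line "$CRYPTTAB_BAD" || echo "crypttab: device is not a LUKS container UUID"
check_cmdline "$CMDLINE_DEV" || echo "cmdline: cryptdevice= should reference a LUKS UUID"
keyfile_in_initramfs "$LISTING_LEAK" && echo "initramfs: crypto_keyfile.bin is embedded"
```

Run against the question's files all three checks report a problem; after the fixes from the answer above (and with `crypto_keyfile.bin` dropped from `FILES=` while `/boot` stays unencrypted) the script prints nothing.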
Answer 2

You don't actually need crypttab for this to work.

The first problem I see is that your GRUB configuration needs fixing. Don't use hard paths like /dev/sdX; use the UUID instead, and you need to specify the root path of the mapped encrypted device.

```
cryptdevice=UUID=device-UUID:root root=/dev/mapper/root
```

The Arch documentation is a reliable source with more detail than I am posting here, but if you need more detail, just ask.
Answer 3

You need to create a correct `/etc/crypttab` file. Also, remember to add your mount points to `/etc/fstab`.

`crypttab` should contain something like this:

```
targetname physicalpartition none
```

For example:

```
targetData /dev/sdb3 none
```

where `targetData` is the name you create for the target, which will be used under `/dev/mapper`.