Full disk LUKS encryption without LVM or separate /boot partition, passphrase typed only once
by Didier Spaier from LinuxQuestions.org on (#5RXGA)
This is an answer to this post.
Context: installation of Slint64-14.2.1.
If users choose the Auto mode and dedicate a drive to Slint, the installer proposes to encrypt the drive. If they accept, they are prompted to type a passphrase twice. Then the installer encrypts the root partition and, if requested, an additional partition using the same passphrase. A key file for each partition is stored in /etc/keys. If an additional partition is created, the file /etc/crypttab is written accordingly. The installer creates an initramfs and stores the key file there. The init script in the initrd is modified from one in the mkinitrd Slackware package to handle unlocking the root partition (named by UUID) with a key file stored inside it. /etc/default/grub includes 'GRUB_ENABLE_CRYPTODISK=y' and 'GRUB_PRELOAD_MODULES="luks cryptodisk"' so when booting:
- GRUB asks for the passphrase to unlock the drive before displaying the boot menu.
- The init script of the initramfs unlocks the root partition.
- The optional additional partition is unlocked.
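
A post-install check of the layout described above, as an added example (not part of the original post or of the Slint installer): it verifies the GRUB cryptodisk setting, owner-only permissions on the files in /etc/keys, and that every key file named in /etc/crypttab exists. The function name, the optional root-prefix argument, the 400/600 mode policy and the assumption that the key file is the third crypttab field are choices made for this example.

```shell
#!/bin/sh
# Added example: audit the single-passphrase LUKS layout described in the post.
# Assumption: $1 is the system root to inspect ("/" on the installed system).

audit_luks_layout() {
    root=${1:-/}
    root=${root%/}
    rc=0

    # GRUB can only read /boot inside the LUKS volume with cryptodisk enabled.
    grub="$root/etc/default/grub"
    if ! grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*$' \
            "$grub" 2>/dev/null; then
        echo "FAIL: GRUB_ENABLE_CRYPTODISK=y not set in $grub"
        rc=1
    fi

    # A key file unlocks its partition without the passphrase, so it must be
    # readable by its owner only (policy assumed here: mode 400 or 600).
    for key in "$root"/etc/keys/*; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        case $mode in
            400|600) ;;
            *) echo "FAIL: $key has mode $mode, expected 400 or 600"; rc=1 ;;
        esac
    done

    # Each key file referenced in crypttab (third field) must exist,
    # otherwise the additional partition cannot be unlocked at boot.
    tab="$root/etc/crypttab"
    if [ -f "$tab" ]; then
        while read -r name dev keyfile opts; do
            case $name in ''|'#'*) continue ;; esac
            case $keyfile in ''|none|-) continue ;; esac
            if [ ! -f "$root$keyfile" ]; then
                echo "FAIL: crypttab entry $name: missing key file $keyfile"
                rc=1
            fi
        done < "$tab"
    fi

    return $rc
}
```

Run `audit_luks_layout /` as root on the installed system; it prints one line per finding and returns non-zero if any check fails.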