This makes it possible to boot from LUKS and DMCrypt volumes. The LUKS header may be detached and stored on a separate device such as a removable USB key. Key files may be stored in a similar way and used instead of interactive passphrase entry.
This extension also adds these features:
The extension provides the cryptomount command with several new command-line options. Use cryptomount --help to display them. The options parallel those offered by cryptsetup.
This work has the same license as Grub (GPL v3).
Get from GitHub.
$ git clone https://github.com/johnlane/grub
Alternatively, check out upstream and apply these patches:
Follow the build and install instructions in the upstream Grub INSTALL file.
The patches are compatible with upstream HEAD (8736a048) at the time of writing, 2017/02/11.
The cryptomount command can identify an encrypted LUKS device by its UUID. The UUID value may be given with or without hyphen delimiters. Because the given UUID is compared against the UUID stored in the LUKS header, such lookups only work with LUKS volumes whose header is on the device itself. Specifically, the UUID cannot be used with plain DMCrypt volumes or when a detached LUKS header is used.
A key file contains the cryptographic material required to unlock a volume: a passphrase for a LUKS volume or a key for a plain volume. The required data is normally read from the beginning of the given file, but the offset command-line option allows it to be read from further into the file.
When used in plain mode, the amount of data read is exactly the number of bytes required for the key, and an error occurs if insufficient data can be read.
When used in LUKS mode, all of the available data (up to a maximum of 8KiB) is read and used as a passphrase. The keyfile-size command-line option limits the amount of data that is read. (This option does not apply to plain mode.)
These options can be used together to embed a key or passphrase in a larger file.
A key file may be either a file (-k (hd0,1)/keyfile) or a raw device (-k (hd0,1)). Thanks to @giddie for the patch.
This example assumes the default cipher and passphrase hash. These defaults are the same as the ones in cryptsetup: ripemd160 passphrase hash.
insmod cryptodisk
cryptomount -p hd1,1
This example opens a LUKS volume using plain DMCrypt. The volume master key is read from a file and the LUKS cipher and payload offset details are supplied as parameters.
insmod cryptodisk
cryptomount -p -k (hd0,1)/keyfile -K 256 -c aes-xts-plain64 -o 4096 hd1,1
This example opens a LUKS volume and is the only method supported by upstream Grub.
insmod luks
cryptomount hd1,1
The device may alternatively be specified using the UUID contained in the LUKS header.
cryptomount -u af4b9159-8cbb-4122-b801-0c18adf26b3e
This example opens a LUKS volume using a detached LUKS header.
insmod luks
cryptomount -H (hd0,1)/header hd1,1
The detached header can be combined with a key file instead of an interactive passphrase.
insmod luks
cryptomount -H (hd0,1)/header -k (hd0,1)/keyfile hd1,1
This example reads a 50-byte passphrase that starts 30 bytes into the key file, using the offset and keyfile-size options together.
insmod luks
cryptomount -k (hd0,1)/keyfile -O 30 -S 50 hd1,1
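The following script, added here and not part of the johnlane/grub project, prepares a key file for the offset/size case above: it embeds a passphrase at a fixed offset inside a larger file and then extracts exactly the bytes the LUKS-mode and plain-mode reads described in the key file section would see, so the file can be checked on the host before it is relied on at boot. It assumes a POSIX shell with dd, wc and tr; the scratch directory, carrier file and passphrase are constructed for the demo.

```shell
# Added example, not code from the johnlane/grub project. Builds a carrier file
# with a passphrase at a known offset, then reads back the bytes that the
# key-file offset (-O) and keyfile-size (-S) options would select.
# Assumes a POSIX shell with dd, wc and tr; all paths and values are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/cryptomount-keyfile-demo"   # constructed scratch directory
mkdir -p "$WORK"

# embed_key CARRIER OFFSET SIZE PASSPHRASE
# Writes a 4 KiB carrier of random filler and overwrites SIZE bytes at OFFSET
# with PASSPHRASE. Refuses a passphrase that is not exactly SIZE bytes: any
# shortfall would leave random filler inside the region that -S selects, and
# those bytes would silently become part of the passphrase.
embed_key() {
    carrier=$1 off=$2 size=$3 pass=$4
    if [ "$(printf '%s' "$pass" | wc -c | tr -d ' ')" -ne "$size" ]; then
        echo "passphrase must be exactly $size bytes" >&2
        return 1
    fi
    dd if=/dev/urandom of="$carrier" bs=4096 count=1 2>/dev/null
    printf '%s' "$pass" | dd of="$carrier" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# read_keyfile CARRIER OFFSET [SIZE]
# Reproduces the LUKS-mode read: start at OFFSET and take SIZE bytes, or
# everything that remains when SIZE is omitted, capped at 8 KiB either way.
read_keyfile() {
    carrier=$1 off=$2 size=${3:-8192}
    [ "$size" -le 8192 ] || size=8192
    dd if="$carrier" bs=1 skip="$off" count="$size" 2>/dev/null
}

# read_plain_key CARRIER OFFSET KEYBYTES
# Reproduces the plain-mode read: exactly KEYBYTES must be available or it fails.
read_plain_key() {
    carrier=$1 off=$2 need=$3
    got=$(dd if="$carrier" bs=1 skip="$off" count="$need" 2>/dev/null | wc -c | tr -d ' ')
    [ "$got" -eq "$need" ] || { echo "only $got of $need key bytes available" >&2; return 1; }
    dd if="$carrier" bs=1 skip="$off" count="$need" 2>/dev/null
}

# Demo for the "-O 30 -S 50" example above: a constructed 50-byte passphrase.
PASS="correct-horse-battery-staple-correct-horse-battery"
CARRIER="$WORK/carrier.bin"
embed_key "$CARRIER" 30 50 "$PASS"
[ "$(read_keyfile "$CARRIER" 30 50)" = "$PASS" ] && echo "offset/size read matches"
# Without -S the read runs to the end of the file, so the filler comes along too:
echo "bytes read without -S: $(read_keyfile "$CARRIER" 30 | wc -c | tr -d ' ')"
```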