Encrypted root partition in kickstart

harrywangca
Posts: 80
Joined: 2016/01/12 23:27:04
Location: Vista California

Encrypted root partition in kickstart

Post by harrywangca » 2020/04/07 23:25:46

Hello Team,

Please help me.
I am installing CentOS 8 using my own kickstart which has encrypted root partition (/) like below:
part / --fstype="xfs" --ondisk=$ROOTDRIVE --grow --encrypted --passphrase=temppass

After installation boot up :
[root@localhost ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 238.5G 0 disk
├─sda1 8:1 0 600M 0 part /boot/efi
├─sda2 8:2 0 1G 0 part /boot
├─sda3 8:3 0 80G 0 part /sdc5
├─sda4 8:4 0 8G 0 part [SWAP]
├─sda5 8:5 0 2G 0 part /System
└─sda6 8:6 0 146.9G 0 part
  └─luks-b4e9b888-7fde-4650-b679-11f8bd446cb4 253:0 0 146.9G 0 crypt /
I see the root partition is encrypted. But every time I power on the machine I have to manually input the password. This is the root partition. I tried to follow this guide: https://access.redhat.com/documentation ... -hardening
using TPM2 to bind the root partition volume to PCR7
echo "temppass" | clevis encrypt tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}' > secret.jwe
clevis luks bind -d /dev/sda6 tpm2 '{"pcr_ids":"7"}' < secret.jwe (I also tried: clevis luks bind -d /dev/sda6 tpm2 '{"pcr_ids":"7"}' <<< "temppass")
cryptsetup luksRemoveKey /dev/sda6 <<< "temppass" (I also tried: cryptsetup luksRemoveKey /dev/sda6 < secret.jwe)

then re-create initramfs : dracut -f
reboot. It still prompts me to input the password. But this time the password has already been removed, so I cannot log in to the system, and I have to install again and again.

Does anybody know how to remove the password prompt and bring the system up automatically?

Please help.....Thank you!!

aks
Posts: 2994
Joined: 2014/09/20 11:22:14

Re: Encrypted root partition in kickstart

Post by aks » 2020/04/08 17:30:11

A long time ago I faced a similar situation.
From (very old) notes:
cryptsetup luksAddKey /dev/mapper/vg-root /etc/ks
# input word.
Then change none to the keyfile location (/etc/ks) in /etc/crypttab
Re-gen the initramfs: dracut -f -v -H --include /etc/ks /etc/ks
It worked at the time; I seem to recall the idea of 'slots' for keys.

All of this may be not applicable now.

But it's pretty pointless in that the key is on the machine!
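Both posts end at the same dangerous step: the passphrase keyslot is removed (or the machine is expected to boot from a keyfile) before anyone has checked that another unlock path actually exists, which is exactly how the first post ended up with an unbootable install. The script below is an added example for this thread, not code from either post. It parses the text of `cryptsetup luksDump <dev>` (LUKS2 layout: a `Keyslots:` section and a `Tokens:` section where a `clevis` token names the keyslot it opens) and `/etc/crypttab`, and refuses a `luksRemoveKey` unless an unattended path survives: either a clevis token bound to a keyslot other than the one being removed, or a keyfile path in crypttab with a second keyslot present to hold it. The luksDump text is a constructed approximation, the crypttab lines are constructed, the UUID is the one in the first post's lsblk output, and all function names (`make_dump`, `parse_luks_dump`, `safe_to_remove_passphrase`, ...) are this example's own.

```python
"""Pre-flight gate for removing the passphrase keyslot of a LUKS root volume.
Added example for this thread, not code from the posts: the luksDump text is a
constructed approximation and every function name here is this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

UUID = "b4e9b888-7fde-4650-b679-11f8bd446cb4"   # from the lsblk output in the first post

# Constructed crypttab lines: what a kickstart install writes (`none` = prompt at
# boot; clevis-dracut satisfies that prompt when a clevis token exists), and the
# keyfile variant from aks's notes.
CRYPTTAB_KICKSTART = f"luks-{UUID} UUID={UUID} none\n"
CRYPTTAB_KEYFILE = f"luks-{UUID} UUID={UUID} /etc/ks\n"


def make_dump(n_keyslots: int, clevis_slot: Optional[int]) -> str:
    """Constructed approximation of LUKS2 `cryptsetup luksDump` output."""
    lines = ["LUKS header information", "Version:       \t2", f"UUID:          \t{UUID}",
             "Keyslots area: \t16744448 [bytes]", "", "Data segments:", "  0: crypt",
             "\toffset: 16777216 [bytes]", "\tcipher: aes-xts-plain64", "", "Keyslots:"]
    for i in range(n_keyslots):
        lines += [f"  {i}: luks2", "\tKey:        512 bits", "\tPriority:   normal"]
    lines.append("Tokens:")
    if clevis_slot is not None:
        lines += ["  0: clevis", f"\tKeyslot:  {clevis_slot}"]
    lines += ["Digests:", "  0: pbkdf2", "\tHash:       sha256", ""]
    return "\n".join(lines)


@dataclass
class LuksHeader:
    uuid: str = ""
    keyslots: list[int] = field(default_factory=list)
    tokens: dict[int, tuple[str, int]] = field(default_factory=dict)  # id -> (type, keyslot)


def parse_luks_dump(text: str) -> LuksHeader:
    """Pull the UUID, keyslot ids and token->keyslot bindings out of a luksDump."""
    hdr, section, tok = LuksHeader(), None, None
    for line in text.splitlines():
        m = re.match(r"UUID:\s+(\S+)", line)
        if m:
            hdr.uuid = m.group(1)
        elif line and not line[0].isspace():            # unindented line = section header
            section, tok = line.rstrip(":"), None
        elif (m := re.match(r"  (\d+): (\S+)", line)):  # "  0: luks2" / "  0: clevis"
            if section == "Keyslots":
                hdr.keyslots.append(int(m.group(1)))
            elif section == "Tokens":
                tok = int(m.group(1))
                hdr.tokens[tok] = (m.group(2), -1)       # keyslot filled in below
        elif section == "Tokens" and tok is not None:
            if (m := re.match(r"\s+Keyslot:\s+(\d+)", line)):
                hdr.tokens[tok] = (hdr.tokens[tok][0], int(m.group(1)))
    return hdr


@dataclass
class CrypttabEntry:
    name: str
    device: str
    key: str          # "none" (or a missing field) means: ask at boot
    options: str = ""


def parse_crypttab(text: str) -> list[CrypttabEntry]:
    entries = []
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#"):
            entries.append(CrypttabEntry(f[0], f[1], f[2] if len(f) > 2 else "none",
                                         f[3] if len(f) > 3 else ""))
    return entries


def surviving_unlock_paths(entry: CrypttabEntry, hdr: LuksHeader, removed_slot: int) -> list[str]:
    """Unattended unlock paths left once `removed_slot` is gone.  A keyfile in
    crypttab only counts if another keyslot exists to hold it (the dump does not
    say which slot a keyfile opens); a clevis token counts only if it is bound
    to a keyslot other than the one being removed."""
    others = [s for s in hdr.keyslots if s != removed_slot]
    paths = []
    if entry.key not in ("none", "-") and others:
        paths.append(f"keyfile {entry.key} (must also be inside the initramfs)")
    paths += [f"clevis token {tid} -> keyslot {slot}"
              for tid, (ttype, slot) in hdr.tokens.items()
              if ttype == "clevis" and slot in others]
    return paths


def safe_to_remove_passphrase(entry: CrypttabEntry, hdr: LuksHeader, removed_slot: int) -> tuple[bool, str]:
    """Gate for `cryptsetup luksRemoveKey`: refuse when the removal would leave
    only a boot prompt for a passphrase that no longer exists."""
    if removed_slot not in hdr.keyslots:
        return False, f"keyslot {removed_slot} is not in the header"
    paths = surviving_unlock_paths(entry, hdr, removed_slot)
    if not paths:
        return False, "no unattended unlock path survives; boot would prompt forever"
    return True, "; ".join(paths)


if __name__ == "__main__":
    entry = parse_crypttab(CRYPTTAB_KICKSTART)[0]
    # The thread's sequence: passphrase removed before any clevis binding exists.
    print(safe_to_remove_passphrase(entry, parse_luks_dump(make_dump(1, None)), 0))
    # After a successful `clevis luks bind`: keyslot 1 holds the TPM2-sealed key.
    print(safe_to_remove_passphrase(entry, parse_luks_dump(make_dump(2, 1)), 0))
    # aks's keyfile variant: crypttab names /etc/ks and a second keyslot exists.
    print(safe_to_remove_passphrase(parse_crypttab(CRYPTTAB_KEYFILE)[0],
                                    parse_luks_dump(make_dump(2, None)), 0))
```

On a real system the two inputs come from `cryptsetup luksDump /dev/sda6` and `/etc/crypttab`; the gate is only a header check, so after it passes, still confirm the new slot opens the volume (`clevis luks unlock` or `cryptsetup open --test-passphrase --key-file`) and that the initramfs was rebuilt with the clevis module or the keyfile before the old slot goes away. aks's closing remark applies unchanged to the keyfile path: a key stored on the same disk adds no protection against someone who has the disk.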

harrywangca
Posts: 80
Joined: 2016/01/12 23:27:04
Location: Vista California

Re: Encrypted root partition in kickstart

Post by harrywangca » 2020/04/14 19:20:31

Thanks aks for replying.

Are you sure you encrypted the root partition?
I have now followed your instructions and changed /etc/crypttab from none to /etc/ks, but it didn't work.

It still prompts for the password.
