Created attachment 454520
patches 00-crypt.sh

genkernel-next supports a LUKS encrypted root partition; the proper key must be passed via the root_keydev+root_key parameters from GRUB2. Unfortunately genkernel-next does not check whether the file pointed to by root_key already exists, but instead always wants to mount a device root_keydev first and only then looks for the file root_key.

I hacked a workaround for this into 00-crypt.sh, at about line 135:

    if [ -n "${luks_key}" ]; then
        if [ -s "${luks_key}" ]; then
            echo "*** keyfile already found!"
            cryptsetup_opts="${cryptsetup_opts} --key-file ${luks_key}"
        else
            echo "*** cannot access supplied keyfile, trying original way..."
            # original genkernel-next code (mount root_keydev, then look for root_key) continues here

So first I check if luks_key is already there and if yes just ignore the following ~80 lines of script.

If I properly pass a keyfile that's already in the initramfs -> all is ok and root is automatically mounted.
If I made a typo in the filename of the key -> I am asked to enter the password manually.
If I fail to pass root_keydev+root_key -> I am asked to enter the password manually.

I attach my patched 00-crypt.sh to this bug.

TODO: currently my patched version still requires root_keydev=/, however this is just extra noise in the GRUB2 options.

"But what's the point?" you ask, having the keyfile accessible in the initramfs is stupid/unsafe? It is needed in case of full-disk encryption: meaning the whole disk is one large encrypted partition (e.g. /dev/sda1) and within this partition you use LVM logical volumes for root, swap etc. Upon boot GRUB2 asks for the password of the encrypted partition and only after success decrypts and boots further to the GRUB2 menu. In order to boot Linux one would then have to enter the same password a second time for the initramfs root mounting - or you can put the key into the initramfs image and pass it via root_keydev+root_key.
So this saves the user a second prompt for the identical password; note that he would not get this far if he did not already know it at the first prompt, for decryption by GRUB2. Please improve my ugly hack and consider this feature for upstream so one can have comfortable full-disk encryption.
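The key-lookup order the report asks for, as an added stand-alone example (not genkernel-next's code and not the attached patch): prefer a key file that already exists in the initramfs, only then fall back to mounting root_keydev, and otherwise leave cryptsetup to prompt for the passphrase. The arguments are assumed to come from the root_key= and root_keydev= kernel parameters, and mount_keydev is a hypothetical helper standing in for the original mount step.

```shell
#!/bin/sh
# Added example, not genkernel-next's own code.

mount_keydev() {
    # dev=$1 mnt=$2; mounted read-only, the key only needs to be read
    mkdir -p "$2" && mount -o ro "$1" "$2" 2>/dev/null
}

# Print the cryptsetup option that supplies the key.
# Returns 0 when a usable key file was found, 1 when cryptsetup should
# fall back to asking for the passphrase interactively.
luks_key_opts() {
    key="$1"     # path from root_key=
    keydev="$2"  # device from root_keydev= (may be empty)
    mnt="$3"     # where keydev gets mounted if that is needed

    # no key requested at all: interactive passphrase
    [ -n "$key" ] || return 1

    # key already present and non-empty (e.g. embedded in the initramfs)
    if [ -s "$key" ]; then
        echo "--key-file $key"
        return 0
    fi

    # original route: mount root_keydev and look for the file there
    if [ -n "$keydev" ] && mount_keydev "$keydev" "$mnt" && [ -s "$mnt/$key" ]; then
        echo "--key-file $mnt/$key"
        return 0
    fi

    # typo in the filename, device missing, etc.: let cryptsetup prompt
    return 1
}

# Assumed call site in 00-crypt.sh (hypothetical):
#   if opts=$(luks_key_opts "$luks_key" "$luks_keydev" /mnt/key); then
#       cryptsetup_opts="${cryptsetup_opts} ${opts}"
#   fi
```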
For reference, someone has the same need, developed a patch and offers it to upstream: https://github.com/Sabayon/genkernel-next/pull/50
Package removed.