noauto option ignored in /etc/fstab?
Xen
list at xenhideout.nl
Wed Dec 6 14:20:17 UTC 2017
On Wed, 6 Dec 2017, Josef Wolf wrote:
> I thought grub is mandatory? How do you boot without grub? The days of lilo
> are gone...
I don't know why you are ignoring me; your unattended-upgrades.service
pulls in boot.mount, if your system is the same as mine (16.04).
> My use-case is a completely encrypted laptop. Since /boot can't be encrypted,
You can have encrypted boot just fine.
1. store a key in /root/keyfile.bin
2. add a file like
---
#!/bin/sh
# initramfs-tools hook: copy the LUKS keyfile into the initramfs image
if [ "$1" = "prereqs" ]; then
    exit 0
fi
cp /root/keyfile.bin "${DESTDIR}"
---
as /etc/initramfs-tools/hooks/copykey
3. add the key to your LUKS container device:
cryptsetup luksAddKey /dev/sda1 /root/keyfile.bin
NOTE: someone might still hack your running system of course.
4. echo "UMASK=0600" > /etc/initramfs-tools/conf.d/umask
5. not entirely sure about the necessity of this complexity, but:
add the following to /etc/crypttab:
<luksname> <device> /keyfile.bin luks,keyscript=/bin/cat
but this might also work:
<luksname> <device> /keyfile.bin luks
6. run update-initramfs -u
7. verify that the initramfs contains your key:
lsinitramfs /boot/init* | grep keyfile
8. verify that it contains cryptsetup and/or /bin/cat
9. add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub
10. add GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:<vgname>" to
/etc/default/grub, where <vgname> is the volume group of your /boot
partition, if you have any.
Otherwise (not using LVM) it has to point to your boot partition (if you
encrypt it separately).
So it would be /dev/sda1 if your boot is /dev/sda1
"cryptdevice=/dev/sda1"
In that case you have to feed the keyfile of your ROOT PARTITION to your
initrd.
So /root/keyfile.bin has to be the key to the root partition.
11. update-grub
12. ensure that /boot/grub/grub.cfg contains an insmod cryptodisk and a
cryptomount command.
The cryptomount command has to reference your PARTITION, so /dev/sda1,
it will be a UUID like:
cryptomount -u 6ce14a28290744edb3b86e8c5387d8e1
Verify that it's the same as sudo blkid /dev/sda1
13. reboot.
You should end up on a grub crypt prompt that will unlock your /boot,
read the initrd and the kernel, start the initrd,
which will unlock the crypt again (or for the first time if / is
separate) using the key found in /keyfile.bin in the initrd.
Having unlocked the container it will discover your root partition/
volume and boot your system.
You will need to enter your password at the grub prompt, but only
once.
That's it.
But I guess you'd just ignore this again ;-).
Regards.
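As an added example, not part of Xen's message and not a script shipped by Ubuntu or initramfs-tools: a POSIX shell script that checks the results of steps 4, 7, 8 and 12 above. The check functions take file paths, so they can be pointed at the real /etc/initramfs-tools/conf.d/umask, at saved "lsinitramfs /boot/init*" output and at /boot/grub/grub.cfg; the sample directory built by make_sample_dir, its file contents and the dashed blkid-style UUID are constructed for the demo (the dashless UUID is the one quoted in the message).

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# encrypted-/boot setup described in steps 4, 7, 8 and 12.

# Step 4: the key must not be world-readable inside the initramfs.
umask_is_restrictive() {            # $1 = path to conf.d/umask
    grep -qx 'UMASK=0600' "$1"
}

# Steps 7 and 8: the lsinitramfs listing (one entry per line, paths
# relative to the image root) must contain the keyfile and the unlock tools.
initramfs_has() {                   # $1 = listing file, $2 = entry, e.g. keyfile.bin or bin/cat
    grep -qE "(^|/)$2\$" "$1"
}

# Step 12: grub.cfg must load cryptodisk and cryptomount the right partition.
grub_has_cryptodisk() {             # $1 = grub.cfg
    grep -qE '^[[:space:]]*insmod[[:space:]]+cryptodisk' "$1"
}

grub_cryptomount_uuid() {           # prints the UUID given to the first "cryptomount -u"
    sed -nE 's/^[[:space:]]*cryptomount[[:space:]]+-u[[:space:]]+([0-9a-fA-F]+).*/\1/p' "$1" | head -n1
}

# grub prints the UUID without dashes, blkid prints it with dashes:
# compare the normalized forms so a copy/paste slip is caught.
grub_uuid_matches() {               # $1 = grub.cfg, $2 = UUID as printed by blkid
    [ "$(grub_cryptomount_uuid "$1")" = "$(printf '%s' "$2" | tr -d '-')" ]
}

# Constructed sample inputs: a temp dir holding the three files the checks read.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'UMASK=0600\n' > "$d/umask"
    printf '%s\n' . bin bin/cat sbin sbin/cryptsetup keyfile.bin > "$d/lsinitramfs.txt"
    cat > "$d/grub.cfg" <<'EOF'
insmod part_msdos
insmod cryptodisk
insmod luks
cryptomount -u 6ce14a28290744edb3b86e8c5387d8e1
set root='cryptouuid/6ce14a28290744edb3b86e8c5387d8e1'
EOF
    printf '%s\n' "$d"
}

# Run every check against one directory and report; non-zero if anything failed.
check_setup() {                     # $1 = dir with umask, lsinitramfs.txt, grub.cfg; $2 = blkid UUID
    rc=0
    umask_is_restrictive "$1/umask"                       || { echo "FAIL: UMASK=0600 not set"; rc=1; }
    initramfs_has "$1/lsinitramfs.txt" keyfile.bin        || { echo "FAIL: keyfile.bin not in initramfs"; rc=1; }
    initramfs_has "$1/lsinitramfs.txt" bin/cat            || { echo "FAIL: /bin/cat not in initramfs"; rc=1; }
    initramfs_has "$1/lsinitramfs.txt" sbin/cryptsetup    || { echo "FAIL: cryptsetup not in initramfs"; rc=1; }
    grub_has_cryptodisk "$1/grub.cfg"                     || { echo "FAIL: no insmod cryptodisk in grub.cfg"; rc=1; }
    grub_uuid_matches "$1/grub.cfg" "$2"                  || { echo "FAIL: cryptomount UUID differs from blkid"; rc=1; }
    return $rc
}

# Demo on the constructed files. On a real system replace SAMPLE_DIR's files
# with the real ones and BLKID_UUID with the output of: sudo blkid /dev/sda1
SAMPLE_DIR=$(make_sample_dir)
BLKID_UUID='6ce14a28-2907-44ed-b3b8-6e8c5387d8e1'   # constructed dashed form of the UUID above
check_setup "$SAMPLE_DIR" "$BLKID_UUID" && echo "all checks passed"
```

The UUID comparison is the check most worth automating: grub.cfg is regenerated by update-grub and a stale or wrong cryptomount target only shows up as a failed unlock at the next reboot.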