From: INVALID.NOREPLY
Subject: [bug #59520] Dynamically append luks key to initramfs to avoid having it stored on system
Date: Thu, 17 Dec 2020 16:43:49 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0

Follow-up Comment #1, bug #59520 (project grub):

Seems like this might be an idea whose time has come. I recently realized this
earlier this year and implemented it in my setup.
Actually, no changes to grub are required. Just create your initrd with the
key, and then when booting add the new initrd to the "initrd" command along
with the already existing initrd. The key here is that grub already has had
for a long while now the capability to specify multiple initrds as arguments
to the "initrd" command and it will concatenate all arguments.

For key security and to provide one-password boot, I store the new initrd
inside a luks volume. On boot I provide the password to the luks volume
containing the initrd, and then append the initrd with the key to the main
initrd when booting.

If I understand you correctly, you're suggesting that the password be the
contents of a path in a created initrd. That would cut out a lot of the extra
hoops I need to jump through in my setup. I don't think grub should add any
behavior to specifically pass LUKS keys though. There should be a more general
mechanism that is not on by default.

Perhaps part of that general mechanism would be a grub command to create an
in-memory initrd from a list of paths, which can then be added as an argument
to the "initrd" command.

This may take a while before it gets implemented. In the meantime, I suggest
my current workaround.
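The workaround above relies on two facts: GRUB's "initrd" command passes its arguments to the kernel back to back, and the kernel's initramfs loader unpacks any number of concatenated cpio archives into one root filesystem. The following is an added example, not code from the bug report, from GRUB or from the commenter's setup: it builds two minimal newc cpio archives (a stand-in for the main initrd and for a second initrd carrying a key file), then unpacks their concatenation the way the kernel does. The file names and contents are constructed for the example; the path "cryptroot/keyfile" is an assumption, not a path any distribution's initramfs hooks necessarily use.

```python
# Minimal newc ("070701") cpio writer and reader, enough to show how the kernel
# treats several initrds appended by GRUB as a single archive stream.
NEWC_MAGIC = b"070701"

def _pad4(n):
    """Bytes of zero padding needed to reach the next 4-byte boundary."""
    return (-n) % 4

def build_initrd(files, mode=0o100600):
    """Build an uncompressed newc cpio archive from {path: bytes}."""
    out = bytearray()
    entries = list(files.items()) + [("TRAILER!!!", b"")]  # trailer ends the archive
    for ino, (name, data) in enumerate(entries, 1):
        nameb = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0]
        hdr = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)   # 110-byte header
        out += hdr + nameb + b"\0" * _pad4(len(hdr) + len(nameb))
        out += data + b"\0" * _pad4(len(data))
    # cpio(1) rounds the archive up to a 512-byte block with zeros; the kernel
    # skips those zeros before looking for the next archive's magic.
    out += b"\0" * ((-len(out)) % 512)
    return bytes(out)

def unpack_initrds(blob):
    """Unpack one or more concatenated newc archives into {path: bytes}.

    Mirrors the kernel's loader: after a TRAILER!!! entry it skips zero padding
    and keeps parsing, and a later archive's file overwrites an earlier one.
    """
    files, pos = {}, 0
    while pos < len(blob):
        if blob[pos] == 0:              # inter-archive padding
            pos += 1
            continue
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % pos)
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = pos + 110
        name = blob[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(110 + namesize)
        data = blob[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            continue                    # end of this archive, look for another
        files[name] = data
    return files

if __name__ == "__main__":
    main = build_initrd({"init": b"#!/bin/sh\nexec /sbin/init\n"})          # constructed
    key = build_initrd({"cryptroot/keyfile": b"constructed-key-material"})   # constructed
    print(sorted(unpack_initrds(main + key)))   # both files land in one rootfs
```

Because the second archive simply lands in the same root filesystem, the key is only as protected as the storage the key initrd is read from, which is why the comment keeps that initrd inside a LUKS volume rather than on the plain boot partition.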

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?59520>
