From b8aee29bab31d5b1fa0dac68d88d9230f2c4fde9 Mon Sep 17 00:00:00 2001
From: Thomas Zelch <address@hidden>
Date: Sat, 28 Feb 2015 23:28:42 -0800
Subject: [PATCH] Add documentation on how to unlock root encrypted fs with key
 in initramfs in Parabola Linux

---
 docs/gnulinux/encrypted_parabola.html | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html
index 85cb6ce..ae81ad0 100644
--- a/docs/gnulinux/encrypted_parabola.html
+++ b/docs/gnulinux/encrypted_parabola.html
@@ -586,6 +586,35 @@
 	</div>
 
 	<div class="section">
+		<h2>Optional: Use Keyfile in Initramfs to unlock encrypted root</h2>
+		<p>
+			Using the above Installation method, you will have to unlock the encrypted Filesystems two times.
+			Once in Grub and once during the boot of Parabola. <br/>
+			In order to circumvent this, it is possible to inlcude a Keyfile into the Initramfs of Parabola and unlock it at boot.<br/>
+			As mkinitcpio in Parabola and Archlinux needs patching for this to work, it is currently more of a "dirty hack" until it gets merged.<br/>
+			Everytime the mkinitcpio Package gets updated, you need to reapply the patch, or add mkinitcpio to HoldPkg in /etc/pacman.conf, this way it won't get updated.<br/>
+			<br/>
+			Download the encrypt.patch for the hook from the Feature request that is open : <a href=https://bugs.archlinux.org/index.php?do=details&action=details.addvote&task_id=31877>FS#31877</a><br/>
+			Patch the encrypt hook:<br/>
+			# <b>patch /usr/lib/initcpio/hooks/encrypt /path/to/encrypt.patch</b><br/>
+			Create a Keyfile:<br/>
+			# <b>dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock</b><br/>
+			Add Keyfile to the Luks Device:<br/>
+			# <b>cryptsetup luksAddKey /dev/sdX /etc/mykeyfile</b><br/> 
+			Add Keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf, for example:<br/>
+			# <b>FILES="/etc/mykeyfile"</b><br/>
+			Recreate the initramfs Image, replace linux-libre with whatever flavour of Kernel you are using.<br/>
+			# <b>mkinitcpio -p linux-libre</b><br/>
+			Reboot and add the following to the kernel command line in Grub:<br/>
+			# <b>cryptkey=initramfs:/etc/mykeyfile</b><br/>
+			<br/>
+			If everything works as expected you can permanently add the kernel parameter to the grub config inside your image and reflash it.
+			
+		</p>
+	
+	</div>
+
+	<div class="section">
 
 		<h2>Further security tips</h2>
 			<p>
@@ -611,6 +640,7 @@
 
 		<p>
 			Copyright &copy; 2014, 2015 Francis Rowe &lt;address@hidden&gt;<br/>
+			Copyright &copy; 2015 Thomas Zelch &lt;address@hidden&gt;<br/>
 			This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
 			A copy of the license can be found at <a href="../license.txt">../license.txt</a>.
 		</p>
-- 
2.3.0