When encrypting a system it is necessary to regenerate the initial ramdisk after properly configuring mkinitcpio. Depending on the particular scenario, a subset of the following hooks will have to be enabled:
encrypt: always needed when encrypting the root partition, or a partition that needs to be mounted before root; it must come before the filesystems hook. It is not needed in all other cases, since /etc/crypttab takes care of unlocking any other partitions once the root file system is mounted.
shutdown: highly recommended; ensures controlled unmounting during system shutdown.
keymap: provides support for foreign keymaps for typing encryption passphrases; it must come before the encrypt hook, otherwise the passphrase prompt uses the default keymap.
keyboard: needed to make USB keyboards work in early userspace.
usbinput: deprecated, but can be given a try in case keyboard does not work.
Other hooks needed should be clear from the other manual steps followed during the installation of the system.
Configuring the boot loader
The main parameter is cryptdevice, with the following syntax:
cryptdevice=device:dmname
device is the path to the raw encrypted device. Usage of Persistent block device naming is advisable.
dmname is the device-mapper name given to the device after decryption, which will be available as /dev/mapper/dmname.
So if the encrypted root device in the example is /dev/sda2 and the decrypted one should be mapped to /dev/mapper/cryptroot, the kernel parameter would be:
cryptdevice=/dev/sda2:cryptroot
This will make the system prompt for the passphrase to unlock the root device on a cold boot.
Depending on the setup, other parameters are required as well:
cryptdevice=device:dmname root=device resume=device cryptkey=device:fstype:path
root=device is the device file of the actual (decrypted) root file system. If the file system is formatted directly on the decrypted device file this will be /dev/mapper/dmname.
resume=device is the device file of the decrypted swap device used for suspend to disk. See also Dm-crypt/Swap Encryption.
cryptkey=device:fstype:path is required for reading a keyfile from a file system. See also Dm-crypt/Device Encryption#Using Cryptsetup with a Keyfile.
device is the raw block device where the key exists.
fstype is the filesystem type of device.
path is the absolute path of the keyfile within the device.
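The hook ordering rules above (encrypt before filesystems, keymap before encrypt) and the cryptdevice/root parameters are easy to get wrong, and a mistake only shows up at the next boot. The following POSIX shell functions are an added example, not part of the Arch wiki page or of mkinitcpio: they check a HOOKS line for those ordering rules and assemble the kernel parameters for an encrypted root. The device path /dev/sda2 and the mapper name cryptroot are sample values taken from the text; the non-persistent-name warning is an assumption of this example, not something mkinitcpio enforces.

```shell
#!/bin/sh
# Added example (not from the Arch wiki page): sanity-check the mkinitcpio HOOKS
# ordering and assemble the cryptdevice kernel parameter before regenerating
# the initramfs. Hook names and ordering rules come from the text above.

# hook_index HOOKS NAME -> prints the 1-based position of NAME in HOOKS, or 0 if absent
hook_index() {
    _i=0
    for _h in $1; do
        _i=$((_i + 1))
        [ "$_h" = "$2" ] && { echo "$_i"; return 0; }
    done
    echo 0
}

# check_hooks HOOKS -> returns 0 if the ordering rules hold, 1 otherwise (reasons on stderr)
check_hooks() {
    _hooks=$1
    _ok=0
    _enc=$(hook_index "$_hooks" encrypt)
    _fs=$(hook_index "$_hooks" filesystems)
    _km=$(hook_index "$_hooks" keymap)
    _kb=$(hook_index "$_hooks" keyboard)

    # encrypt is mandatory for an encrypted root and must precede filesystems
    if [ "$_enc" -eq 0 ]; then
        echo "missing hook: encrypt" >&2; _ok=1
    elif [ "$_fs" -eq 0 ] || [ "$_enc" -gt "$_fs" ]; then
        echo "encrypt must come before filesystems" >&2; _ok=1
    fi
    # keymap only helps if it runs before the passphrase prompt raised by encrypt
    if [ "$_km" -ne 0 ] && [ "$_enc" -ne 0 ] && [ "$_km" -gt "$_enc" ]; then
        echo "keymap must come before encrypt" >&2; _ok=1
    fi
    # keyboard is needed for USB keyboards at the early-userspace prompt (warning only)
    if [ "$_kb" -eq 0 ]; then
        echo "warning: keyboard hook missing, USB keyboards may not work at the prompt" >&2
    fi
    return $_ok
}

# cmdline DEVICE DMNAME [ROOT] -> prints the kernel parameters for an encrypted root.
# ROOT defaults to the mapped device, i.e. the file system sits directly on it.
cmdline() {
    _dev=$1; _dm=$2
    _root=${3:-/dev/mapper/$_dm}
    # assumption of this example: warn on kernel-enumerated names, which can change between boots
    case $_dev in
        /dev/sd*|/dev/nvme*|/dev/vd*)
            echo "warning: $_dev is not a persistent name; prefer /dev/disk/by-uuid/..." >&2 ;;
    esac
    printf 'cryptdevice=%s:%s root=%s\n' "$_dev" "$_dm" "$_root"
}
```

Typical use: `check_hooks "$(. /etc/mkinitcpio.conf; echo "$HOOKS")"` before running `mkinitcpio -P`, and `cmdline /dev/disk/by-uuid/... cryptroot` to produce the line that goes into the boot loader entry. Sourcing mkinitcpio.conf this way works because the file is itself shell syntax.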