Here is a solution I am using in Lucid and Maverick, when not using LVM so as to allow use of separately encrypted partitions. This is to support multi-disk video editing machines. It is crude and uses hardcoded UUID values for each partition, not reading crypttab for now. Eventually I will play with making it use the crypttab values, but I was simply seeking a quick solution when I wrote this. I've been using this for months with no problems.
ALGORITHM:
Steps:
1: prompt for passphrase, cache in a variable in ram (runs in initramfs, nothing should write to any disk)
a: if plymouth is running, use plymouth ask-for-passphrase
2: unlock encrypted volumes (hard-code these into the script for now)
3: if cryptsetup returns error, go back to 1.
4: forcibly reset the variable to a string of zeros
5: Delete the variable
6: exit
INITRAMFS SCRIPT: name it cryptall and remove cryptroot from /usr/share/initramfs-tools/scripts/local-top
#!/bin/sh
# This is a drop-in replacement for cryptsetup's cryptroot script. It
# caches the passphrase in RAM (/tmp/unlock on the initramfs tmpfs), unlocks
# all volumes, then overwrites and deletes the cached passphrase.
#
# HARDCODED FOR LUCID: /dev/sda5 (root), /dev/sda8 (home), /dev/sda7 (swap)
#
# Standard initramfs preamble
#
prereqs()
{
	# Make sure that cryptall is run last in local-top by listing every
	# other script in this directory as a prerequisite
	for req in $(dirname "$0")/*; do
		script=${req##*/}
		if [ "$script" != cryptall ]; then
			echo "$script"
		fi
	done
}
case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac
# Step 1: prompt once through plymouth and cache the passphrase in /tmp (tmpfs, never on disk)
plymouth ask-for-password --prompt="cryptsetup: unlocking all encrypted boot disks" > /tmp/unlock
# Step 2: unlock root with the cached passphrase; step 3: while it fails, go back to the prompt
cryptsetup luksOpen /dev/sda5 cryptroot < /tmp/unlock
until [ -e /dev/mapper/cryptroot ]; do
	plymouth message --text="cryptsetup: unknown fstype, bad password or options?"
	plymouth ask-for-password --prompt="cryptsetup: unlocking all encrypted boot disks" > /tmp/unlock
	cryptsetup luksOpen /dev/sda5 cryptroot < /tmp/unlock
done
plymouth message --text="cryptsetup: cryptroot setup successfully"
# Home and swap are expected to share the root passphrase: report a mismatch, do not retry
cryptsetup luksOpen /dev/sda8 crypthome < /tmp/unlock
if [ -e /dev/mapper/crypthome ]; then
	plymouth message --text="cryptsetup: crypthome setup successfully"
else
	plymouth message --text="home directory passphrase does not match root key-you need to make a new home key"
fi
cryptsetup luksOpen /dev/sda7 cryptswap < /tmp/unlock
if [ -e /dev/mapper/cryptswap ]; then
	plymouth message --text="cryptsetup: cryptswap setup successfully"
else
	plymouth message --text="swap passphrase does not match root key-you need to make a new swap key"
fi
# Steps 4 and 5: overwrite the cached passphrase with zeros, then delete it
echo "0000000000000000000000000000000000000000000000000000000000000000" > /tmp/unlock
rm /tmp/unlock
exit 0
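Reading the targets from crypttab instead of hard-coding them, as the post says it eventually intends: an added example written for this page, not the poster's script. It assumes a crypttab-format file is available in the initramfs at the path in CRYPTTAB (an assumption; a hook would have to copy it there), that /tmp is tmpfs, and that /lib/cryptsetup/askpass from the cryptsetup package is present as the fallback when plymouth is not running.

```shell
#!/bin/sh
# Added example, not the poster's script: one passphrase prompt unlocks every
# LUKS target in a crypttab-format file, then the RAM cache is wiped. Assumed:
# CRYPTTAB is a crypttab copied into the initramfs by a hook (path assumed),
# /tmp is tmpfs, and /lib/cryptsetup/askpass is the non-plymouth fallback.
CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
CACHE=/tmp/unlock
MAX_TRIES=3
# Constructed sample crypttab (not from the post) for exercising the parser.
write_sample_crypttab() {
    printf '%s\n' '# name device keyfile options' \
        'cryptroot UUID=11111111-2222-3333-4444-555555555555 none luks' \
        'crypthome /dev/sda8 none luks' '' 'cryptswap /dev/sda7 none luks' > "$1"
}
# Print "name device" per target, skipping comments/blank lines and mapping
# UUID=... to the /dev/disk/by-uuid path that udev provides in the initramfs.
crypttab_targets() {
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$device" in UUID=*) device="/dev/disk/by-uuid/${device#UUID=}" ;; esac
        echo "$name $device"
    done < "$1"
}
# Step 1: cache the passphrase in RAM, via plymouth when it is running.
ask_passphrase() {
    if plymouth --ping 2>/dev/null; then
        plymouth ask-for-password --prompt="Unlock encrypted disks" > "$CACHE"
    else
        /lib/cryptsetup/askpass "Unlock encrypted disks: " > "$CACHE"
    fi
}
# Steps 2-3: open each target from the cache; re-prompt on failure but give up
# on a target after MAX_TRIES so one volume with a stale key cannot hang boot.
unlock_all() {
    ask_passphrase
    crypttab_targets "$CRYPTTAB" | while read -r name device; do
        [ -e "/dev/mapper/$name" ] && continue
        tries=1
        until cryptsetup luksOpen "$device" "$name" < "$CACHE"; do
            [ "$tries" -ge "$MAX_TRIES" ] && { echo "cryptall: $name: giving up" >&2; break; }
            tries=$((tries + 1)); ask_passphrase
        done
    done
}
# Steps 4-5: overwrite the cache with zeros, then delete it.
wipe_cache() { printf '%0128d' 0 > "$CACHE" && rm -f "$CACHE"; }
# Only act when installed as local-top/cryptall (below the post's prereqs
# preamble); under any other file name this just defines the functions.
case "${0##*/}" in cryptall) unlock_all; wipe_cache ;; esac
```

Install it as local-top/cryptall with the post's prereqs preamble above it; the `$0` guard means the same file can be sourced under another name to exercise the parser without touching any volume.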