I don't understand what you are asking.
I forgot to mention, when I was first figuring out how to get this working another obstacle I ran into was Calamares would error out when it noticed the installation was encrypted, but it did not have a keyfile for the encrypted device. My way of working around that was to remove the luksbootkeyfile option from /etc/calamares/settings.conf.
install.sh · main · BluishHumility / garuda-setup · GitLab
Before you start the installer, open /etc/calamares/settings.conf in an editor and delete that line. Or use something like sed:
sed -i '/luksbootkeyfile/d' /etc/calamares/settings.conf
Then, after the installation is finished you can chroot into the installed system and set up the keyfile manually.
chroot-install.sh · main · BluishHumility / garuda-setup · GitLab
I ended up scripting it for my purpose as you can see. To do it manually would be like this:
From the chroot, remove the dracut config Calamares sets up since it isn't going to work.
rm /etc/dracut.conf.d/calamares-luks.conf
Generate a keyfile.
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 000 /crypto_keyfile.bin
cryptsetup -v luksAddKey "/dev/[btrfs partition]" /crypto_keyfile.bin
Obviously replace "[btrfs partition]" with whatever the disk partition identifier is.
Add the keyfile to a dracut config.
echo 'install_items+=" /crypto_keyfile.bin "' > /etc/dracut.conf.d/keyfile.conf
Regenerate the initramfs
dracut-rebuild
Edit /etc/default/grub and add the cryptdevice kernel parameter to the GRUB_CMDLINE_LINUX line. It should be like this:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=[cryptdevice UUID]:[device mapping]"
You can get the cryptdevice UUID like this:
blkid -s UUID -o value "/dev/[btrfs partition]"
And then "[device mapping]" is whatever you decided to call the mapping ("live-root", "live-luks", or whatever). Note there is a colon in between the cryptdevice UUID and the device mapping.
Reinstall Grub and regenerate the Grub configuration file.
grub-install --no-nvram
update-grub
Finally, exit the chroot and reboot.
As you can see, this whole process is pretty complicated and kind of hacky because you have to sort of work around the installer to do it. That's why I decided encrypted installations are beyond the scope of the wiki document you linked; I figure for most folks, it's more trouble than it is worth.
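
The following is an added example, not part of the original post or of the garuda-setup scripts: a set of checks to run inside the chroot before rebooting, confirming each manual step above took effect. The function names are hypothetical; the paths are the ones used in the post, and the partition is passed as an argument.

```shell
#!/usr/bin/env bash
# Added example: checks for the manual keyfile steps, run inside the chroot.
# Function names are hypothetical; paths are the ones used in the post.

# Keyfile exists with mode 000 (the post's chmod 000).
check_keyfile_mode() { [ -e "$1" ] && [ "$(stat -c '%a' "$1")" = "0" ]; }

# dracut config lists the keyfile on an uncommented install_items line.
check_dracut_conf() {   # $1 = conf file, $2 = keyfile path
    grep -E '^[[:space:]]*install_items\+=' "$1" | grep -Fq -- "$2"
}

# GRUB_CMDLINE_LINUX carries cryptdevice=UUID=<uuid>:<mapping>, colon included.
# An unreplaced "[cryptdevice UUID]" placeholder fails this check.
check_grub_cmdline() {  # $1 = /etc/default/grub
    grep -Eq '^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=[0-9a-fA-F-]{36}:[A-Za-z0-9_.-]+' "$1"
}

# The Calamares-generated dracut config has been removed.
check_calamares_conf_removed() { [ ! -e "$1" ]; }

# The keyfile really opens a keyslot; needs root and the real device.
check_keyslot() {       # $1 = LUKS partition, $2 = keyfile
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

verify_all() {          # $1 = LUKS partition
    local rc=0
    check_calamares_conf_removed /etc/dracut.conf.d/calamares-luks.conf \
        || { echo "FAIL: calamares-luks.conf still present"; rc=1; }
    check_keyfile_mode /crypto_keyfile.bin \
        || { echo "FAIL: /crypto_keyfile.bin missing or not mode 000"; rc=1; }
    check_dracut_conf /etc/dracut.conf.d/keyfile.conf /crypto_keyfile.bin \
        || { echo "FAIL: keyfile not in dracut install_items"; rc=1; }
    check_grub_cmdline /etc/default/grub \
        || { echo "FAIL: cryptdevice=UUID=...:mapping not in GRUB_CMDLINE_LINUX"; rc=1; }
    check_keyslot "$1" /crypto_keyfile.bin \
        || { echo "FAIL: keyfile does not open a keyslot on $1"; rc=1; }
    return "$rc"
}

# Run the checks only when a partition is given as the first argument.
if [ "$#" -ge 1 ]; then verify_all "$1"; fi
```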