In the last few posts I’ve shown how to make a USB key for use as an encrypted gateway to unlocking and booting a Linux system. While the setup works, there are a few steps left that could be automated. Wouldn’t it be nice to have everything set up to just update itself without manual intervention on every kernel update?
Well, we’re not going to get quite that far - but very close. In fact, all that
really remains is to ensure that
/boot is mounted before upgrading the
package and to rename the kernel and initramfs image files after the
package builds them. This post will show how to do this, and also present an AUR
package which will do the heavy lifting for Arch users.
First of all, you should already have
/boot set up in your
not, do it now. Refer to the fstab Arch Wiki article if you
need help with this.
If you’re not using Arch Linux, this section may not be of much help to you. Your package manager may provide functionality similar to the hook system used here, but you’re on your own figuring that out.
pacman [recently][pacman-hooks-release] released a hook API we can use to do the tedious things for us:
- Unlock and mount
- Rename kernel and initramfs image files after
- Unmount and close
These are all really simple. All we need to do is place some files in
Also remember to
chmod a+x /usr/share/libalpm/scripts/shared-cryptboot-build, or pacman won't be able to run it. This hook copies the kernel and initramfs image files to file names with the hostname as a suffix - i.e.
huginhost. If you want another file name, just modify the hook and set
SHARED_CRYPTBOOT_IMAGE_SUFFIXto something else - or replace the filename entirely if you prefer something completely different.
With this set up, pacman will attempt to mount
/boot before upgrading the
linux package. If it fails - for example, if you haven’t unlocked the
encrypted container - it will abort the transaction and let you fix that. After
linux package, it will copy the new kernel and initramfs images
to the safe file names used by GRUB as set up in the previous post. The only manual step remaining is to unlock and close the
encrypted container - but I, at least, actually prefer to keep it that way.
Pacman hooks AUR package
If you’re like me, you don’t like having anything outside
that’s not managed by the package manager. So I’ve packaged the above pacman
hooks as the shared-cryptboot-utils package
available in the AUR. Feel free to use it, and also to contribute any
improvements you can think of!
These last three posts detail how I’ve set up a USB storage drive for use as a USB key in the true sense of the word, holding boot files and encryption headers for several different Linux systems - including one installed on the drive itself - and thus requiring a kind of 2-factor authentication for accessing these systems. I hope this will help you set up your own convoluted encryption rig - let me know what cool things you do with this, and what improvements you’ve thought of!