1

I have a device I've encrypted with LUKS1, and I decrypt it with a script in init.d (CentOS 6, no keyscript in crypttab). It's a RAID disk, with the encryption under the RAID, but I don't think that matters.

The lsblk looks like:

sda                                   8:0    0 238.5G  0 disk  
└─md127                               9:127  0 476.7G  0 raid0 
  └─luksmap1 (dm-15)                253:15   0 476.7G  0 crypt /data11
sdb                                   8:16   0 238.5G  0 disk  
└─md127                               9:127  0 476.7G  0 raid0 
  └─luksmap1 (dm-15)                253:15   0 476.7G  0 crypt /data1

The problem is that dracut finds it during boot and asks for a password. I need to be able to reboot this without being physically present.

It's set to noauto in fstab. I've told dracut not to load /etc/mdadm.conf. crypttab is empty.

How do I tell dracut not to look for or ask for the password? Or time out after waiting a bit? Or just keep going if there's no keyboard present?

yesennes
  • 173
  • 5

1 Answer

1

To completely prevent dracut from scanning for LUKS devices, add the following to your kernel command line:

rd.luks=0

If you want to only decrypt specific disks (e.g. I wanted it to decrypt the root partition, but not other encrypted disks), you should instead add

rd.luks.uuid=<DISK_UUID_HERE>

once per encrypted disk and not add rd.luks=0. You can find the UUIDs for disks with lsblk -o +uuid.

More on the options can be found in the manpage dracut.cmdline(7).

crater2150
  • 3,836
  • 2
  • 22
  • 26
  • 1
    I can't verify if this worked, because I unfortunately no longer have access to the system. I've accepted this as the correct answer but will leave this comment for anyone else with the same problem. – yesennes Dec 19 '22 at 02:52
  • I've tried it before posting, as I came about this question while needing this myself. I added the manpage documenting these options to the answer. – crater2150 Dec 20 '22 at 11:25
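Before an unattended reboot it helps to check which LUKS devices the initramfs would still try to unlock under a given kernel command line. The script below is an added example, not part of the original answer or of dracut: it models the rd.luks=0 and rd.luks.uuid= rules as documented in dracut.cmdline(7), for dracut versions that use the option spelling shown in the answer. The function names and the UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not dracut's own code); function names are hypothetical.

# would_prompt CMDLINE LUKS_UUID
# Exit 0 if the initramfs would try to unlock this device (and may prompt),
# exit 1 if it would skip it. Body is a subshell so `set -f` stays local.
would_prompt() (
    set -f                          # no globbing while splitting the cmdline
    uuid=${2#luks-}
    enabled=1 filtered=0 matched=0
    for arg in $1; do
        case $arg in
            rd.luks=0|rd.luks=no|rd.luks=off) enabled=0 ;;
            rd.luks|rd.luks=*) enabled=1 ;;   # last occurrence wins (assumption)
            rd.luks.uuid=*)
                filtered=1
                want=${arg#rd.luks.uuid=}
                want=${want#luks-}            # a "luks-" prefix is ignored
                # a leading fragment of the UUID is enough to match
                if [ -n "$want" ]; then
                    case $uuid in "$want"*) matched=1 ;; esac
                fi ;;
        esac
    done
    [ "$enabled" -eq 1 ] || return 1    # rd.luks=0: no LUKS scan at all
    [ "$filtered" -eq 0 ] && return 0   # no allow-list: every device is tried
    [ "$matched" -eq 1 ]
)

# prompting_devices CMDLINE  (reads "NAME UUID" lines on stdin)
# Prints the names of the devices that would be unlocked during boot.
prompting_devices() {
    while read -r name uuid; do
        if would_prompt "$1" "$uuid"; then echo "$name"; fi
    done
}

# Constructed sample: a root volume and the data volume (made-up UUIDs).
# On a real host, build this list from the output of `lsblk -o +uuid`.
ROOT_UUID=11111111-2222-3333-4444-555555555555
DATA_UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
SAMPLE="luks-root $ROOT_UUID
luksmap1 $DATA_UUID"

# With only the root UUID allow-listed, luksmap1 is no longer listed.
printf '%s\n' "$SAMPLE" | prompting_devices "ro rd.luks.uuid=luks-$ROOT_UUID"
```

Pass the contents of /proc/cmdline (or the planned new command line) as CMDLINE; any data volume that is still printed would stall a headless boot at the passphrase prompt.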