Hello,
I would like to share wip for adding LUKS support for mender-convert.
I used image build by mkosi with LUKS partition and added mender-support here: GitHub - nandra/mender-conversion-tools at LUKS
Basically added LUKS handling for opening rootfs + adding formatting back. For that purpose I also used forked grubenv: GitHub - nandra/grub-mender-grubenv at nandra-luks
Also add custom config with following content:
MENDER_GRUBENV_VERSION="718442304646df570b25bd5e5bd1968f285c2d22" MENDER_GRUBENV_URL="https://github.com/nandra/grub-mender-grubenv/archive/${MENDER_GRUBENV_VERSION}.tar.gz" LUKS_PWD="%PWD%"
where LUKS_PWD is password for LUKS encryption/decryption.
There are still few things missing:
for booting encrypted rootfs kernel argument needs to be provided in format luks.name=UUID=rootfs root=/dev/mapper/rootfs. Fetching UUID from luks encrypted filesystem doesn’t work (also filesystem is reported as unknown → needs to be checked). It must be manually updated by finding UUID of rootfs partition and then updateting grub.cfg. Other thing is that user is asked for pwd 2x. Once when grub would like to load kernel + initrd then second time when initrd want to mount rootfs. Later one can be resolved by hadrcoding key to existing initrs. This is more RFC or proff of concept. Ideas and comments are welcomed. Thanks.