{"id":33119225,"url":"https://github.com/Symantec/dracut-encryptrootfs","last_synced_at":"2025-11-19T21:02:06.189Z","repository":{"id":85691598,"uuid":"65248442","full_name":"Symantec/dracut-encryptrootfs","owner":"Symantec","description":null,"archived":false,"fork":false,"pushed_at":"2016-11-11T19:41:46.000Z","size":93,"stargazers_count":4,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-11-06T17:24:40.303Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Symantec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-08-09T00:04:50.000Z","updated_at":"2022-08-30T09:54:18.000Z","dependencies_parsed_at":null,"dependency_job_id":"74f46731-ad1b-4d57-8abb-45add265bd85","html_url":"https://github.com/Symantec/dracut-encryptrootfs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Symantec/dracut-encryptrootfs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Symantec%2Fdracut-encryptrootfs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Symantec%2Fdracut-encryptrootfs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Symantec%2Fdracut-encryptrootfs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Symantec%2Fdracut-encryptrootfs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/S
ymantec","download_url":"https://codeload.github.com/Symantec/dracut-encryptrootfs/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Symantec%2Fdracut-encryptrootfs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":285327645,"owners_count":27152947,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-19T02:00:05.673Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-11-15T04:00:29.679Z","updated_at":"2025-11-19T21:02:06.183Z","avatar_url":"https://github.com/Symantec.png","language":"Shell","funding_links":[],"categories":["Minimal rootfs"],"sub_categories":[],"readme":"# dracut-encryptrootfs\nDracut module for encrypting the rootfs partition during first boot. The\n[Cryptsetup](https://gitlab.com/cryptsetup/cryptsetup)\n[LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup)\nimplementation is used for the crypto.\n\nIt is intended to protect data at rest for cases where physical\naccess to the disk is technically possible.\n\n## Workflow\ndracut-encryptrootfs does the following to encrypt the rootfs partition.\n\n1. During boot in the `initramfs` (aka early user space)\n    1. copying all rootfs partition content to memory\n    1. repartitioning the disk\n        1. creating, formatting and labeling the `label:boot` partition\n        1. 
creating and formatting the future rootfs partition\n    1. generating a plain text LUKS key\n    1. creating and configuring the LUKS volume\n    1. copying the rootfs content back from memory to the LUKS backed partition\n    1. encrypting the LUKS key and storing it at `/boot/luks.key`\n1. During the `init` process\n    1. moving all `/boot` content to the `label:boot` partition, where\n        `/boot/luks.key` is already located\n    1. updating `/etc/fstab`\n    1. updating the GRUB configuration\n    1. updating the MBR by re-installing the boot loader\n\n\nThe resulting partition table looks like this\n\n![Disk diagram][disk_diagram]\n\n## Installation\nThe module can be installed directly from the git repository.\nHere is a sample for an AWS instance (Centos 7).\nMake sure that all filesystem content fits in available memory, since the\nrootfs is copied to memory during the first boot. m3.medium is\nsufficient for ~2GB of image content.\n\n\n```bash\n#!/usr/bin/env bash\n\n# Sample configuration for Centos 7\ngit clone https://github.com/zaletniy/dracut-encryptrootfs.git\ncd dracut-encryptrootfs\n\nyum -y install dropbear cryptsetup\n\n#installing dracut modules\ncp -a modules.d/* /usr/lib/dracut/modules.d/\ncp encryptrootfs.conf /etc/dracut.conf.d/\n\n#adding public key to config\necho \"dropbear_acl=\\\"ssh-rsa AAAABPAR...e user\\\"\" \u003e\u003e /etc/dracut.conf.d/encryptrootfs.conf\necho \"disk=xvda\" \u003e\u003e /etc/dracut.conf.d/encryptrootfs.conf\necho \"root_partition=xvda1\" \u003e\u003e /etc/dracut.conf.d/encryptrootfs.conf\necho \"install_debug_deps=true\" \u003e\u003e /etc/dracut.conf.d/encryptrootfs.conf\n#the implementation file name is quoted and appended like the other values\necho \"networking_configuration_implementation=\\\"dhcp_networking_configuration_centos7.sh\\\"\" \u003e\u003e /etc/dracut.conf.d/encryptrootfs.conf\necho \"debug_deps=\\\"blockdev e2fsck partx partprobe resize2fs tune2fs lsmod env df du md5sum chmod\\\"\" \u003e\u003e /etc/dracut.conf.d/encryptrootfs.conf\n\n#useful for AWS EC2 to update /usr/lib/modules/$(uname -r)/modules.dep\n#if image was imported to EC2\ndepmod -a\n\n#rebuilding of initramfs\ndracut -f -v\n\n#installing Systemd service\ncp 
init/dracut-encryptrootfs-final /usr/local/sbin/dracut-encryptrootfs-final\ncp init/systemd/encryptrootfs.service /etc/systemd/system/encryptrootfs.service\n\nchmod 664 /etc/systemd/system/encryptrootfs.service\nchmod 744 /usr/local/sbin/dracut-encryptrootfs-final\n\nsystemctl daemon-reload\nsystemctl enable encryptrootfs.service\n\nsed -i '/GRUB_CMDLINE_LINUX/d' /etc/default/grub\n#console=ttyS0 makes dracut output visible in the EC2 system log.\n#rd.shell and rd.debug are debugging aids: rd.shell drops to an unauthenticated\n#root shell in the initramfs when root mounting fails, rd.debug traces every\n#dracut script. Remove both once the encrypting first boot has been verified.\necho \"GRUB_CMDLINE_LINUX=\\\"console=ttyS0,115200n8 console=tty0 vconsole.font=latarcyrheb-sun16 vconsole.keymap=us biosdevname=0 plymouth.enable=0 crashkernel=auto rd.neednet=1 ip=dhcp rd.net.dhcp.retry=5 rd.net.timeout.dhcp=60 rd.shell rd.debug log_buf_len=1M\\\"\" \u003e\u003e /etc/default/grub\n\nsed -i '/GRUB_TIMEOUT/d' /etc/default/grub\necho \"GRUB_TIMEOUT=5\" \u003e\u003e /etc/default/grub\n\n#debug output\ncat /etc/default/grub\n\ngrub2-mkconfig -o /boot/grub2/grub.cfg\n\n#debug output\nblkid\n\nreboot\n```\n\n### Compatibility\nThe module is compatible with Centos 7 and Centos 6. It uses `GRUB`, `Cryptsetup` and\n`systemd` and expects an `MBR` partitioning scheme.\n\n### Key management\nThe key management logic is pluggable and is configured by providing a\ncorresponding bash implementation;\n[`naive_keymanagement.sh`](../master/modules.d/50encryptrootfs/naive_keymanagement.sh)\ncan be used as an example.\n\n### Networking configuration\nThe LUKS key is expected never to be stored unencrypted on the\nmachine; it is decrypted with an external key management system at boot. Network\nconnectivity is therefore a critical dependency of the boot process.\n\nAnother reason for networking is the ability to troubleshoot dracut on a\nheadless system where a console or VNC is not an option (e.g. AWS EC2).\n\nThe networking configuration logic can be customized by providing a\nbash implementation. 
The DHCP implementation\n[`dhcp_networking_configuration.sh`](../master/modules.d/50encryptrootfs/dhcp_networking_configuration.sh)\ncan be used as a sample.\n\nThis script is called repeatedly from the dracut `initqueue` until it\nreturns `0`.\n\n### AWS KMS integration\nTo integrate the module with the AWS Key Management Service (KMS), the\n[simple-cloud-encrypt](https://github.com/cviecco/simple-cloud-encrypt)\nutility can be used.\n\n## Troubleshooting\nTo troubleshoot the boot process you can follow the standard dracut\n[documentation](https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_troubleshooting).\nThe only difference is that when you don't have access to the machine console,\nyou can log in via ssh using the RSA key configured during module\ninstallation:\n\n`ssh root@VM_HOST -p 2222`, where `2222` is the default port\n\n## Contributions\n\nPrior to receiving information from any contributor, Symantec requires\nthat all contributors complete, sign, and submit Symantec Personal\nContributor Agreement (SPCA).  The purpose of the SPCA is to clearly\ndefine the terms under which intellectual property has been\ncontributed to the project and thereby allow Symantec to defend the\nproject should there be a legal dispute regarding the software at some\nfuture time. A signed SPCA is required to be on file before an\nindividual is given commit privileges to the Symantec open source\nproject.  Please note that the privilege to commit to the project is\nconditional and may be revoked by Symantec.\n\nIf you are employed by a corporation, a Symantec Corporate Contributor\nAgreement (SCCA) is also required before you may contribute to the\nproject.  If you are employed by a company, you may have signed an\nemployment agreement that assigns intellectual property ownership in\ncertain of your ideas or code to your company.  
We require a SCCA to\nmake sure that the intellectual property in your contribution is\nclearly contributed to the Symantec open source project, even if that\nintellectual property had previously been assigned by you.\n\nPlease complete the SPCA and, if required, the SCCA and return to\nSymantec at:\n\nSymantec Corporation\nLegal Department\nAttention:  Product Legal Support Team\n350 Ellis Street\nMountain View, CA 94043\n\nPlease be sure to keep a signed copy for your records.\n\n## LICENSE\n\nCopyright 2015 Symantec Corporation.\n\nLicensed under the Apache License, Version 2.0 (the “License”); you\nmay not use this file except in compliance with the License.\n\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0 Unless required by\napplicable law or agreed to in writing, software distributed under the\nLicense is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR\nCONDITIONS OF ANY KIND, either express or implied. See the License for\nthe specific language governing permissions and limitations under the\nLicense.\n\n[disk_diagram]: ../master/docs/disk_diagram.png \"Disk diagram\"","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSymantec%2Fdracut-encryptrootfs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSymantec%2Fdracut-encryptrootfs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSymantec%2Fdracut-encryptrootfs/lists"}
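The key lifecycle described in the README's Workflow and Key management sections (generate a plain text LUKS key, format the volume with it, store only an encrypted copy at `/boot/luks.key`, unwrap it from the network-supplied secret on later boots), as an added bash example. This is not the project's `naive_keymanagement.sh` and the README does not show the plugin's actual interface: the function names, the `ENCRYPTROOTFS_KEK` variable and the use of `openssl enc` passphrase wrapping in place of the external KMS call are assumptions made for illustration. It assumes a system with OpenSSL 1.1.1 or later, coreutils and diffutils.

```bash
#!/usr/bin/env bash
# Added example, not part of dracut-encryptrootfs. ASSUMPTIONS: openssl
# passphrase wrapping (AES-256-CBC, PBKDF2) stands in for the external KMS
# call; the wrapping secret arrives in ENCRYPTROOTFS_KEK (hypothetical
# variable) over the network at boot and is never written to disk.
set -eu

# Generate a plain text LUKS key: 512 random bits, readable only by root.
gen_luks_key() {
    local out=$1
    (umask 077; head -c 64 /dev/urandom > "$out")
}

# Encrypt the plain key for storage on the unencrypted /boot partition.
wrap_key() {
    local plain=$1 wrapped=$2
    (umask 077; openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass env:ENCRYPTROOTFS_KEK -in "$plain" -out "$wrapped")
}

# Recover the plain key at boot; the output path should be on tmpfs.
unwrap_key() {
    local wrapped=$1 plain=$2
    (umask 077; openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass env:ENCRYPTROOTFS_KEK -in "$wrapped" -out "$plain")
}

# First boot: format the new partition with the plain key and keep only
# the wrapped copy. Needs root and a block device, so the self-test below
# does not call it.
encrypt_partition() {
    local dev=$1 keyfile=$2 bootdir=$3
    cryptsetup -q luksFormat "$dev" "$keyfile"
    wrap_key "$keyfile" "$bootdir/luks.key"
    shred -u "$keyfile"   # the plain key must not survive on disk
}

# Later boots: unwrap into /run (tmpfs), open the volume, discard the
# plain key again. Also root-only and not exercised by the self-test.
open_partition() {
    local dev=$1 bootdir=$2 name=$3
    local tmp
    tmp=$(mktemp /run/luks.XXXXXX)
    unwrap_key "$bootdir/luks.key" "$tmp"
    cryptsetup luksOpen --key-file "$tmp" "$dev" "$name"
    shred -u "$tmp"
}

# Unprivileged self-test of the wrap/unwrap path with a constructed secret:
# prints "ok" when the recovered key matches the generated one and the
# stored artifact is not the plain key.
roundtrip_demo() {
    local d
    d=$(mktemp -d)
    export ENCRYPTROOTFS_KEK="constructed-test-secret-not-for-production"
    gen_luks_key "$d/luks.key.plain"
    wrap_key "$d/luks.key.plain" "$d/luks.key"
    unwrap_key "$d/luks.key" "$d/luks.key.recovered"
    if cmp -s "$d/luks.key.plain" "$d/luks.key.recovered" \
       && ! cmp -s "$d/luks.key.plain" "$d/luks.key"; then
        echo ok
    else
        echo FAIL
    fi
    rm -rf "$d"
}
```

`roundtrip_demo` exercises only the wrap and unwrap path, which needs no privileges; `encrypt_partition` and `open_partition` show where `cryptsetup luksFormat` and `luksOpen --key-file` fit but require root and a real device. The split mirrors the point the Networking configuration section makes: the unwrapping secret is fetched at boot, the plain key exists only in memory, and the only key material written to the disk is the wrapped `luks.key` on `/boot`.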