luks-dmcrypt with (internal) keyfile not documented

[herriett]

With grub2 supporting luks-dmcrypt it is nowadays possible to have the linux kernel and initramfs inside the encrypted filesystem using a minimal boot partition without kernel and initramfs. This protects against certain attack vectors.

To prevent having to enter the password twice it then makes sense to include an internal keyfile inside the initramfs (remember: which resides safely on the encrypted volume). There is no documentation of how to do this with better-initramfs or which parameters to use for pointing it to the keyfile.

[fff7d1bc]

binit never actually got support for key-files. There's a pull request from 2013 but I never decided to merge it. The biggest priority right now is to finally rewrite the build/bootstrap system and switch to Alpine Linux as sysroot, then I will be adding more features. Perhaps for now you may want to just edit the functions.sh file and add --key-file option to cryptsetup arguments.

[herriett]

Thanks, will try just editing functions.sh.