• Status: Closed
• Percent Complete:
• Task Type: Feature Request
• Category: ISO
• Assigned To:
• Operating System: CRUX
• Severity: Low
• Priority: Very Low
• Reported Version: Development
• Due in Version: 3.7
• Due Date: Undecided
• Votes: 5
• Private:
Attached to Project: CRUX
Opened by teK - 05.08.2008
Last edited by jaeger - 29.08.2023

FS#341 - Add support for dmcrypt to the installation ISO

I already spent some time implementing this and currently creating/opening/mounting/installing on a dmcrypt-ed device works like a charm.

Still needed is:
initrd to support setups with encrypted /

a sidenote: I don't know who is in charge of creating the ISOs but I could give some advice/hints for building the next ISO as I switched kernel to 2.6.26 and rebuilt all core and opt ports to reflect the currently available versions.

Closed by jaeger
29.08.2023 00:07
Reason for closing: Implemented

I think this got overlooked... maybe for CRUX2.6

Jue Tilman and Matt I think were the ones that built isos.

I would be keen on implementing dmcrypt or maybe LUKS into my project. mdadm and lvm2 are supported currently.


Is there any progress on this? Any chances for dmcrypt support in 3.2?

I saw that there is an updated unofficial 3.1 installation ISO on https://serverop.de/~tek/crux-dmcrypt/ and will be glad to know what issues remain to be solved.


Bump for inclusion into crux 3.3?

fun commented on 14.04.2017 08:13


A shameless paste from the Slackware64-current, `/etc/rc.d/rc.S` file, as of 2020-01:

1. Add an empty `/etc/crypttab` to the base install

2. Then, put this function in-between the `# Create device-mapper ...` and the `# Mount root ...` functions in the `/etc/rc` file:


```sh
# Open any volumes created by cryptsetup.
# Some notes on /etc/crypttab in Slackware:
# Only LUKS formatted volumes are supported (except for swap)
# crypttab follows the following format:
# <luks_name> <device> <password> <options>
# <luks_name>:  This is the name of your LUKS volume.
#   For example: crypt-home
# <device>:  This is the device containing your LUKS volume.
#   For example: /dev/sda2
# <password>:  This is either the volume password in plain text, or the name of
#   a key file.  Use 'none' to interactively enter password on boot.
# <options>:  Comma-separated list of options.  Note that there must be a
#   password field for any options to be picked up (use a password of 'none' to
#   get a password prompt at boot).  The following options are supported:
#   discard -- this will cause --allow-discards to be passed to the cryptsetup
#     program while opening the LUKS volume.
#   ro -- this will cause --readonly to be passed to the cryptsetup program while
#     opening the LUKS volume.
#   swap -- this option cannot be used with other options.  The device given will
#     be formatted as a new encrypted volume with a random key on boot, and used as
#     swap.
if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
  # First, check for device-mapper support.
  if ! grep -wq device-mapper /proc/devices ; then
    # If device-mapper exists as a module, try to load it.
    # Try to load a device-mapper kernel module:
    /sbin/modprobe -q dm-mod
  fi
  # NOTE: we only support LUKS formatted volumes (except for swap)!
  cat /etc/crypttab | grep -v "^#" | grep -v "^$" | while read line; do
    eval LUKSARRAY=( $line )
    # Fields in the order given by the crypttab format above:
    LUKS="${LUKSARRAY[0]}"
    DEV="${LUKSARRAY[1]}"
    PASS="${LUKSARRAY[2]}"
    OPTS="${LUKSARRAY[3]}"
    LUKSOPTS=""
    if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi
    if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi
    # Skip LUKS volumes that were already unlocked (in the initrd):
    /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue
    if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
      if [ -z "${LUKSOPTS}" ]; then
        echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':"
      else
        echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':"
      fi
      if [ -n "${PASS}" -a "${PASS}" != "none" ]; then
        if [ -f "${PASS}" ]; then
          # A password was given a key-file filename
          /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
        else
          # A password was provided in plain text
          echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
        fi
      else
        # No password was given, or a password of 'none' was given
        /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS </dev/tty0 >/dev/tty0 2>&1
      fi
    elif echo $OPTS | grep -wq swap ; then
      # If any of the volumes is to be used as encrypted swap,
      # then encrypt it using a random key and run mkswap:
      echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':"
      /sbin/cryptsetup --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
      mkswap /dev/mapper/$LUKS
    fi
  done
fi
```
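
An added example, not part of the ticket or of Slackware's `rc.S`: a small POSIX shell lint for the crypttab format described in the pasted comments. It flags plaintext passwords, key files readable by group or others, an option written in the password field, and `swap` combined with other options. The function names `check_entry` and `lint_crypttab` and the finding codes are made up for this example, and treating a third field that starts with `/` as an intended key-file path is an assumption.

```shell
# Added example, not part of the ticket or of Slackware's rc.S.
# Lints crypttab lines: <luks_name> <device> <password> <options>

# check_entry LINE: print one finding code for a single crypttab line.
check_entry() {
    set -f; set -- $1; set +f      # split into fields without globbing
    name=$1; dev=$2; pass=$3; opts=$4
    if [ -z "$name" ] || [ -z "$dev" ]; then echo "missing-fields"; return; fi
    # With only three fields, an option name is taken as the password.
    if [ -z "$opts" ]; then
        case "$pass" in
            discard|ro|swap|discard,ro|ro,discard)
                echo "option-in-password-field"; return ;;
        esac
    fi
    # The format notes say swap cannot be combined with other options.
    case ",$opts," in
        *,swap,*)
            if [ "$opts" = swap ]; then echo "ok-swap"; else echo "swap-with-other-options"; fi
            return ;;
    esac
    if [ -z "$pass" ] || [ "$pass" = none ]; then
        echo "ok-prompt"
    elif [ -f "$pass" ]; then
        # Key file: flag it when group or others can read it.
        if [ -n "$(find "$pass" \( -perm -040 -o -perm -004 \))" ]; then
            echo "keyfile-readable-by-others"
        else
            echo "ok-keyfile"
        fi
    elif [ "${pass#/}" != "$pass" ]; then
        # Assumption: a leading / means a key file was intended. The rc snippet
        # only tests [ -f ], so a missing path is piped in as the passphrase.
        echo "keyfile-missing"
    else
        echo "plaintext-password"
    fi
}

# lint_crypttab: read crypttab on stdin, print "<luks_name>: <finding>".
lint_crypttab() {
    grep -v '^#' | grep -v '^$' | while read -r name rest; do
        echo "$name: $(check_entry "$name $rest")"
    done
}

# Constructed sample input, not a real system's crypttab:
lint_crypttab <<'EOF'
crypt-home /dev/sda2 none discard
crypt-data /dev/sdb1 hunter2 ro
EOF
```

On a real system the same check is run as `lint_crypttab < /etc/crypttab`.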



Very recently support for using cryptsetup was improved on the -updated ISO (https://crux.ninja/updated-iso/). cryptsetup on the ISO works for the simple setups I tested, at least, and using contrib/dracut to generate an initramfs works properly.


Note that these changes will persist into the next official CRUX release as well.

tb commented on 07.05.2022 12:18

Will this be closed with 3.7?


I will close this since both official and updated ISOs support it now.

