Automatic LUKS unlock using keyfile on boot partition

Post migrated here from serverfault.com, by pauldoo

Background

I'm attempting to configure automatic LUKS unlock on CentOS 8 Stream. I would like to place a keyfile on the unencrypted boot partition and use it to unlock the LUKS-protected LVM PV (which contains the root filesystem). I understand that this is a strange thing to want to do and undermines much of the value of disk encryption - but please humor me.

Here's an overview of the current layout:

$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1                                       259:0    0 931.5G  0 disk  
├─nvme0n1p1                                   259:1    0   256M  0 part  /boot/efi
├─nvme0n1p2                                   259:2    0     1G  0 part  /boot
└─nvme0n1p3                                   259:3    0 930.3G  0 part  
  └─luks-3d33d226-9640-4343-ba5a-b9812dda1465 253:0    0 930.3G  0 crypt 
    └─cs-root                                 253:1    0    20G  0 lvm   /
$ sudo e2label /dev/nvme0n1p2
boot

Today the /etc/crypttab contains the following for booting with a manually entered passphrase (UUIDs redacted for readability) which works just fine:

luks-blah UUID=blah none discard

In order to achieve automatic unlocking I have generated a keyfile /boot/keys/keyfile and added it as a key on the LUKS partition using luksAddKey.

Attempt 1

In my first attempt I changed the crypttab line to this:

luks-blah UUID=blah /keys/keyfile:LABEL=boot discard,keyfile-timeout=10s

This does result in automatic unlocking and mounting of the root filesystem, but the boot process fails and dumps me into rescue mode as the system cannot mount /boot. The reason is that the boot partition has already been mounted (to a randomish location in order to obtain the keyfile: /run/systemd/cryptsetup/keydev-luks-blah).

Attempt 2

I tried changing crypttab to this:

luks-blah UUID=blah /boot/keys/keyfile discard,keyfile-timeout=10s

I thought maybe the boot scripts are smart enough to figure out how to access /boot/keys/keyfile without /boot being mounted yet. This didn't work however, and I just get the prompt to manually enter the passphrase.

Question

Is there a way to unlock the root filesystem using a keyfile stored on a partition that needs to be available for normal mounting?
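A small lint for the two crypttab shapes tried above, as an added example that is not part of the original question or of systemd. It parses crypttab(5) and fstab(5) lines, including systemd's KEYFILE:KEYDEVICE form, and flags a key device that fstab also mounts (the "Attempt 1" shape) and a bare key path that sits under a separately mounted filesystem (the "Attempt 2" shape). The sample crypttab/fstab contents are constructed with placeholder UUIDs and labels; the tool only inspects text and cannot tell what a given initrd will actually do at boot.

```python
#!/usr/bin/env python3
"""Lint crypttab key-file settings against fstab (added example, not systemd code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CryptEntry:
    name: str                    # mapped device name (first field)
    device: str                  # underlying block device (second field)
    key_path: Optional[str]      # None for "none" / "-" (passphrase prompt)
    key_dev: Optional[str]       # device holding the key, from PATH:DEVICE
    options: List[str] = field(default_factory=list)


@dataclass
class FstabEntry:
    spec: str                    # /dev/..., UUID=..., LABEL=...
    mountpoint: str
    fstype: str
    options: List[str] = field(default_factory=list)


def _fields(text: str) -> List[List[str]]:
    """Split a crypttab/fstab body into field lists, dropping blanks and '#' comments."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_crypttab(text: str) -> List[CryptEntry]:
    entries = []
    for f in _fields(text):
        if len(f) < 2:
            raise ValueError(f"malformed crypttab line: {' '.join(f)!r}")
        key = f[2] if len(f) > 2 else "none"
        opts = f[3].split(",") if len(f) > 3 else []
        key_path = key_dev = None
        if key not in ("none", "-"):
            # systemd-cryptsetup accepts KEYFILE:KEYDEVICE (e.g. /keys/keyfile:LABEL=boot);
            # the path is then taken relative to the root of KEYDEVICE's filesystem.
            key_path, _, dev = key.partition(":")
            key_dev = dev or None
        entries.append(CryptEntry(f[0], f[1], key_path, key_dev, opts))
    return entries


def parse_fstab(text: str) -> List[FstabEntry]:
    entries = []
    for f in _fields(text):
        if len(f) < 3:
            raise ValueError(f"malformed fstab line: {' '.join(f)!r}")
        opts = f[3].split(",") if len(f) > 3 else []
        entries.append(FstabEntry(f[0], f[1], f[2], opts))
    return entries


def _mount_for_path(path: str, fstab: List[FstabEntry]) -> Optional[FstabEntry]:
    """Longest-prefix match of an absolute path against fstab mountpoints, ignoring '/'."""
    best = None
    for e in fstab:
        mp = e.mountpoint.rstrip("/")
        if mp and (path == mp or path.startswith(mp + "/")):
            if best is None or len(mp) > len(best.mountpoint.rstrip("/")):
                best = e
    return best


def find_key_conflicts(crypttab: str, fstab: str) -> List[Tuple[str, str, str]]:
    """Return (mapping name, kind, detail) for each risky key-file setting."""
    findings = []
    fs = parse_fstab(fstab)
    for c in parse_crypttab(crypttab):
        if c.key_path is None:
            continue                      # passphrase prompt, nothing to check
        if c.key_dev is not None:
            # Attempt 1 shape: the key device is also a regular fstab mount.
            for e in fs:
                if e.spec == c.key_dev:
                    findings.append((c.name, "keydev-also-in-fstab",
                                     f"{c.key_dev} is mounted at {e.mountpoint} by fstab"))
        else:
            # Attempt 2 shape: bare path under a filesystem fstab mounts separately.
            m = _mount_for_path(c.key_path, fs)
            if m is not None:
                if m.spec == f"/dev/mapper/{c.name}":
                    kind, detail = "circular", (
                        f"{c.key_path} lives on {m.mountpoint}, which is the mapping being unlocked")
                else:
                    kind, detail = "keyfile-on-unmounted-fs", (
                        f"{c.key_path} lives on {m.mountpoint} ({m.spec}), "
                        f"not mounted when {c.name} is unlocked")
                findings.append((c.name, kind, detail))
    return findings


# Constructed samples mirroring the question; UUIDs and labels are placeholders.
FSTAB = """
UUID=root-fs   /          xfs   defaults 0 0
LABEL=boot     /boot      ext4  defaults 1 2
UUID=efi-fs    /boot/efi  vfat  umask=0077,shortname=winnt 0 2
"""
CRYPTTAB_ATTEMPT1 = "luks-blah UUID=blah /keys/keyfile:LABEL=boot discard,keyfile-timeout=10s\n"
CRYPTTAB_ATTEMPT2 = "luks-blah UUID=blah /boot/keys/keyfile discard,keyfile-timeout=10s\n"
CRYPTTAB_PROMPT = "luks-blah UUID=blah none discard\n"

if __name__ == "__main__":
    for label, tab in (("attempt 1", CRYPTTAB_ATTEMPT1), ("attempt 2", CRYPTTAB_ATTEMPT2),
                       ("prompt", CRYPTTAB_PROMPT)):
        print(label, find_key_conflicts(tab, FSTAB) or "no findings")
```

Run it against a real pair of files with `find_key_conflicts(open("/etc/crypttab").read(), open("/etc/fstab").read())`. It reports shapes, not outcomes: a `keydev-also-in-fstab` finding is exactly the layout the poster hit, but whether a particular systemd version mounts the key device a second time cleanly is something only a boot test shows. Whatever the layout, a key file on an unencrypted partition should be root-owned and mode 0600, and the poster's own caveat stands: anyone holding the disk can read it.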