TLDR; Here's a wiki section I created that may be a little clearer and explicit.
Have you tried adding export PREINIT=1; mount_root to /etc/rc.local as suggested in the troubleshooting section? I haven't confirmed, but I believe this could be the missing piece.
As mentioned without creating a special build, it looks like you can get extroot to work on an encypted device in preinit. However, once you've got everything up an running you should be able to setup the crypt device and switch root. I've done some testing to convince myself this works.
It should go without saying that you'll need to have all binaries required to bring up the crypt device installed into your rootfs_data. Here's some steps that I roughly did:
- Make sure all needed packages are installed (eg. cryptsetup, which should pull in all the required kmods)
- Create LUKS container with one of the supported extroot filesystems (eg. ext4)
- Configure
/etc/config/fstabas in the wiki using the UUID- The extroot will fail to mount in the preinit phase of the boot, that's expected
- Edit
/etc/rc.localto unlock the LUKS container and then doPREINIT=1 mount_root- If you require user input for the password (eg. not using a key file on the device), cryptsetup will fail as stdin is not setup. I'm sure there's a way to set it up, but I haven't loked into it yet.
- Reboot
- You should not have the upper dir of the
/overlay be in the LUKS container.
- You should not have the upper dir of the
- [OPTIONAL require user input for password] run
ash /etc/rc.localfrom shell.- Since stdin is not setup for cryptsetup when
rc.localis normally run, you'll need to manually runrc.localfrom a shell (which has stdin setup correctly).
- Since stdin is not setup for cryptsetup when