LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-31-2015, 05:45 AM   #1
agd
LQ Newbie
 
Registered: Mar 2015
Posts: 3

Rep: Reputation: Disabled
Auto decryption error root file system


I did a clean install of Fedora and encrypted everything except /boot. It currently works fine, but I need to manually enter the password to decrypt the partition that contains the volume group "fedora" and the root partition.

I want to make startup unattended (yes, that is a security risk). I configured grub to do so, but it does not work and I still need to manually enter the password.

Below I show the steps I've done; can anyone tell me where the error is?

The current scheme of my hard drives is:
Code:
NAME                              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                 8:0    0 465,8G  0 disk  
├─sda1                              8:1    0   500M  0 part  /boot
└─sda2                              8:2    0 465,3G  0 part  
  └─luks-2528738d-cab3-4fda-8268-337e74b63b6e
                                  253:0    0 465,3G  0 crypt 
    ├─fedora-root                 253:1    0    20G  0 lvm   /
    ├─fedora-swap                 253:2    0   7,8G  0 lvm   [SWAP]
    └─fedora-home                 253:3    0 407,5G  0 lvm   /home
In /etc/dracut.conf I added:
Code:
add_dracutmodules+="crypt lvm"
/etc/default/grub (I also tried with the UUID and with the key on a USB drive):
Code:
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_DISABLE_RECOVERY="true"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:fedora:allow-discards cryptkey=/dev/sda1:ext4:/unlock.key"
The unlock.key is ok:
Code:
[root@folio13 agd]# cryptsetup luksOpen /dev/sda2 crypt -v --test-passphrase < /boot/unlock.key 
Key slot 1 unlocked.
Command executed correctly.
Of course, after each modification to the configuration, I run dracut -fv and grub2-mkconfig -o /boot/grub2/grub.cfg:
Code:
[root@folio13 agd]# dracut -fv
Executing: /usr/bin/dracut -fv
dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut module 'nbd' will not be installed, because command 'nbd-client' could not be found!
dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut module 'nbd' will not be installed, because command 'nbd-client' could not be found!
*** Including module: bash ***
*** Including module: i18n ***
*** Including module: network ***
*** Including module: ifcfg ***
*** Including module: drm ***
*** Including module: plymouth ***
*** Including module: crypt ***
*** Including module: dm ***
Skipping udev rule: 64-device-mapper.rules
Skipping udev rule: 60-persistent-storage-dm.rules
Skipping udev rule: 55-dm.rules
*** Including module: kernel-modules ***
*** Including module: lvm ***
Skipping udev rule: 64-device-mapper.rules
Skipping udev rule: 56-lvm.rules
Skipping udev rule: 60-persistent-storage-lvm.rules
*** Including module: fcoe ***
*** Including module: fcoe-uefi ***
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: uefi-lib ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
Could not find 'strip'. Not stripping the initramfs.
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
*** Creating image file ***
*** Creating image file done ***
[root@folio13 agd]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.19.2-201.fc21.x86_64
Found initrd image: /boot/initramfs-3.19.2-201.fc21.x86_64.img
Found linux image: /boot/vmlinuz-3.17.4-301.fc21.x86_64
Found initrd image: /boot/initramfs-3.17.4-301.fc21.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-a8829f47eebe4360a11c07a209508e9e
Found initrd image: /boot/initramfs-0-rescue-a8829f47eebe4360a11c07a209508e9e.img
done
Where is the error?
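
A check for the `GRUB_CMDLINE_LINUX` line in post #1, added here as an example and not part of the original thread: `cryptdevice=` and `cryptkey=` are parameters of the Arch Linux mkinitcpio `encrypt` hook, while dracut documents `rd.luks.*` parameters in dracut.cmdline(7). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a GRUB defaults file for LUKS unlock parameters that
# dracut's crypt module does not parse. Function names are hypothetical.

# Print the value of the last GRUB_CMDLINE_LINUX="..." line in file $1.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print "<parser> <parameter>" for each LUKS-related word in command line $1.
classify_luks_params() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | while IFS= read -r arg; do
        case "$arg" in
            rd.luks=*|rd.luks.*)      echo "dracut $arg" ;;
            cryptdevice=*|cryptkey=*) echo "mkinitcpio-encrypt $arg" ;;
        esac
    done
}

# Print the parameters dracut will ignore; return 1 if there are any.
dracut_luks_lint() {
    ignored=$(classify_luks_params "$1" | sed -n 's/^mkinitcpio-encrypt //p')
    if [ -n "$ignored" ]; then
        printf '%s\n' "$ignored"
        return 1
    fi
    return 0
}

# Constructed sample: the GRUB_CMDLINE_LINUX line from the post above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:fedora:allow-discards cryptkey=/dev/sda1:ext4:/unlock.key"
EOF

if ! dracut_luks_lint "$(grub_cmdline "$sample")"; then
    echo "The parameters above are not read by dracut; it documents rd.luks.* instead."
fi
rm -f "$sample"
```

A clean result only means the parameter names are ones dracut parses; it does not verify that the key file is reachable from the initramfs at boot.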
 
Old 04-01-2015, 11:22 AM   #2
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319
Simply install without encryption.
 
Old 04-02-2015, 11:16 AM   #3
agd
LQ Newbie
 
Registered: Mar 2015
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by veerain
Simply install without encryption.
Your answer is not the solution. If I need a truck, a bicycle is not a solution.
 
Old 04-02-2015, 12:17 PM   #4
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Rep: Reputation: 2212
Quote:
Originally Posted by agd
Your answer is not the solution. If I need a truck, a bicycle is not a solution.
And if you need encryption, automatically decrypting whenever the system is booted is not the answer either. It's the equivalent of locking the door but leaving the key under the doormat. Anyone who takes the time to look around can get in.
 
1 members found this post helpful.
Old 04-04-2015, 06:28 AM   #5
agd
LQ Newbie
 
Registered: Mar 2015
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rknichols
And if you need encryption, automatically decrypting whenever the system is booted is not the answer either. It's the equivalent of locking the door but leaving the key under the doormat. Anyone who takes the time to look around can get in.
Typing a passphrase is better security than auto decryption, but auto decryption is better security than plain.

You can put the 'keyfile' on a USB key. For automatic decryption the USB key is needed. If you do not insert the USB key, you must type the passphrase. In this model, the security is very high and you have no problem with a low-level passphrase or with the user writing the passphrase on a post-it.

For added security you can write the 'keyfile' to the disk at a low level; this way, if someone takes the USB key and looks inside, they will not find anything, because the 'keyfile' is not a file: it is a string of bits written outside any partition.
 
Old 04-04-2015, 01:53 PM   #6
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
reinstall without using encryption
simple

a 30 min. job

but if you NEED encryption
use full disk encryption and use a PASS PHRASE that is MORE!!! than 5 words long
a simple 3 word pass phrase is VERY crackable in SHORT ORDER

something this long but NOT common
" ToBeOrNtToBeThatIsTheQuestion*Whether'TisNobler "

rememberable TO YOU

Last edited by John VV; 04-04-2015 at 01:59 PM.
 
  

