LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
03-27-2017, 08:55 PM   #1
byroncollege
LQ Newbie
 
Registered: Mar 2017
Posts: 1

Rep: Reputation: Disabled
How to have luks encryption with keyfile OR passphrase (efi full disk encryption including boot)?


Hello,
Can anyone help me to achieve a luks encryption setup where an external USB key is used to decrypt disks on boot OR when the usb is not present it asks for a passphrase instead.

I use my laptop on a dock and would like to leave the usb key connected to the dock so when I am connected to the dock the machine boots seamlessly decrypting from the usb keyfile. Then when I am on the road the machine will ask for the passphrase when booting as there is no keyfile present.

The system uses UEFI to boot and I have set the crypttab file to point to the usb key file, updated grub and initramfs and it all works as should. If the usb key is disconnected the machine just hangs after grub and doesn't decrypt as it does not ask for a passphrase and cannot find the usb key.

Ideally I would like to have the /boot partition encrypted on the laptop so it asks for the password once to unlock the boot partition and load grub, then asks for the luks password again when selecting Ubuntu.

Next a separate, unencrypted boot partition is on the usb key together with the keyfile. I would then build the initramfs, grub, efi with the usb key mounted at /boot and the crypttab pointing to the keyfile. This would/should give a seamless boot process, as /boot is now unencrypted when docked and the usb keyfile is loaded to decrypt the hdd. I would give the usb boot priority over the HDD.

Then I remove the usb key, /boot is now inside the luks container and update the crypttab to "none" for keyfile and rebuild initramfs and grub. This process achieves the double password boot (once for grub, once for booting ubuntu).

Where I am stuck is - I have been unable to successfully copy the boot partition to the usb drive and update it with the different crypttab/efi boot files.
When I select the usb to boot it attempts to boot then drops back to the BIOS boot menu and moves to the next option of booting from the HDD.

Does anyone know if this is possible or can shed some light on the process to achieve it? I think possibly I need to set the /boot drive in fstab to the usb key to get it to work, but then this would mean it will fail to find the /boot partition on the hdd should the usb be disconnected?


I am using ubuntu 16.10

/dev/sda
sda1 /boot/efi
sda2 luksCrypt
@ / btrfs (including /boot)
@home /home btrfs
/dev/sdb - usb
sda1 /boot and keyfile.key
 
03-30-2017, 12:56 AM   #2
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 268

Rep: Reputation: 25
You'll likely have to modify the crypto hooks for initramfs-tools and then update grub2 with appropriate files. A shell script should be needed that looks for a keyfile, and if it fails then asks for a password instead. The LUKS partition could probably use two slots - one with a keyfile and another with password. The boot partition can theoretically be encrypted too, provided the GRUB is set up to decrypt it first. I think it's possible to do, but I haven't done so myself *yet*.

I found two interesting docs on how to encrypt the boot partition. Give them a read:
http://www.pavelkogan.com/2014/05/23...sk-encryption/
http://www.pavelkogan.com/2015/01/25...nt-encryption/
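Added example (not posted by anyone in this thread): the "look for a keyfile, otherwise ask for a password" script described above, written as a Debian/Ubuntu crypttab keyscript. Everything below is an assumption rather than something the thread specifies: the USB partition carries the filesystem label KEYUSB, the keyfile sits at its root as keyfile.key, the LUKS header has one slot enrolled with that keyfile and one with the passphrase, and the prompt helper is /lib/cryptsetup/askpass from the cryptsetup package. A keyscript's stdout is what cryptsetup feeds to luksOpen, so diagnostics go to stderr only. This covers the initramfs stage of the boot the original poster describes (the hang when the stick is absent); unlocking an encrypted /boot from GRUB itself is a separate step that this script does not touch.

```shell
#!/bin/sh
# Added example: crypttab keyscript that tries a USB keyfile first and falls
# back to an interactive passphrase prompt. Not code from this thread.
# Assumed setup (all assumptions, adjust to your own layout):
#   - the USB partition has the filesystem label KEYUSB
#   - the keyfile is stored at the root of that filesystem as keyfile.key
#   - /lib/cryptsetup/askpass is present in the initramfs (Debian/Ubuntu cryptsetup)
#   - the LUKS volume has one key slot for the keyfile and one for the passphrase
# cryptsetup reads the key from this script's stdout, so only stderr may carry messages.

KEY_LABEL="${KEY_LABEL:-KEYUSB}"
KEY_PATH="${KEY_PATH:-keyfile.key}"
MOUNTPOINT="${MOUNTPOINT:-/run/keyusb}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"
KEY_WAIT="${KEY_WAIT:-5}"   # seconds to wait for slow USB enumeration at boot

# read_keyfile DIR NAME: write the keyfile to stdout byte for byte if it exists,
# is a regular file and is non-empty; return 1 otherwise.
read_keyfile() {
    f="$1/$2"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    cat "$f"
}

# find_key_device LABEL: resolve /dev/disk/by-label/LABEL, polling for up to
# KEY_WAIT seconds because the stick often appears after the keyscript starts.
find_key_device() {
    dev="/dev/disk/by-label/$1"
    i=0
    while [ ! -b "$dev" ] && [ "$i" -lt "$KEY_WAIT" ]; do
        sleep 1
        i=$((i + 1))
    done
    [ -b "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# try_keyfile: mount the key device read-only, emit the keyfile, unmount again.
# Returns 1 when the device, the mount or the file is missing.
try_keyfile() {
    dev=$(find_key_device "$KEY_LABEL") || return 1
    mkdir -p "$MOUNTPOINT"
    mount -o ro "$dev" "$MOUNTPOINT" 2>/dev/null || return 1
    read_keyfile "$MOUNTPOINT" "$KEY_PATH"
    rc=$?
    umount "$MOUNTPOINT"
    return "$rc"
}

# get_key: keyfile when docked, passphrase prompt when the stick is not present.
get_key() {
    if try_keyfile; then
        return 0
    fi
    echo "keyscript: no keyfile for ${CRYPTTAB_NAME:-volume}, asking for passphrase" >&2
    "$ASKPASS" "Unlock ${CRYPTTAB_NAME:-volume} (keyfile not found): "
}

# cryptsetup's initramfs hook exports CRYPTTAB_NAME when it runs a keyscript;
# only act in that case so the file can also be sourced for testing.
if [ -n "$CRYPTTAB_NAME" ]; then
    get_key
fi
```

To use it, the crypttab entry names the script in place of a key path, for example `sda2_crypt UUID=<uuid of sda2> none luks,keyscript=/usr/local/sbin/keyscript-usb-or-pass.sh` (placeholder UUID), followed by `update-initramfs -u`, which copies the referenced keyscript into the initramfs; the keyfile slot is enrolled with `cryptsetup luksAddKey`. Treat the stick as equivalent to the passphrase: it unlocks the disk without any further check, so losing it means revoking that key slot with `cryptsetup luksKillSlot`.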
 
03-30-2017, 07:45 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
If you want to achieve this level of security, you can't do it in software.

An Amazon search for "encrypted hard drive laptop" shows various things – including an external hard drive with a keypad on top of it. Secure encrypted NAS for only $6,000.00 (USD). "IronKey" hard drives for $400.00. And, so on.

You can also purchase "hardened" laptops that have soup-to-nuts hardware security features, once again including hardware encryption and modified BIOSes that are not stored in "flash memory." You're probably looking at $2,500.00 and up. Way up. The equipment is much more expensive, and the market is small.
 
  
All times are GMT -5. The time now is 06:23 AM.