LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   How to use key file instead of password for LUKS encrypted file systems? (http://www.linuxquestions.org/questions/linux-security-4/how-to-use-key-file-instead-of-password-for-luks-encrypted-file-systems-735560/)

lucmove 06-25-2009 09:18 AM

How to use key file instead of password for LUKS encrypted file systems?
 
I've been using LUKS encryption on my home partition for years and always typed my password at boot. Now I have an extra hard disk with encryption and have to type two passwords. So I thought I would have a key file inside my home partition to automate decryption of the second HD. I ran these commands:

# dd if=/dev/random of=/home/luc/keyfile bs=256 count=1

# cryptsetup --key-file=/home/luc/keyfile luksAddKey /dev/sdb1

# cryptsetup luksAddKey /dev/sdc1 /home/luc/keyfile

I don't remember which of the two last lines worked, but cryptsetup accepted it and 'cryptsetup luksDump' confirms the new slot.

But I still have to type two passwords at boot. What am I doing wrong?

TIA

mostlyharmless 06-26-2009 06:51 PM

You have to modify the initrd to read the keyfile. I'm not at my computer so I can't remember exactly how I set that up (I read mine from a removable drive), but it's not hard. (after all I figured it out!) I'll post it later if I get the chance.

mostlyharmless 06-30-2009 09:17 AM

Let's say the keyfile is file "arggh" on a drive mounted under /zip (previously done by the initrd), then replace lines like

# /sbin/cryptsetup luksOpen ${LUKSDEV} $CRYPTDEV </dev/systty >/dev/systty 2$

with

/sbin/cryptsetup -d /zip/arggh luksOpen ${LUKSDEV} $CRYPTDEV

in /boot/initrd-tree/init; then remake the initrd with mkinitrd (no parameters)
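The two posts above describe the whole procedure: make a keyfile, enroll it in a LUKS slot, then replace the interactive luksOpen line in the initrd's init script. The script below is an added example, not code from the thread or from Slackware. It assumes a Slackware-style /boot/initrd-tree/init that contains a line of the form quoted above, and uses the thread's /zip/arggh path and the device /dev/sdc1 as placeholders. It uses the `cryptsetup luksAddKey <device> <keyfile>` form, which adds the file as a new key (the `--key-file` option instead names the key used to authorise the change, which is why that variant would have prompted for a new passphrase rather than enrolling the file). Since the keyfile unlocks the second disk with no further prompt, the script creates it root-only (mode 0400) and checks that before use; remaking the initrd with mkinitrd is left as the manual step the thread gives.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Slackware-style
# /boot/initrd-tree/init containing the interactive luksOpen line quoted in
# the thread; the keyfile path and the device are placeholders.
set -eu

# Create a 256-byte random keyfile that only root can read. The umask is set
# in a subshell so the file is never created world-readable, even briefly.
make_keyfile() {
    keyfile=$1
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=256 count=1 2>/dev/null )
    chmod 0400 "$keyfile"
}

# Returns 0 only if the keyfile is mode 0400 and exactly 256 bytes, i.e. the
# unlock secret is not readable by other users and was not truncated.
# (GNU/busybox stat format; adapt on other systems.)
keyfile_ok() {
    [ "$(stat -c %a "$1")" = "400" ] && [ "$(wc -c < "$1")" -eq 256 ]
}

# Enroll the keyfile as a new key in a free slot. cryptsetup prompts for an
# existing passphrase to authorise it. Needs root and a real LUKS device, so
# the demo below does not call it: enroll_keyfile /dev/sdc1 /home/luc/keyfile
enroll_keyfile() {
    cryptsetup luksAddKey "$1" "$2"
}

# Rewrite the console-prompt luksOpen line in the init script so the second
# disk is unlocked with the keyfile; the original is kept as init.bak.
# Only uncommented lines are touched; the trailing redirections are dropped
# because no console prompt is needed any more.
patch_init() {
    init=$1
    keyfile=$2
    sed -i.bak \
        "s|^[[:space:]]*/sbin/cryptsetup luksOpen \${LUKSDEV} \$CRYPTDEV .*|/sbin/cryptsetup -d $keyfile luksOpen \${LUKSDEV} \$CRYPTDEV|" \
        "$init"
}

# Demo on constructed files in a temp directory; prints the patched line.
demo() {
    tmp=$(mktemp -d)
    make_keyfile "$tmp/keyfile"
    keyfile_ok "$tmp/keyfile"
    # Constructed stand-in for the relevant part of /boot/initrd-tree/init.
    printf '%s\n' \
        'LUKSDEV=/dev/sdc1' \
        'CRYPTDEV=crypthome2' \
        '  /sbin/cryptsetup luksOpen ${LUKSDEV} $CRYPTDEV </dev/systty >/dev/systty 2>&1' \
        > "$tmp/init"
    patch_init "$tmp/init" /zip/arggh
    grep '^/sbin/cryptsetup' "$tmp/init"
    rm -rf "$tmp"
}

demo
```

On the real system the sequence is `make_keyfile`, `enroll_keyfile` (as root, against the second disk), `patch_init /boot/initrd-tree/init /zip/arggh`, then `mkinitrd` as in the post. Keeping the keyfile on a partition that is itself unlocked by the first passphrase means the second disk is only as protected as that passphrase and the file's permissions, so `keyfile_ok` is worth rerunning after any restore or copy of the home partition.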

