Unlock LUKS encrypted partition with USB drive
Hi,
I recently installed Slackware64 14.0 on a NAS server with full disk encryption (except /boot), and since I want to run it headless, it won't have a monitor attached all the time. I'd like to use a USB drive with a key file so I won't have to type the password on every start. I tried initrd with the -K luks_keyfile option, but it won't unlock the disk and still asks for the password. The USB drive is FAT32 formatted with the label 'NASKEY'.
Code:
$ cfdisk /dev/sdb
Code:
mkinitrd -c -k 3.2.29 -f ext4 -m ext4:<other modules for usb keyboard> -r /dev/linuxvg/slackware-root -C /dev/sda2 -K LABEL=NASKEY:/boot/key.luks
Am I missing something? |
You first have to create that file on the USB stick, called "/boot/key.luks" and add it to your computer's LUKS key store. The initrd command will not do either of these steps. All it does is cause Slackware to check if there is a USB stick with the configured FAT label, and then locate that file you mentioned on the mkinitrd commandline, and present that file to cryptsetup for unlocking the encrypted volume. But if you did not first add the contents of that file into a LUKS key slot, then cryptsetup will not accept that file as a valid key.
For example, create a file with random content (512 characters), then add the file to the LUKS volume on partition /dev/sdX1 as a new unlock key. The new key will be accepted after you type a valid LUKS unlock passphrase:
Code:
# dd if=/dev/urandom of=/media/NASKEY/boot/key.luks bs=512 count=1
When you do this, your LUKS volume will have two unlock keys: the original passphrase, and the new key-file. It will not matter which one you use. Eric |
Sorry, I didn't mention it in the original post, but I have already created the key, added it to a LUKS keyslot and saved it on the boot stick. I know the key works because I can unlock the encrypted partition with it.
The only difference I see is the key size. I created a 4096-byte key and you suggested 512 bytes. Does the size make a difference? I can see at boot that the kernel recognizes my boot stick, so it should unlock the encrypted partition. |
Size or content of the key file does not make a difference.
Also note the support for FAT filesystems which gets added to the initrd:
Code:
# Several extra modules are needed to support a vfat formatted USB stick...
What also happens in the initrd is to pause for 5 seconds in order to give the OS time to query the USB stick. Maybe your computer needs more time? Change the "5" to something higher in /boot/initrd-tree/wait-for-root and re-run "mkinitrd", followed by "lilo". Eric |
Well, I finally found out what was wrong. All initrd modules, keys, etc. were correct except one thing. I looked through .bash_history and found this command:
Code:
$ pwd
Code:
$ mkinitrd [...] -o /boot/initrd.gz |
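Eric's post describes the procedure (random key file on the labelled stick, added to a LUKS key slot, handed to cryptsetup by the initrd), and the final post traces the failure to where mkinitrd's output image ended up rather than to the key itself. The script below is an added example, not code from this thread or from Slackware's mkinitrd: it is a set of pre-reboot checks a practitioner can run on the live system to confirm that the key file, the initrd tree and the image lilo loads all agree before trusting a headless boot. Assumptions (not stated in the thread): the key spec is in mkinitrd's `LABEL=<fatlabel>:<path-on-stick>` form, udev exposes the stick as `/dev/disk/by-label/<fatlabel>`, mkinitrd records the -K value in `<initrd-tree>/lukskey`, and the installed cryptsetup accepts `--test-passphrase`.

```shell
#!/bin/sh
# Added example, not code from this thread or from Slackware's mkinitrd:
# pre-reboot sanity checks for an initrd that unlocks a LUKS volume with a
# key file kept on a labelled USB stick. Labelled assumptions: the key spec
# uses mkinitrd's "LABEL=<fatlabel>:<path-on-stick>" form, udev exposes the
# stick as /dev/disk/by-label/<fatlabel>, mkinitrd records the -K value in
# <initrd-tree>/lukskey, and cryptsetup understands --test-passphrase.

# keyspec_device 'LABEL=NASKEY:/boot/key.luks' -> /dev/disk/by-label/NASKEY
# keyspec_device '/dev/sdb1:/boot/key.luks'    -> /dev/sdb1
keyspec_device() {
    case "$1" in
        LABEL=*:*) spec=${1#LABEL=}; printf '/dev/disk/by-label/%s\n' "${spec%%:*}" ;;
        /dev/*:*)  printf '%s\n' "${1%%:*}" ;;
        *)         return 1 ;;
    esac
}

# keyspec_file 'LABEL=NASKEY:/boot/key.luks' -> /boot/key.luks
# (path relative to the stick's root, which the initrd mounts itself)
keyspec_file() {
    case "$1" in
        *:/*) printf '%s\n' "${1#*:}" ;;
        *)    return 1 ;;
    esac
}

# initrd_tree_keyspec DIR: print the -K value recorded in DIR/lukskey
# (assumed location); fails when the tree was never built with -K at all.
initrd_tree_keyspec() {
    [ -s "$1/lukskey" ] || return 1
    cat "$1/lukskey"
}

# lilo_initrd_image LILO_CONF: the image lilo actually loads, taken from the
# first "initrd = /path" line (spaces around '=' optional).
lilo_initrd_image() {
    sed -n 's/^[[:space:]]*initrd[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# initrd_is_current IMG DIR: IMG must exist and be newer than DIR/lukskey;
# otherwise mkinitrd's -o target and lilo's initrd line name different files,
# or lilo was re-run against a stale image.
initrd_is_current() {
    [ -f "$1" ] && [ -f "$2/lukskey" ] && [ "$1" -nt "$2/lukskey" ]
}

# check_live_unlock SPEC MOUNTPOINT LUKSDEV: needs root and the stick mounted
# at MOUNTPOINT. Confirms the device node udev creates for the label, the key
# file itself, and that cryptsetup accepts the file for LUKSDEV without
# creating a new mapping (--test-passphrase).
check_live_unlock() {
    dev=$(keyspec_device "$1") || { echo "unparseable key spec: $1"; return 1; }
    file="$2$(keyspec_file "$1")"
    [ -e "$dev" ] || { echo "no $dev: check the FAT label and wait-for-root"; return 1; }
    [ -s "$file" ] || { echo "$file missing or empty"; return 1; }
    cryptsetup luksOpen --test-passphrase --key-file "$file" "$3" \
        || { echo "$3 rejects $file: add it with cryptsetup luksAddKey $3 $file"; return 1; }
    echo "$file unlocks $3; enabled key slots:"
    cryptsetup luksDump "$3" | grep 'ENABLED'
}

# The top-level run is opt-in so the functions can be sourced without root.
# The paths below are the thread's values; adjust them for the real machine.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    tree=/boot/initrd-tree
    spec=$(initrd_tree_keyspec "$tree") \
        || { echo "no $tree/lukskey: rebuild the tree with mkinitrd ... -K"; exit 1; }
    img=$(lilo_initrd_image /etc/lilo.conf)
    initrd_is_current "$img" "$tree" \
        || { echo "$img missing or older than $tree: re-run mkinitrd -o $img, then lilo"; exit 1; }
    check_live_unlock "$spec" /media/NASKEY /dev/sda2
fi
```

Run it as root with `RUN_CHECKS=1 sh check-luks-usb.sh` while the stick is mounted at /media/NASKEY. The ordering is deliberate: the tree and image checks come first because they are the cheap, read-only ones and they catch the case the final post describes (a correct key and a correct tree, but an image lilo never picked up); only then does it ask cryptsetup to validate the key file, which touches the LUKS header but creates no mapping.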