LinuxQuestions.org
Old 05-09-2010, 02:46 PM   #1
escaflown
Member
 
Registered: Apr 2009
Location: Canada
Distribution: Slackware
Posts: 237

Rep: Reputation: 30
Question usb stick unlocking scheme for root encrypted partition in current


In slackware{,64}-current, the mkinitrd script now has a -K switch that should allow unlocking a LUKS-encrypted root filesystem with a keyfile on a removable USB stick. I have been trying to use it on my LVM + LUKS setup without any success so far. I was just wondering if someone has successfully tested that new option. Thanks!
 
Old 05-09-2010, 03:16 PM   #2
GazL
Senior Member
 
Registered: May 2008
Posts: 3,440

Rep: Reputation: 959
Yep, I've had it working. It took a bit of trial and error to get the modules right. Here's my initrd building script if it's any use to you:
Code:
root@nix:~/changes# cat 001_mkinitrd.sh 
#!/bin/sh
#
#    Build initrd
#

VERSION=${VERSION:-2.6.33.3}
INITRD_NAME="initrd-${VERSION}.gz"


cd /boot
mkinitrd -c -k ${VERSION} \
         -m ext4:ehci-hcd:uhci-hcd:usbhid \
         -f ext4 -r /dev/rootvg/lvroot \
         -l uk -L -C /dev/sda5

# The following are needed if you use a keyfile on a vfat usbstick.
# Add them to the module list in the command above
#        -m sg:usb_storage:nls_cp437:nls_iso8859-1:fat:vfat 

#echo "LABEL=USB_BAR:/nix.key" > /boot/initrd-tree/lukskey

# Add pause to allow usb devices to activate.

echo "2" > /boot/initrd-tree/wait-for-root

# Rebuild and rename new initrd file.

mkinitrd 

cp initrd.gz $INITRD_NAME

echo "New initrd created: $INITRD_NAME"
echo "REMINDER:  Don't forget to edit/re-run lilo"
The keyfile stuff is commented out (I'm not using it at present). You'll need to add those extra modules to the mkinitrd command and uncomment the bit that creates the lukskey file.

I prefer to do it this way rather than use mkinitrd.conf.

The above should give you a pointer in the right direction. Obviously, you'll need to create a keyfile and add it to a slot using cryptsetup before this'll work.

Last edited by GazL; 05-09-2010 at 03:26 PM.
 
Old 05-09-2010, 03:38 PM   #3
escaflown
Member
 
Registered: Apr 2009
Location: Canada
Distribution: Slackware
Posts: 237

Original Poster
Rep: Reputation: 30
Thanks GazL! The -K switch now takes care of putting the right modules in load_kernel_modules and it also puts the USB stick label in lukskey with the right path. So, it does exactly what your script is doing. For instance, this is what I have in my load_kernel_modules after adding -K LABEL=ESCSTICK:/keys/escfree in the mkinitrd command:
Code:
insmod -v /lib/modules/$(uname -r)/kernel/drivers/hid/hid.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/hid/usbhid/usbhid.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/host/ehci-hcd.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/host/uhci-hcd.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/jbd2/jbd2.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/mbcache.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/ext4/ext4.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/fat.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_cp437.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_iso8859-1.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/msdos.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/vfat.ko
The lukskey looks like this:
Code:
LABEL=ESCSTICK:/keys/escfree
and wait-for-root:
Code:
 5
The usb stick has a FAT partition. Still, when I boot up, I have to type the passphrase in slot 0 instead of having the keyfile directly used. I couldn't figure out what's wrong in my setup!
 
Old 05-09-2010, 03:58 PM   #4
GazL
Senior Member
 
Registered: May 2008
Posts: 3,440

Rep: Reputation: 959
Ahh OK, it's been a while since I played with it, so it may be a little friendlier now.

I'm fairly sure my USB stick needs the generic SCSI "sg" module too, but that may just be due to the type of device it is. (I notice it's not in your list.)

Did you add your new file based key to a slot with "cryptsetup luksAddKey"?
I kept my passphrase in slot0 (just in case I lose the keyfile somehow) and added the keyfile to slot1.
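
An added example, not part of either poster's messages: a shell check that compares an initrd-tree's load_kernel_modules file against the extra modules GazL's script lists for a keyfile on a vfat USB stick, splits the lukskey line, and offers a root-only test of whether the keyfile opens a key slot. The function names, the use of `blkid -L` and of `cryptsetup --test-passphrase` (which needs a cryptsetup release that supports it) are assumptions of this example; the sample module list is an excerpt of the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a USB-keyfile initrd.

# Extra modules GazL's script names for a keyfile on a vfat USB stick.
REQUIRED_MODULES="sg usb_storage nls_cp437 nls_iso8859-1 fat vfat"

# Names of the modules a load_kernel_modules file loads, '-' folded to '_'
# (the kernel treats the two as the same character in module names).
loaded_modules() {
    sed -n 's|^insmod .*/\([^/]*\)\.ko.*$|\1|p' "$1" | tr '-' '_'
}

# Print the required modules that the file ($1) does not load.
missing_modules() {
    have=$(loaded_modules "$1"); out=""
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$have" | grep -qxF "$(printf '%s' "$m" | tr '-' '_')" \
            || out="$out${out:+ }$m"
    done
    printf '%s' "$out"
}

# Split a lukskey line of the form LABEL=<label>:<path>.
lukskey_label() { v=${1#LABEL=}; [ "$v" != "$1" ] && printf '%s' "${v%%:*}"; }
lukskey_path()  { case $1 in *:*) printf '%s' "${1#*:}" ;; *) return 1 ;; esac; }

# Run as root on the installed system: 0 if the keyfile opens a key slot of the
# LUKS device $1, 2 if the stick cannot be found or mounted. $2 = lukskey line.
keyfile_opens_slot() {
    dev=$(blkid -L "$(lukskey_label "$2")") || return 2
    mnt=$(mktemp -d) || return 2
    mount -o ro "$dev" "$mnt" || { rmdir "$mnt"; return 2; }
    cryptsetup luksOpen --test-passphrase --key-file "$mnt$(lukskey_path "$2")" "$1"
    rc=$?; umount "$mnt"; rmdir "$mnt"; return $rc
}

# Offline demo on an excerpt of the module list posted in the thread.
sample_missing() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/host/ehci-hcd.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/fat.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_cp437.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_iso8859-1.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/vfat.ko
EOF
    missing_modules "$f"; rm -f "$f"
}
echo "modules not loaded: $(sample_missing)"
```

A missing module in this report is only a lead to follow up, and `keyfile_opens_slot` separates "the stick is not visible" (return 2) from "the key does not match a slot" (cryptsetup's own non-zero status).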
 
Old 05-09-2010, 04:01 PM   #5
escaflown
Member
 
Registered: Apr 2009
Location: Canada
Distribution: Slackware
Posts: 237

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by GazL View Post
Ahh OK, it's been a while since I played with it, so it may be a little friendlier now.

I'm fairly sure my USB stick needs the generic SCSI "sg" module too, but that may just be due to the type of device it is. (I notice it's not in your list.)

Did you add your new file based key to a slot with "cryptsetup luksAddKey"?
I kept my passphrase in slot0 (just in case I lose the keyfile somehow) and added the keyfile to slot1.
Yep, I added the keyfile in slot1 and I do have the passphrase in slot0 just like you.
 
Old 05-09-2010, 04:08 PM   #6
GazL
Senior Member
 
Registered: May 2008
Posts: 3,440

Rep: Reputation: 959
Quote:
Originally Posted by escaflown View Post
Yep, I added the keyfile in slot1 and I do have the passphrase in slot0 just like you.
Fair enough. I suspected you had. Just wanted to cover all the bases.
Other than trying adding that 'sg' module, I can't think of much else.

I guess you need to look for clues in the boot messages you get before it prompts you for the passphrase to try and figure out why it can't see your stick.

If it's any consolation, when I first started playing with this it took a little while to get it right for me too.
 
Old 05-09-2010, 04:16 PM   #7
escaflown
Member
 
Registered: Apr 2009
Location: Canada
Distribution: Slackware
Posts: 237

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by GazL View Post
Fair enough. I suspected you had. Just wanted to cover all the bases.
Other than trying adding that 'sg' module, I can't think of much else.

I guess you need to look for clues in the boot messages you get before it prompts you for the passphrase to try and figure out why it can't see your stick.

If it's any consolation, when I first started playing with this it took a little while to get it right for me too.
Thanks anyway. I'll keep looking: I guess that's what current is for
 
  



Tags
current, luks, mkinitrd

