Sorry for late reply, it's been a very busy week.
I'll try to give some more detailed info; perhaps it'll be easier to find where I go wrong. I have an encrypted USB drive (D1 at /dev/sdb1) with a file (encrypted_test) and a USB drive (D2 at /dev/sdc1) with a key file (test-key.key). I've verified that they work by decrypting sdb1 using the key file, mounting it and listing the encrypted file:
Code:
mkdir /mnt/keyusb && mount /dev/sdc1 /mnt/keyusb
cryptsetup luksOpen --key-file /mnt/keyusb/test-key.key /dev/sdb1 cryptusb
mkdir /mnt/cryptusb && mount /dev/mapper/cryptusb /mnt/cryptusb
ls /mnt/cryptusb
# result: "encrypted_test"
So far so good. Now, at boot, I want something like this:
- Start the machine, with D1 present (connected to the machine)
- During boot it should attempt to decrypt and mount D1 using the key on D2
- If D2 is not present the system should wait for some time before it gives up, resulting in D1 not being decrypted and mounted.
- If D2 becomes available, during the wait, D1 should be decrypted and mounted
- It should now be possible to remove D2 while keeping D1 mounted in a decrypted state until the system reboots.
If D1 is not present at boot, there should be a timeout and then it should start normally, ignoring D1. As I'll be running a headless server I won't be able to run any manual commands.
My attempt at this is as follows:
Get the luksUUID
Code:
cryptsetup luksUUID /dev/sdb1
/etc/crypttab:
Code:
cryptusb UUID=<luksUUID> none timeout=10,x-systemd.device-timeout=20
/etc/fstab:
Code:
/dev/mapper/cryptusb /mnt/cryptusb auto defaults,noatime,rw,nofail,x-systemd.automount,x-systemd.device-timeout=30 0 0
With this setup I will be asked for a password (as I haven't yet specified a key file). The system will wait for a password for 10 seconds and then continue booting. If D1 is not present it waits for 20 s, then continues without D1. If I provide the correct password, D1 will be decrypted and mounted in /mnt/cryptusb. Now for the key file:
I added the mounting point of D2 and path to the key-file to my /etc/crypttab as such:
Code:
cryptusb UUID=<luksUUID> /mnt/keyusb/test-key.key timeout=10,x-systemd.device-timeout=20
Got the UUID of D2 (the USB drive with the key file):
Code:
blkid -s UUID -o value /dev/sdc1
and added D2 to fstab:
Code:
UUID=<uuid of D2> /mnt/keyusb auto defaults,rw,noatime,nofail,x-systemd.automount,x-systemd.device-timeout=10 0 0
I also had to add a /etc/cryptdisks to make sure D2 was mounted before D1:
Code:
CRYPTDISK_MOUNT='/mnt/keyusb'
This works in the sense that D1 was decrypted and mounted.
However, if I remove D2 (the key drive) (without running umount as I would if I was running a headless server) D1 will be unmounted and encrypted again (/dev/mapper/cryptusb disappears).
Since writing the last post I did notice that D1 will stay decrypted if I run umount on D2 before removing it. Does anyone know if it will stay decrypted until reboot with this method? Perhaps one could run a script to umount the drive after the user has logged in?
After this I followed a guide on luks & auto decrypt and mounting with the passdev script. Following this approach I ended up with:
a /etc/crypttab like this:
Code:
cryptusb UUID=<luksUUID> /dev/disk/by-uuid/<uuid of D2>:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2
The /etc/fstab I left unchanged, and I removed the /etc/cryptdisks file. As far as I understand, the third column (with the key-file path etc.) is supposed to be sent to the passdev script, which should store the key in memory?
Here the guide asks you to run:
Code:
update-initramfs -tuck all
update-grub
reboot
However, running update-initramfs -tuck all gives:
Code:
device-mapper: table ioctl on cryptusb failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for cryptusb
What does this message actually mean?
After this the system won't boot quite right (luckily I've got backups); instead it shows:
Code:
cryptsetup (cryptusb): lvm is not available
cryptsetup (cryptusb): lvm is not available
...
After a while it enters a terminal (initramfs) with an alert that:
Code:
/dev/disk/by-uuid/<uuid of D1> does not exist
Exiting this terminal will run the boot sequence, and it will find D1, but it doesn't seem to be able to read /etc/crypttab correctly; I see a systemd (I think) message about:
Code:
"A start job is running for ...dkey.key:5.device"
See attached image. I guess (as it mentions in the guide) systemd isn't able to read the line? After 1 1/2 minutes the user is logged in, but D1 remains encrypted.
I get the same result, apart from the error message at boot, if I omit the "update-initramfs" command; to be honest, I'm not quite sure what "update-initramfs" does. As far as I understand, initramfs is the environment loaded into RAM to be able to boot into the actual OS, or something like that.
Any pointers how I get this to work? Or is there another approach, that I haven't tried yet, that might work better?
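Since the question comes down to what those crypttab lines actually express, here is an added example (mine, not from the post and not a cryptsetup or systemd tool): a small POSIX shell lint over constructed copies of the three crypttab lines above. The column layout, the passdev `<device>:<path>:<timeout>` key form and the option names are the real crypttab ones; the function names, the three rules and the sample lines with placeholder UUIDs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post, not a cryptsetup or systemd tool):
# a small lint for /etc/crypttab lines of the shapes discussed in the thread.
# Column layout, the passdev "<device>:<path>:<timeout>" key form and the
# option names are the real crypttab ones; the rules, function names and the
# sample lines are constructed here.
set -f   # no pathname expansion while word-splitting config lines

# Print the four crypttab columns of LINE as "name|device|keyspec|options".
crypttab_fields() {
    set -- $1
    printf '%s|%s|%s|%s\n' "$1" "$2" "${3:-none}" "${4:-}"
}

# Succeed if the comma-separated OPTIONS column contains NAME or NAME=value.
has_option() {
    _want=$2
    _saved_ifs=$IFS; IFS=,
    set -- $1
    IFS=$_saved_ifs
    for _opt in "$@"; do
        case "$_opt" in
            "$_want"|"$_want"=*) return 0 ;;
        esac
    done
    return 1
}

# Print the value of NAME=value in OPTIONS (empty if absent); always succeeds.
option_value() {
    _want=$2
    _saved_ifs=$IFS; IFS=,
    set -- $1
    IFS=$_saved_ifs
    for _opt in "$@"; do
        case "$_opt" in
            "$_want"=*) printf '%s\n' "${_opt#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Succeed if KEYSPEC has the passdev form <device>:<path>:<timeout seconds>.
is_passdev_spec() {
    case "$1" in
        *:*:*) ;;
        *) return 1 ;;
    esac
    _timeout=${1##*:}
    case "$_timeout" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Print one finding per line for LINE; the return value is the finding count.
lint_crypttab_line() {
    _fields=$(crypttab_fields "$1")
    _saved_ifs=$IFS; IFS='|'
    set -- $_fields
    IFS=$_saved_ifs
    _name=$1 _key=$3 _opts=$4 _count=0

    # 1. Key file given as a plain path under a separate mount: the unlock
    #    depends on that mount being up first, and the mapping is tied to it.
    case "$_key" in
        /mnt/*|/media/*)
            echo "$_name: key file $_key is on a separately mounted filesystem; the unlock depends on that mount"
            _count=$((_count + 1)) ;;
    esac

    # 2. The passdev key form and keyscript=.../passdev must go together.
    _keyscript=$(option_value "$_opts" keyscript)
    case "$_keyscript" in */passdev|passdev) _uses_passdev=1 ;; *) _uses_passdev=0 ;; esac
    if is_passdev_spec "$_key"; then
        if [ "$_uses_passdev" -eq 0 ]; then
            echo "$_name: key spec $_key has the passdev form but options lack keyscript=.../passdev"
            _count=$((_count + 1))
        fi
    elif [ "$_uses_passdev" -eq 1 ]; then
        echo "$_name: keyscript=passdev is set but key spec $_key is not <device>:<path>:<timeout>"
        _count=$((_count + 1))
    fi

    # 3. Without x-systemd.device-timeout= a missing device is waited for using
    #    systemd's default device timeout (90 s) before boot moves on.
    if ! has_option "$_opts" x-systemd.device-timeout; then
        echo "$_name: no x-systemd.device-timeout=; a missing device holds boot for the default 90 s"
        _count=$((_count + 1))
    fi
    return $_count
}

# Constructed sample lines modelled on the post (placeholder UUIDs).
SAMPLE_PATH_KEY='cryptusb UUID=<luksUUID> /mnt/keyusb/test-key.key timeout=10,x-systemd.device-timeout=20'
SAMPLE_PASSDEV='cryptusb UUID=<luksUUID> /dev/disk/by-uuid/<uuid-of-D2>:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2'
SAMPLE_MISMATCH='cryptusb UUID=<luksUUID> /dev/disk/by-uuid/<uuid-of-D2>:/test-key.key:5 luks,initramfs,tries=2'
SAMPLE_CLEAN='cryptusb UUID=<luksUUID> /dev/disk/by-uuid/<uuid-of-D2>:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2,x-systemd.device-timeout=20'

# Run the lint over the samples when the script is executed directly.
for _sample in "$SAMPLE_PATH_KEY" "$SAMPLE_PASSDEV" "$SAMPLE_MISMATCH" "$SAMPLE_CLEAN"; do
    printf '== %s\n' "$_sample"
    lint_crypttab_line "$_sample" || printf '   (%s finding(s))\n' "$?"
done
```

Run it as `sh crypttab-lint.sh`; for a real file, feed each non-comment line of /etc/crypttab through `lint_crypttab_line`. Rule 1 is what the cryptdisks/CRYPTDISK_MOUNT step above was working around: systemd's crypttab generator adds a RequiresMountsFor= dependency on a key file given as a plain path, so the mapping is tied to that mount, which is consistent with /dev/mapper/cryptusb vanishing when the key stick is pulled without an umount. Rule 3 is the "A start job is running" wait: without x-systemd.device-timeout= a missing device is waited for using systemd's default device timeout, which is the 90 s the post observed.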