LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-21-2018, 06:09 AM   #1
SirSkorpan
LQ Newbie
 
Registered: Nov 2018
Posts: 3

How to keep a LUKS partition decrypted without the USB thumb drive with the keyfile present?


I'm running DietPi (Debian) and have encrypted an external USB HDD using LUKS. To be able to run headless I've set up a keyfile for the LUKS partition and stored it on a USB thumb drive. Using the thumb drive I was able to create a setup where the LUKS partition is decrypted and mounted at boot if the thumb drive is present. However, if I remove the thumb drive after verifying that I can access my files, I can no longer access the decrypted mount. Is there a way to keep the keyfile in memory for the session (i.e. until the user logs out or the machine is powered off)?

I have seen that it's possible to use a `keyscript` setting in /etc/crypttab. Is it possible to write your own script that achieves the desired effect?

My thinking is that I want to be able to boot the machine without a screen, and I don't want the key to be present if someone gets hold of the machine/HDD.
 
Old 11-22-2018, 04:08 AM   #2
lougavulin
Member
 
Registered: Jul 2018
Distribution: Slackware,x86_64,current
Posts: 279

I guess I don't understand something: once your partition is mounted, it stays mounted, encrypted or not. Do you mean you umount it and want to be able to re-mount it?
 
Old 11-29-2018, 02:31 PM   #3
SirSkorpan
LQ Newbie
 
Registered: Nov 2018
Posts: 3

Original Poster
Sorry for the late reply, it's been a very busy week.

I'll try to give some more detailed info; perhaps it'll be easier to find where I go wrong. I have an encrypted USB drive (D1 at /dev/sdb1) with a file (encrypted_test) and a USB drive (D2 at /dev/sdc1) with a key file (test-key.key). I've verified that they work by decrypting sdb1 using the key file, mounting it and listing the encrypted file:
Code:
mkdir /mnt/keyusb && mount /dev/sdc1 /mnt/keyusb
cryptsetup luksOpen --key-file /mnt/keyusb/test-key.key /dev/sdb1 cryptusb
mkdir /mnt/cryptusb && mount /dev/mapper/cryptusb /mnt/cryptusb
ls /mnt/cryptusb
# result: "encrypted_test"
So far so good. Now, at boot, I want something like this:
  1. Start the machine, with D1 present (connected to the machine)
  2. During boot it should attempt to decrypt and mount D1 using the key on D2
  3. If D2 is not present the system should wait for some time before it gives up, resulting in D1 not being decrypted and mounted.
  4. If D2 becomes available, during the wait, D1 should be decrypted and mounted
  5. It should now be possible to remove D2 while keeping D1 mounted in a decrypted state until the system reboots.
If D1 is not present at boot, there should be a timeout and then it should start normally, ignoring D1. As I'll be running a headless server I won't be able to run any manual commands.

My attempt at this is as follows:
Get the luksUUID
Code:
cryptsetup luksUUID /dev/sdb1
/etc/crypttab:
Code:
cryptusb UUID=<luksUUID> none timeout=10,x-systemd.device-timeout=20
/etc/fstab:
Code:
/dev/mapper/cryptusb /mnt/cryptusb auto defaults,noatime,rw,nofail,x-systemd.automount,x-systemd.device-timeout=30 0 0
With this setup I will be asked for a password (as I haven't yet specified a key file). The system will wait for a password for 10 seconds and then continue booting. If D1 is not present it waits for 20 s, then continues without D1. If I provide the correct password, D1 will be decrypted and mounted in /mnt/cryptusb. Now for the key file:

I added the mounting point of D2 and path to the key-file to my /etc/crypttab as such:

Code:
cryptusb UUID=<luksUUID> /mnt/keyusb/test-key.key timeout=10,x-systemd.device-timeout=20
Got the UUID of D2 (the USB drive with the key file):

Code:
blkid -s UUID -o value /dev/sdc1
and added D2 to fstab:

Code:
UUID=<uuid of D2> /mnt/keyusb auto defaults,rw,noatime,nofail,x-systemd.automount,x-systemd.device-timeout=10 0 0
I also had to add an /etc/cryptdisks file to make sure D2 was mounted before D1:

Code:
CRYPTDISK_MOUNT='/mnt/keyusb'
This works in the sense that D1 is decrypted and mounted. However, if I remove D2 (the key drive) without running umount (as I would if I were running a headless server), D1 is unmounted and encrypted again (/dev/mapper/cryptusb disappears).

Since writing the last post I did notice that D1 will stay decrypted if I run umount on D2 before removing it. Does anyone know if it will stay decrypted until reboot with this method? Perhaps one could run a script to umount the drive after the user has logged in?

After this I followed a guide on luks & auto decrypt and mounting with the passdev script. Following this approach I ended up with:

a /etc/crypttab like this:
Code:
cryptusb UUID=<luksUUID> /dev/disk/by-uuid/<uuid of D2>:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2
I left /etc/fstab unchanged and removed the /etc/cryptdisks file. As far as I understand, the third column (with the key-file path etc.) is supposed to be passed to the passdev script, which should store the key in memory?

Here the guide asks you to run:
Code:
update-initramfs -tuck all
update-grub
reboot
However, running update-initramfs -tuck all gives:
Code:
device-mapper: table ioctl on cryptusb failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for cryptusb
What does this message actually mean?

After this the system won't boot quite right (luckily I've got backups); instead it shows:
Code:
cryptsetup (cryptusb): lvm is not available
cryptsetup (cryptusb): lvm is not available
...
After a while it enters a terminal (initramfs) with an alert that:
Code:
/dev/disk/by-uuid/<uuid of D1> does not exist
Exiting this terminal will run the boot sequence and it will find D1, but it doesn't seem to be able to read /etc/crypttab correctly. I see a systemd (I think) message about:
Code:
"A start job is running for ...dkey.key:5.device"
See the attached image. I guess (as it mentions in the guide) systemd isn't able to read the line? After 1 1/2 minutes the user is logged in, but D1 remains encrypted.

I get the same result, apart from the error message at boot, if I omit the "update-initramfs" command. To be honest, I'm not quite sure what "update-initramfs" does. As far as I understand, initramfs is the environment loaded into RAM to be able to boot into the actual OS, or something like that.

Any pointers on how I can get this to work? Or is there another approach, that I haven't tried yet, that might work better?

Attached image: capture1.png

Last edited by SirSkorpan; 11-29-2018 at 02:34 PM. Reason: Mixed up D1 and D2
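One shape a custom keyscript, as asked about in post #1 and attempted with passdev in post #3, can take. This is an added example, not code from the thread, from DietPi or from Debian's passdev; it assumes the script is installed as /usr/local/sbin/waitkey, that the crypttab key column holds "<keyfile path>:<seconds to wait>", and that the key drive gets mounted at that path (for instance by the automount fstab entry above).

```sh
#!/bin/sh
# Hypothetical crypttab keyscript (added example, not from the thread or
# from Debian's passdev). Debian's cryptsetup runs a keyscript with the
# crypttab key column in $1 (also exported as CRYPTTAB_KEY) and reads the
# key material from the script's stdout.
# Assumed key column format: "<keyfile path>:<seconds to wait>", e.g.
#   cryptusb UUID=<luksUUID> /mnt/keyusb/test-key.key:30 luks,keyscript=/usr/local/sbin/waitkey
# The key only passes through stdout once: after luksOpen the volume is
# held open by the master key in the kernel, not by the keyfile, so the
# key drive can be unmounted and unplugged afterwards.

# spec_path SPEC / spec_timeout SPEC: split "<path>:<seconds>"; a missing
# ":<seconds>" part defaults to 10 seconds.
spec_path() {
    case $1 in
        *:*) printf '%s\n' "${1%:*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}
spec_timeout() {
    case $1 in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   echo 10 ;;
    esac
}

# wait_for_key PATH SECONDS: poll until PATH is a readable regular file,
# then copy its contents to stdout. Returns 1 on timeout so cryptsetup's
# "tries=" option can retry or give up instead of hanging the boot.
wait_for_key() {
    path=$1
    secs=${2:-10}
    waited=0
    while [ "$waited" -lt "$secs" ]; do
        if [ -f "$path" ] && [ -r "$path" ]; then
            cat -- "$path"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "waitkey: no key file at $path after ${secs}s" >&2
    return 1
}

# Entry point when invoked by cryptsetup (CRYPTTAB_KEY is set only there).
if [ -n "${CRYPTTAB_KEY:-}" ]; then
    spec=${1:-$CRYPTTAB_KEY}
    wait_for_key "$(spec_path "$spec")" "$(spec_timeout "$spec")"
    exit $?
fi
```

systemd's own crypttab generator does not implement keyscript=, so on Debian such an entry is unlocked by the cryptsetup initramfs hook (the initramfs option) or the cryptdisks init scripts rather than by a systemd unit.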