How to keep LUKS partition decrypted without USB thumb drive with keyfile present?
I'm running DietPi (Debian) and have encrypted an external USB-HDD using LUKS. To be able to run headless I've set up a keyfile for the LUKS partition and stored it on a USB thumb drive. Using the thumb drive I was able to create a setup where the LUKS partition is decrypted and mounted at boot if the thumb drive is present. However, if I remove the thumb drive after verifying that I can access my files, I can no longer access the decrypted mount. Is there a way to keep the keyfile in memory for the session (i.e. until the user logs out or the machine is powered off)?
I have seen that it's possible to use a `keyscript` setting in `/etc/crypttab`. My thinking is that I want to be able to boot the machine without a screen, and I don't want the key to be present if someone gets hold of the machine/HDD.
I guess I don't understand something: once your partition is mounted, it stays mounted, encrypted or not. Does it mean you umount it and want to be able to re-mount it?
Sorry for the late reply, it's been a very busy week.
I'll try to give some more detailed info; perhaps it'll be easier to find where I go wrong. I have an encrypted USB drive (D1 at /dev/sdb1) with a file (encrypted_test) and a USB drive (D2 at /dev/sdc1) with a key file (test-key.key). I've verified that they work by decrypting sdb1 using the key file, mounting it and listing the encrypted file:
Code:
mkdir /mnt/keyusb && mount /dev/sdc1 /mnt/keyusb
My attempt at this is as follows. Get the luksUUID:
Code:
cryptsetup luksUUID /dev/sdb1
Code:
cryptusb UUID=<luksUUID> none timeout=10,x-systemd.device-timeout=20
Code:
/dev/mapper/cryptusb /mnt/cryptusb auto defaults,noatime,rw,nofail,x-systemd.automount,x-systemd.device-timeout=30 0 0
I added the mount point of D2 and the path to the key file to my /etc/crypttab as such:
Code:
cryptusb UUID=<luksUUID> /mnt/keyusb/test-key.key timeout=10,x-systemd.device-timeout=20
Code:
blkid -s UUID -o value /dev/sdc1
Code:
UUID=<uuid of D2> /mnt/keyusb auto defaults,rw,noatime,nofail,x-systemd.automount,x-systemd.device-timeout=10 0 0
Code:
CRYPTDISK_MOUNT='/mnt/keyusb'
Since writing the last post I did notice that D1 will stay decrypted if I run umount on D2 before removing it. Does anyone know if it will stay decrypted until reboot with this method? Perhaps one could run a script to umount the drive after the user has logged in?
After this I followed a guide on LUKS auto-decrypt and mounting with the passdev script. Following this approach I ended up with a /etc/crypttab like this:
Code:
cryptusb UUID=<luksUUID> /dev/disk/by-uuid/<uuid of D2>:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2
Here the guide asks you to run:
Code:
update-initramfs -tuck all
Code:
device-mapper: table ioctl on cryptusb failed: No such device or address
After this the system won't boot quite right (luckily I've got backups :rolleyes:); instead it shows:
Code:
cryptsetup (cryptusb): lvm is not available
Code:
/dev/disk/by-uuid/<uuid of D1> does not exist
Code:
"A start job is running for ...dkey.key:5.device"
I get the same result, apart from the error message at boot, if I omit the "update-initramfs" command. To be honest I'm not quite sure what "update-initramfs" does; as far as I understand, initramfs is the environment loaded into RAM to be able to boot into the actual OS, or something like that. Any pointers on how I get this to work? Or is there another approach, that I haven't tried yet, that might work better?
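An added example in Python, not code from the thread or from any poster: a small auditor that parses the text of /etc/crypttab and /etc/fstab and tells apart the three ways the entries above obtain a key (a plain keyfile path, which depends on the filesystem holding it being mounted; the passdev keyscript's device:path:timeout spec, where the script reads the device itself; and `none`, which means a passphrase prompt). It also flags the layout the first post wants to avoid, a keyfile stored on the root filesystem, where anyone who takes the disk also takes the key. The sample crypttab and fstab inside the block are constructed with placeholder UUIDs, modelled on the lines quoted in the post; nothing is read from a real system.

```python
"""Audit how each /etc/crypttab volume gets its key.  Added example, not code from
the thread; the sample crypttab/fstab use placeholder UUIDs and nothing is read from disk."""
import os

# Constructed sample modelled on the lines quoted in the thread (placeholder UUIDs).
SAMPLE_CRYPTTAB = """\
cryptusb    UUID=11111111-2222-3333-4444-555555555555 /mnt/keyusb/test-key.key timeout=10,x-systemd.device-timeout=20
cryptpd     UUID=11111111-2222-3333-4444-555555555555 /dev/disk/by-uuid/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2
cryptbad    UUID=66666666-7777-8888-9999-000000000000 /root/usb.key luks
cryptmanual UUID=66666666-7777-8888-9999-000000000000 none luks
"""
SAMPLE_FSTAB = """\
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /mnt/keyusb auto defaults,rw,noatime,nofail,x-systemd.automount,x-systemd.device-timeout=10 0 0
/dev/mapper/cryptusb /mnt/cryptusb auto defaults,noatime,rw,nofail,x-systemd.automount,x-systemd.device-timeout=30 0 0
"""

def _parse_options(field):
    """Turn 'luks,tries=2' into {'luks': True, 'tries': '2'}."""
    opts = {}
    for opt in filter(None, field.split(",")):
        key, _, value = opt.partition("=")
        opts[key] = value or True
    return opts

def _fields(text):
    """Whitespace-split fields of each non-empty, non-comment line."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [line.split() for line in lines if line]

def parse_crypttab(text):
    """One dict per entry: name, source, key ('none' if absent), options."""
    entries = []
    for f in _fields(text):
        if len(f) < 2:
            raise ValueError("crypttab entry needs name and source: %r" % f)
        entries.append({"name": f[0], "source": f[1],
                        "key": f[2] if len(f) > 2 else "none",
                        "options": _parse_options(f[3]) if len(f) > 3 else {}})
    return entries

def parse_fstab(text):
    """Map mount point -> (device spec, mount options)."""
    return {f[1]: (f[0], _parse_options(f[3])) for f in _fields(text) if len(f) >= 4}

def mount_for_path(path, mounts):
    """Longest listed mount point that contains `path`, or None if none does."""
    hits = [mp for mp in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def parse_passdev_key(key):
    """passdev's key field is <device>:<path>[:<timeout in seconds>]."""
    parts = key.split(":")
    if len(parts) not in (2, 3):
        raise ValueError("passdev key must be device:path[:timeout], got %r" % key)
    return {"device": parts[0], "path": parts[1],
            "timeout": int(parts[2]) if len(parts) == 3 else None}

def classify(entry, mounts):
    """Say where an entry's key comes from and flag the layouts that defeat the purpose."""
    opts, key = entry["options"], entry["key"]
    keyscript = opts.get("keyscript")
    res = {"name": entry["name"], "initramfs": "initramfs" in opts, "warnings": []}
    if isinstance(keyscript, str) and os.path.basename(keyscript) == "passdev":
        spec = parse_passdev_key(key)
        res.update(method="passdev", key_device=spec["device"], timeout=spec["timeout"])
        if spec["timeout"] is None:
            res["warnings"].append("no passdev timeout: nothing bounds the wait for the key device at boot")
    elif keyscript:
        res.update(method="keyscript", key_device=None)
    elif key in ("none", "-"):
        res.update(method="passphrase prompt", key_device=None)
        res["warnings"].append("needs a console at boot; not headless")
    else:
        mp = mount_for_path(key, mounts)
        if mp is None or mp == "/":
            res.update(method="keyfile", key_device="rootfs", automount=False)
            res["warnings"].append("keyfile on the root filesystem: whoever holds the disk holds the key")
        else:
            dev, mopts = mounts[mp]
            res.update(method="keyfile", key_device=dev, automount="x-systemd.automount" in mopts)
    return res

def audit(crypttab_text, fstab_text):
    """Classify every crypttab entry against the fstab mounts, keyed by mapping name."""
    mounts = parse_fstab(fstab_text)
    return {e["name"]: classify(e, mounts) for e in parse_crypttab(crypttab_text)}

if __name__ == "__main__":
    for name, res in audit(SAMPLE_CRYPTTAB, SAMPLE_FSTAB).items():
        print(name, res["method"], res.get("key_device"), "; ".join(res["warnings"]) or "ok")
```

Run it with python3 to print one line per entry; to check a real layout, pass the contents of your own /etc/crypttab and /etc/fstab to `audit()`. The check is purely about the file syntax and where the key material lives; it says nothing about whether a mapping opened from a removable keyfile stays active after the medium is pulled, which depends on the systemd unit dependencies at runtime rather than on these files.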