LinuxQuestions.org - Linux - Security
How to keep LUKS partition decrypted without USB thumb drive with keyfile present? (https://www.linuxquestions.org/questions/linux-security-4/how-to-keep-luks-partition-decrypted-without-usb-thumb-drive-with-keyfile-present-4175642765/)

SirSkorpan 11-21-2018 06:09 AM

How to keep LUKS partition decrypted without USB thumb drive with keyfile present?
 
I'm running DietPi (Debian) and have encrypted an external USB-HDD using LUKS. To be able to run headless I've set up a keyfile for the LUKS partition and stored it on a USB thumb drive. Using the thumb drive I was able to create a setup where the LUKS partition is decrypted and mounted at boot if the thumb drive is present. However, if I, after verifying that I can access my files, remove the thumb drive, I can no longer access the decrypted mount. Is there a way to keep the keyfile in memory for the session (i.e. until the user logs out or the machine is powered off)?

I have seen that it's possible to use a `keyscript` setting in the
Code:

/etc/crypttab
Is it possible to write your own script that achieves the desired effect?

My thinking is that I want to be able to boot the machine without a screen and I don't want the key to be present if someone gets hold of the machine/hdd.

lougavulin 11-22-2018 04:08 AM

I guess I don't understand something: once your partition is mounted, it stays mounted, encrypted or not. Does it mean you umount it and want to be able to re-mount it?

SirSkorpan 11-29-2018 02:31 PM

Sorry for late reply, it's been a very busy week.

I'll try to give some more detailed info, perhaps it'll be easier to find where I go wrong. I have an encrypted USB-drive (D1 at /dev/sdb1) with a file (encrypted_test) and a USB-drive (D2 at /dev/sdc1) with a key-file (test-key.key). I've verified that they work by decrypting sdb1 using the key file and mounting it and listing the encrypted file:
Code:

mkdir /mnt/keyusb && mount /dev/sdc1 /mnt/keyusb
cryptsetup luksOpen --key-file /mnt/keyusb/test-key.key /dev/sdb1 cryptusb
mkdir /mnt/cryptusb && mount /dev/mapper/cryptusb /mnt/cryptusb
ls /mnt/cryptusb
# result: "encrypted_test"

So far so good. Now, at boot, I want something like this:
  1. Start the machine, with D1 present (connected to the machine)
  2. During boot it should attempt to decrypt and mount D1 using the key on D2
  3. If D2 is not present the system should wait for some time before it gives up, resulting in D1 not being decrypted and mounted.
  4. If D2 becomes available, during the wait, D1 should be decrypted and mounted
  5. It should now be possible to remove D2 while keeping D1 mounted in a decrypted state until the system reboots.
If D1 is not present at boot, there should be a timeout and then it should start normally, ignoring D1. As I'll be running a headless server I won't be able to run any manual commands.

My attempt at this is as follows:
Get the luksUUID
Code:

cryptsetup luksUUID /dev/sdb1
/etc/crypttab:
Code:

cryptusb UUID=<luksUUID> none timeout=10,x-systemd.device-timeout=20
/etc/fstab:
Code:

/dev/mapper/cryptusb /mnt/cryptusb auto defaults,noatime,rw,nofail,x-systemd.automount,x-systemd.device-timeout=30 0 0
With this setup I will be asked for a password (as I haven't yet specified a key-file). The system will wait for a password for 10 seconds and then continue booting. If D1 is not present it waits for 20s, then continues without D1. If I provide the correct password, D1 will be decrypted and mounted in /mnt/cryptusb. Now for the key-file:

I added the mounting point of D2 and path to the key-file to my /etc/crypttab as such:

Code:

cryptusb UUID=<luksUUID> /mnt/keyusb/test-key.key timeout=10,x-systemd.device-timeout=20
got the UUID of D2 (usb with the key file)

Code:

blkid -s UUID -o value /dev/sdc1
and added D2 to fstab:

Code:

UUID=<uuid of D2> /mnt/keyusb auto defaults,rw,noatime,nofail,x-systemd.automount,x-systemd.device-timeout=10 0 0
I also had to add a /etc/cryptdisks to make sure D2 was mounted before D1:

Code:

CRYPTDISK_MOUNT='/mnt/keyusb'
This works in the sense that D1 was decrypted and mounted. However, if I remove D2 (the key drive) (without running umount as I would if I was running a headless server) D1 will be unmounted and encrypted again (/dev/mapper/cryptusb disappears).

Since writing the last post I did notice that D1 will stay decrypted if I run umount in D2 before removing it. Does anyone know if it will stay decrypted until reboot with this method? Perhaps one could run a script to umount the drive after the user has logged in?

After this I followed a guide on luks & auto decrypt and mounting with the passdev script. Following this approach I ended up with:

a /etc/crypttab like this:
Code:

cryptusb UUID=<luksUUID> /dev/disk/by-uuid/<uuid of D2>:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2
the /etc/fstab I left unchanged and I removed the /etc/cryptdisks file. As far as I understand the third column (with the key-file path etc.) is supposed to be sent to the passdev script which should store the key in memory?

Here the guide asks you to run:
Code:

update-initramfs -tuck all
update-grub
reboot

However, running update-initramfs -tuck all gives:
Code:

device-mapper: table ioctl on cryptusb failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for cryptusb

What does this message actually mean?

After this the system won't boot quite right (luckily I've got backups :rolleyes:); instead it shows:
Code:

cryptsetup (cryptusb): lvm is not available
cryptsetup (cryptusb): lvm is not available
...

after a while it enters a terminal (initramfs) with an alert that:
Code:

/dev/disk/by-uuid/<uuid of D1> does not exist
Exiting this terminal will run the boot sequence and it will find D1, but it doesn't seem to be able to read /etc/crypttab correctly. I see a systemd (I think) message about:
Code:

"A start job is running for ...dkey.key:5.device"
See attached image. I guess (as it mentions in the guide) systemd isn't able to read the line? After 1 1/2 minutes the user is logged in, but D1 remains encrypted.

I get the same result, apart from the error message at boot, if I omit the "update-initramfs" command. To be honest I'm not quite sure what "update-initramfs" does. As far as I understand, initramfs is the environment loaded into RAM to be able to boot into the actual OS, or something like that.

Any pointers how I get this to work? Or is there another approach, that I haven't tried yet, that might work better?
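The first post asks whether a custom `keyscript` can do the job, and the crypttab line above hands a `<device>:<path>:<timeout>` key column to the passdev script. Below is an added example of what such a keyscript looks like; it is not code from this thread, from Debian's cryptsetup package, nor from the guide the poster followed. The contract it implements is the real one: Debian's cryptsetup exports the crypttab key column as `CRYPTTAB_KEY` (and passes it as `$1`) and reads the key from the script's standard output. Everything else is constructed for the example: the script takes a directory rather than a block device as the location (passdev mounts the device itself), the default timeout of 10 seconds is its own, and the key file name and contents in the usage are made up. Two points of context matter for the question being asked: once luksOpen has succeeded, the unlocked volume key is held by the kernel's dm-crypt target, so the key file is only needed at unlock time and may disappear afterwards without affecting the mapping; and systemd's own crypttab handling has no `keyscript` option, so entries like the passdev one are unlocked by Debian's cryptsetup tooling (initramfs hook or cryptdisks scripts), which is consistent with systemd treating the key column as a device name in the boot message quoted above.

```shell
#!/bin/sh
# Added example keyscript (not Debian's passdev): wait for a key file to
# appear, write it to stdout for cryptsetup, never log it.
#
# Key column format, as in the crypttab line above: <location>:<path>[:<timeout>]
#   location  directory holding the key (assumption for this example; the
#             real passdev takes a block device and mounts it itself)
#   path      key file relative to <location>
#   timeout   seconds to wait for the file; defaults to 10 here (our choice)

# parse_keyspec SPEC: sets KEY_LOCATION, KEY_PATH, KEY_TIMEOUT from SPEC.
# Returns 1 when a mandatory field is missing or the timeout is not a number.
parse_keyspec() {
    KEY_LOCATION=${1%%:*}
    rest=${1#*:}
    case "$rest" in
        *:*) KEY_PATH=${rest%%:*}; KEY_TIMEOUT=${rest#*:} ;;
        *)   KEY_PATH=$rest;        KEY_TIMEOUT=10 ;;
    esac
    # A spec without any colon leaves KEY_LOCATION equal to the whole string.
    [ "$KEY_LOCATION" = "$1" ] && return 1
    [ -n "$KEY_LOCATION" ] && [ -n "$KEY_PATH" ] || return 1
    case "$KEY_TIMEOUT" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# wait_for_keyfile FILE SECONDS: poll once per second until FILE is readable
# or SECONDS have elapsed. Returns 0 when the file is readable.
wait_for_keyfile() {
    file=$1
    remaining=$2
    while [ "$remaining" -gt 0 ]; do
        [ -r "$file" ] && return 0
        sleep 1
        remaining=$((remaining - 1))
    done
    [ -r "$file" ]
}

# emit_key SPEC: keyscript entry point. Diagnostics go to stderr only; the
# key goes to stdout, which is the channel cryptsetup reads. A non-zero exit
# lets cryptsetup fall back to its passphrase prompt / retry logic.
emit_key() {
    parse_keyspec "$1" || { echo "keyscript: bad key specification '$1'" >&2; return 2; }
    keyfile="$KEY_LOCATION/${KEY_PATH#/}"
    if ! wait_for_keyfile "$keyfile" "$KEY_TIMEOUT"; then
        echo "keyscript: $keyfile not readable within ${KEY_TIMEOUT}s" >&2
        return 1
    fi
    cat "$keyfile"
}

# When run by cryptsetup the key column arrives in CRYPTTAB_KEY (Debian also
# passes it as $1). Nothing happens when the script is merely sourced.
if [ -n "$CRYPTTAB_KEY" ]; then
    emit_key "$CRYPTTAB_KEY"
fi
```

Used from crypttab, the script would be referenced with `keyscript=/path/to/this-script` and a key column such as `/mnt/keyusb:/test-key.key:30`; the location must already be mounted when the script runs, which is exactly the ordering problem the CRYPTDISKS mount setting in the thread is about. The script deliberately writes the key nowhere but stdout, so the only copy outside the key drive is the one cryptsetup consumes and discards after luksOpen.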

