LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-10-2017, 08:57 AM   #1
Märk Owen (LQ Newbie, Registered: Nov 2014, Posts: 22)
Unlock LUKS encrypted root system with keyfile on USB device


Hello,

I'm finding a lot of different and confusing information about what I want to do and nothing I tried seemed to work, unfortunately.

I'm running Debian Jessie with its root and swap partitions encrypted (/boot is clear). I created a keyfile and added it to the LUKS volumes.

The issue is that this keyfile is present on a USB stick (vfat formatted) which I'm unable to mount at boot time so that /etc/crypttab can read the keyfile and unlock the root and swap volumes.

Does anybody know what to do?
 
02-10-2017, 09:53 AM   #2
TheEzekielProject (Member, Registered: Dec 2016, Distribution: Devuan+lxde, Posts: 658)
Have you looked at the Arch wiki? https://wiki.archlinux.org/index.php..._entire_system
 
02-10-2017, 10:04 AM   #3
Märk Owen (LQ Newbie, Original Poster)
Yes I have and I'm completely lost when I look at it.

It doesn't seem to have my case scenario. On this wiki, the only keyfile-USB based example I can find is when the key is the entire USB stick itself. In my situation, the keyfile is simply another file sitting on a FAT32 filesystem inside my USB drive.
 
02-10-2017, 10:19 AM   #4
TheEzekielProject (Member)
Quote:
The issue is that this keyfile is present on a USB stick (vfat formatted) which I'm unable to mount at boot time so that /etc/crypttab can read the keyfile and unlock the root and swap volumes.
What is preventing you from mounting the USB at boot time?

On my system, to unlock with keyfile at boot I added a line to my /etc/crypttab like so:
Code:
media /dev/disk/by-uuid/<uuid here> /path/to/keyfile luks
However, my root partition is not encrypted, and according to crypttab the root partition should be set up elsewhere. This is where you would set up your swap, though.
Quote:
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
This section shows the format of the needed entry in mkinitcpio.conf. Also see the section on mkinitcpio: https://wiki.archlinux.org/index.php...ion#mkinitcpio

Last edited by TheEzekielProject; 02-10-2017 at 10:40 AM.
 
02-10-2017, 10:34 AM   #5
Märk Owen (LQ Newbie, Original Poster)
Well my /etc/crypttab is setup like this:

Code:
sda3_crypt UUID=xxxx-xxx-xxx sdb1:/folder/keyfile.luks luks,discard,keyscript=/usr/local/sbin/bootkeyscript
sdb1 being the USB stick's partition on which the keyfile is. And /usr/local/sbin/bootkeyscript (I got it here) is supposed to be able to mount the USB stick and allow the operation, but to no avail. When I reboot I get a:

Code:
Missing boot device sdb1
Or similar message when I try with UUID or LABEL, etc...

EDIT: of course, each time I modify something, I redo a
Code:
update-initramfs -v -u
to make sure it is taken into account.

Last edited by Märk Owen; 02-10-2017 at 10:35 AM.
 
02-10-2017, 10:49 AM   #6
TheEzekielProject (Member)
https://wiki.archlinux.org/index.php...tition_at_boot this may give a little more useful information. Also see my edits to post #4 above if you have not already.
 
02-10-2017, 11:39 AM   #7
Märk Owen (LQ Newbie, Original Poster)
Thanks, that's helpful, but alas it still doesn't work, and it doesn't give me any error message.

Since this is the Arch wiki and I'm using Debian, there are a few tweaks to make (or at least I think so, I might be wrong):
  • mkinitcpio doesn't seem to exist on Jessie. Instead, I had to use initramfs. So I modified the file /etc/initramfs-tools/initramfs.conf to add this:

    Code:
    HOOKS="base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck"
    And to add the kernel parameters, I modified /etc/default/grub and changed the line:

    Code:
    GRUB_CMDLINE_LINUX_DEFAULT=""
    To:

    Code:
    GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:vfat:/pathtofile/keyfile.luks"

Anyway, since I'm hitting a wall again and again, I think I'll just work around the problem and reinstall my system to only encrypt my /home partition.
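The following is an added example and is not code from this thread or from the linked Arch wiki pages. It pulls together what posts #4, #5 and #7 are circling around for Debian: the initramfs-tools cryptroot hook reads /etc/crypttab (not mkinitcpio's HOOKS line or the cryptdevice=/cryptkey= kernel parameters, which belong to Arch's encrypt hook), and a keyfile that lives on another device is fetched by a keyscript named in the options field. It assumes the passdev keyscript and the askpass helper that Debian's cryptsetup package ships, that the USB partition is referenced by a persistent /dev/disk/by-uuid path rather than a bare kernel name like sdb1 (which is exactly what the "Missing boot device sdb1" message in post #5 complains about), and that the vfat module is in the initramfs (MODULES=most, the default). All UUIDs and paths below are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Debian initramfs-tools style unlock of a
# LUKS root from a keyfile on a FAT32 USB stick. Assumptions: the passdev keyscript
# and /lib/cryptsetup/askpass from Debian's cryptsetup package; made-up UUIDs.

# Build the /etc/crypttab line Debian's cryptroot hook expects.
# $1 mapper name, $2 UUID of the LUKS volume, $3 UUID of the USB filesystem,
# $4 path of the keyfile inside that filesystem. The key field has the form
# <device>:<path>, which is what passdev parses.
crypttab_entry() {
    printf '%s UUID=%s /dev/disk/by-uuid/%s:%s luks,keyscript=passdev\n' \
        "$1" "$2" "$3" "$4"
}

# Return 0 if a crypttab line looks sane, otherwise print the problem and return 1.
# Catches the two mistakes seen in the thread: a bare kernel device name such as
# "sdb1" in the key field (not a path, and not stable across boots), and a key on
# another device with no keyscript= in the options to go and fetch it.
check_crypttab_line() {
    set -- $1                                  # split into the four crypttab fields
    [ $# -ge 3 ] || { echo "need at least 3 fields"; return 1; }
    key=$3 opts=${4:-}
    case $key in
        none|/*) ;;                            # passphrase prompt or an absolute path
        *) echo "key field '$key' is not a path; use /dev/disk/by-uuid/<uuid>:<file>"
           return 1 ;;
    esac
    case $key in
        *:*) case ",$opts," in
                 *,keyscript=*) ;;
                 *) echo "key on another device needs keyscript= in the options"
                    return 1 ;;
             esac ;;
    esac
    return 0
}

# A minimal custom keyscript, for when passdev is not wanted. The initramfs
# cryptroot script runs it with the crypttab key field as $1 ("device:path") and
# reads the key from stdout. If the stick is absent it falls back to a passphrase
# prompt, so a second LUKS keyslot holding a passphrase is still needed.
# Install it as /lib/cryptsetup/scripts/usbkey and use keyscript=usbkey.
usb_keyscript() {
    dev=${1%%:*}
    path=${1#*:}
    mnt=/tmp/usbkey.$$
    tries=0
    while [ ! -b "$dev" ] && [ "$tries" -lt 10 ]; do   # give udev a few seconds
        sleep 1; tries=$((tries + 1))
    done
    if [ -b "$dev" ] && mkdir -p "$mnt" && mount -t vfat -o ro "$dev" "$mnt" 2>/dev/null; then
        if [ -r "$mnt/$path" ]; then
            cat "$mnt/$path"                   # the key goes to stdout, nothing else
            umount "$mnt"; rmdir "$mnt"
            return 0
        fi
        umount "$mnt"; rmdir "$mnt"
    fi
    # $CRYPTTAB_NAME is newer; Jessie's cryptroot exported $crypttarget instead.
    /lib/cryptsetup/askpass "USB key not found, passphrase for ${CRYPTTAB_NAME:-${crypttarget:-root}}: "
}

# Stand-alone demo: print a good entry and show the checker rejecting the
# thread's "sdb1:/folder/keyfile.luks" form.
crypttab_entry sda3_crypt 11111111-2222-3333-4444-555555555555 ABCD-1234 /folder/keyfile.luks
check_crypttab_line "sda3_crypt UUID=xxxx-xxx-xxx sdb1:/folder/keyfile.luks luks,discard,keyscript=/usr/local/sbin/bootkeyscript" \
    || echo "rejected, as expected"
```

After changing /etc/crypttab, rerun update-initramfs -u -k all (as post #5 does) so the cryptroot hook copies the new crypttab and keyscript into the initramfs, and keep a passphrase in a second keyslot of each volume so the machine remains bootable without the stick.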
 
02-10-2017, 12:57 PM   #8
TheEzekielProject (Member)
This is for an older version of Debian but may be useful: http://www.oxygenimpaired.com/debian...en-usb-keyfile
 