Unlock LUKS encrypted root system with keyfile on USB device

Märk Owen · 02-10-2017, 08:57 AM

Hello,

I'm finding a lot of different and confusing information about what I want to do and nothing I tried seemed to work, unfortunately.

I'm running Debian Jessie with its root and swap partition encrypted (/boot is clear). I created a keyfile and added them to the LUKS volumes.

The issue is that this keyfile is present on a USB stick (vfat formatted) which I'm unable to mount at boot time so that /etc/crypttab can read the keyfile and unlock the root and swap volumes.

Does anybody know what to do?

TheEzekielProject · 02-10-2017, 09:53 AM

Have you looked at the Arch wiki? https://wiki.archlinux.org/index.php..._entire_system

Märk Owen · 02-10-2017, 10:04 AM

Yes I have and I'm completely lost when I look at it.

It doesn't seem to have my case scenario. On this wiki, the only keyfile-USB based example I can find is when the key is the entire USB stick itself. In my situation, the keyfile is simply another file sitting on a FAT32 filesystem inside my USB drive.

TheEzekielProject · 02-10-2017, 10:19 AM

Quote:

The issue is that this keyfile is present on a USB stick (vfat formatted) which I'm unable to mount at boot time so that /etc/crypttab can read the keyfile and unlock the root and swap volumes.

What is preventing you from mounting the USB at boot time?

On my system, to unlock with keyfile at boot I added a line to my /etc/crypttab like so:

Code:

media /dev/disk/by-uuid/<uuid here> /path/to/keyfile luks

, however my root partition is not encrypted, and according to crypttab should be setup elsewhere. This is where you would setup your swap though.

Quote:

# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).

this section shows the format of the needed entry in mkinitcpio.conf. Also see the section on mkinitcpio https://wiki.archlinux.org/index.php...ion#mkinitcpio

Märk Owen · 02-10-2017, 10:34 AM

Well my /etc/crypttab is setup like this:

Code:

sda3_crypt UUID=xxxx-xxx-xxx sdb1:/folder/keyfile.luks luks,discard,keyscript=/usr/local/sbin/bootkeyscript

sdb1 being the USB stick's partition on which the keyfile is. And /usr/local/sbin/bootkeyscript (I got it here) is supposed to be able to mount the USB stick and allow the operation but to no avail. When I reboot I get a:

Code:

Missing boot device sdb1

Or similar message when I try with UUID or LABEL, etc...

EDIT: of course, each time I modify something, I redo a

Code:

update-initramfs -v -u

to make sure it is taken into account.

TheEzekielProject · 02-10-2017, 10:49 AM

https://wiki.archlinux.org/index.php...tition_at_boot this may give a little more useful information. Also see my edits to post #4 above if you have not already.

Märk Owen · 02-10-2017, 11:39 AM

Thanks that's helpful but alas it still doesn't work and it doesn't give me any error message.

Since this is the arch wiki and I'm using Debian, there are a few tweaks to make (Or at least I think, I might be wrong):

mkinitcpio doesn't seem to exist on Jessie. Instead, I had to use initramfs. So I modified the file /etc/initramfs-tools/initramfs.conf to add these
Code:
```
HOOKS="base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck"
```
And to add the kernel parameters, I modified /etc/default/grub and changed the line:
Code:
```
GRUB_CMDLINE_LINUX_DEFAULT=""
```
To:
Code:
```
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:vfat:/pathtofile/keyfile.luks"
```

Anyway, since I'm hitting a wall again and again, I think I'll just work around the problem and reinstall my system to only encrypt my /home partition.

TheEzekielProject · 02-10-2017, 12:57 PM

This is for an older version of Debian but may be useful http://www.oxygenimpaired.com/debian...en-usb-keyfile