Unlock LUKS encrypted root system with keyfile on USB device
Hello,
I'm finding a lot of different and confusing information about what I want to do and nothing I tried seemed to work, unfortunately.
I'm running Debian Jessie with its root and swap partitions encrypted (/boot is clear). I created a keyfile and added it to the LUKS volumes.
The issue is that this keyfile is present on a USB stick (vfat formatted) which I'm unable to mount at boot time so that /etc/crypttab can read the keyfile and unlock the root and swap volumes.
Yes I have, and I'm completely lost when I look at it.
It doesn't seem to have my case scenario. On this wiki, the only keyfile-USB based example I can find is when the key is the entire USB stick itself. In my situation, the keyfile is simply another file sitting on a FAT32 filesystem inside my USB drive.
Quote:
The issue is that this keyfile is present on a USB stick (vfat formatted) which I'm unable to mount at boot time so that /etc/crypttab can read the keyfile and unlock the root and swap volumes.
What is preventing you from mounting the USB at boot time?
On my system, to unlock with keyfile at boot I added a line to my /etc/crypttab like so:
Code:
media /dev/disk/by-uuid/<uuid here> /path/to/keyfile luks
However, my root partition is not encrypted, and according to crypttab it should be set up elsewhere. This is where you would set up your swap, though.
Quote:
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
sdb1 being the USB stick's partition on which the keyfile is. And /usr/local/sbin/bootkeyscript (I got it here) is supposed to be able to mount the USB stick and allow the operation but to no avail. When I reboot I get a:
Code:
Missing boot device sdb1
Or similar message when I try with UUID or LABEL, etc...
EDIT: of course, each time I modify something, I redo a
Anyway, since I'm hitting a wall again and again, I think I'll just work around the problem and reinstall my system to only encrypt my /home partition.
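The setup the thread is working toward, as an added example that is not code from the thread, from the linked bootkeyscript, or from Debian's cryptsetup package. On Debian (unlike the Arch mkinitcpio note quoted above) the encrypted root is listed in /etc/crypttab and the cryptroot initramfs hook unlocks it at boot, so the keyscript only has to mount the stick and write the key bytes to stdout. The label KEYUSB, the key path keys/root.key, the mountpoint /run/usbkey and the install path /usr/local/sbin/usbkeyscript are assumptions for the example; the UUID in the crypttab comment is a placeholder. The device wait loop addresses the "missing boot device" symptom: the by-label symlink does not exist until the USB bus has been enumerated, which is often some seconds after the initramfs starts.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian's cryptsetup package.
# A crypttab keyscript: mounts a vfat USB stick found by filesystem label,
# streams the key file to stdout for cryptsetup, and falls back to a
# passphrase prompt when the stick is absent. Assumed names (change to taste):
#   USB filesystem label : KEYUSB
#   key file on the stick: keys/root.key
#   install path         : /usr/local/sbin/usbkeyscript
# Assumed /etc/crypttab line (the UUID is a placeholder, not a real value):
#   sda5_crypt UUID=<luks-partition-uuid> none luks,keyscript=/usr/local/sbin/usbkeyscript
# Then run update-initramfs -u so the cryptroot hook copies the script into
# the initramfs; with MODULES=dep in initramfs.conf also list vfat, usb_storage
# and the nls_* modules vfat needs in /etc/initramfs-tools/modules.

KEY_LABEL="${KEY_LABEL:-KEYUSB}"
KEY_PATH="${KEY_PATH:-keys/root.key}"
MOUNTPOINT="${MOUNTPOINT:-/run/usbkey}"
WAIT_SECONDS=10

# stdout is the key: every diagnostic must go to stderr.
log() { echo "usbkeyscript: $*" >&2; }

# wait_for_device LABEL TRIES: /dev/disk/by-label/LABEL exists only after the
# kernel has enumerated the USB bus and udev has processed it, which can take
# several seconds into the initramfs. Poll once per second instead of failing
# on the first look (the "missing boot device" symptom).
wait_for_device() {
    label=$1; tries=$2
    while [ "$tries" -gt 0 ]; do
        [ -e "/dev/disk/by-label/$label" ] && return 0
        if command -v udevadm >/dev/null 2>&1; then
            udevadm settle >/dev/null 2>&1 || true
        fi
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# read_key_from_dir DIR RELPATH: copy the key file's bytes to stdout unchanged
# (no echo, no added newline: the bytes themselves are the LUKS passphrase).
# Returns 1 when the file is missing or unreadable.
read_key_from_dir() {
    keyfile="$1/$2"
    [ -r "$keyfile" ] || return 1
    cat "$keyfile"
}

# unlock_from_usb: mount the stick read-only, stream the key, always unmount.
unlock_from_usb() {
    wait_for_device "$KEY_LABEL" "$WAIT_SECONDS" || { log "no device labelled $KEY_LABEL"; return 1; }
    mkdir -p "$MOUNTPOINT"
    mount -t vfat -o ro "/dev/disk/by-label/$KEY_LABEL" "$MOUNTPOINT" || return 1
    read_key_from_dir "$MOUNTPOINT" "$KEY_PATH"
    rc=$?
    umount "$MOUNTPOINT"
    [ "$rc" -eq 0 ] || log "key file $KEY_PATH not readable on the stick"
    return "$rc"
}

# Without the stick the machine stays bootable: ask for the passphrase slot
# with the same prompt helper Debian's own initramfs scripts use.
fallback_prompt() {
    /lib/cryptsetup/askpass "USB key not found, enter LUKS passphrase: "
}

# The boot logic runs only when the file is executed under its installed name;
# running or sourcing it under another name just defines the functions above.
case "$0" in
    usbkeyscript|*/usbkeyscript) unlock_from_usb || fallback_prompt ;;
esac
```

Two design points worth keeping in mind. Give the key file its own LUKS key slot (cryptsetup luksAddKey) and keep the interactive passphrase in another slot, so a lost stick can be revoked with cryptsetup luksKillSlot without locking yourself out. And remember what the stick is: whoever holds it together with the disk can unlock the disk, so its protective value comes entirely from keeping it physically apart from the machine.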