Unlocking LUKS with keyfile on USB

slaka · 05-13-2014, 01:45 PM

I have formatted USB stick to fat

Code:

mkfs.fat -N USBKEY /dev/sdX1

made keyfile and moved it into USB stick, created initrd accordingly

Code:

#echo password > /mnt/USBKEY/keys/key.luks
#cryptsetup luksAddKey /dev/sdXY /mny/USBKEY/keys/key.luks
#mkinitrd -c -k 3.2.29-smp -m ext3 -f ext3 -r /dev/cryptvg/root -C /dev/sdx2 -L -K LABEL=USBKEY:/keys/key.luks

Problem is that I am prompted for password during boot, I have tried to insert USB stick right after booting process starts and obviously having it inserted during whole boot/reboot process.

mostlyharmless · 05-16-2014, 03:04 PM

Maybe your usb drive isn't being recognized

My mkinitrd is

Code:

 mkinitrd -c -k 3.13.2 -f ext4 -r /dev/cryptvg/root -m usb-storage:xhci-hcd:usbhid:hid_generic:mbcache:jbd2:ext4:ext2:vfat:hid:usbhid -C /dev/sda3 -L -u -o /boot/initrd-3.13.2.gz -K UUID=XXXX-XXXX:/keyfile

Note that I use the UUID rather than LABEL to avoid different mount points, either should work. The keyfile is in the root of the USB stick.

For you that'd be

Code:

 mkinitrd -c -k 3.2.29-smp -f ext3 -r /dev/cryptvg/root -m usb-storage:xhci:hcd:usbhid:hid_generic:mbcache:ext3:vfat:hid:usbhid -C /dev/sda2 -L -u LABEL=USBKEY:/keys/key.luks

Note the modules included in the initrd for usb, usbstorage and vfat. You might not need all of those other modules.

Also, I'm not sure your path to the keyfile is correct. Had you mounted your stick into /mny? If your stick is in at boot time, I expect /keys to be in the root of the USB drive.