[SOLVED] Unlock LUKS encrypted partition with USB drive
I recently installed Slackware64 14.0 on a NAS server with full disk encryption (except /boot), and since I want to run it headless, it won't have a monitor attached all the time. I'd like to use a USB drive with a key file so I won't have to type the password on every start.
I tried initrd with the -K luks_keyfile option, but it won't unlock the disk and still asks for the password.
The USB drive is FAT32 formatted with the label 'NASKEY'
Code:
$ cfdisk /dev/sdb
Name    Flags    Part Type   FS Type      [Label]    Size (MB)
--------------------------------------------------------------
                 Pri/Log     Free Space                 1.05 *
sdb1             Primary     vfat         [NASKEY]   2011.17 *
My initrd was created with the following command (sda1 is /boot, sda2 is the encrypted partition)
You first have to create that file on the USB stick, called "/boot/key.luks" and add it to your computer's LUKS key store. The initrd command will not do either of these steps. All it does is cause Slackware to check if there is a USB stick with the configured FAT label, and then locate that file you mentioned on the mkinitrd commandline, and present that file to cryptsetup for unlocking the encrypted volume. But if you did not first add the contents of that file into a LUKS key slot, then cryptsetup will not accept that file as a valid key.
For example, create a file with random content (512 characters), then add the file to the LUKS volume on partition /dev/sdX1 as a new unlock key. The new key will be accepted after you type a valid LUKS unlock passphrase:
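The procedure in the reply above (random key file, enrolled as an extra LUKS key slot, then checked) as an added shell example; it is not code from the thread or from Slackware. /dev/sdX1 is the placeholder device from the reply, the stick is assumed to be mounted at /mnt/naskey so the key lands at /boot/key.luks on it, and the check step assumes a cryptsetup new enough to support --test-passphrase.

```shell
#!/bin/sh
# Added example, not from the thread: generate a random LUKS key file,
# enrol it in a free key slot, and confirm the file unlocks the volume.
# Assumptions: LUKS partition /dev/sdX1 (placeholder), USB stick mounted
# at /mnt/naskey, key stored as /boot/key.luks on the stick (path from the
# thread), 512 random bytes as suggested in the reply.

set -eu

# make_keyfile FILE [BYTES]: write BYTES random bytes to FILE (default 512),
# created with a restrictive umask so the key is never world-readable.
make_keyfile() {
    file=$1
    bytes=${2:-512}
    rm -f "$file"
    ( umask 077; dd if=/dev/urandom of="$file" bs=1 count="$bytes" 2>/dev/null )
    chmod 0400 "$file"
}

# keyfile_size FILE: print the size of FILE in bytes.
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# enroll_keyfile DEVICE FILE: add the file contents as a new key slot.
# cryptsetup asks for an existing passphrase before accepting the new key.
enroll_keyfile() {
    cryptsetup luksAddKey "$1" "$2"
}

# check_keyfile DEVICE FILE: verify the key file opens DEVICE without
# creating a device-mapper mapping (--test-passphrase).
check_keyfile() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Run the whole sequence only when invoked as "script.sh run" (as root).
if [ "${1:-}" = "run" ]; then
    DEV=/dev/sdX1                   # placeholder: your LUKS partition
    KEY=/mnt/naskey/boot/key.luks   # assumption: stick mounted at /mnt/naskey
    make_keyfile "$KEY" 512
    echo "key file written: $(keyfile_size "$KEY") bytes"
    enroll_keyfile "$DEV" "$KEY"
    check_keyfile "$DEV" "$KEY" && echo "key file unlocks $DEV"
fi
```

The size argument is only there because the thread discusses 512 versus 4096 bytes; as the reply says, cryptsetup accepts either, so the check_keyfile step is what actually tells you whether the enrolment worked before you rebuild the initrd.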
Sorry, I didn't mention it in the original post, but I have already created the key, added it to a LUKS keyslot and saved it on the boot stick. I know the key works because I can unlock the encrypted partition with it.
The only difference I see is the key size. I created a 4096-byte key and you suggested 512 bytes. Does the size make a difference?
I can see at boot that the kernel recognizes my boot stick, so it should unlock the encrypted partition.
Size or content of the key file does not make a difference.
Also note the support for FAT filesystems which gets added to the initrd:
Code:
# Several extra modules are needed to support a vfat formatted USB stick...
# assuming here we are using a western codepage.
# This possibly adds doublures, but we clean up the MODULE_LIST further down!
MODULE_LIST="${MODULE_LIST}:ehci-hcd:uhci-hcd:usb-storage:hid:usbhid:fat:nls_cp437:nls_iso8859-1:msdos:vfat"
Since you are Czech, perhaps your FAT filesystem needs another codepage module added, but I doubt that since you are using "normal" western directory and file names.
What also happens in the initrd is to pause for 5 seconds in order to give the OS time to query the USB stick. Maybe your computer needs more time? Change the "5" to something higher in /boot/initrd-tree/wait-for-root and re-run "mkinitrd", followed by "lilo".
Well, I finally found out what was wrong. All initrd modules, keys, etc. were correct except for one thing. I looked through .bash_history and found this command:
Code:
$ pwd
/root
$ mkinitrd [...] -o boot/initrd.gz
which created the initrd in /root/boot/, so I was using the wrong initrd all the time. The correct parameter is
Code:
$ mkinitrd [...] -o /boot/initrd.gz
Now it works as intended. Anyway, thanks for suggestions!
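The mistake that ended the thread (a relative -o path that put the initrd under /root/boot/) is easy to guard against in a small wrapper, added here as an example that is not code from the thread or from Slackware. It assumes Slackware's mkinitrd and lilo, an /etc/lilo.conf with an "initrd = /boot/initrd.gz" line, the -K luks_keyfile option from the thread, MKINITRD_ARGS as a placeholder for the options the thread elides with "[...]", and that the generated initrd contains a file named lukskey (an assumption about mkinitrd's tree layout).

```shell
#!/bin/sh
# Added example, not from the thread: build the initrd only to an absolute
# path under /boot, then confirm that what lilo.conf boots is the file just
# written and that the key-file configuration actually made it in.
# Assumptions: Slackware mkinitrd/lilo, "initrd = /boot/initrd.gz" in
# /etc/lilo.conf, MKINITRD_ARGS holds the options elided in the thread,
# and mkinitrd writes a "lukskey" file into the initrd tree.

set -eu

# check_output_path PATH: accept only absolute paths below /boot.
# "boot/initrd.gz" run from /root silently lands in /root/boot/, which is
# exactly what went wrong in the thread.
check_output_path() {
    case "$1" in
        /boot/*) return 0 ;;
        *) echo "refusing relative or non-/boot initrd path: $1" >&2; return 1 ;;
    esac
}

# lilo_initrd CONF: print the initrd path configured in CONF (first match).
lilo_initrd() {
    sed -n 's/^[[:space:]]*initrd[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# build_initrd OUT: validate OUT, run mkinitrd, cross-check against lilo.conf
# and the archive contents, then run lilo so the new initrd is actually used.
build_initrd() {
    out=$1
    : "${MKINITRD_ARGS:?set the mkinitrd options elided as [...] in the thread}"
    : "${LUKSKEY:?set to LABEL:/path as used with mkinitrd -K}"
    check_output_path "$out" || return 1
    mkinitrd $MKINITRD_ARGS -K "$LUKSKEY" -o "$out"
    conf=$(lilo_initrd /etc/lilo.conf)
    [ "$conf" = "$out" ] || { echo "lilo.conf boots $conf, not $out" >&2; return 1; }
    # assumption: mkinitrd -K records the key location in a "lukskey" file
    zcat "$out" | cpio -t 2>/dev/null | grep -q lukskey \
        || { echo "no lukskey entry in $out" >&2; return 1; }
    lilo
}
```

Calling build_initrd /boot/initrd.gz performs the build; calling it with boot/initrd.gz fails before mkinitrd runs, and the lilo.conf comparison catches the other variant of the same problem, where the file is built correctly but the bootloader still points at an old copy.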