Slackware This Forum is for the discussion of Slackware Linux.

05-09-2010, 02:46 PM | #1 | Member | Registered: Apr 2009 | Location: Canada | Distribution: Slackware | Posts: 239
usb stick unlocking scheme for root encrypted partition in current
In slackware{,64}-current, the mkinitrd script now has a -K switch that should allow unlocking a LUKS encrypted root filesystem with a keyfile on a removable usb stick. I have been trying to use it on my LVM + LUKS setup without any success so far. I was just wondering if someone has successfully tested that new option. Thanks!

05-09-2010, 03:16 PM | #2 | LQ Veteran | Registered: May 2008 | Posts: 7,135
Yep, I've had it working. It took a bit of trial and error to get the modules right. Here's my initrd building script if it's any use to you:
Code:
root@nix:~/changes# cat 001_mkinitrd.sh
#!/bin/sh
#
# Build initrd
#
VERSION=${VERSION:-2.6.33.3}
INITRD_NAME="initrd-${VERSION}.gz"
cd /boot
mkinitrd -c -k ${VERSION} \
-m ext4:ehci-hcd:uhci-hcd:usbhid \
-f ext4 -r /dev/rootvg/lvroot \
-l uk -L -C /dev/sda5
# The following are needed if you use a keyfile on a vfat usbstick.
# Add them to the module list in the command above
# -m sg:usb_storage:nls_cp437:nls_iso8859-1:fat:vfat
#echo "LABEL=USB_BAR:/nix.key" > /boot/initrd-tree/lukskey
# Add pause to allow usb devices to activate.
echo "2" > /boot/initrd-tree/wait-for-root
# Rebuild and rename new initrd file.
mkinitrd
cp initrd.gz $INITRD_NAME
echo "New initrd created: $INITRD_NAME"
echo "REMINDER: Don't forget to edit/re-run lilo"
The keyfile stuff is commented out (I'm not using it at present). You'll need to add those extra modules to the mkinitrd command and uncomment the bit that creates the lukskey file.
I prefer to do it this way rather than use mkinitrd.conf.
The above should give you a pointer in the right direction. Obviously, you'll need to create a keyfile and add it to a slot using cryptsetup before this'll work.
Last edited by GazL; 05-09-2010 at 03:26 PM.
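The steps GazL outlines above (create a keyfile, add it to a LUKS slot with cryptsetup, let mkinitrd write lukskey, set wait-for-root, rebuild) collected into one script, as an added example; this is not GazL's script and not Slackware's code. The device names, stick label and key path (/dev/sda5, /dev/rootvg/lvroot, USB_BAR, /nix.key) are placeholders modelled on his script, the 4096-byte keyfile size and the run() / DRY_RUN wrapper are this example's choices, and with DRY_RUN=1 the privileged commands are only printed so the sequence can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not GazL's script or Slackware code: provision a LUKS keyfile
# on a vfat USB stick and build an initrd that unlocks root with it, in the
# order the thread describes. With DRY_RUN=1 every privileged command is
# printed instead of run, so the sequence can be reviewed first.
# Device names, label and key path are assumptions modelled on GazL's script.
set -u

LUKS_DEV=${LUKS_DEV:-/dev/sda5}              # LUKS container (assumed, as in GazL's -C)
ROOT_LV=${ROOT_LV:-/dev/rootvg/lvroot}       # root LV inside it (assumed, as in his -r)
VERSION=${VERSION:-2.6.33.3}                 # kernel version for -k
STICK_LABEL=${STICK_LABEL:-USB_BAR}          # vfat label of the stick (assumed)
KEY_PATH=${KEY_PATH:-/nix.key}               # keyfile path on the stick (assumed)
KEYFILE=${KEYFILE:-/root/$(basename "$KEY_PATH")}   # root-only local copy
MNT=${MNT:-/mnt/tmp}                         # temporary mount point (assumed)
DRY_RUN=${DRY_RUN:-0}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The value mkinitrd -K expects; mkinitrd writes it to the tree as lukskey.
lukskey_spec() { printf 'LABEL=%s:%s\n' "$1" "$2"; }

# GazL's base module list plus the ones he notes for a vfat stick, including sg.
modules_for_vfat_stick() {
    printf '%s\n' 'ext4:ehci-hcd:uhci-hcd:usbhid:sg:usb_storage:nls_cp437:nls_iso8859-1:fat:vfat'
}

# Random keyfile, readable by root only. 4096 bytes is this example's choice.
create_keyfile() {
    run sh -c "umask 077 && dd if=/dev/urandom of='$KEYFILE' bs=4096 count=1 2>/dev/null"
    run chmod 0400 "$KEYFILE"
}

# Add the keyfile to the next free slot; cryptsetup asks for the existing
# passphrase (slot 0, which stays as the fallback). Then dump the header so a
# second ENABLED slot can be confirmed before relying on it at boot.
add_key_to_slot() {
    run cryptsetup luksAddKey "$LUKS_DEV" "$KEYFILE"
    run cryptsetup luksDump "$LUKS_DEV"
}

# Find the stick by its label, the same way the initrd will, and copy the key on.
copy_key_to_stick() {
    run mount "/dev/disk/by-label/$STICK_LABEL" "$MNT"
    run cp "$KEYFILE" "$MNT$KEY_PATH"
    run umount "$MNT"
}

# GazL's two-pass build: -c creates the tree (with -K, mkinitrd writes lukskey
# and the stick modules), wait-for-root is set, a plain mkinitrd repacks the
# tree, and the result is kept under a versioned name. "-l uk" is his keymap.
build_initrd() {
    run mkinitrd -c -k "$VERSION" -m "$(modules_for_vfat_stick)" \
        -f ext4 -r "$ROOT_LV" -l uk -L -C "$LUKS_DEV" \
        -K "$(lukskey_spec "$STICK_LABEL" "$KEY_PATH")"
    run sh -c 'echo 2 > /boot/initrd-tree/wait-for-root'
    run mkinitrd
    run cp /boot/initrd.gz "/boot/initrd-${VERSION}.gz"
    echo "REMINDER: point lilo.conf at initrd-${VERSION}.gz and re-run lilo"
}

main() { create_keyfile && add_key_to_slot && copy_key_to_stick && build_initrd; }

case ${1:-} in
    --go) main ;;
    *)    echo "usage: DRY_RUN=1 $0 --go   (review), then $0 --go as root" >&2 ;;
esac
```

The keyfile sits unencrypted on a vfat stick, so whoever holds the stick can unlock the volume; that is why the passphrase stays in slot 0 as GazL does, and why the local copy under /root is kept mode 0400 (or deleted once it is on the stick).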

05-09-2010, 03:38 PM | #3 | Member | Registered: Apr 2009 | Location: Canada | Distribution: Slackware | Posts: 239 | Original Poster
Thanks GazL! The -K switch now takes care of putting the right modules in load_kernel_modules and it also puts the usb stick label in lukskey with the right path. So, it does exactly what your script is doing. For instance, this is what I have in my load_kernel_modules after adding -K LABEL=ESCSTICK:/keys/escfree in the mkinitrd command:
Code:
insmod -v /lib/modules/$(uname -r)/kernel/drivers/hid/hid.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/hid/usbhid/usbhid.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/host/ehci-hcd.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/host/uhci-hcd.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/jbd2/jbd2.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/mbcache.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/ext4/ext4.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/fat.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_cp437.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_iso8859-1.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/msdos.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/vfat.ko
The lukskey looks like this:
Code:
LABEL=ESCSTICK:/keys/escfree
and wait-for-root:
The usb stick has a FAT partition. Still, when I boot up, I have to type the passphrase in slot 0 instead of having the keyfile directly used. I couldn't figure out what's wrong in my setup!

05-09-2010, 03:58 PM | #4 | LQ Veteran | Registered: May 2008 | Posts: 7,135
Ahh ok, it's been a while since I played with it, so it may be a little friendlier now.
I'm fairly sure my usb stick needs the generic scsi "sg" module too, but that may just be due to the type of device it is. (I notice it's not in your list.)
Did you add your new file based key to a slot with "cryptsetup luksAddKey"?
I kept my passphrase in slot0 (just in case I lose the keyfile somehow) and added the keyfile to slot1.
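A pre-boot check of the unpacked /boot/initrd-tree that the exchange above points at, as an added example (not code from the thread or from Slackware's mkinitrd): does load_kernel_modules load every module a vfat stick needs, is sg (which GazL needed for his device) among them, does lukskey have the LABEL=<label>:/<path> shape the -K switch writes, and does wait-for-root hold a positive number of seconds. The required module set is taken from the module lists posted in this thread; the demo mode builds a temporary tree reproducing the OP's load_kernel_modules and lukskey with an empty wait-for-root, since the OP's value was not shown.

```shell
#!/bin/sh
# Added example (not from the thread or from Slackware's mkinitrd): check an
# unpacked initrd tree for the three things this thread turns on.
# Usage: ./check-initrd-tree.sh demo | ./check-initrd-tree.sh /boot/initrd-tree

# Modules a keyfile on a vfat USB stick needs, from the module lists posted in
# the thread. "sg" is the extra module GazL reports needing for his device.
REQUIRED_MODULES="usbhid ehci-hcd uhci-hcd usb_storage fat vfat nls_cp437 nls_iso8859-1"
OPTIONAL_MODULES="sg"

# Print, space separated, the modules in $2 that file $1 does not insmod.
# The file lists "insmod -v <path>/<name>.ko" lines; module names spell
# '_' and '-' inconsistently (usb_storage vs usb-storage.ko), so both sides
# are normalized to '-' before comparing.
missing_modules() {
    file=$1; wanted=$2; missing=""
    for m in $wanted; do
        key=$(printf '%s' "$m" | tr '_' '-')
        if ! sed -n 's#.*/\([^/]*\)\.ko[[:space:]]*$#\1#p' "$file" 2>/dev/null \
                | tr '_' '-' | grep -qx -- "$key"; then
            missing="$missing $m"
        fi
    done
    printf '%s\n' "${missing# }"
}

# lukskey must hold one line of the form LABEL=<label>:/<path on the stick>,
# which is what "mkinitrd -K LABEL=<label>:/<path>" writes.
lukskey_ok() {
    spec=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $spec in
        LABEL=?*:/*) return 0 ;;
        *) return 1 ;;
    esac
}

# wait-for-root holds the seconds the init script waits before looking for the
# root (and key) devices; a USB stick needs a few, so 0 or empty is a finding.
wait_for_root_ok() {
    n=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $n in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge 1 ]
}

# Run all checks on tree $1; print findings, return 0 only if all pass.
check_tree() {
    tree=$1; rc=0
    miss=$(missing_modules "$tree/load_kernel_modules" "$REQUIRED_MODULES")
    if [ -n "$miss" ]; then
        echo "MISSING required modules: $miss"; rc=1
    fi
    opt=$(missing_modules "$tree/load_kernel_modules" "$OPTIONAL_MODULES")
    if [ -n "$opt" ]; then
        echo "NOTE: not loaded, needed for some devices: $opt"
    fi
    if ! lukskey_ok "$tree/lukskey"; then
        echo "BAD lukskey: expected LABEL=<label>:/<path>"; rc=1
    fi
    if ! wait_for_root_ok "$tree/wait-for-root"; then
        echo "BAD wait-for-root: expected a positive number of seconds"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $tree"
    return $rc
}

# Constructed sample tree reproducing the OP's post: the module list and lukskey
# as shown there, and an empty wait-for-root (its value was not shown).
make_demo_tree() {
    d=$(mktemp -d)
    cat > "$d/load_kernel_modules" <<'EOF'
insmod -v /lib/modules/$(uname -r)/kernel/drivers/hid/hid.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/hid/usbhid/usbhid.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/host/ehci-hcd.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/host/uhci-hcd.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/ext4/ext4.ko
insmod -v /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/fat.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_cp437.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/nls/nls_iso8859-1.ko
insmod -v /lib/modules/$(uname -r)/kernel/fs/fat/vfat.ko
EOF
    printf 'LABEL=ESCSTICK:/keys/escfree\n' > "$d/lukskey"
    : > "$d/wait-for-root"
    printf '%s\n' "$d"
}

case ${1:-} in
    demo) t=$(make_demo_tree); check_tree "$t"; rm -rf "$t" ;;
    "")   echo "usage: $0 demo | /path/to/initrd-tree" >&2 ;;
    *)    check_tree "$1" ;;
esac
```

Run it against /boot/initrd-tree between the first mkinitrd -c pass and the repack, so that a missing module or an unset wait-for-root is caught before the reboot that would otherwise fall back to the passphrase prompt.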

05-09-2010, 04:01 PM | #5 | Member | Registered: Apr 2009 | Location: Canada | Distribution: Slackware | Posts: 239 | Original Poster
Quote:
Originally Posted by GazL
Ahh ok, it's been a while since I played with it, so it may be a little friendlier now.
I'm fairly sure my usb stick needs the generic scsi "sg" module too, but that may just be due to the type of device it is. (I notice it's not in your list.)
Did you add your new file based key to a slot with "cryptsetup luksAddKey"?
I kept my passphrase in slot0 (just in case I lose the keyfile somehow) and added the keyfile to slot1.
Yep, I added the keyfile to slot1 and I do have the passphrase in slot0, just like you.

05-09-2010, 04:08 PM | #6 | LQ Veteran | Registered: May 2008 | Posts: 7,135
Quote:
Originally Posted by escaflown
Yep, I added the keyfile to slot1 and I do have the passphrase in slot0, just like you.
Fair enough. I suspected you had. Just wanted to cover all the bases.
Other than trying to add that 'sg' module, I can't think of much else.
I guess you need to look for clues in the boot messages you get before it prompts you for the passphrase to try and figure out why it can't see your stick.
If it's any consolation, when I first started playing with this it took a little while to get it right for me too.

05-09-2010, 04:16 PM | #7 | Member | Registered: Apr 2009 | Location: Canada | Distribution: Slackware | Posts: 239 | Original Poster
Quote:
Originally Posted by GazL
Fair enough. I suspected you had. Just wanted to cover all the bases.
Other than trying to add that 'sg' module, I can't think of much else.
I guess you need to look for clues in the boot messages you get before it prompts you for the passphrase to try and figure out why it can't see your stick.
If it's any consolation, when I first started playing with this it took a little while to get it right for me too.
Thanks anyway. I'll keep looking: I guess that's what current is for 