I already asked once about LUKS unlocking of multiple HDDs in Linux: LUKS and multiple hard drives.
Now I would like to know how to securely store the keyfile used for the automatic unlock of the associated partitions.
My plan is (if possible):
Encrypt a small USB drive with LUKS that requires a passphrase
Unlock it at boot as the first drive by using the passphrase
Mount it to a given mount poi
Since I have not found a way to have it set so that the computer will fall back to a passphrase on an encrypted root if the USB with keyfile isn't inserted.
On the lines of this thread: Unlocking LUKS with USB key - method - seeking help to improve, I am trying to automatically boot a system with an encrypted drive by pointing it to a keyfile on a CD-ROM. I have revived this laptop to use it as a file server. This would enable me to boot the server when away from home.
I have a Debian Linux system (amd64) installed on a RAID-1 system encrypted device (LVM on LUKS) and will have a RAID-6 of >=4 disks where I'll put my data (LUKS and maybe LVM).
I think the basic idea is to unlock the system encrypted partition (at boot at local or via ssh) and to store a keyfile in /etc/crypttab for the RAID-6 encrypted partition. Does that pose a security risk? I mean ...
I've got SIFT (based on Ubuntu 9.10) installed on a work laptop. We're trying to encrypt the entire installation (root partition and swap), which is apparently doable using LUKS, but I'm having some trouble getting it all to work.
Here's where I'm at so far:
I have an unencrypted /boot partition, one unencrypted root partition, and one encrypted partition.
Thanks for the help so far. I decided against using a keyfile and tailored a set of instructions for my goal (LVM on LUKS, passphrase, non-efi).
Hi all.
[update: manually mounting them can now be done if you read all the way through... retaining the entire post as it may help others... BUT root cause is still outstanding in that encrypted disks that automatically set up LVM volumes at boot in F17 will not in F18]
I have been unable to access encrypted LUKS volumes since I used fedup to upgrade to F18.
Hello:
Today I upgraded kernel packages to 3.2.45-3, then created an initrd, then reconfigured and installed lilo...
I was battling with setting up a Mint install on an encrypted hard drive, and I think I partially succeeded.