Any actually working tutorial how to boot LUKS passwordless?

SystemUser
Posts: 9
Joined: 2018-08-01 19:59

Any actually working tutorial how to boot LUKS passwordless?

#1 Post by SystemUser »

Hi!

I have LUKS-encrypted root and swap partitions. In addition, during the installation I created an unencrypted ext4 partition for which I set the mount point /test.

Then I followed this tutorial:
https://askubuntu.com/questions/996155/ ... ext-reboot

Where I replaced /boot/keyfile with /test/keyfile
and in the command cryptsetup -v luksAddKey /dev/sda3 /boot/keyfile I replaced /dev/sda3 with UUID=uuid that I got from my /etc/crypttab (for some reason cryptsetup wasn't happy with /dev/sdX)
and in /etc/crypttab I wrote keyscript=/test/passdev instead of keyscript=/lib/cryptsetup/scripts/passdev (I also copied that script to my unencrypted partition).


Now I keep getting "cryptsetup failed, bad password or options?" Invalid key path.

I am trying to figure out how to boot an encrypted device without manually entering a password.
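
A lint for the kind of /etc/crypttab passdev entry described in this post, as an added example that is not part of the original thread. It assumes the key-field syntax documented for Debian's passdev keyscript, `<device>:<path>[:<timeout>]`; the sample entries, UUIDs and device label are constructed.

```python
import re

# Constructed sample; the first entry loosely mirrors the setup in the post.
# UUIDs and the by-label device name are placeholders.
SAMPLE_CRYPTTAB = """\
# <target> <source> <key file> <options>
sda3_crypt UUID=00000000-0000-0000-0000-000000000001 /test/keyfile luks,keyscript=/test/passdev
data_crypt UUID=00000000-0000-0000-0000-000000000002 /dev/disk/by-label/keydev:/keyfile:10 luks,keyscript=/lib/cryptsetup/scripts/passdev
root_crypt UUID=00000000-0000-0000-0000-000000000003 none luks
"""

# Key-field syntax passdev expects: <device>:<path>[:<timeout>]
PASSDEV_KEY = re.compile(r"^[^:]+:[^:]+(:\d+)?$")
# Key fields that do not point at a stored key
NO_STORED_KEY = {"none", "-", "/dev/urandom", "/dev/random"}


def parse_crypttab(text):
    """Return one dict per entry: target, source, key, opts (option -> value)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key = fields[2] if len(fields) > 2 else "none"
        raw = fields[3].split(",") if len(fields) > 3 else []
        opts = dict(o.split("=", 1) if "=" in o else (o, "") for o in raw)
        entries.append({"target": fields[0], "source": fields[1],
                        "key": key, "opts": opts})
    return entries


def lint(text):
    """Return (target, finding) pairs: passdev syntax and unattended unlock."""
    findings = []
    for e in parse_crypttab(text):
        script = e["opts"].get("keyscript", "")
        if script.rsplit("/", 1)[-1] == "passdev" and not PASSDEV_KEY.match(e["key"]):
            findings.append((e["target"],
                             "passdev key field is not <device>:<path>[:<timeout>]"))
        if e["key"] not in NO_STORED_KEY:
            findings.append((e["target"],
                             "unlocks without a passphrase; key storage is the only protection"))
    return findings


if __name__ == "__main__":
    for target, finding in lint(SAMPLE_CRYPTTAB):
        print(f"{target}: {finding}")
```
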

cds60601
df -h | participant
Posts: 717
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 133 times
Been thanked: 63 times

Re: Any actually working tutorial how to boot LUKS passwordl

#2 Post by cds60601 »

Not sure exactly what you want to do but for me, I wanted to have some external drives, encrypted and accessible on boot-up.
With that being said, something in this thread might help you.

http://forums.debian.net/viewtopic.php?f=5&t=137674

I also did up a tutorial and posted it here:
https://www.howtoforge.com/tutorial/ful ... untu-1804/

EDIT: After reading your post a few times, I "think" the answer to your question may be this question. Consider this thought process;
How can you access the keyfile IF the keyfile sits on the drive that is encrypted?
Meaning, that unless the system can read the keyfile before accessing the encrypted drive, how else would it decrypt unless you use a password.

I'm certain there is a way since you can encrypt the drive on initial install - unfortunately, I don't have an actual answer for you.
This is just my reasoning as I don't know in your situation.


Hope this helps you
Cheers
Chris
Supercalifragilisticexpialidocious

SystemUser
Posts: 9
Joined: 2018-08-01 19:59

Re: Any actually working tutorial how to boot LUKS passwordl

#3 Post by SystemUser »

This time I installed new Debian installation with default settings.

I used Guided - use entire disk and set up encrypted LVM.

It means that my root and swap are encrypted and I have unencrypted boot. Now when I tried this tutorial again: https://askubuntu.com/questions/996155/ ... ext-reboot, it again said: cryptsetup failed, bad password or options?

The tutorial that you linked: https://www.howtoforge.com/tutorial/ful ... untu-1804/ is to add encryption for new partition. But I have already encrypted partition.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 13 times
Been thanked: 66 times

Re: Any actually working tutorial how to boot LUKS passwordl

#4 Post by dilberts_left_nut »

WTF is the point of having an encrypted volume that decrypts automatically when you boot the system?
AdrianTM wrote:There's no hacker in my grandma...

CwF
Global Moderator
Posts: 2679
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 196 times

Re: Any actually working tutorial how to boot LUKS passwordl

#5 Post by CwF »

I looked in my notes and found a blank page, crap. I can't remember... but, a few years ago I got into setting up a usb key to unlock the system LUKS and it was very involved since it included a few fallbacks. First, this was for the lack of a keyboard and served as a physical key. Your quest is more akin to gluing the key in the lock. In any case your unencrypted partition on the system drive I suppose is equivalent to the usb part, however I think I remember the usb was itself encrypted and there was another step... I think I remember the LUKS key needs to be in a secure path, hence the extra step. So the open partition held the open key for the usb, which was then a secure path for the LUKS key... On the other hand I have no idea what you're trying to accomplish since it offers no protection at the cost of extraneous cpu activity? So far, your plan allows the disk to be mounted and booted totally unprotected. If that's fine then why waste the effort and simply run unencrypted?

From your link, this is a transient next reboot only or persistent?

I hope I can find my notes on this, thanks for the reminder!

Also you can add hardware references so that your attempted solution would protect the drive if booted in a different machine...

looking for the notes...?

SystemUser
Posts: 9
Joined: 2018-08-01 19:59

Re: Any actually working tutorial how to boot LUKS passwordl

#6 Post by SystemUser »

dilberts_left_nut wrote:WTF is the point of having an encrypted volume that decrypts automatically when you boot the system?
Right now it's just to get working example on vm.
From your link, this is a transient next reboot only or persistent?
You mean cryptsetup failed, bad password or options? It happens every boot so basically I am no longer able to boot that OS after doing this passwordless tutorial.

CwF
Global Moderator
Posts: 2679
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 196 times

Re: Any actually working tutorial how to boot LUKS passwordl

#7 Post by CwF »

My question is this operation will allow ONE reboot, or you are setting it up for a cold boot? In the latter case there is no real world use case. period.

If you're learning and playing and finding right and wrong ways...some hints:

Set up your VM to use a backing file on top of a suitable LUKS image. Then when you bork it, and you can't get in, just recreate a new layer on the still unchanged backing file. Alternatively, make a copy of that first install if you'd rather not use backing files. Then you bork it, and just copy over the backup and continue.

Setup your VM to have a USB. This will emulate a real world scenario. The usb could be passed and real or entirely virtual. You can add the usb just like any other interface, ide, sata, virtio, etc. This usb device takes the place of your unencrypted partition on the primary disk.

Understand that the answer to your quest is it can't be done, hopefully... ie system disk holding key in the clear. I'm pretty sure you need the LUKS key in an encrypted path, that's secondary to the primary key which unlocks the usb key which is assumed to be a physical device, that key can be in the clear, read from your boot disk root.

Additionally, a real world use case would likely include fall back to kb console input if the key fails.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Any actually working tutorial how to boot LUKS passwordl

#8 Post by debiman »

SystemUser wrote:
dilberts_left_nut wrote:WTF is the point of having an encrypted volume that decrypts automatically when you boot the system?
Right now it's just to get working example on vm.
this justification makes just as little sense.

CwF
Global Moderator
Posts: 2679
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 196 times

Re: Any actually working tutorial how to boot LUKS passwordl

#9 Post by CwF »

SystemUser wrote:Hi!.
I saw the post SystemUser. Humorous I thought. On point even. But he is right.

And now we know.
