I'd like to add multiple external HDDs as file storage. These HDDs should be encrypted. The server should be running headless (as in no monitor or keyboard attached), and I'd like the encrypted HDDs to be unlocked at boot without having to manually enter a password. So a keyfile then, but I don't want the keyfile to reside unprotected on the machine. So a keyfile on a USB pendrive, which I can remove after boot while still having access to the files on the external HDDs.
My setup at the moment, on a clean Debian installation (on VirtualBox), is outlined below. /dev/sdb is the external drive and /dev/sdb1; the USB pendrive has a label of "TEST" and the keyfile is located at /test-key.key on this device. I've made the following changes/additions:
Code:
$> cat /etc/fstab
UUID=<sda1> / ext4 errors=remount-ro 0 1
UUID=<sda2> /home ext4 defaults 0 2
UUID=<sda3> /tmp ext4 defaults 0 2
UUID=<sda4> /var ext4 defaults 0 2
/dev/mapper/crypthdd /ext_1 auto defaults,x-systemd.device-timeout=30,timeout=30,nofail 0 0
$> cat /etc/crypttab
crypthdd UUID=<sdb1's uuid> /dev/disk/by-label/TEST:/test-key.key:5 luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2,nofail
Code:
$> cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
$> cp /usr/share/initramfs-tools/hooks/cryptpassdev /etc/initramfs-tools/hooks/
Code:
$> cat /etc/initramfs-tools/hooks/add_cryptsetup
#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/cryptsetup
Code:
$> cat /etc/initramfs-tools/modules
dm-crypt
nls_cp437
nls_ascii
Code:
$> touch /etc/systemd/system/systemd-cryptsetup@crypthdd.service
$> update-initramfs -u
$> update-grub
Code:
device-mapper: table ioctl on crypthdd failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for crypthdd
device-mapper: table ioctl on crypthdd failed: No such device or address
Command failed
cryptsetup: WARNING: failed to determine cipher modules to load for crypthdd
Code:
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
cryptsetup (crypthdd): lvm is not avaliable
...
Where does this error come from and what does it mean?
How do I configure my system to ignore mounting a crypttab entry if the encrypted device is not present?
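An added example, not part of the original post: a small Python check that parses the crypttab and fstab lines shown above, splits the passdev key field (`<device>:<path>[:<timeout>]`) into its parts, and reports whether both tables carry `nofail` for the same mapping. The function names are hypothetical and the sample lines are constructed from the post with a placeholder UUID.

```python
# Added example (not from the post): structural check of a crypttab/fstab pair.
# Sample lines are constructed from the post; the UUID is a placeholder.
CRYPTTAB = ("crypthdd UUID=<sdb1-uuid> /dev/disk/by-label/TEST:/test-key.key:5 "
            "luks,initramfs,keyscript=/lib/cryptsetup/scripts/passdev,tries=2,nofail\n")
FSTAB = ("UUID=<sda1> / ext4 errors=remount-ro 0 1\n/dev/mapper/crypthdd /ext_1 auto "
         "defaults,x-systemd.device-timeout=30,timeout=30,nofail 0 0\n")

def parse_options(field):
    """Turn 'a,b=c' into {'a': True, 'b': 'c'}."""
    pairs = (item.partition("=") for item in field.split(",") if item)
    return {k: (v if sep else True) for k, sep, v in pairs}

def parse_crypttab(text):
    """Return one dict per entry: name, source, key, options (the four fields)."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue  # blank line or comment
        if len(f) < 2:
            raise ValueError(f"malformed crypttab line: {line!r}")
        entries.append({"name": f[0], "source": f[1],
                        "key": f[2] if len(f) > 2 else "none",
                        "options": parse_options(f[3]) if len(f) > 3 else {}})
    return entries

def parse_passdev_key(key):
    """Split the passdev key field '<device>:<path>[:<timeout>]'."""
    parts = key.split(":")
    if len(parts) not in (2, 3) or not all(parts[:2]):
        raise ValueError(f"not a passdev key spec: {key!r}")
    return parts[0], parts[1], int(parts[2]) if len(parts) == 3 else None

def fstab_options_for(text, device):
    """Options of the fstab line whose first field is `device`, else None."""
    rows = (line.split() for line in text.splitlines())
    return next((parse_options(f[3]) for f in rows
                 if len(f) >= 4 and f[0] == device), None)

def check(crypttab, fstab):
    """Per mapping: passdev key parts and whether both tables carry nofail."""
    report = []
    for e in parse_crypttab(crypttab):
        row = {"name": e["name"], "crypttab_nofail": "nofail" in e["options"]}
        if str(e["options"].get("keyscript", "")).endswith("/passdev"):
            row["key"] = parse_passdev_key(e["key"])
        mount = fstab_options_for(fstab, "/dev/mapper/" + e["name"])
        row["fstab_nofail"] = None if mount is None else "nofail" in mount
        report.append(row)
    return report
```

Calling `check(CRYPTTAB, FSTAB)` returns one row per mapping; a `fstab_nofail` of `None` means no fstab line references `/dev/mapper/<name>`.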