Unlock LUKS with USB Key

datapath
Posts: 3
Joined: 2013-10-28 20:39

Unlock LUKS with USB Key

#1 Post by datapath »

Preamble: I have researched online and read manual pages, specifically that of crypttab. I think I'm almost there but may still be missing something that I'm not getting through researching the topic. Any help would be appreciated. Thank you.

Objective: Unlock a LUKS partition with keyfile located on USB drive, with password fallback.

Context:
  • OS: Debian 11
  • All system partitions are on /dev/sda
Method
Step 1: Created a key file in FAT partition (partition name P1) of the USB drive

dd if=/dev/random of=/keyfile bs=512 count=15
Step 2: Edit the /etc/crypttab file.

sudo vim /etc/crypttab
Step 3: Replace fields 3 and 4 "none luks" with:

/keyfile:LABEL=P1 luks,keyfile-timeout=5s
Step 4: Add keyfile to LUKS keyring.

sudo cryptsetup luksAddKey /dev/sdax ./keyfile
Step 5: Update your boot process

update-initramfs -u
Step 6: Reboot....

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Unlock LUKS with USB Key

#2 Post by p.H »

datapath wrote: 2022-05-07 17:11 Step 1: Created a key file in FAT partition (partition name P1) of the USB drive

dd if=/dev/random of=/keyfile bs=512 count=15
This command creates the key file in the root filesystem, not on the USB drive.
datapath wrote: 2022-05-07 17:11 Step 3: Replace fields 3 and 4 "none luks" with:

/keyfile:LABEL=P1 luks,keyfile-timeout=5s
Note that the keyfile:device notation and the keyfile-timeout option are supported only by the systemd cryptsetup helper, not by the initramfs helper, so they cannot be used if the encrypted volume must be unlocked by the initramfs (e.g. if it contains the / or /usr filesystem or the hibernation swap area). Also step 5 is pointless.
datapath wrote: 2022-05-07 17:11 Step 4: Add keyfile to LUKS keyring.

sudo cryptsetup luksAddKey /dev/sdax ./keyfile
This command adds the key from the current directory, not the USB drive.
datapath wrote: 2022-05-07 17:11 Step 5: Update your boot process

update-initramfs -u
Required only if the encrypted volume must be unlocked by the initramfs (see above).

datapath
Posts: 3
Joined: 2013-10-28 20:39

Re: Unlock LUKS with USB Key

#3 Post by datapath »

Thank you for your reply p.H. I agree with your points and would be grateful for a little further clarification around the configuration of the crypttab file (Step 3).
p.H wrote: Note that the keyfile:device notation and the keyfile-timeout option are supported only by the systemd cryptsetup helper, not by the initramfs helper, so they cannot be used if the encrypted volume must be unlocked by the initramfs (e.g. if it contains the / or /usr filesystem or the hibernation swap area). Also step 5 is pointless.
Yes you are correct that the volume for decryption is root (/).
Question: If the notation is only systemd and not initramfs, what would be the notation for initramfs to look at the USB for a key file to decrypt a root file system? (As I said in my initial post, I'm happy to read the manual, but please be specific as to which part.)

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Unlock LUKS with USB Key

#4 Post by p.H »

I guess the only option is to use a keyscript.
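The keyscript route p.H points to, as an added example that is not code from this thread: a POSIX sh keyscript for Debian's initramfs cryptsetup helper that waits for the USB partition by label, reads the key file from it, and falls back to a passphrase prompt when the stick is absent. The crypttab line, the script path /usr/local/sbin/usbkey, the LABEL:path format of the key field and the use of /lib/cryptsetup/askpass for the fallback are assumptions.

```sh
#!/bin/sh
# usbkey: crypttab keyscript for Debian's initramfs cryptsetup helper.
# Constructed example for this thread, not a script from the original post.
# Assumed crypttab line (3rd field is LABEL:path-on-that-filesystem):
#   sda5_crypt UUID=<root-luks-uuid> P1:keyfile luks,keyscript=/usr/local/sbin/usbkey
# Install: chmod 0755 /usr/local/sbin/usbkey && update-initramfs -u
# The initramfs helper passes the key field as $1 and in $CRYPTTAB_KEY and
# reads the key material from this script's stdout.
WAIT_SECS="${WAIT_SECS:-5}"           # how long to wait for the USB stick
KEY_MOUNT="${KEY_MOUNT:-/tmp/usbkey}" # temporary mountpoint inside the initramfs

keyspec_label() { printf '%s\n' "${1%%:*}"; }  # "P1:keyfile" -> P1
keyspec_path()  { printf '%s\n' "${1#*:}"; }   # "P1:keyfile" -> keyfile

# Wait up to WAIT_SECS seconds for udev to create /dev/disk/by-label/<label>.
wait_for_label() {
  i=0
  while [ "$i" -lt "$WAIT_SECS" ]; do
    [ -e "/dev/disk/by-label/$1" ] && return 0
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# Print the key file found under a mounted directory; fail if absent or empty.
emit_key() {
  [ -s "$1/$2" ] || return 1
  cat "$1/$2"
}

main() {
  spec="${1:-${CRYPTTAB_KEY:-}}"
  label="$(keyspec_label "$spec")"
  path="$(keyspec_path "$spec")"
  if wait_for_label "$label"; then
    mkdir -p "$KEY_MOUNT"
    # Read-only mount; the vfat module must be in the initramfs (MODULES=most).
    if mount -o ro "/dev/disk/by-label/$label" "$KEY_MOUNT" 2>/dev/null; then
      emit_key "$KEY_MOUNT" "$path" && { umount "$KEY_MOUNT"; exit 0; }
      umount "$KEY_MOUNT"
    fi
  fi
  # Fallback: prompt for the passphrase with Debian's initramfs askpass helper.
  /lib/cryptsetup/askpass "No key on USB '$label', enter passphrase for $CRYPTTAB_NAME: "
}

# Only run when invoked by the cryptsetup helper (which sets CRYPTTAB_NAME).
if [ -n "${CRYPTTAB_NAME:-}" ]; then main "$@"; fi
```

Because the script emits the key on stdout, it must print nothing else; diagnostics, if any, belong on stderr.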
