Unlock LUKS with USB Key

Posted: 2022-05-07 17:11
by datapath
Preamble: I have researched online and read manual pages, specifically that of crypttab. I think I'm almost there but may still be missing something that I'm not getting through researching the topic. Any help would be appreciated. Thank you.

Objective: Unlock a LUKS partition with keyfile located on USB drive, with password fallback.

Context:
  • OS: Debian 11
  • All system partitions are on /dev/sda
Method
Step 1: Created a key file in FAT partition (partition name P1) of the USB drive

dd if=/dev/random of=/keyfile bs=512 count=15
Step 2: Edit the /etc/crypttab file.

sudo vim /etc/crypttab
Step 3: Replace fields 3 and 4 "none luks" with:

/keyfile:LABEL=P1 luks,keyfile-timeout=5s
Step 4: Add keyfile to LUKS keyring.

sudo cryptsetup luksAddKey /dev/sdax ./keyfile
Step 5: Update your boot process

update-initramfs -u
Step 6: Reboot....

Re: Unlock LUKS with USB Key

Posted: 2022-05-08 08:40
by p.H
datapath wrote: 2022-05-07 17:11
Step 1: Created a key file in FAT partition (partition name P1) of the USB drive
dd if=/dev/random of=/keyfile bs=512 count=15
This command creates the key file in the root filesystem, not on the USB drive.
datapath wrote: 2022-05-07 17:11
Step 3: Replace fields 3 and 4 "none luks" with:
/keyfile:LABEL=P1 luks,keyfile-timeout=5s
Note that the keyfile:device notation and the keyfile-timeout option are supported only by systemd cryptsetup helper, not by the initramfs helper, so they cannot be used if the encrypted volume must be unlocked by the initramfs (e.g. if it contains the / or /usr filesystem or the hibernation swap area). Also step 5 is pointless.
datapath wrote: 2022-05-07 17:11
Step 4: Add keyfile to LUKS keyring.
sudo cryptsetup luksAddKey /dev/sdax ./keyfile
This command adds the key from the current directory, not the USB drive.
datapath wrote: 2022-05-07 17:11
Step 5: Update your boot process
update-initramfs -u
Required only if the encrypted volume must be unlocked by the initramfs (see above).

Re: Unlock LUKS with USB Key

Posted: 2022-05-08 18:47
by datapath
Thank you for your reply p.H. I agree with your points and would be grateful for a little further clarification around the configuration of the crypttab file (Step 3).
p.H wrote: 2022-05-08 08:40
Note that the keyfile:device notation and the keyfile-timeout option are supported only by systemd cryptsetup helper, not by the initramfs helper, so they cannot be used if the encrypted volume must be unlocked by the initramfs (e.g. if it contains the / or /usr filesystem or the hibernation swap area). Also step 5 is pointless.
Yes, you are correct that the volume for decryption is root (/).
Question: If the notation is only systemd and not initramfs, what would be the notation for initramfs to look at the USB for a key file to decrypt a root file system? (As I said in my initial post, I'm happy to read the manual, but please be specific as to which part.)

Re: Unlock LUKS with USB Key

Posted: 2022-05-17 15:42
by p.H
I guess the only option is to use a keyscript.
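As an added illustration of the keyscript route (not code from this thread or from Debian's cryptsetup package), the script below waits for the FAT partition labelled P1, mounts it read-only, writes /keyfile to stdout for the initramfs helper, and otherwise falls back to the normal passphrase prompt. The script path /usr/local/sbin/usbkey.sh, the crypttab line in the header comment, the mount point and the 5-second wait are assumptions.

```shell
#!/bin/sh
# Hypothetical keyscript (assumed path /usr/local/sbin/usbkey.sh) for a crypttab line like:
#   sda5_crypt /dev/sda5 /keyfile luks,keyscript=/usr/local/sbin/usbkey.sh
# The initramfs helper passes the crypttab key field as $1, exports CRYPTTAB_NAME and
# CRYPTTAB_TRIED, and reads the key from this script's stdout.
KEY_PATH="${1:-/keyfile}"                     # keyfile path relative to the USB filesystem
USB_DEV="${USB_DEV:-/dev/disk/by-label/P1}"   # udev symlink for the FAT partition labelled P1
WAIT_SECS="${WAIT_SECS:-5}"                   # how long to wait for the stick to show up
MNT="${MNT:-/tmp/usbkey.$$}"                  # assumed temporary mount point
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}" # Debian's passphrase prompt helper

# wait_for_device DEV SECS: poll once per second until DEV exists; 0 if it appeared
wait_for_device() {
    dev="$1"; n="$2"
    while [ "$n" -gt 0 ] && [ ! -e "$dev" ]; do
        sleep 1
        n=$((n - 1))
    done
    [ -e "$dev" ]
}

# emit_key_file DIR KEYPATH: write DIR/KEYPATH to stdout; 1 if the file is missing
emit_key_file() {
    [ -f "$1$2" ] || return 1
    cat "$1$2"
}

# read_usb_key DEV KEYPATH MNT: mount DEV read-only (no exec/suid/device nodes honoured
# from a removable stick), emit the key, then always unmount; 0 only if the key was emitted
read_usb_key() {
    mkdir -p "$3" || return 1
    mount -t vfat -o ro,nodev,nosuid,noexec "$1" "$3" 2>/dev/null || { rmdir "$3"; return 1; }
    emit_key_file "$3" "$2"; rc=$?
    umount "$3"; rmdir "$3"
    return $rc
}

main() {
    # First attempt: try the stick. On retries (CRYPTTAB_TRIED > 0) or when the stick is
    # absent, fall back to the passphrase slot that remains in the LUKS header.
    if [ "${CRYPTTAB_TRIED:-0}" -eq 0 ] && wait_for_device "$USB_DEV" "$WAIT_SECS" \
        && read_usb_key "$USB_DEV" "$KEY_PATH" "$MNT"; then
        exit 0
    fi
    "$ASKPASS" "USB key for $CRYPTTAB_NAME not found, enter passphrase: "
}

# The cryptsetup helper always exports CRYPTTAB_NAME; without it the functions are only defined.
if [ -n "$CRYPTTAB_NAME" ]; then main "$@"; fi
```

The script must be executable, and `update-initramfs -u` must be run after editing crypttab so the cryptsetup hook copies it into the initramfs for a root volume.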