I am regretting not taking notes when I was looking over some README.Debian.gz involving disk encryption, because I can no longer locate it. The documentation described automatic self-unlocking disk encryption.
The closest I am able to find is at /usr/share/doc/cryptsetup/README.Debian.gz which details remote unlocking by ssh but not by self-unlocking with stored keys.
Just throwing this out there in case somebody knows.
cryptsetup/LUKS/dm-crypt configuration
- Global Moderator
- Posts: 3140
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 63 times
- Been thanked: 268 times
Re: cryptsetup/LUKS/dm-crypt configuration
I think 'dracut' has that functionality. I thought there was a way to script some hardware IDs into a keyslot to auto-decrypt if on the right hardware... I lost track of the idea and stopped using LUKS for the OS a few years back.
Mottainai
- pbear
- Posts: 526
- Joined: 2023-08-27 15:05
- Location: San Francisco
- Has thanked: 2 times
- Been thanked: 82 times
Re: cryptsetup/LUKS/dm-crypt configuration
A quick search for "luks keyfile" turns up a bunch of hits. In a nutshell, you create the keyfile and save it somewhere inside the primary encrypted partition (the one you open with a password). The /root folder seems to me the logical place, but it can be anywhere. Then you add the keyfile as an additional key to any partitions you wish to open with it. Add the partitions to crypttab and fstab. Update initramfs.
Disclaimer: I don't use FDE and don't recommend it. That summary is based on a review of notes from a couple years ago, when I played with setting up FDE manually out of curiosity. I don't feel qualified to give step-by-step instructions.
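The keyfile workflow sketched above has two points where things go quietly wrong: the keyfile is created with permissive mode bits, or it ends up on a filesystem that is not itself encrypted. The following is an added example, not code from the post or from cryptsetup, that creates a keyfile with restrictive permissions and audits the keyfile column of a crypttab. The crypttab content is constructed for the example, and the rule that anything under /boot counts as unencrypted is an assumption (it matches the usual Debian layout where only the root filesystem is in LUKS; adjust the prefix list if your /boot is encrypted). The luksAddKey and update-initramfs steps themselves are not reproduced here.

```python
"""Create a LUKS keyfile safely and audit /etc/crypttab keyfile entries."""
import os
import secrets
import stat
from dataclasses import dataclass

# Constructed sample crypttab for offline use; not taken from any real host.
SAMPLE_CRYPTTAB = """\
# <target name> <source device>                             <key file>            <options>
sda3_crypt  UUID=11111111-1111-1111-1111-111111111111  none                  luks,discard
data_crypt  UUID=22222222-2222-2222-2222-222222222222  /root/keys/data.key   luks
bad_crypt   UUID=33333333-3333-3333-3333-333333333333  /boot/data.key        luks
"""


def create_keyfile(path: str, size: int = 64) -> int:
    """Write `size` random bytes to `path`, created mode 0400 and refusing to
    overwrite an existing file (O_EXCL). Returns the number of bytes written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as f:
        return f.write(secrets.token_bytes(size))


@dataclass(frozen=True)
class CrypttabEntry:
    name: str
    device: str
    keyfile: str
    options: tuple


def parse_crypttab(text: str) -> list:
    """Parse crypttab lines of the form NAME DEVICE [KEYFILE [OPTIONS]].
    '#' starts a comment; blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = tuple(fields[3].split(",")) if len(fields) > 3 else ()
        entries.append(CrypttabEntry(fields[0], fields[1], keyfile, options))
    return entries


# Assumption: /boot is unencrypted (typical Debian layout with LUKS root only).
UNENCRYPTED_PREFIXES = ("/boot/",)


def audit_entry(entry: CrypttabEntry, stat_fn=os.stat) -> list:
    """Return findings for one entry; an empty list means nothing to report.
    `stat_fn` is injectable so the audit can run against a fake filesystem."""
    findings = []
    if entry.keyfile in ("none", "-"):
        return findings  # passphrase prompt at boot; no key material on disk
    if entry.keyfile.startswith(UNENCRYPTED_PREFIXES):
        findings.append("keyfile stored on an unencrypted filesystem")
    try:
        st = stat_fn(entry.keyfile)
    except FileNotFoundError:
        findings.append("keyfile does not exist")
        return findings
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keyfile is readable by group or others")
    if st.st_uid != 0:
        findings.append("keyfile is not owned by root")
    return findings


def audit_crypttab(text: str, stat_fn=os.stat) -> dict:
    """Map each crypttab target name to its list of findings."""
    return {e.name: audit_entry(e, stat_fn) for e in parse_crypttab(text)}


if __name__ == "__main__":
    for name, findings in audit_crypttab(SAMPLE_CRYPTTAB).items():
        print(name, findings or ["ok"])
```

Run it against the real file with `audit_crypttab(open("/etc/crypttab").read())` as root; the default `os.stat` then checks the actual mode bits and owner. The `O_EXCL` flag in `create_keyfile` is deliberate: silently overwriting a keyfile that is already enrolled in a LUKS keyslot leaves that slot unusable.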
Re: cryptsetup/LUKS/dm-crypt configuration
What exactly are you after? Automatic decryption during boot from a USB key? Or from an internal keyfile for a device that does not involve /? I have some notes for various ways to decrypt a LUKS device.
Re: cryptsetup/LUKS/dm-crypt configuration
> What exactly are you after?

Trying to figure out how to best encrypt drive contents of a remote device which is configured with unattended-upgrades to self-restart periodically. It therefore doesn't make sense to use the documentation's recommended dropbear SSH server in initramfs (which requires remote operator presence to supply the decryption key over SSH).
It might also be simpler for me to just secure the device at the remote site with old-school lock & key. Has anybody else had to manage a device like this?
- Global Moderator
- Posts: 4056
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 113 times
- Been thanked: 535 times
Re: cryptsetup/LUKS/dm-crypt configuration
Hello,
Never personally tested before, but it might be done in a computer equipped with a TPM (to store the cipher key in it).
Hope this helps.
Re: cryptsetup/LUKS/dm-crypt configuration
Sorry, above my paygrade. Never dealt with such a scenario.
- Global Moderator
- Posts: 4056
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 113 times
- Been thanked: 535 times
Re: cryptsetup/LUKS/dm-crypt configuration
Hello,
Uptorn wrote: 2024-12-11 20:22 Trying to figure out how to best encrypt drive contents of a remote device which is configured with unattended-upgrades to self-restart periodically.
In a previous post about a TPM error [1], I reported some documentation about TPM usage with GNU Linux/Debian.
Your use case is provided in the documentation using the systemd-cryptsetup package, that is currently available for:
Code:
rmadison systemd-cryptsetup -a amd64
systemd-cryptsetup | 257-2 | testing | amd64
systemd-cryptsetup | 257.1-3 | buildd-unstable | amd64
systemd-cryptsetup | 257.1-3 | unstable | amd64
A TPM must be available in the computer at hardware level, of course.
The TPM can also be software emulated in a virtual environment (VM), but its secrets could be exposed on the host side of the VM.
Hope this helps.
--
[1] [Testing - Trixie] [SOLVED] systemd-tpm2-setup 0x000009a2 error