How to configure LVM & LUKS to autodecrypt partition?

lvm encryption luks

I have recently installed ubuntu server 11.04 with the full lvm encryption(installed from the setup) . I wish now to use a key file to do automatic unlock. I have tried to follow this guide http://ubuntuforums.org/showthread.php?t=837416

I generated a key with this command: sudo dd if=/dev/urandom of=/boot/grub/keyfile bs=1024 count=4

i putted it in /boot/grub because i think that it's not encrypted . When i try to add the key with this commad sudo cryptsetup luksAddKey /dev/sdX /boot/grub/keyfile it asks me for the passphrase and when i put it nothing happen , nothing is printed to the screen ! I ignore it and continue the others steps and reboot but nothing happened and it ask for the passphrase .

Thanks for the help .


Solution 1:

I've just been through this on my new home server, it took a lot of googling and guessing, but I've got it working. I'll attempt to reproduce the steps here. I'm using Ubuntu Server 11.10, and started with a pretty much standard install using encrypted LVM, so I'll just relate the changes I made from there.

Setup:

  • /dev/sda1 is my unencrypted /boot partition
  • /dev/sda5 is my lvm partition which contains everything else -- root, swap, and home
  • /dev/sdc1 is the partition on my USB flash drive where I'll store the keyfile

First, I created a keyfile, just in my home directory:

dd if=/dev/urandom of=keyfile bs=512 count=4

(you can use a larger blocksize or count for a larger key)

Tell cryptsetup the new key (it's the contents that are important, not the filename):

sudo cryptsetup luksAddKey /dev/sda5 keyfile

Then, I formatted my USB flash drive with ext2 and gave it a label. I used a label, so that later I can mount it by label, and replace the USB flash drive in case something goes wrong with it.

sudo mkfs -t ext2 /dev/sdc1
sudo e2label /dev/sdc1 KEYS

(of course, your device will vary)

Now, copy the keyfile to the USB flash drive, owned by root mode 400:

mkdir KEYS
sudo mount /dev/sdc1 KEYS
sudo cp keyfile KEYS
sudo chown root KEYS/keyfile
sudo chmod 400 KEYS/keyfile

Modify /etc/crypttab. Mine originally contained

sd5_crypt UUID=(...) none luks

which I changed to

sd5_crypt UUID=(...) /dev/disk/by-label/KEYS:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev

Finally, update the initramfs:

sudo update-initramfs -uv

It now boots using the keyfile on the USB flash drive. If I remove the flash drive (say, when I go on holiday) it doesn't boot and my data is secure.

If anyone knows how to get it to ask for the passphrase if the USB flash drive is missing, that would be handy as a fallback. Hope this helps, any additions or corrections would be more than welcome!

Solution 2:

Improving Randy Orrison's answer, here is a small script I created, that will make system fallback to asking user for password if it fails to find the keyfile.

#!/bin/sh

ask_for_password () {
    cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
    if [ -x /bin/plymouth ] && plymouth --ping; then
        cryptkeyscript="plymouth ask-for-password --prompt"
        cryptkey=$(printf "$cryptkey")
    else
        cryptkeyscript="/lib/cryptsetup/askpass"
    fi
    $cryptkeyscript "$cryptkey"
}

device=$(echo $1 | cut -d: -f1)
filepath=$(echo $1 | cut -d: -f2)

# Ask for password if device doesn't exist
if [ ! -b $device ]; then
    ask_for_password
    exit
fi

mkdir /tmp/auto_unlocker
mount $device /tmp/auto_unlocker

# Again ask for password if device exist but file doesn't exist
if [ ! -e /tmp/auto_unlocker$filepath ]; then
    ask_for_password
else
    cat /tmp/auto_unlocker$filepath
fi

umount /tmp/auto_unlocker

Save it and replace keyscript=/lib/cryptsetup/scripts/passdev in /etc/crypttab with the path to this file and run sudo update-initramfs -uv and you are done.

Solution 3:

These instructions from howtoforge.com got me up and running with an automatically decrypting volume.

How to: Automatically Unlock LUKS Encrypted Drives With A Keyfile

Step 1: Create a random keyfile

sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

Step 2: Make the keyfile read-only to root

sudo chmod 0400 /root/keyfile

That will make the keyfile readable only by root. If someone get access to this keyfile, then you have a bigger problem on your computer anyway.

Alternatively chown your desired keyfile to root:root and move it into the /root folder

Step 3: Add the keyfile to LUKS

LUKS/dm_crypt enabled devices may hold up to 10 different keyfiles/passwords. So, next to having the already setup password we're going to add this keyfile as additional authorization method.

sudo cryptsetup luksAddKey /dev/sdX /root/keyfile

sdX is of course your LUKS device.

First you'll be prompted to enter an (existing) password to unlock the drive. If everything works well, you should get an output like this:

Enter any LUKS passphrase:
key slot 0 unlocked.
Command successful.

Step 4: Create a mapper

LUKS devices need to create a mapper that can then be referenced in the fstab. Open /etc/crypttab

sudo nano /etc/crypttab

and add then a line like this:

sdX_crypt      /dev/sdX  /root/keyfile  luks

or you can use the UUID of the device:

sdX_crypt      /dev/disk/by-uuid/247ad289-dbe5-4419-9965-e3cd30f0b080  /root/keyfile  luks

sdX_crypt is the name of the mapper that is being created. You can use here any name e.g. "music" or "movies" or "sfdsfawe" ....

Save and close the file by issuing ctrl-x, enter, enter. Ctrl-x closes nano but first it asks to save the file [yes = enter] and what the name shall be [same name = enter].

What we have done there actually is telling that /root/keyfile shall be used instead of password entry to unlock the drive.

Step 5: Mount the device in fstab

Now, we have an unlocked device (well, not yet but when the system is being booted up) and we just need to mount it now. Open /etc/fstab:

sudo nano /etc/fstab

and add a new entry like:

/dev/mapper/sdX_crypt  /media/sdX     ext3    defaults        0       2

Make sure you have the correct mapper name that you added in step 4. Also make sure that the mount point/folder exists. After having added it, save again the file and close it (ctrl-x, enter, enter).

Step 6: Reboot or remount

That's it. Now you can reboot and the additional devices should be auto-unlocked and mounted. You can also test it by remounting all devices:

sudo mount -a

Solution 4:

@deitch I had the same setup like @Randy Orrison and ran into the same issue as you and it turns out is a bug of systemd which tries to mount the / filesystem again as it finds the corresponding entry in /etc/crypttab.

To resolve this i just removed the entry for sda5_crypt from /etc/crypttab once the update-initramfs -uv command was ran.

Reeboot and everything works fine as intended.

Related

How can I encrypt data in cloud storage services like Dropbox?
Adding Disks With LVM
How to track the total network data in a month [duplicate]
how to stop apache2, mysql from starting automatically as computer starts?
How does Mac Mail's "unsubscribe" feature work?
Can I distribute Xcode at my company internally through configuration management scripts?
How can I install a whole new key (keycap, hinge, membrane) on a 2019 MBP?
How to remove Preview.app on-screen navigation toolbar?
How to make Apple Watch Stop SMS/Message Notifications from Unknown Senders?
How do I have both custom show tv art and custom episode thumbnails?
Is there a quick way to “flatten” an image in iOS
Dual SIM: How to choose phone number when replying to SMS message in Messages