[dm-crypt] Using a keyfile with full disk encryption (saout: to exclusive)
saout.boxy at xoxy.net
Thu Oct 6 20:21:29 CEST 2016
This might do you:
On 10/04/2016 11:43 AM, Arno Wagner - arno at wagner.name wrote:
> Hi Tim,
> full disk encryption is provided by your distribution, usually
> by some mechanism in the initrd. This is out of scope for this
> mailing-list here.
> However I can tell you that I have personally done something
> similar to what you want.
> What you need to do is either drop to a shell in the initrd
> and mount the usb-key using that, or that you modify the
> code in the initrd to mount that USB-stick and read the passphrase
> from it. The other thing you could do with a remotely-accessible
> shell in the initrd is that you could use that to
> mount the encrypted volumes manually yourself and then
> continue the root process, on debian with something like this:
> exec switch_root /mnt/root /sbin/init
> You copuld also hardcode the passprase in the initrd and
> place initrd and kernel on that USB-key. That is what I have
> I can give you a bit of background about what a Debian initrd
> looks like, and Ubuntu may be similar. All action happens in
> /init, which on the initrd is a shell-script executed
> by busybox and hence pretty straight-forward to change. For
> testing, I just used the following "init". You can use something
> like this to find out what commands work. After that
> you can put in your custom init instead. You can also add
> binaries to teh initrd, but you must make sure they are
> either statically compiled or all libraries are there.
> export PATH=/sbin:/bin
> [ -d /sys ] || mkdir /sys
> [ -d /proc ] || mkdir /proc
> [ -d /tmp ] || mkdir /tmp
> mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
> mount -t proc -o nodev,noexec,nosuid proc /proc
> echo "initrd is running"
> echo "Using BusyBox..."
> exec /bin/ash --login
> Now, how do you create or modify an initrd? Best reference I
> have is this one here:
> On Tue, Oct 04, 2016 at 10:37:36 CEST, Tim Kerby wrote:
>> I've enabled full disk encryption on a recent server install of Ubuntu
>> (using the checkbox in the installer). This is there mainly for security
>> when disks are replaced
>> Unfortunately, we've had a few power failures and the requirement to enter
>> the passphrase for LUKS at the physical terminal is an issue.
>> I'd be happy to keep a keyfile on a USB key or SD card as I could mount
>> these internal to the server which is physically secured
>> Is there a method to ensure the USB key is mounted prior to the password
>> prompt and adding the keyfile as an additional method at startup?
>> dm-crypt mailing list
>> dm-crypt at saout.de
More information about the dm-crypt