[dm-crypt] Using a keyfile with full disk encryption (saout: to exclusive)

Diagon saout.boxy at xoxy.net
Thu Oct 6 20:21:29 CEST 2016


This might do you:
http://grub.johnlane.ie/

/D

On 10/04/2016 11:43 AM, Arno Wagner - arno at wagner.name wrote:
> Hi Tim,
> 
> full disk encryption is provided by your distribution, usually
> by some mechanism in the initrd. This is out of scope for this
> mailing-list here.
> 
> However I can tell you that I have personally done something 
> similar to what you want.
> 
> What you need to do is either drop to a shell in the initrd
> and mount the usb-key using that, or that you modify the 
> code in the initrd to mount that USB-stick and read the passphrase
> from it. The other thing you could do with a remotely-accessible 
> shell in the initrd is that you could use that to 
> mount the encrypted volumes manually yourself and then 
> continue the root process, on debian with something like this:
> 
>     exec switch_root /mnt/root /sbin/init
> 
> You copuld also hardcode the passprase in the initrd and
> place initrd and kernel on that USB-key. That is what I have 
> done.
> 
> I can give you a bit of background about what a Debian initrd 
> looks like, and Ubuntu may be similar. All action happens in
> /init, which on the initrd is a shell-script executed
> by busybox and hence pretty straight-forward to change. For
> testing, I just used the following "init". You can use something 
> like this to find out what commands work. After that
> you can put in your custom init instead. You can also add
> binaries to teh initrd, but you must make sure they are
> either statically compiled or all libraries are there.
> 
> ----
> #!/bin/sh
> 
> export PATH=/sbin:/bin
> [ -d /sys ] || mkdir /sys
> [ -d /proc ] || mkdir /proc
> [ -d /tmp ] || mkdir /tmp
> mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
> mount -t proc -o nodev,noexec,nosuid proc /proc
> 
> echo
> echo "initrd is running"
> echo "Using BusyBox..."
> echo
> exec /bin/ash --login
> ----
> 
> Now, how do you create or modify an initrd? Best reference I 
> have is this one here: 
> 
> http://www.thegeekstuff.com/2009/07/how-to-view-modify-and-recreate-initrd-img/
> 
> Regards,
> Arno
> 
> 
> 
> 
> On Tue, Oct 04, 2016 at 10:37:36 CEST, Tim Kerby wrote:
>> I've enabled full disk encryption on a recent server install of Ubuntu
>> (using the checkbox in the installer).  This is there mainly for security
>> when disks are replaced
>>
>> Unfortunately, we've had a few power failures and the requirement to enter
>> the passphrase for LUKS at the physical terminal is an issue.
>>
>> I'd be happy to keep a keyfile on a USB key or SD card as I could mount
>> these internal to the server which is physically secured
>>
>> Is there a method to ensure the USB key is mounted prior to the password
>> prompt and adding the keyfile as an additional method at startup?
>>
>> Thanks
>>
>> Tim
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
> 



More information about the dm-crypt mailing list