[dm-crypt] Decrypt a volume without user intervention

Carlos E. R. robin.listas at telefonica.net
Tue Aug 22 17:09:28 CEST 2017


On 2017-08-22 15:00, Marco Cavallini wrote:
> Hi,
> I'd like to use something like a keyfile instead of a passphrase for
> my encrypted volume.
> My goal is to decrypt my volume without user intervention.
> For example I can read the UUID of a disk partition and use that as password.
> The easiest place where to add my code seems crypt_get_key() function
> in lib/utils_crypt.c
> 
> Maybe someone already came across this problem and I am trying to
> re-invent the wheel, for this reason I'm asking advice to the dm-crypt
> gurus.
> 
> Comment and hints will be greatly appreciated.
> Thank you

I'm not a guru, but I do that easily.

/etc/crypttab:

cr_home     /dev/disk/by-id/something-part5 none       none
cr_two      /dev/disk/by-uuid/someuuid     /home/cer/Keys/the_two_keyfile    auto

/etc/fstab:

/dev/mapper/cr_home  /home        xfs     lazytime,nofail                 0 2
/dev/mapper/cr_two   /data/two    xfs     user,lazytime,exec,nofail       1 3
"/data/two" is mounted automatically without asking for the passphrase, after home is mounted.
You should not have the key file available on a non-encrypted mount, of course. Or not one that is always available on the computer, or the thieves will open your files.

The key file is a randomly generated file of 4096 bytes.

The second device is encrypted normally, with a password. Later you create the key file (on another device), then add it:
time dd iflag=fullblock if=/dev/random of=the_two_keyfile bs=512 count=8

cryptsetup luksAddKey /dev/sdd1 /home/cer/Keys/the_two_keyfile
crypto_unmap cr_two
cryptsetup luksOpen --key-file=/home/cer/Keys/the_two_keyfile /dev/sdd1 cr_two
HTH

-- 
Cheers / Saludos,

		Carlos E. R.
		(from 42.2 x86_64 "Malachite" at Telcontar)
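The procedure in the reply above (generate a 4096-byte key file, keep it readable only by root, enrol it with luksAddKey, and wire it into crypttab/fstab) as an added example script; this is not code from the post or from the cryptsetup project. The mapper names, device paths and the `luks` crypttab option are assumptions, and the key-file destination must itself live on an encrypted volume that is unlocked first, as the reply points out. `/dev/urandom` is used instead of `/dev/random`; on current Linux kernels both read from the same pool once it is seeded.

```shell
#!/bin/sh
# Added example (not from the list post): build a LUKS key file and the
# matching crypttab/fstab lines for unattended unlocking of a second volume.
# All names and paths below are placeholders, not values from the post.
set -eu

# Create a 4096-byte key file (8 x 512-byte blocks, as in the reply) with
# restrictive permissions from the moment it is created (umask in a subshell
# so the caller's umask is untouched). iflag=fullblock avoids short reads.
make_keyfile() {
    keyfile="$1"
    ( umask 077
      dd if=/dev/urandom of="$keyfile" bs=512 count=8 iflag=fullblock 2>/dev/null )
    chmod 0400 "$keyfile"
}

# Helpers so the result can be checked: size in bytes and octal mode bits.
keyfile_size() { wc -c < "$1" | tr -d ' '; }
keyfile_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Render one /etc/crypttab line: <name> <device> <keyfile> <options>.
# The default option "luks" is an assumption; the post used "auto".
crypttab_line() { printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "${4:-luks}"; }

# Render one /etc/fstab line for the mapped device; "nofail" keeps boot
# going if the volume cannot be unlocked, fsck order 2 as in the post.
fstab_line() { printf '/dev/mapper/%s\t%s\t%s\t%s\t0 2\n' "$1" "$2" "$3" "$4"; }

# Enrol the key file in a free LUKS key slot, then confirm it unlocks the
# device without mapping it. Needs root and a real LUKS device, so the
# test below does not call it. luksAddKey prompts for an existing passphrase.
enroll_keyfile() {
    dev="$1"; keyfile="$2"
    cryptsetup luksAddKey "$dev" "$keyfile"
    cryptsetup open --test-passphrase --key-file="$keyfile" "$dev"
}

# Demo run: "sh thisscript.sh demo" creates a throwaway key file, prints its
# size and mode, and shows the crypttab/fstab lines it would install.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_keyfile "$tmp"
    echo "key file: $(keyfile_size "$tmp") bytes, mode $(keyfile_mode "$tmp")"
    crypttab_line cr_two /dev/disk/by-uuid/PLACEHOLDER-UUID /home/cer/Keys/the_two_keyfile luks
    fstab_line cr_two /data/two xfs "user,lazytime,exec,nofail"
    rm -f "$tmp"
fi
```

The ordering matters for the unattended case: the key file lives under `/home`, which is itself `cr_home`, so `cr_home` must be unlocked (with a passphrase) before `cr_two` can be opened from the key file; systemd and the classic init scripts process crypttab entries in file order, so the passphrase-protected volume should be listed first. `cryptsetup open --test-passphrase` is a quick way to confirm the new slot works before relying on it at boot.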
