[dm-crypt] Using a keyfile with full disk encryption

Arno Wagner arno at wagner.name
Tue Oct 4 17:43:34 CEST 2016

Hi Tim,

full disk encryption is provided by your distribution, usually
by some mechanism in the initrd. This is out of scope for this
mailing-list here.

However I can tell you that I have personally done something 
similar to what you want.

What you need to do is either drop to a shell in the initrd
and mount the usb-key using that, or that you modify the 
code in the initrd to mount that USB-stick and read the passphrase
from it. The other thing you could do with a remotely-accessible 
shell in the initrd is that you could use that to 
mount the encrypted volumes manually yourself and then 
continue the root process, on debian with something like this:

    exec switch_root /mnt/root /sbin/init

You copuld also hardcode the passprase in the initrd and
place initrd and kernel on that USB-key. That is what I have 

I can give you a bit of background about what a Debian initrd 
looks like, and Ubuntu may be similar. All action happens in
/init, which on the initrd is a shell-script executed
by busybox and hence pretty straight-forward to change. For
testing, I just used the following "init". You can use something 
like this to find out what commands work. After that
you can put in your custom init instead. You can also add
binaries to teh initrd, but you must make sure they are
either statically compiled or all libraries are there.


export PATH=/sbin:/bin
[ -d /sys ] || mkdir /sys
[ -d /proc ] || mkdir /proc
[ -d /tmp ] || mkdir /tmp
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
mount -t proc -o nodev,noexec,nosuid proc /proc

echo "initrd is running"
echo "Using BusyBox..."
exec /bin/ash --login

Now, how do you create or modify an initrd? Best reference I 
have is this one here: 



On Tue, Oct 04, 2016 at 10:37:36 CEST, Tim Kerby wrote:
> I've enabled full disk encryption on a recent server install of Ubuntu
> (using the checkbox in the installer).  This is there mainly for security
> when disks are replaced
> Unfortunately, we've had a few power failures and the requirement to enter
> the passphrase for LUKS at the physical terminal is an issue.
> I'd be happy to keep a keyfile on a USB key or SD card as I could mount
> these internal to the server which is physically secured
> Is there a method to ensure the USB key is mounted prior to the password
> prompt and adding the keyfile as an additional method at startup?
> Thanks
> Tim
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list