[dm-crypt] Decrypt a volume without user intervention
Carlos E. R.
robin.listas at telefonica.net
Tue Aug 22 17:09:28 CEST 2017
On 2017-08-22 15:00, Marco Cavallini wrote:
> I'd like to use something like a keyfile instead of a passphrase for
> my encrypted volume.
> My goal is to decrypt my volume without user intervention.
> For example I can read the UUID of a disk partition and use that as password.
> The easiest place to add my code seems to be the crypt_get_key() function
> in lib/utils_crypt.c
> Maybe someone already came across this problem and I am trying to
> re-invent the wheel, for this reason I'm asking advice to the dm-crypt
> Comments and hints will be greatly appreciated.
> Thank you
I'm not a guru, but I do that easily.
cr_home /dev/disk/by-id/something-part5 none none
cr_two /dev/disk/by-uuid/someuuid /home/cer/Keys/the_two_keyfile auto
/dev/mapper/cr_home /home xfs lazytime,,nofail 0 2
/dev/mapper/cr_two /data/two xfs user,lazytime,exec,nofail 1 3
"/data/two" is mounted automatically without asking for the passphrase, after home is mounted.
You should not have the key file available on a non-encrypted mount, of course. Or not one that is always available on the computer, or the thieves will open your files.
The key file is a randomly generated file of 4096 bytes.
The second device is encrypted normally, with a password. Later you create the key file (on another device), then add it:
time dd iflag=fullblock if=/dev/random of=the_two_keyfile bs=512 count=8
cryptsetup luksAddKey /dev/sdd1 /home/cer/Keys/the_two_keyfile
cryptsetup luksOpen --key-file=/home/cer/Keys/the_two_keyfile /dev/sdd1 cr_two
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
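
The message's caveat about key-file placement can be checked mechanically. The following is an added example, not part of the original message or of cryptsetup: it reads crypttab and fstab text and reports key files that are not stored on a mount backed by a crypttab mapping. The function names, the `/dev/sda2` root line and the `/etc/keys/two.key` path are constructed for illustration, and it assumes fstab refers to mappings as `/dev/mapper/<name>`, as in the message.

```python
import os

# Constructed samples: the two tables from the message, plus an assumed
# unencrypted root line and a variant that keeps the key under /etc.
FSTAB = """/dev/sda2 / ext4 defaults 0 1
/dev/mapper/cr_home /home xfs lazytime,,nofail 0 2
/dev/mapper/cr_two /data/two xfs user,lazytime,exec,nofail 1 3"""
CRYPTTAB_OK = """cr_home /dev/disk/by-id/something-part5 none none
cr_two /dev/disk/by-uuid/someuuid /home/cer/Keys/the_two_keyfile auto"""
CRYPTTAB_BAD = CRYPTTAB_OK.replace("/home/cer/Keys/the_two_keyfile", "/etc/keys/two.key")

def parse_table(text):
    """Split crypttab/fstab text into field lists, skipping blanks and comments."""
    rows = [line.split() for line in text.splitlines()]
    return [r for r in rows if r and not r[0].startswith("#")]

def backing_device(path, fstab_rows):
    """Return the fstab device whose mount point is the longest prefix of path."""
    best_dev, best_len = None, -1
    for row in fstab_rows:
        if len(row) < 2:
            continue
        dev, mnt = row[0], row[1].rstrip("/") or "/"
        prefix = mnt if mnt == "/" else mnt + "/"
        if (path == mnt or path.startswith(prefix)) and len(mnt) > best_len:
            best_dev, best_len = dev, len(mnt)
    return best_dev

def audit_keyfiles(crypttab_text, fstab_text):
    """List (mapping, keyfile, reason) for key files kept outside an encrypted mapping."""
    crypt_rows = parse_table(crypttab_text)
    fstab_rows = parse_table(fstab_text)
    mappings = {"/dev/mapper/" + r[0] for r in crypt_rows}
    findings = []
    for row in crypt_rows:
        keyfile = row[2] if len(row) > 2 else "none"
        if keyfile in ("none", "-") or keyfile.startswith("/dev/"):
            continue  # passphrase prompt or device-backed key: not a file on a mount
        dev = backing_device(os.path.normpath(keyfile), fstab_rows)
        if dev is None:
            findings.append((row[0], keyfile, "no fstab entry covers this path"))
        elif dev not in mappings:
            findings.append((row[0], keyfile, "stored on unencrypted " + dev))
    return findings

if __name__ == "__main__":
    print(audit_keyfiles(CRYPTTAB_OK, FSTAB))   # layout from the message
    print(audit_keyfiles(CRYPTTAB_BAD, FSTAB))  # key file moved to the root filesystem
```

It reads only the two tables; ownership and mode of the key file itself are not checked.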