Difference between revisions of "Encrypting root partition with decryption key on USB thumb drive"
From froelix.com - Wiki
| Line 14: | Line 14: | ||
cat /usb/.keys/my.key | cat /usb/.keys/my.key | ||
umount /usb 1>&2 | umount /usb 1>&2 | ||
| − | + | * Add the following lines to ''/etc/initramfs-tools/modules'': | |
| + | ext3 | ||
| + | ehci-hcd | ||
| + | usb-storage | ||
| + | nls_cp437 | ||
| + | nls_iso8859_1 | ||
| + | vfat | ||
| + | * Adapt the ''/etc/crypttab'' to use the script which gets the key: | ||
| + | sda1_crypt UUID=24ef106a-6ed3-4d28-8355-e58c6621e9c1 none luks,keyscript=/root/getkey.sh | ||
'''Note:''' | '''Note:''' | ||
* More details can be found at [http://www.andreas-janssen.de/cryptodisk.html http://www.andreas-janssen.de/cryptodisk.html] | * More details can be found at [http://www.andreas-janssen.de/cryptodisk.html http://www.andreas-janssen.de/cryptodisk.html] | ||
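Review bot: the added steps stop at the ''/etc/crypttab'' line (keyscript=/root/getkey.sh) and never say that the initramfs has to be regenerated afterwards (update-initramfs -u on Debian); without that, neither the new modules nor the keyscript are present at boot, so add it as a final step. The module list also puts ext3 next to vfat, nls_cp437 and nls_iso8859_1 without saying which filesystem the key drive uses; state that the last three are only needed for a FAT-formatted drive, or drop them.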
Revision as of 18:30, 10 March 2013
Problem:
- Your root partition of Debian Linux is encrypted with DM-Crypt + LUKS.
- On every boot you have to enter the password to decrypt the root partition.
- This description explains how to automatically decrypt the root partition using a decryption key on a USB thumb drive.
Solution:
- Create a shell script (e.g. /root/getkey.sh) which mounts the USB thumb drive and reads the key:
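#!/bin/sh
# Load the USB drivers. Everything except the key goes to stderr,
# because stdout is read as the key.
modprobe usb-storage 1>&2
modprobe ehci-hcd 1>&2
# Give the drive a moment to appear.
sleep 1
mkdir /usb 1>&2
# Mount the key partition read-only.
mount /dev/disk/by-label/mypartitionlabel -t ext3 -o ro /usb 1>&2
# Print the key on stdout, then unmount.
cat /usb/.keys/my.key
umount /usb 1>&2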
- Add the following lines to /etc/initramfs-tools/modules:
ext3
ehci-hcd
usb-storage
nls_cp437
nls_iso8859_1
vfat
- Adapt the /etc/crypttab to use the script which gets the key:
sda1_crypt UUID=24ef106a-6ed3-4d28-8355-e58c6621e9c1 none luks,keyscript=/root/getkey.sh
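A mistake in any of the three files above leaves the machine unable to unlock its root partition, so it is worth checking them against each other before rebooting. The following is an added example, not part of the original wiki page; the function names are hypothetical, the module list is the one given above, and the script only reads the files passed to it.

```shell
#!/bin/sh
# Added example: preflight check for the keyscript setup described above.
# Function names are hypothetical; the module list is the one from this page.
PAGE_MODULES="ext3 ehci-hcd usb-storage nls_cp437 nls_iso8859_1 vfat"

# Print the keyscript= path of every active /etc/crypttab-style entry.
# Fields: target, source device, key file, options (comma separated).
crypttab_keyscripts() {
    awk '!/^[ \t]*#/ && NF >= 4 {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^keyscript=/) print substr(opt[i], 11)
    }' "$1"
}

# Print each wanted module that has no line of its own in the modules file.
missing_modules() {
    file=$1; shift
    for m in "$@"; do
        grep -Eq "^[[:space:]]*$m([[:space:]]|\$)" "$file" || echo "$m"
    done
}

# The keyscript runs as root in early boot: require a regular, executable
# file whose mode has no group or other write bit (columns 6 and 9 of ls -l).
keyscript_ok() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# preflight CRYPTTAB MODULES_FILE: report problems on stderr, return 1 if any.
preflight() {
    rc=0
    for m in $(missing_modules "$2" $PAGE_MODULES); do
        echo "module not listed in $2: $m" >&2; rc=1
    done
    scripts=$(crypttab_keyscripts "$1")
    [ -n "$scripts" ] || { echo "no keyscript= option in $1" >&2; rc=1; }
    for s in $scripts; do
        keyscript_ok "$s" || { echo "unsafe or missing keyscript: $s" >&2; rc=1; }
    done
    return $rc
}

# Run against the live files only when asked to (PREFLIGHT_RUN=1).
if [ "${PREFLIGHT_RUN:-}" = 1 ]; then
    preflight /etc/crypttab /etc/initramfs-tools/modules
fi
```

Once the check passes, rebuild the initramfs with update-initramfs -u so that the listed modules and the keyscript are included in it.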
Note:
- More details can be found at http://www.andreas-janssen.de/cryptodisk.html