Encrypting root partition with decryption key on USB thumb drive

From froelix.com - Wiki
Revision as of 18:36, 10 March 2013 by Froelix (Talk | contribs)


Problem:

  • The root partition of your Debian Linux system is encrypted with dm-crypt + LUKS.
  • On each boot you have to enter the passphrase to decrypt the root partition.
  • This description explains how to automatically decrypt the root partition using a decryption key stored on a USB thumb drive.

Solution:

  • Create a shell script (e.g. /root/getkey.sh) which mounts the USB thumb drive and reads the key:
#!/bin/sh
# Runs inside the initramfs. cryptsetup reads the key from this script's
# stdout, so everything else is redirected to stderr (1>&2).
# The script must be executable: chmod 700 /root/getkey.sh
modprobe usb-storage 1>&2
modprobe ehci-hcd 1>&2
# Give the USB stack a moment to enumerate the thumb drive
sleep 1
mkdir -p /usb 1>&2
# Abort with a non-zero status if the drive is not there, instead of
# handing cryptsetup an empty key
mount /dev/disk/by-label/mypartitionlabel -t ext3 -o ro /usb 1>&2 || exit 1
cat /usb/.keys/my.key
umount /usb 1>&2
  • Add the following lines to /etc/initramfs-tools/modules:
ext3
ehci-hcd
usb-storage
nls_cp437
nls_iso8859_1
vfat
  • Adapt /etc/crypttab so that the root entry uses the script to fetch the key:
sda1_crypt UUID=24ef106a-6ed3-4d28-8355-e58c6621e9c1 none luks,keyscript=/root/getkey.sh
...
  • Back up the old initrd so that you can still boot with the passphrase if the thumb drive is unavailable:
cp /boot/initrd.img-3.2.0-4-amd64 /boot/initrd.img-3.2.0-4-amd64-password
  • Update the initrd to use the key-script:
update-initramfs -u
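The steps above work as long as the thumb drive is plugged in; if it is lost or not detected, the keyscript fails and only the backed-up initrd gets you in. As an added example (not the wiki's own script), here is a variant of the keyscript that falls back to an interactive passphrase prompt via Debian's /lib/cryptsetup/askpass helper when the labelled device does not appear within a few seconds. It assumes the same label (mypartitionlabel), the same key path (.keys/my.key), that askpass is present in the initramfs, and that the CRYPTTAB_NAME environment variable may be set by newer cryptsetup versions (the script works without it). The helper functions are kept separate from the mount logic so they can be exercised without root.

```shell
#!/bin/sh
# Added example, not the wiki's own script: keyscript with passphrase fallback.
# Assumed values: label "mypartitionlabel", key at .keys/my.key on the drive,
# /lib/cryptsetup/askpass available inside the initramfs.

KEY_LABEL="mypartitionlabel"
KEY_RELPATH=".keys/my.key"
MNT="/usb"

# Emit the key stored under DIR on stdout. Returns non-zero if the file is
# missing, unreadable or empty, so the caller can fall back to a prompt
# instead of feeding cryptsetup an empty key.
read_key_from_dir() {
    dir="$1"
    keyfile="$dir/$KEY_RELPATH"
    [ -r "$keyfile" ] || return 1
    [ -s "$keyfile" ] || return 1
    cat "$keyfile"
}

# Wait up to $1 seconds for /dev/disk/by-label/$KEY_LABEL to appear.
# Returns 1 on timeout (USB enumeration can take longer than a fixed sleep).
wait_for_device() {
    tries="$1"
    while [ "$tries" -gt 0 ]; do
        [ -e "/dev/disk/by-label/$KEY_LABEL" ] && return 0
        sleep 1
        tries=$(( tries - 1 ))
    done
    return 1
}

keyscript_main() {
    # Only the key may reach stdout; all other output goes to stderr.
    modprobe usb-storage 1>&2
    modprobe ehci-hcd 1>&2
    if wait_for_device 5 && mkdir -p "$MNT" 1>&2 \
        && mount "/dev/disk/by-label/$KEY_LABEL" -t ext3 -o ro "$MNT" 1>&2; then
        if read_key_from_dir "$MNT"; then
            umount "$MNT" 1>&2
            return 0
        fi
        umount "$MNT" 1>&2
    fi
    # Key drive absent or key unusable: fall back to the normal passphrase
    # prompt so the machine stays bootable without the thumb drive.
    echo "getkey: key drive not found, falling back to passphrase" 1>&2
    /lib/cryptsetup/askpass "Unlocking ${CRYPTTAB_NAME:-root}, enter passphrase: "
}

# Run the unlock logic only when installed and invoked as getkey.sh, so the
# helpers above can be sourced and checked on a running system.
case "${0##*/}" in
    getkey.sh) keyscript_main ;;
esac
```

Install it as /root/getkey.sh with mode 700 and keep the crypttab entry from the step above unchanged; because the fallback prompts for the passphrase, a missing thumb drive now degrades to the behaviour of the original initrd rather than a failed boot.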

Note: