Encrypting root partition with decryption key on USB thumb drive

From froelix.com - Wiki
Revision as of 18:49, 10 March 2013 by Froelix (Talk | contribs)


Problem:

  • The root partition of your Debian Linux system is encrypted with dm-crypt + LUKS.
  • On every boot you have to enter the passphrase to decrypt the root partition.
  • This description explains how to automatically decrypt the root partition using a decryption key stored on a USB thumb drive.

Solution:

  • Prepare a USB thumb drive with an ext3 or a vfat partition and label the partition. In this example mypartitionlabel is used as the label.
  • Create a key file on the USB thumb drive which will be later used to decrypt the root partition:
dd if=/dev/urandom of=/media/usb/.keys/my.key bs=4k count=1
  • Add the newly created key to the LUKS partition (in this example the root partition is /dev/sda1) so that it can be used to decrypt it:
cryptsetup luksAddKey /dev/sda1 /media/usb/.keys/my.key
  • Create a shell script (e.g. /root/getkey.sh) which mounts the USB thumb drive and writes the key to standard output:
#!/bin/sh
# This runs inside the initramfs, where only the minimal /bin/sh is available.
# cryptsetup reads the key from this script's standard output, so every other
# command sends its output to stderr (1>&2) to keep stdout clean.
# Make the script executable (chmod +x) so the cryptroot initramfs hook can copy and run it.
modprobe usb-storage 1>&2
modprobe ehci-hcd 1>&2
sleep 1                       # give the kernel a moment to enumerate the drive
mkdir -p /usb 1>&2
# use -t vfat instead of ext3 if the thumb drive was formatted with vfat
mount /dev/disk/by-label/mypartitionlabel -t ext3 -o ro /usb 1>&2
cat /usb/.keys/my.key         # the key itself goes to stdout, i.e. to cryptsetup
umount /usb 1>&2
  • Add the following lines to /etc/initramfs-tools/modules:
ext3
ehci-hcd
usb-storage
nls_cp437
nls_iso8859_1
vfat
  • Adapt /etc/crypttab so that the root entry uses the script to obtain the key:
sda1_crypt UUID=24ef106a-6ed3-4d28-8355-e58c6621e9c1 none luks,keyscript=/root/getkey.sh
...
  • Make a backup of the old initrd so that you can still boot using the passphrase:
cp /boot/initrd.img-3.2.0-4-amd64 /boot/initrd.img-3.2.0-4-amd64-password
  • Update the initrd to use the keyscript:
update-initramfs -u
  • Update the GRUB bootloader to add the initrd backup to the boot menu:
update-grub
  • Reboot and see if it works... ;-)
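The fixed one-second sleep in the script above is the weak spot in practice: a slow USB controller makes the mount fail and the boot hangs without a way to enter the passphrase, which is why the wiki keeps a backup initrd. The following keyscript is an added example (it is not the wiki's /root/getkey.sh) that keeps the same idea but polls for the labelled partition with a timeout, accepts ext3 or vfat, and falls back to the ordinary passphrase prompt when the thumb drive is absent. Assumptions: the label, mount point and key path are taken from the wiki example; /lib/cryptsetup/askpass is the prompt helper Debian's cryptsetup package ships in the initramfs; CRYPTTAB_NAME is the variable Debian's cryptroot script exports when running a keyscript and is used only for the prompt text.

```shell
#!/bin/sh
# Added example keyscript, not the wiki's own script. Runs inside the initramfs
# (plain POSIX sh). Only the key may go to stdout; everything else goes to stderr.
# Defaults (assumptions taken from the wiki example) can be overridden via environment.
LABEL="${KEY_LABEL:-mypartitionlabel}"
MNT="${KEY_MNT:-/usb}"
KEYFILE="${KEY_FILE:-.keys/my.key}"
KEY_WAIT="${KEY_WAIT:-10}"
ASKPASS="${ASKPASS_BIN:-/lib/cryptsetup/askpass}"   # Debian's initramfs prompt helper

# wait_for_device PATH SECONDS: poll once per second until PATH exists.
# Returns 0 when it appears, 1 on timeout (SECONDS=0 means a single check).
wait_for_device() {
    dev="$1"; tries="$2"
    while [ "$tries" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    [ -e "$dev" ]
}

# emit_key DIR: write DIR/$KEYFILE to stdout, where cryptsetup reads the key.
# Returns 1 if the file is missing or unreadable; prints nothing else to stdout.
emit_key() {
    if [ -r "$1/$KEYFILE" ]; then
        cat "$1/$KEYFILE"
    else
        echo "getkey: $KEYFILE not found under $1" 1>&2
        return 1
    fi
}

# read_key_from_usb DEV: mount DEV read-only, emit the key, unmount again.
# No -t is given, so mount autodetects ext3 or vfat (both are in the initramfs modules).
read_key_from_usb() {
    mkdir -p "$MNT" 1>&2
    mount -o ro "$1" "$MNT" 1>&2 || return 1
    emit_key "$MNT"
    rc=$?
    umount "$MNT" 1>&2
    return $rc
}

main() {
    modprobe usb-storage 1>&2
    modprobe ehci-hcd 1>&2
    dev="/dev/disk/by-label/$LABEL"
    if wait_for_device "$dev" "$KEY_WAIT" && read_key_from_usb "$dev"; then
        exit 0
    fi
    # No usable key on the thumb drive: prompt like the default keyscript would.
    echo "getkey: no key on USB, asking for the passphrase" 1>&2
    exec "$ASKPASS" "Unlocking ${CRYPTTAB_NAME:-root}, enter passphrase: "
}

# Only run when installed and invoked as the keyscript; sourcing the file
# (e.g. to exercise the functions) merely defines them.
case "$0" in
    */getkey.sh) main "$@" ;;
esac
```

Install it as /root/getkey.sh, chmod +x it, keep the crypttab line from above and rerun update-initramfs -u. Before rebooting, cryptsetup luksDump /dev/sda1 should list the added key slot as ENABLED, and lsinitramfs on the new initrd should show getkey.sh was packed in. Keep in mind that the key file turns the thumb drive into a possession factor: whoever holds it can unlock the disk without the passphrase, so if the drive is lost, revoke that slot with cryptsetup luksKillSlot (or luksRemoveKey with a copy of the key file) and generate a new one.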

Note: