Gentoo Forums
how to decrypt system disk with keyfile & password
SarahS93 (Guru, joined 21 Nov 2013, posts: 543)
Posted: Thu Jan 23, 2020 10:27 pm    Post subject: how to decrypt system disk with keyfile & password

sda1 is the kernel and initrd
sda2 is the root system
At system boot I enter the password.
All fine, LUKS decryption is working.

Now I have created a key file on a USB drive:
Code:
dd if=/dev/urandom of=/mnt/usbstick/key123 bs=4k count=1

and added these to the grub config file:
Code:
root_keydev=sdb1 \
root_key=key123 \
key_timeout=5 \

The system starts up perfectly with the USB key connected.
If the USB key is not connected, the system does not start and waits and waits and waits again for the key....

If I remove
Code:
root_keydev=sdb1 \
root_key=key123 \
key_timeout=5 \

all is fine, the system starts booting and asks me for the password.

cryptsetup luksDump /dev/sda2 shows me
Code:
Key Slot 0: ENABLED
Key Slot 1: ENABLED

How do I configure it so that I have both options, USB key and password?
SarahS93 (Guru, joined 21 Nov 2013, posts: 543)
Posted: Sat Jan 25, 2020 9:01 pm

....any ideas?!?
Budoka (l33t, joined 03 Jun 2012, posts: 741, location: Tokyo, Japan)
Posted: Sat Jan 25, 2020 9:36 pm

SarahS93 wrote:
....any ideas?!?

Unfortunately, I can't help you. But I am following this thread closely because I was planning on setting up my new box the same way.
SarahS93 (Guru, joined 21 Nov 2013, posts: 543)
Posted: Sat Jan 25, 2020 9:54 pm

At the moment I have two lines in GRUB.
One, the default, boots with the key file.
If the key is not there, I must reboot and select the second line in GRUB.
The second line is the one where I enter my password by hand.
Not the best way, but for the moment it is OK.
etnull (Guru, joined 26 Mar 2019, posts: 330)
Posted: Sat Jan 25, 2020 9:57 pm

First of all, if you put your keyfile on a USB drive without encryption, that's very insecure and defeats the whole purpose of encryption.

Do you want both the keyfile and the password to decrypt (applied at the same time)? Or either of them? I don't think you can make a 'multi-sig' decryption with multiple keys, but I may be wrong, never tried it before.

As for the situation in which you use either of them, if you configure your initrd properly it should work either way: either decrypting your system with a USB flash drive, or asking for a password in case your USB isn't present.

But again, it's not secure to put your key on a USB like that. The most common setup would be to put a keyfile inside an encrypted partition and make a password for that partition; then during boot you enter the password for your USB, it decrypts the partition and then provides the keyfile to all of the remaining drives. Everything is configured in the initramfs; the only thing you would have for GRUB is something like this:
Code:
GRUB_DEVICE=/dev/ram0
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks crypto cryptodisk part_gpt part_msdos"
GRUB_CMDLINE_LINUX="crypt_root=PARTUUID=*** rootfstype=ext4 real_root=UUID=***"
Syl20 (Guru, joined 04 Aug 2005, posts: 568, location: France)
Posted: Wed Feb 05, 2020 4:56 pm

etnull wrote:
First of all, if you put your keyfile on a USB drive without encryption, that's very insecure and defeats the whole purpose of encryption.

Yes, if you keep the USB drive near the machine. But that isn't the case, normally.

My "own" solution is, via a custom initramfs, to try to mount a specific USB key (restricted by its filesystem UUID) several times (I arbitrarily chose 30 tries, waiting 2 seconds between tries, to have enough time to find this f@#! key :lol: ), and to prompt for a password if the mount routine fails.
Largely inspired by https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples, so I don't paste the whole script, to save space.

Code:
# cat /usr/src/build_initramfs.sh
#!/bin/bash
#set -x

# default values
# (unescaped ${VAR} are substituted now, at build time; the \$-escaped ones
#  end up verbatim in the generated init script and are expanded at boot)
CRYPT_ROOT="UUID=xxx"
CRYPT_CLEF="UUID=yyy"
CRYPT_FICC="my_path/my_fic.bin"
ROOT="/dev/mapper/vg_root"
DELAI_ESSAIS=2
MAX_ESSAIS=30

(snip)

# set hardcoded default values
crypt_root_uuid="${CRYPT_ROOT}"
crypt_clef_uuid="${CRYPT_CLEF}"
crypt_clef_fic="${CRYPT_FICC}"
root_uuid="${ROOT}"
mount_ro_rw='ro'

(snip)

# decrypt
#  convert UUID or LABEL to device node
crypt_root="\$(findfs "\${crypt_root_uuid}")"

#  poll for the USB key: up to MAX_ESSAIS tries, DELAI_ESSAIS seconds apart
#  (findfs prints an error while the key is absent, so its stderr is dropped)
mkdir -p /mnt/usb
ESSAI=0
while [ \${ESSAI} -lt ${MAX_ESSAIS} ]
do
        crypt_clef="\$(findfs "\${crypt_clef_uuid}" 2>/dev/null)"
        [ -n "\${crypt_clef}" ] && mount -o ro "\${crypt_clef}" /mnt/usb >/dev/null 2>&1 && break
        ESSAI=\$((\${ESSAI}+1))
        sleep ${DELAI_ESSAIS}
done

#  decryption is first tried using the key file on the USB key
#  if the key is absent or rejected, prompt for a password
if [ -f "/mnt/usb/\${crypt_clef_fic}" ]
then
        cryptsetup open "\${crypt_root}" lvm --type luks --key-file "/mnt/usb/\${crypt_clef_fic}" || \
          cryptsetup open "\${crypt_root}" lvm --type luks || \
          arret "Decryption."
        umount /mnt/usb
else
        echo ""
        cryptsetup open "\${crypt_root}" lvm --type luks || \
          arret "Decryption."
fi

(snip)
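The two key slots in the luksDump output already let either secret open the container; what the thread is missing is an init script that tries the key file with a timeout and then hands over to the passphrase prompt. The script below is an added example and is not code from this thread, from genkernel or from the Gentoo wiki. It generalizes Syl20's retry loop and adds etnull's layout (key file kept in a LUKS partition on the stick that is opened with its own passphrase first). Assumptions: the mount point /mnt/usb, the mapper names lvm and keystash, the key path key123, and the fact that the external commands are read from variables (FINDFS, MOUNT, UMOUNT, CRYPTSETUP, SLEEP) so the control flow can be exercised with stand-ins outside an initramfs; in a real initramfs leave them at their defaults.

```shell
#!/bin/sh
# Added example: retry-then-fallback LUKS root unlock for a custom initramfs.
# Not from the thread; command names are variables only so the flow is testable.
FINDFS="${FINDFS:-findfs}"
MOUNT="${MOUNT:-mount}"
UMOUNT="${UMOUNT:-umount}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
SLEEP="${SLEEP:-sleep}"
KEY_MNT="${KEY_MNT:-/mnt/usb}"   # assumed mount point for the key device

# Poll for the key device by filesystem UUID: up to $2 tries, $3 seconds apart.
# Prints the device node and returns 0 when found; returns 1 on timeout so the
# caller can fall back to the passphrase instead of waiting forever.
wait_for_keydev() {
    uuid="$1"; max_tries="${2:-30}"; delay="${3:-2}"; try=0
    while [ "$try" -lt "$max_tries" ]; do
        dev="$("$FINDFS" "UUID=$uuid" 2>/dev/null)" && [ -n "$dev" ] && { echo "$dev"; return 0; }
        try=$((try + 1))
        "$SLEEP" "$delay"
    done
    return 1
}

# Make the key file reachable: mount the key device read-only or, when the key
# lives in a LUKS partition on the stick ($3 = yes), open that partition with its
# own passphrase first. Returns 0 only if $KEY_MNT/$key_path exists afterwards.
mount_keydev() {
    keydev="$1"; key_path="$2"; encrypted="$3"
    src="$keydev"
    if [ "$encrypted" = yes ]; then
        "$CRYPTSETUP" open --type luks "$keydev" keystash || return 1
        src=/dev/mapper/keystash
    fi
    mkdir -p "$KEY_MNT"
    "$MOUNT" -o ro "$src" "$KEY_MNT" 2>/dev/null && [ -f "$KEY_MNT/$key_path" ]
}

# Undo mount_keydev so the key file is not left reachable from the booted system.
release_keydev() {
    "$UMOUNT" "$KEY_MNT" 2>/dev/null || true
    [ "$1" = yes ] && { "$CRYPTSETUP" close keystash 2>/dev/null || true; }
    return 0
}

# Open LUKS container $1 as /dev/mapper/$2. The key file on the stick (filesystem
# UUID $3, path $4, $5 = yes if the stick's key partition is itself LUKS) is tried
# first; if the stick never shows up within $6 tries of $7 seconds, cannot be
# mounted, or the key is rejected, cryptsetup is run without --key-file and
# prompts for the passphrase on the console (the other key slot).
# Prints "keyfile" or "passphrase" to record which way the unlock happened.
unlock_root() {
    crypt_root="$1"; name="$2"; key_uuid="$3"; key_path="$4"
    encrypted="${5:-no}"; max_tries="${6:-30}"; delay="${7:-2}"
    if keydev="$(wait_for_keydev "$key_uuid" "$max_tries" "$delay")"; then
        if mount_keydev "$keydev" "$key_path" "$encrypted" &&
           "$CRYPTSETUP" open --type luks --key-file "$KEY_MNT/$key_path" "$crypt_root" "$name"; then
            release_keydev "$encrypted"
            echo keyfile
            return 0
        fi
        release_keydev "$encrypted"
    fi
    # Fallback: no --key-file, so cryptsetup asks for the passphrase interactively.
    if "$CRYPTSETUP" open --type luks "$crypt_root" "$name"; then
        echo passphrase
        return 0
    fi
    return 1
}
```

In a real init script the call would look like `method=$(unlock_root "$(findfs UUID=xxx)" lvm yyy key123 no 30 2) || arret "Decryption."`, after which `/dev/mapper/lvm` exists whichever slot was used. Two practitioner caveats: a plaintext key file on the stick is a copy of an unlock secret, so if the stick is lost, revoke its slot with `cryptsetup luksKillSlot` rather than only discarding the stick; and the timeout is what turns "wait and wait" into a passphrase prompt, so keep it short enough to be usable when the stick is deliberately absent.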
Budoka (l33t, joined 03 Jun 2012, posts: 741, location: Tokyo, Japan)
Posted: Sun Mar 08, 2020 7:00 am

SarahS93, I don't know if you ever got this to work, but I stumbled upon this wiki page doing research for myself. It is quite nicely written. Unfortunately, it doesn't help me because I am looking to do the same with a hardware key like a Yubikey, Titan, etc.

https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key
All times are GMT