* [dm-crypt] Using a keyfile with full disk encryption
@ 2016-10-04  8:37 Tim Kerby
  2016-10-04 15:43 ` Arno Wagner
  0 siblings, 1 reply; 4+ messages in thread
From: Tim Kerby @ 2016-10-04  8:37 UTC (permalink / raw)
  To: dm-crypt

I've enabled full disk encryption on a recent server install of Ubuntu (using the checkbox in the installer). This is there mainly for security when disks are replaced.

Unfortunately, we've had a few power failures and the requirement to enter the passphrase for LUKS at the physical terminal is an issue. 

I'd be happy to keep a keyfile on a USB key or SD card as I could mount these internal to the server, which is physically secured.

Is there a method to ensure the USB key is mounted prior to the password prompt and adding the keyfile as an additional method at startup?

Thanks

Tim


* Re: [dm-crypt] Using a keyfile with full disk encryption
  2016-10-04  8:37 [dm-crypt] Using a keyfile with full disk encryption Tim Kerby
@ 2016-10-04 15:43 ` Arno Wagner
  2016-10-06 18:21   ` [dm-crypt] Using a keyfile with full disk encryption (saout: to exclusive) Diagon
  0 siblings, 1 reply; 4+ messages in thread
From: Arno Wagner @ 2016-10-04 15:43 UTC (permalink / raw)
  To: dm-crypt

Hi Tim,

full disk encryption is provided by your distribution, usually
by some mechanism in the initrd. This is out of scope for this
mailing-list here.

However I can tell you that I have personally done something 
similar to what you want.

What you need to do is either drop to a shell in the initrd
and mount the usb-key using that, or that you modify the 
code in the initrd to mount that USB-stick and read the passphrase
from it. The other thing you could do with a remotely-accessible 
shell in the initrd is that you could use that to 
mount the encrypted volumes manually yourself and then 
continue the root process, on Debian with something like this:

    exec switch_root /mnt/root /sbin/init

You could also hardcode the passphrase in the initrd and
place initrd and kernel on that USB-key. That is what I have 
done.

I can give you a bit of background about what a Debian initrd 
looks like, and Ubuntu may be similar. All action happens in
/init, which on the initrd is a shell-script executed
by busybox and hence pretty straight-forward to change. For
testing, I just used the following "init". You can use something 
like this to find out what commands work. After that
you can put in your custom init instead. You can also add
binaries to the initrd, but you must make sure they are
either statically compiled or all libraries are there.

----
#!/bin/sh

export PATH=/sbin:/bin
[ -d /sys ] || mkdir /sys
[ -d /proc ] || mkdir /proc
[ -d /tmp ] || mkdir /tmp
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
mount -t proc -o nodev,noexec,nosuid proc /proc

echo
echo "initrd is running"
echo "Using BusyBox..."
echo
exec /bin/ash --login
----

Now, how do you create or modify an initrd? Best reference I 
have is this one here: 

http://www.thegeekstuff.com/2009/07/how-to-view-modify-and-recreate-initrd-img/

Regards,
Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
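
The keyfile-on-a-USB-stick approach Arno outlines, as an added example that is not from the thread or from any distribution's initrd: a POSIX sh fragment for /init that waits for a labelled stick, mounts it read-only, tries the keyfile with cryptsetup and otherwise falls back to the usual interactive prompt. The label LUKSKEY, the mount point /mnt/keydev and the keyfile path keys/root.key are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: initrd /init helper that tries a LUKS
# keyfile on a labelled USB stick before falling back to the passphrase
# prompt. Assumes BusyBox sh plus blkid and cryptsetup in the initrd.
# The label, mount point and keyfile path are placeholders.
KEY_LABEL="${KEY_LABEL:-LUKSKEY}"      # filesystem label of the stick
KEY_MOUNT="${KEY_MOUNT:-/mnt/keydev}"  # where it is mounted inside the initrd
KEY_PATH="${KEY_PATH:-keys/root.key}"  # keyfile path relative to the stick
KEY_WAIT="${KEY_WAIT:-10}"             # seconds to wait for USB enumeration
# Commands are variables so tests can point them at stubs.
BLKID="${BLKID:-blkid}"; MOUNT="${MOUNT:-mount}"
UMOUNT="${UMOUNT:-umount}"; CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Print the device node carrying $KEY_LABEL; USB enumerates late, so retry.
wait_for_keydev() {
    n=0
    while :; do
        dev=$("$BLKID" -L "$KEY_LABEL" 2>/dev/null) || dev=""
        if [ -n "$dev" ]; then echo "$dev"; return 0; fi
        [ "$n" -ge "$KEY_WAIT" ] && return 1
        sleep 1; n=$((n + 1))
    done
}

# Open LUKS device $1 as /dev/mapper/$2 using the keyfile. Any failure
# returns 1 so the caller can fall back; the stick is mounted read-only
# with nodev,noexec,nosuid and is unmounted again on every path.
unlock_with_keyfile() {
    dev=$(wait_for_keydev) || return 1
    mkdir -p "$KEY_MOUNT"
    "$MOUNT" -o ro,nodev,noexec,nosuid "$dev" "$KEY_MOUNT" || return 1
    if [ -r "$KEY_MOUNT/$KEY_PATH" ] &&
       "$CRYPTSETUP" luksOpen --key-file "$KEY_MOUNT/$KEY_PATH" "$1" "$2"; then
        rc=0
    else
        rc=1
    fi
    "$UMOUNT" "$KEY_MOUNT"
    return $rc
}

# Entry point for /init: keyfile first, interactive prompt otherwise.
unlock_root() {
    if unlock_with_keyfile "$1" "$2"; then
        echo "unlocked $2 with keyfile from $KEY_LABEL"
    else
        echo "no usable keyfile, falling back to passphrase prompt"
        "$CRYPTSETUP" luksOpen "$1" "$2"
    fi
}
```

The keyfile is worth exactly as much as the passphrase it replaces, so the physical security of the stick is what protects the disk once this is in place; the fallback keeps the server bootable at the console if the stick is missing or unreadable.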


* Re: [dm-crypt] Using a keyfile with full disk encryption (saout: to exclusive)
  2016-10-04 15:43 ` Arno Wagner
@ 2016-10-06 18:21   ` Diagon
  0 siblings, 0 replies; 4+ messages in thread
From: Diagon @ 2016-10-06 18:21 UTC (permalink / raw)
  To: dm-crypt

This might do you:
http://grub.johnlane.ie/

/D


* [dm-crypt] Using a keyfile with full disk encryption
@ 2016-10-04  8:08 Tim Kerby
  0 siblings, 0 replies; 4+ messages in thread
From: Tim Kerby @ 2016-10-04  8:08 UTC (permalink / raw)
  To: dm-crypt

I've enabled full disk encryption on a recent server install of Ubuntu (using the checkbox in the installer). This is there mainly for security when disks are replaced.

Unfortunately, we've had a few power failures and the requirement to enter the passphrase for LUKS at the physical terminal is an issue. 

I'd be happy to keep a keyfile on a USB key or SD card as I could mount these internal to the server, which is physically secured.

Is there a method to ensure the USB key is mounted prior to the password prompt and adding the keyfile as an additional method at startup?

Thanks

Tim
