Automatically unlock LUKS partition using a key on an USB drive on Debian Jessie

4

0

I am trying to have the encrypted root partition be unlocked on boot automatically using a connected USB drive on a fresh installation of Debian Jessie (no non-systemd upgrade). After following a couple of tutorials on the web, I am stuck, as it still asks for the passphrase right after boot. This is what I've done so far:

Created the key on the USB drive:

root@fls:~# dd if=/dev/urandom of=/dev/sdc bs=512 seek=1 count=60

Copied the appropriate part as the key into a temp file:

root@fls:~# dd if=/dev/sdc bs=512 skip=1 count=4 > tempKeyFile.bin

Added that key to the encrypted partition config:

root@fls:~# cryptsetup luksAddKey /dev/md1 --key-file=- tempKeyFile.bin

Found out the ID of the USB drive:

root@fls:~# ls -l /dev/disk/by-id/ | grep sdc
lrwxrwxrwx 1 root root  9 usb-0_USB_DRIVE_00000000000165A3-0:0 -> ../../sdc
lrwxrwxrwx 1 root root 10 usb-0_USB_DRIVE_00000000000165A3-0:0-part1 -> ../../sdc1

Changed /etc/crypttab like that:

#md1_crypt UUID=e53fc075-0afa-4018-b187-912f8f355699 none luks
md1_crypt UUID=ED04-17F5 /dev/disk/by-id/usb-0_USB_DRIVE_00000000000165A3-0:0 luks,tries=3,keyfile-size=2048,keyfile-offset=512

Updated the systemd generator files:

systemctl --system daemon-reload

I am not sure whether that UUID= entry is correct, as it is actually the UUID of /dev/sdc1 and apparently there will not be a UUID for /dev/sdc, so what do I have to enter there?

Also, did I miss anything else that would prevent the key on the USB drive to unlock the partition? When I do cryptsetup luksDump /dev/md1 it does show two Key Slots, so the key is properly configured, I guess.

Any ideas?

mcnesium

Posted 2015-05-26T16:01:52.373

Reputation: 489

Answers

1

I think you are almost correct. I used your instructions to setup automatic unlock of LUKS partitions here, but not /. ;-)

What seems wrong to me, is the UUID you use. You seems to confuse the UUID with the setup of the keyfile on USB. the UUID points to the uuid of the LUKS partition you want to unlock. So you don't want to change it from the line above, unless I have misunderstood.

I would use in /etc/crypttab instead:

md1_crypt UUID=e53fc075-0afa-4018-b187-912f8f355699 /dev/disk/by-id/usb-0_USB_DRIVE_00000000000165A3-0:0 luks,tries=3,keyfile-size=2048,keyfile-offset=512

One important step is to add the needed modules to the initramfs/initcpio so that the kernel can read the USB key.

On Ubuntu, I have changed /etc/initramfs-tools/modules with rtsx_usb{_ms,_sdmmc,} and memstick because I use the SD card reader instead. But for the USB key, you will need usb_storage, usbhid (?), hid_generic (?), hid (?), memstick and may be others.

then run

sudo update-initramfs -u

and reboot. It should work

solsTiCe

Posted 2015-05-26T16:01:52.373

Reputation: 113

-1

re-create the key AFTER mounting the usb to somewhere that essentially did a cat > /dev/null 

   # sudo mount /dev/sdc /cryptusb
   # dd if=/dev/urandom of=/cryptusb/keyfile bs=512 seek=1 count=60
   #  dd if=/cryptusb/keyfile bs=512 skip=1 count=4 > tempKeyFile.bin

OR 

   # cat  /cryptusb/keyfile > /tmp/keyfile.bin

THEN use the 'PARTUUID' from blkid to inject into "/etc/crypttab'

linuxdev2013

Posted 2015-05-26T16:01:52.373

Reputation: 1 051

Asked: 2015-05-26T16:01:52.373

Viewed: 5 282 times

Active: 2018-06-16T19:19:42.367