
#1 2010-12-06 18:07:16

speed145a
Member
Registered: 2008-05-02
Posts: 60

Can LUKS use keyfile and fall back to passphrase?

I have been looking into the use of a keyfile for my LUKS partition (/home).  However, during boot, if it can't find the keyfile it just pukes and drops me to the recovery shell.

Can it be set up to look for the keyfile, and prompt for passphrase if it can't be found?  I don't want to HAVE to plug in the usb stick containing the keyfile if it's not available at the time...

Last edited by speed145a (2010-12-08 23:07:34)


ARCH x86_64 ZEN


#2 2010-12-07 21:52:59

speed145a
Member
Registered: 2008-05-02
Posts: 60

Re: Can LUKS use keyfile and fall back to passphrase?

Is it something that can be modified in the rc.sysinit?


ARCH x86_64 ZEN


#3 2010-12-08 23:08:00

speed145a
Member
Registered: 2008-05-02
Posts: 60

Re: Can LUKS use keyfile and fall back to passphrase?

I found this in pastebin today:  http://pastebin.com/59J3JRj3
Looks pretty promising, but I'm not sure what to do with it...

Is it a replacement "crypt" hook? an rc file?

Anyone want to help me make it work?


ARCH x86_64 ZEN


#4 2011-01-25 17:29:07

speed145a
Member
Registered: 2008-05-02
Posts: 60

Re: Can LUKS use keyfile and fall back to passphrase?

I'd still like to know if this can be done. Should I have posted this in another forum?


ARCH x86_64 ZEN


#5 2011-01-27 06:37:02

zippy
Member
Registered: 2009-02-01
Posts: 54

Re: Can LUKS use keyfile and fall back to passphrase?

I'm sure it's possible, by modifying the encrypt hook and rebuilding initrd. You can have many luks keys on any given device.  I unlock via crypttab with a keyfile but also have another passphrase key in case the keyfile gets damaged. You lose that usb, it gets washed, stepped on, .... you're toast, you'll never get that data back.

As for an actual solution, I have none. IIRC there was an awesome gentoo howto on modifying the encrypt unlock hooks that I can't unfortunately find ATM. I also believe pam_mount will do this as well if not easier, as it uses fallbacks by default but I've never played with it.


#6 2011-01-27 06:57:03

zippy
Member
Registered: 2009-02-01
Posts: 54

Re: Can LUKS use keyfile and fall back to passphrase?

Just looked at the default encrypt hook. It looks like this is already a feature?

        if  poll_device "${cryptdev}" ${rootdelay}; then
            if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                dopassphrase=1
                # If keyfile exists, try to use that
                if [ -f ${ckeyfile} ]; then
                    if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                        dopassphrase=0
                    else
                        echo "Invalid keyfile. Reverting to passphrase."
                    fi
                fi
                # Ask for a passphrase
                if [ ${dopassphrase} -gt 0 ]; then
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"

                    #loop until we get a real password
                    while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                        sleep 2;
                    done
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi

I'm assuming you use luks/dm-crypt. If you haven't yet, add a second key to your partition with a passphrase. Do this, but with a passphrase instead - https://wiki.archlinux.org/index.php/Sy … _Partition
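The keyfile-then-passphrase decision the hook excerpt above makes, factored into a function so it can be exercised without a real LUKS device. This is an added example, not the Arch encrypt hook itself: the `CRYPTSETUP` variable, the `fake_cryptsetup` stand-in (which "unlocks" when the keyfile contents or the passphrase on stdin match a constructed secret), the `MAX_TRIES` cap and the device names are all assumptions of the example. It covers the two fallback cases the thread is about: the keyfile is absent (the original poster's situation) and the keyfile is present but no longer matches a key slot ("Invalid keyfile. Reverting to passphrase.").

```shell
#!/bin/sh
# Added example, not the Arch encrypt hook: the same try-keyfile-then-prompt
# logic, with a constructed stand-in for cryptsetup so it runs offline.

# Assumed: on a real system set CRYPTSETUP=/sbin/cryptsetup; the default is
# the stub below. MAX_TRIES bounds the prompt loop (the hook loops forever).
CRYPTSETUP="${CRYPTSETUP:-fake_cryptsetup}"
MAX_TRIES="${MAX_TRIES:-3}"

# Constructed stand-in for "cryptsetup [--key-file F] luksOpen DEV NAME":
# succeeds when the keyfile holds "correct-key" or the passphrase read from
# stdin is "hunter2". Both secrets are constructed for this example.
fake_cryptsetup() {
    keyfile=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --key-file) keyfile="$2"; shift 2 ;;
            luksOpen)   shift; break ;;
            *)          shift ;;
        esac
    done
    if [ -n "$keyfile" ]; then
        [ "$(cat "$keyfile")" = "correct-key" ]
    else
        read -r pass
        [ "$pass" = "hunter2" ]
    fi
}

# unlock_with_fallback DEVICE NAME KEYFILE
# Tries the keyfile first; if it is missing or rejected, prompts for a
# passphrase up to MAX_TRIES times. Returns 0 on unlock, 1 otherwise.
unlock_with_fallback() {
    cryptdev="$1"; cryptname="$2"; ckeyfile="$3"
    dopassphrase=1
    if [ -f "$ckeyfile" ]; then
        if "$CRYPTSETUP" --key-file "$ckeyfile" luksOpen "$cryptdev" "$cryptname"; then
            dopassphrase=0
        else
            echo "Invalid keyfile. Reverting to passphrase." >&2
        fi
    else
        # The case the hook already handles silently: no keyfile, so prompt.
        echo "Keyfile $ckeyfile not found. Reverting to passphrase." >&2
    fi
    if [ "$dopassphrase" -gt 0 ]; then
        tries=0
        while [ "$tries" -lt "$MAX_TRIES" ]; do
            tries=$((tries + 1))
            echo "A password is required to access the $cryptname volume:" >&2
            if "$CRYPTSETUP" luksOpen "$cryptdev" "$cryptname"; then
                return 0
            fi
        done
        return 1
    fi
    return 0
}

# Demonstration with constructed keyfiles and a constructed device name.
tmp=$(mktemp -d)
printf 'correct-key' > "$tmp/good.key"
printf 'stale-key'   > "$tmp/bad.key"
unlock_with_fallback /dev/sda2 home "$tmp/good.key" </dev/null && echo "keyfile unlock ok"
printf 'hunter2\n' | unlock_with_fallback /dev/sda2 home "$tmp/missing.key" && echo "passphrase fallback ok"
if printf 'wrong\n' | unlock_with_fallback /dev/sda2 home "$tmp/bad.key"; then
    echo "unexpected unlock"
else
    echo "bad keyfile and bad passphrase: unlock refused, as expected"
fi
rm -rf "$tmp"
```

The one deliberate departure from the hook is the bounded prompt loop: an endless retry loop at boot is convenient, but a cap makes it obvious in the console log when something (a stale keyfile, a wrong crypttab entry) is consistently failing rather than hiding it behind a prompt.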


#7 2011-01-27 17:47:15

speed145a
Member
Registered: 2008-05-02
Posts: 60

Re: Can LUKS use keyfile and fall back to passphrase?

OK.... perhaps I'm missing something more fundamental...

I have not been successful at getting my home partition to unlock during boot using a keyfile.  Do I need to regenerate my initrd with the crypt hook even on non-root partitions?


ARCH x86_64 ZEN


#8 2011-01-27 18:28:44

zippy
Member
Registered: 2009-02-01
Posts: 54

Re: Can LUKS use keyfile and fall back to passphrase?

Yes. Then take a look at /etc/crypttab and add your /home accordingly. You might want to look here https://wiki.archlinux.org/index.php/Mkinitcpio

If it still gives you trouble, try the encrypt hook before the filesystems hook in the list. Also you might need the usb hook if it doesn't autodetect your stick properly.

These are the examples from crypttab. This will set the primary authentication routine to unlock the drive, then in fstab to actually mount it

# NAME        SOURCE DEVICE        PASSWORD        OPTIONS
#home        /dev/hda4        mypassword
#data1        /dev/hda3        "my \"password\""
#data2        /dev/hda5        /etc/cryptfs.key

So if it's your home partition, fstab will mount from /dev/mapper/home

/dev/mapper/home        /home   reiserfs        defaults        0       0

or whatever your fs is.
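A small audit of the PASSWORD column in a crypttab like the one quoted above, as an added example (not Arch's rc.sysinit or any project code). The classification it assumes is the one the quoted examples imply: a field starting with `/` is a keyfile path, anything else is a literal passphrase. It flags the two things a reviewer would look at before trusting such a file: literal passphrases, which sit in clear text on the root filesystem, and keyfiles that are missing (so boot must fall back to a prompt) or readable by group/others. The crypttab, device names and keyfiles are all constructed inside the script.

```shell
#!/bin/sh
# Added example, not Arch's rc.sysinit: audit the PASSWORD column of crypttab.
# Assumed classification: "/path" = keyfile, anything else = literal passphrase.
set -f   # no globbing while word-splitting crypttab fields

# classify_password FIELD -> prints "keyfile" or "literal"
classify_password() {
    case "$1" in
        /*) echo keyfile ;;
        *)  echo literal ;;
    esac
}

# audit_crypttab FILE -> prints one finding per line; returns 0 only when clean.
# Findings: literal passphrases, missing keyfiles, keyfiles readable by
# group/others. A quoted passphrase like "my \"password\"" still starts with
# a quote, so it classifies as literal without needing a full quote parser.
audit_crypttab() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # skip blank/commented lines
        set -- $line
        name="$1"; pass="$3"
        if [ -z "$pass" ]; then continue; fi
        if [ "$(classify_password "$pass")" = literal ]; then
            echo "$name: literal passphrase stored in crypttab"
            findings=$((findings + 1))
        elif [ ! -f "$pass" ]; then
            echo "$name: keyfile $pass not found (boot would fall back to a prompt)"
            findings=$((findings + 1))
        else
            # Characters 5-10 of ls -l are the group and other permission bits.
            mode=$(ls -ld "$pass" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "$name: keyfile $pass is readable by group/others ($mode)"
                findings=$((findings + 1))
            fi
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# make_sample DIR -> writes constructed keyfiles and a crypttab, prints its path.
# Device names and key contents are constructed for this example.
make_sample() {
    d="$1"
    printf 'constructed-key\n' > "$d/data2.key"; chmod 600 "$d/data2.key"
    printf 'constructed-key\n' > "$d/data3.key"; chmod 644 "$d/data3.key"
    cat > "$d/crypttab" <<EOF
# NAME        SOURCE DEVICE        PASSWORD        OPTIONS
home    /dev/sda4    mypassword
data1   /dev/sda3    "my \"password\""
data2   /dev/sda5    $d/data2.key
data3   /dev/sda6    $d/data3.key
data4   /dev/sda7    $d/missing.key
EOF
    echo "$d/crypttab"
}

tmp=$(mktemp -d)
f=$(make_sample "$tmp")
audit_crypttab "$f" || echo "crypttab has findings; see above"
rm -rf "$tmp"
```

Only `data2` passes: it uses a keyfile that exists and is mode 0600. On a real system run it as `audit_crypttab /etc/crypttab`; the check is read-only and changes nothing.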

