Hi,
after years of using Gentoo Linux I grew tired of the compilation effort, so I decided to give Arch Linux a shot. I like the idea of a basic system which I can fit to my needs instead of a bloated distribution.
I want to encrypt my disk and did this with the following tutorials:
Official Arch Linux Install Guide
DM Crypt with LUKS
Basic Cryptsetup
Gentoo DM-Crypt with LUKS
So far, the installation worked well, but I'm stuck with this problem:
I have a gpg encrypted key stored on a SD-Card.
My mkinitcpio.conf has the hook line:
HOOKS="base udev autodetect pata scsi sata mmc usbinput fsck keymap encrypt lvm2 filesystems"
/etc/default/grub contains:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda6:vg root=/dev/mapper/vg-root ro cryptkey=/dev/mmcblk0p1:jfs:/Key.gpg"
However, if I am booting, there are the following outputs:
No key available with this passphrase.
Invalid keyfile. Reverting to passphrase.
A password is required to access the vg volume:
Enter passphrase for /dev/sda6:
So, obviously, it isn't able to gpg-decrypt the key, or am I missing something?
I do really need some help at this point.
Offline
That won't work; cryptsetup knows nothing about GPG. If you want to encrypt your keyfile, you'll have to add some GPG decryption logic to your encrypt hook. However, I recommend that you don't use GPG. You really want symmetric encryption, not asymmetric, so you should be using some other algorithm.
You should also note that your 'Key' file is not actually the key for your drive; it's a keyfile used to decrypt your master key that is stored on your drive. If you don't need to store your key on an external medium, just use a passphrase.
Offline
On my gentoo installation, I had to tell cryptsetup to use the decrypted key as password for the new key. In fact
gpg -q -d <GPG-Keyfile> | cryptsetup luksOpen /dev/<encryptedPartition> <cryptContainer>
did exactly what I wanted.
I wanted to have my system highly secured, so a password-protected keyfile on an external medium was the best choice.
Edit: There has been another tutorial: System encryption with gpg encrypted keys, but it's out of date.
Last edited by iarumas (2012-12-05 22:50:34)
Offline
That's doable but you'll have to patch the mkinitcpio encrypt hook/install files in the cryptsetup package. Also, it turns out that GPG can do symmetric encryption so my point about not using GPG is moot (just remember to encrypt with --symmetric).
Offline
Yes, thought so about the doability (is it even a word?). I used symmetric ciphers, of course.
But I think I will take a step back and use a plaintext keyfile on the external card. Still, it's like a steel case for letters. And I won't have to type in a password, which is quite nice.
Thank you for your ideas.
Offline
I looked into doing this before. At that time I figured the easier way to go would be to make a LUKS/dm-crypt encrypted file that you loop mount and read the key file from to decrypt the disk. This way you do not need to add support for gpg or anything. The initramfs already has what is needed to mount a dm-crypt encrypted loop mounted file.
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
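Both approaches discussed in the thread (piping `gpg -d` into `cryptsetup luksOpen`, and keeping the keyfile inside a small LUKS container on the card so that only cryptsetup is needed in the initramfs) come down to a few lines of shell that a patched `encrypt` run hook would execute. The sketch below is an added example, not code from this thread, from the Arch cryptsetup package or from the mkinitcpio project; the mount points `/ckey` and `/ckeyfs`, the mapper name `keycontainer`, the keyfile name `rootkey` inside the container, and the assumption that a `gpg` binary able to prompt on the console is present in the initramfs are all illustrative choices. It parses the `cryptkey=device:fstype:path` value the way the thread uses it and feeds the decrypted key to cryptsetup on stdin with `--key-file=-`; without that option cryptsetup treats stdin as a typed passphrase and stops at the first newline, which is one reason a binary keyfile piped in "just fails".

```shell
#!/bin/sh
# Added example (not from the thread, the cryptsetup package or mkinitcpio):
# helper functions a patched initramfs "encrypt" hook could use to unlock
# the root volume with a key that is itself protected on the external card.
# All paths, mount points and names below are assumptions for illustration.
set -e

# Extract one field from a "device:fstype:path" value, the format of the
# cryptkey= kernel parameter used in the thread. $1 = spec, $2 = dev|fs|path.
cryptkey_field() {
    case $1 in
        *:*:*) ;;
        *) echo "bad cryptkey spec: $1" >&2; return 1 ;;
    esac
    rest=${1#*:}
    case $2 in
        dev)  printf '%s\n' "${1%%:*}" ;;
        fs)   printf '%s\n' "${rest%%:*}" ;;
        path) printf '%s\n' "${rest#*:}" ;;
        *)    return 1 ;;
    esac
}

# Approach 1 (posts above): the keyfile was produced with "gpg --symmetric".
# $1 = cryptkey spec, $2 = encrypted device (e.g. /dev/sda6), $3 = mapper name (e.g. vg)
# gpg is assumed to be in the initramfs and to prompt for the passphrase on the console.
open_root_with_gpg_key() {
    keydev=$(cryptkey_field "$1" dev)
    keyfs=$(cryptkey_field "$1" fs)
    keypath=$(cryptkey_field "$1" path)
    mkdir -p /ckey
    mount -r -t "$keyfs" "$keydev" /ckey          # assumed mount point
    # --key-file=- makes cryptsetup read the whole stream as a keyfile.
    if gpg --quiet --decrypt "/ckey$keypath" | cryptsetup luksOpen --key-file=- "$2" "$3"; then
        status=0
    else
        status=1
    fi
    umount /ckey
    return $status
}

# Approach 2 (last reply): the plaintext keyfile lives inside a small LUKS
# container file on the card; cryptsetup sets up the loop device itself.
# $1 = cryptkey spec whose path names the container file, $2 = encrypted device, $3 = mapper name
open_root_with_key_container() {
    keydev=$(cryptkey_field "$1" dev)
    keyfs=$(cryptkey_field "$1" fs)
    keypath=$(cryptkey_field "$1" path)
    mkdir -p /ckey /ckeyfs                         # assumed mount points
    mount -r -t "$keyfs" "$keydev" /ckey
    cryptsetup luksOpen "/ckey$keypath" keycontainer   # prompts for the container passphrase
    mount -r /dev/mapper/keycontainer /ckeyfs
    # "rootkey" is the assumed name of the plaintext keyfile inside the container.
    if cryptsetup luksOpen --key-file=/ckeyfs/rootkey "$2" "$3"; then
        status=0
    else
        status=1
    fi
    umount /ckeyfs
    cryptsetup luksClose keycontainer
    umount /ckey
    return $status
}

# Usage inside a hook (not executed here), with the values from the thread:
#   open_root_with_gpg_key /dev/mmcblk0p1:jfs:/Key.gpg /dev/sda6 vg
#   open_root_with_key_container /dev/mmcblk0p1:jfs:/keys.img /dev/sda6 vg
```

Either function leaves the card unmounted once the root volume is open, so the key material is only reachable from the initramfs for the duration of the unlock; the container variant additionally closes `keycontainer` so no mapping to the key store survives into the booted system.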