
#1 2012-12-05 17:32:00

iarumas
Member
Registered: 2012-12-05
Posts: 4

Installation with LVM and gpg-encrypted key, what to tell Grub

Hi,

after years of using Gentoo Linux I grew tired of the compilation effort, so I decided to give Arch Linux a shot. I like the idea of a basic system which I can fit to my needs instead of a bloated distribution.

I want to encrypt my disk and did this with the following tutorials:

Official Arch Linux Install Guide
DM Crypt with LUKS
Basic Cryptsetup
Gentoo DM-Crypt with LUKS

So far, the installation worked well, but I'm stuck with this problem:

I have a gpg encrypted key stored on a SD-Card.

My mkinitcpio.conf has the hook line:

HOOKS="base udev autodetect pata scsi sata mmc usbinput fsck keymap encrypt lvm2 filesystems"

/etc/default/grub contains:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda6:vg root=/dev/mapper/vg-root ro cryptkey=/dev/mmcblk0p1:jfs:/Key.gpg"

However, if I am booting, there are the following outputs:

No key available with this passphrase.
Invalid keyfile. Reverting to passphrase.

A password is required to access the vg volume:
Enter passphrase for /dev/sda6: 

So, obviously, it isn't able to gpg-decrypt the key, or am I missing something?

I do really need some help at this point.


#2 2012-12-05 22:06:38

Stebalien
Member
Registered: 2010-04-27
Posts: 1,237

Re: Installation with LVM and gpg-encrypted key, what to tell Grub

That won't work; cryptsetup knows nothing about GPG. If you want to encrypt your keyfile, you'll have to add some GPG decryption logic to your encrypt hook. However, I recommend that you don't use GPG. You really want symmetric encryption, not asymmetric, so you should be using some other algorithm.

You should also note that your 'Key' file is not actually the key for your drive; it's a keyfile used to decrypt your master key that is stored on your drive. If you don't need to store your key on an external medium, just use a passphrase.


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A774 8675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com

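The failure in the opening post comes down to how the mkinitcpio encrypt hook interprets cryptkey=: it reads the named file (device:fstype:path) or a raw byte range (device:offset:size) and hands those bytes to cryptsetup unchanged, so a GPG-encrypted keyfile can only ever produce the "No key available" / "Reverting to passphrase" output quoted above. The script below is an added example, not code from this thread or from mkinitcpio; it parses a kernel command line and a HOOKS line the way the hook does, checks hook ordering, and flags a keyfile that still needs decrypting. The sample values are the thread's own settings, embedded as constructed input; the two cryptkey forms it understands are the ones documented for the encrypt hook.

```python
"""Static sanity check of the LUKS + LVM boot settings discussed in the thread.

Added example: models how the mkinitcpio 'encrypt' hook reads cryptkey=
(device:fstype:path or device:offset:size) and checks the hook order in
mkinitcpio.conf. It never runs cryptsetup or gpg, so it is safe to run anywhere.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, taken from the thread (closing quote restored).
SAMPLE_HOOKS_LINE = ('HOOKS="base udev autodetect pata scsi sata mmc usbinput '
                     'fsck keymap encrypt lvm2 filesystems"')
SAMPLE_CMDLINE = ("cryptdevice=/dev/sda6:vg root=/dev/mapper/vg-root ro "
                  "cryptkey=/dev/mmcblk0p1:jfs:/Key.gpg")


@dataclass
class CryptKeySpec:
    device: str
    fstype: Optional[str] = None   # device:fstype:path  -> a file on a mountable filesystem
    path: Optional[str] = None
    offset: Optional[int] = None   # device:offset:size -> raw bytes read straight off the device
    size: Optional[int] = None


def parse_cryptkey(value: str) -> CryptKeySpec:
    """Split a cryptkey= value into the three colon-separated fields the hook expects."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"cryptkey needs exactly three fields: {value!r}")
    device, second, third = parts
    if second.isdigit() and third.isdigit():
        return CryptKeySpec(device, offset=int(second), size=int(third))
    return CryptKeySpec(device, fstype=second, path=third)


def parse_cmdline(cmdline: str) -> Dict[str, str]:
    """Turn 'a=b c d=e' into {'a': 'b', 'c': '', 'd': 'e'} (bare flags map to '')."""
    params: Dict[str, str] = {}
    for token in shlex.split(cmdline):
        key, _, val = token.partition("=")
        params[key] = val
    return params


def parse_hooks(line: str) -> List[str]:
    """Return the hook names from a HOOKS=... line of mkinitcpio.conf, in order."""
    _, _, rhs = line.partition("=")
    return " ".join(shlex.split(rhs)).split()


def check_hook_order(hooks: List[str]) -> List[str]:
    """Ordering constraints: keymap before encrypt, encrypt before lvm2, lvm2 before filesystems."""
    problems: List[str] = []
    if "encrypt" not in hooks:
        problems.append("encrypt hook is missing")
    position = {name: i for i, name in enumerate(hooks)}
    for earlier, later in (("keymap", "encrypt"), ("encrypt", "lvm2"), ("lvm2", "filesystems")):
        if earlier in position and later in position and position[earlier] > position[later]:
            problems.append(f"'{earlier}' must come before '{later}'")
    return problems


def diagnose(cmdline: str, hooks_line: str) -> List[str]:
    """Collect everything that would make the encrypt hook fall back to a passphrase prompt."""
    findings = check_hook_order(parse_hooks(hooks_line))
    params = parse_cmdline(cmdline)
    if "cryptdevice" not in params:
        findings.append("cryptdevice= is missing, the encrypt hook has nothing to unlock")
    if "cryptkey" in params:
        spec = parse_cryptkey(params["cryptkey"])
        # The hook hands the file's bytes to cryptsetup unchanged. GPG ciphertext will
        # never match a LUKS key slot, which is exactly the "No key available with this
        # passphrase" / "Reverting to passphrase" output seen in the thread.
        if spec.path is not None and spec.path.lower().endswith(".gpg"):
            findings.append(
                f"{spec.path} looks GPG-encrypted; the encrypt hook does not decrypt "
                "keyfiles, so cryptsetup sees ciphertext instead of the key")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_CMDLINE, SAMPLE_HOOKS_LINE) or ["no problems found"]:
        print(line)
```

Run against the thread's values it reports only the .gpg keyfile; swap the path for a plain keyfile and it reports nothing, which is the configuration the hook can actually use. The ordering check is there because a HOOKS line with lvm2 ahead of encrypt fails in a way that looks similar at boot time.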

#3 2012-12-05 22:37:23

iarumas
Member
Registered: 2012-12-05
Posts: 4

Re: Installation with LVM and gpg-encrypted key, what to tell Grub

On my Gentoo installation, I had to tell cryptsetup to use the decrypted key as password for the new key. In fact

gpg -q -d <GPG-Keyfile> | cryptsetup luksOpen /dev/<encryptedPartition> <cryptContainer>

did exactly what I wanted.

I wanted to have my system highly secured, so a password-protected keyfile on an external medium was the best choice.

Edit: There has been another tutorial: System encryption with gpg encrypted keys, but it's out of date.

Last edited by iarumas (2012-12-05 22:50:34)


#4 2012-12-05 22:51:15

Stebalien
Member
Registered: 2010-04-27
Posts: 1,237

Re: Installation with LVM and gpg-encrypted key, what to tell Grub

That's doable but you'll have to patch the mkinitcpio encrypt hook/install files in the cryptsetup package. Also, it turns out that GPG can do symmetric encryption so my point about not using GPG is moot (just remember to encrypt with --symmetric).


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A774 8675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com


#5 2012-12-05 22:55:34

iarumas
Member
Registered: 2012-12-05
Posts: 4

Re: Installation with LVM and gpg-encrypted key, what to tell Grub

Yes, thought so about the doability (is it even a word?). I used symmetric ciphers, of course.

But I think I will take a step back and use a plaintext keyfile on the external card. Still like a steel case for letters. And I won't have to type in a password, which is quite nice.

Thank you for your ideas.


#6 2012-12-10 11:58:26

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Installation with LVM and gpg-encrypted key, what to tell Grub

I looked into doing this before. At that time I figured the easier way to go would be to make a LUKS/dm-crypt encrypted file that you loop mount and read the key file from to decrypt the disk. This way you do not need to add support for gpg or anything. The initramfs already has what is needed to mount a dm-crypt encrypted loop mounted file.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

