I am slowly migrating my system over to partitions encrypted with dm-crypt/LUKS. I am working on /var now. I would like to have the keyfile for /var created each time during boot based on my specific hardware and stored to /tmp (the exact same keyfile would be created each time since my hardware will not be changing). /var would automatically unlock from this keyfile. The idea is that, unless someone has my login credentials, they will not be able to read /var while my computer is on. If someone tries to read the hard drive in another computer, they will never find the keyfile. And if the thief is smart enough to know what's going on, they will have a hard time figuring out how the keyfile is created.
So, I'm thinking I need a boot order as follows:
Mount / and /tmp
Delete keyfile from /tmp
Continue with rest of boot
Is it possible to hack systemd to do this? Any tips on how to do it? I can write a shell script to create the file and mount /var (since /etc/fstab would have already been read) but I'm not sure how to make it run at the right time in systemd.
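One way to get the ordering asked about, as an added example that is not from the question or the answer: a oneshot unit that runs after tmp.mount and before var.mount (the unit systemd generates from the /etc/fstab entry for /var). It assumes /var is listed in fstab as /dev/mapper/var_crypt, the LUKS container's UUID is a placeholder, and the "hardware" identifier is /sys/class/dmi/id/product_uuid; the key is piped straight into cryptsetup, so nothing is ever written to /tmp and there is no file to delete.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths: the /var LUKS
# container is /dev/disk/by-uuid/VAR-LUKS-UUID-PLACEHOLDER and the hardware
# identifier is /sys/class/dmi/id/product_uuid (readable only by root).
set -eu

# Derive a fixed-length key from an identifier file. sha256sum only gives a
# uniform 64-hex-char string; a value anyone with the box can read from /sys
# is not secret, so this hides the key, it does not protect it.
derive_key() {
    # $1 = path to identifier file; prints 64 hex chars
    sha256sum "$1" | cut -d' ' -f1
}

# Render the unit: DefaultDependencies=no lets it run early in boot, after /tmp
# is mounted and before var.mount so the fstab entry for /var can succeed.
render_unit() {
    # $1 = installed path of this script
    cat <<EOF
[Unit]
Description=Unlock /var with a hardware-derived key
DefaultDependencies=no
After=tmp.mount
RequiresMountsFor=/tmp
Before=var.mount local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$1 unlock

[Install]
WantedBy=local-fs.target
EOF
}

# Unlock step: '--key-file=-' makes cryptsetup read the key from stdin, so the
# key never touches the filesystem (the keyslot must have been added the same way).
unlock_var() {
    derive_key /sys/class/dmi/id/product_uuid |
        cryptsetup open --key-file=- \
            /dev/disk/by-uuid/VAR-LUKS-UUID-PLACEHOLDER var_crypt
}

case "${1:-}" in
    unlock) unlock_var ;;
    unit)   render_unit "$(readlink -f "$0")" ;;
esac
```

Install with `./unlock-var.sh unit > /etc/systemd/system/unlock-var.service` and `systemctl enable unlock-var.service`; the keyslot is added once with the same pipeline feeding `cryptsetup luksAddKey --new-keyfile=-`.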
Why would someone steal your hard drive and not your computer? Hard drives aren't that valuable. And if they stole your computer, and your root wasn't encrypted, they would be able to figure out how to decrypt your /var fairly easily. If your root is encrypted, then any old keyfile would work, as they couldn't access it unless they decrypted your root. So your scheme would only work in the odd scenario where a person steals your hard drive and not your computer. Taking out your hard drive would take a decent amount of time; it wouldn't just be a snatch-and-grab. So if a thief is going to take that much time to steal your hard drive only (leaving your computer behind), then they would probably have enough time to use a live CD to check if your hard drive is encrypted, and how. If your root is encrypted, they might do the evil maid attack. And if a person invests THAT much time into stealing your data, they would probably check to see if they could decrypt the rest of your data before they yanked your drives and ran.
Honestly, I don't think your scheme would secure your system any more than a basic full disk encryption would. There is a far better chance of an attack coming from the net than someone trying to break your encryption. Your encryption can't stop those attacks.
If you are really worried about security, a full disk encryption (I prefer LVM on LUKS) is generally more than enough. If anything, store the key file on external media (such as a USB drive), so that the external media has to be present at boot to unlock the LUKS container.