
#1 2018-03-13 15:40:25

boojum
Member
From: /dev/null
Registered: 2013-09-23
Posts: 43

cryptsetup: embedding key in initramfs to avoid both password prompts?

Yes, I'm aware that automatically opening an encrypted drive (with a key file stored on it) defeats the whole purpose of disk encryption. Save your keystrokes by not pointing it out. With that out of the way, here's my problem.

Fresh Arch install, encrypted root (with boot). I want to embed the LUKS key in the initramfs to avoid two password prompts. I did follow the wiki, and it did work... partially. The prompt for / is gone (yay!) but GRUB is still insisting on asking for one. This occurs during the initial boot, the "Welcome to GRUB!" screen. Here are the exact steps I'm taking:

# partitioning (single MBR partition, the whole disk including /boot goes inside LUKS)
parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary btrfs 1MB 100%

# cryptsetup
echo -en "password" | cryptsetup -q luksFormat /dev/sda1
echo -en "password" | cryptsetup -q open /dev/sda1 toor

# filesystem & mounts
mkfs.btrfs /dev/mapper/toor
mount /dev/mapper/toor /mnt

# base & chroot
pacstrap /mnt base grub
genfstab -Up /mnt >> /mnt/etc/fstab
arch-chroot /mnt

# crypttab (-e without -n so the entry ends with a newline)
echo -e "toor\tUUID=$(blkid /dev/sda1 -s UUID -o value)\t/crypto_keyfile.bin\tluks" >> /etc/crypttab.initramfs

# keyfile
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
echo -en "password" | cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

# mkinitcpio.conf (keyfile is copied into the image via FILES=)
sed -i "s#^FILES=.*#FILES=(/usr/bin/btrfs /crypto_keyfile.bin)#g" /etc/mkinitcpio.conf
sed -i "s#^HOOKS=.*#HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems btrfs)#g" /etc/mkinitcpio.conf
mkinitcpio -p linux
# restrict the images after they are generated, so the mode applies to the new files
chmod 600 /boot/initramfs-linux*

# grub (-e without -n so the setting ends with a newline)
echo -e "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
sed -i "s#^GRUB_CMDLINE_LINUX=.*#GRUB_CMDLINE_LINUX=\"rd.luks.uuid=$(blkid /dev/sda1 -s UUID -o value) rd.luks.key=/crypto_keyfile.bin\"#g" /etc/default/grub
grub-install --target=i386-pc --recheck /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

How can I shush GRUB? Make it obediently take the key instead of insisting on asking for password?


#2 2018-03-13 22:04:17

jjacky
Member
Registered: 2011-11-09
Posts: 345

Re: cryptsetup: embedding key in initramfs to avoid both password prompts?

So you have a single encrypted partition, right? Then you expect GRUB to somehow open it how exactly, if it doesn't ask for the passphrase? Before you say "use the keyfile", think about where that file would be...


#3 2018-03-13 22:28:21

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,732

Re: cryptsetup: embedding key in initramfs to avoid both password prompts?

boojum wrote:

Yes, I'm aware that automatically opening an encrypted drive (with a key file stored on it) defeats the whole purpose of disk encryption.

Yes it does. The analogy is having a safe and leaving a piece of paper on the outside with the combination written on it.

At best what you are trying to accomplish is security through obscurity. You're going to invest more work to get it to work than the security gain you're going to get out of it.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
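The setup in the first post copies the LUKS keyfile into the initramfs via FILES=, and the replies point out that the image then carries the secret wherever it can be read. The following audit script is an added example, not code from the thread or from Arch: it parses a mkinitcpio.conf, reports any keyfile embedded through FILES=, and fails when an initramfs image in the given boot directory is group- or world-readable. The paths are parameters so it can run against a constructed sample tree; the "file name contains key or ends in .bin is a secret" heuristic is an assumption, adjust it to the naming you actually use.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mkinitcpio setup that embeds a LUKS
# keyfile in the initramfs. Real inputs are /etc/mkinitcpio.conf and /boot.

# Print the entries of FILES=(...) from a mkinitcpio.conf, one per line.
mkinitcpio_files() {
    sed -n 's/^FILES=(\(.*\))[[:space:]]*$/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Print the embedded paths that look like secrets (assumption: name contains
# "key" or ends in ".bin").
embedded_keyfiles() {
    mkinitcpio_files "$1" | grep -E 'key|\.bin$' || true
}

# audit_initramfs CONF BOOTDIR
# Returns 0 when no keyfile is embedded, or when every initramfs image in
# BOOTDIR is readable only by its owner; returns 1 and names offending images
# otherwise (anyone who can read such an image can unpack the keyfile).
audit_initramfs() {
    conf=$1; bootdir=$2; rc=0
    keys=$(embedded_keyfiles "$conf")
    if [ -z "$keys" ]; then
        echo "no keyfile embedded via FILES= in $conf"
        return 0
    fi
    echo "keyfile(s) embedded in initramfs: $(echo "$keys" | tr '\n' ' ')"
    for img in "$bootdir"/initramfs-*.img; do
        [ -e "$img" ] || continue
        # POSIX find: match when the group-read or other-read bit is set.
        if [ -n "$(find "$img" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "READABLE BY OTHERS: $img (carries $(echo "$keys" | tr '\n' ' '))"
            rc=1
        else
            echo "ok: $img is owner-only"
        fi
    done
    return $rc
}

# Constructed sample tree mirroring the first post's FILES= line: one image
# locked down with chmod 600, one fallback image left at the default 644.
demo() {
    d=$(mktemp -d)
    printf 'FILES=(/usr/bin/btrfs /crypto_keyfile.bin)\n' > "$d/mkinitcpio.conf"
    : > "$d/initramfs-linux.img";          chmod 600 "$d/initramfs-linux.img"
    : > "$d/initramfs-linux-fallback.img"; chmod 644 "$d/initramfs-linux-fallback.img"
    audit_initramfs "$d/mkinitcpio.conf" "$d"; r=$?
    rm -rf "$d"
    return $r   # 1 here, because the fallback image is world-readable
}

# Run the constructed demo with: sh audit.sh demo
if [ "${1-}" = "demo" ]; then demo; fi
```

Against a real system the call is `audit_initramfs /etc/mkinitcpio.conf /boot`; the check only covers file mode, so a /boot that lives on an unencrypted partition or a disk image copied elsewhere still exposes the key, which is the point the replies make.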
