
#1 2009-03-26 23:32:02

stabele
Member
Registered: 2008-12-22
Posts: 101

[SOLVED]LUKS dm-crypt:unlock multiple volumes by one password at boot?

I am using dm-crypt with LUKS. I do not want to encrypt the entire root, so I created multiple LVM2 volumes (swap, tmp, var, /home, /root, /srv). My goal is to enter just one password at boot to open all these encrypted volumes. Because I do not want to encrypt the whole root filesystem, I do not follow the way from the arch wiki article about dm-crypt and LUKS, which stores passwords for volumes in /etc/crypttab.

What I tried: instead of a password, store a link to a keyfile on the boot partition in /etc/crypttab. (Later I wanted to store the keyfile on a small encrypted partition.) But at boot the system first does "::Activating LVM2 groups", then it starts "::Unlocking encrypted volumes", but it never finds the keyfiles. It seems I am completely wrong, in that at this time the volumes aren't mounted yet.

Last edited by stabele (2009-03-27 08:50:16)


#2 2009-03-27 00:28:08

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: [SOLVED]LUKS dm-crypt:unlock multiple volumes by one password at boot?

I understand what you're trying to do, not entirely sure I understand where you are so far, but is lvm2 before encrypt in mkinitcpio.conf, and LVM enabled in rc.conf?


#3 2009-03-27 02:12:40

stabele
Member
Registered: 2008-12-22
Posts: 101

Re: [SOLVED]LUKS dm-crypt:unlock multiple volumes by one password at boot?

is lvm2 before encrypt in mkinitcpio.conf, and LVM enabled in rc.conf?

Yes to both.

not entirely sure I understand where you are so far

The idea was: have one special encrypted LVM volume, store the keyfile there, at boot time unlock this volume by password and then set all other volumes in crypttab to be unlocked by this keyfile (rather than by passwords stored in crypttab). It now seems completely wrong, because the system first activates LVM, then unlocks encrypted volumes and then proceeds to mount according to fstab - isn't it so? The Arch wiki article about LUKS and dm-crypt describes using keyfiles:

Then add the following information to the /etc/crypttab file for automounting:
home    /dev/sda4    /etc/home.key

but maybe it works only for passwords stored on the root partition, which is maybe treated specially.


#4 2009-03-27 06:53:02

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: [SOLVED]LUKS dm-crypt:unlock multiple volumes by one password at boot?

The thing is that at that point of initscripts, the only mounted partition is the root partition.

I have more or less the same setup that you want (unencrypted root, multiple encrypted partitions, want to enter only one password on boot). What I've done is that I modified the rc.sysinit initscript in a way that just before it tries to unlock the encrypted partitions, it mounts (luks encrypted, so asks for a password) a small loop partition (stored as a file in /etc) with keys to the other partitions; and after unlocking it unmounts it.

If you are interested, here's the patch for rc.sysinit:

--- rc.sysinit.old      2009-02-26 08:21:28.440585809 +0100
+++ rc.sysinit  2009-02-26 08:29:20.620905572 +0100
@@ -150,6 +150,11 @@ if [ "$USELVM" = "yes" -o "$USELVM" = "Y
        fi
 fi
 
+# by js: mount keys
+stat_busy "Mounting keys"
+/etc/mountkeys
+stat_done
+
 # Set up non-root encrypted partition mappings
 if [ -f /etc/crypttab -a -n "$(/bin/grep -v ^# /etc/crypttab | /bin/grep -v ^$)" ];
        /sbin/modprobe -q dm-mod 2>/dev/null
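Review bot: the new "Mounting keys" step calls /etc/mountkeys unconditionally and always reports stat_done, so a missing /etc/keys, a mistyped passphrase or a failed mount goes unnoticed here and only surfaces later as confusing "keyfile not found" failures in the crypttab loop that follows. Check the exit status and report it the way the rest of rc.sysinit does, e.g. `if /etc/mountkeys; then stat_done; else stat_fail; fi`, so a problem with the key volume is visible at the step that caused it.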
@@ -225,6 +230,11 @@ if [ -f /etc/crypttab -a -n "$(/bin/grep
        fi
 fi
 
+# by js: unmount keys
+stat_busy "Unmounting keys"
+/etc/umountkeys
+stat_done
+
 status "Mounting Root Read-only" /bin/mount -n -o remount,ro /
 
 FORCEFSCK=
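Review bot: the "Unmounting keys" step runs whether or not the mount step succeeded, so after a failed luksOpen or mount it will emit spurious umount/luksClose/losetup errors on every boot, and as written it always reports stat_done. Guard it (for instance only call /etc/umountkeys when /mnt/keys is actually mounted, or have mountkeys leave a marker that umountkeys checks) and pair stat_done with stat_fail on a non-zero exit, matching the mount step. Keeping it before the "Mounting Root Read-only" line is the right place, since the key volume must be gone before the rest of boot continues.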

and here's a script that does the mounting (/etc/mountkeys):

#!/bin/dash
# Attach the LUKS-encrypted file holding the keyfiles to a loop device,
# unlock it (cryptsetup prompts for the passphrase) and mount it read-only.
# ${MOUNTPOINT} must already exist. No error checking is done.
KEYSFILE=/etc/keys
MOUNTPOINT=/mnt/keys
LOOPDEV=7
/sbin/losetup /dev/loop/${LOOPDEV} ${KEYSFILE}
/sbin/cryptsetup.static luksOpen /dev/loop/${LOOPDEV} keys
/bin/mount -o ro /dev/mapper/keys ${MOUNTPOINT}

Finally, the script that does the unmounting (/etc/umountkeys):

#!/bin/dash
# Reverse of /etc/mountkeys: unmount the key volume, close the LUKS
# mapping and detach the loop device. No error checking is done.
KEYSFILE=/etc/keys
MOUNTPOINT=/mnt/keys
LOOPDEV=7
/bin/umount ${MOUNTPOINT}
/sbin/cryptsetup.static luksClose keys
/sbin/losetup -d /dev/loop/${LOOPDEV}

Note that no error checking is done; also every update of initscripts overwrites rc.sysinit, so another patching is necessary.

Last edited by bender02 (2009-03-27 06:54:38)
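The same mount-the-key-volume step with the error checking bender02 leaves out, plus a check that every keyfile crypttab points at is actually on the key volume and is not world-readable. This is an added example, not the scripts from this thread; the paths, the /dev/loop7 node and the rule that only a third field starting with "/" is a keyfile are assumptions.

```shell
#!/bin/sh
# Added example, not bender02's script: mount the LUKS key volume with
# error checking, then refuse to go on unless every keyfile that crypttab
# references is on that volume and is not world-readable.
# Paths and the loop node are assumptions following bender02's layout.
KEYSFILE=/etc/keys
MOUNTPOINT=/mnt/keys
LOOPDEV=/dev/loop7
CRYPTTAB=/etc/crypttab

# check_keyfiles <crypttab> <keydir>: return 0 if every keyfile entry is OK.
# Assumption: a third field starting with "/" is a keyfile path; anything
# else (a literal password, none, SWAP, ASK) needs no file and is skipped.
check_keyfiles() {
    tab=$1; keydir=$2; bad=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac      # blank or comment
        case "$key" in /*) ;; *) continue ;; esac     # not a file path
        case "$key" in "$keydir"/*) ;; *)
            echo "$name: keyfile $key is not under $keydir" >&2; bad=1; continue ;;
        esac
        if [ ! -r "$key" ]; then
            echo "$name: keyfile $key is missing or unreadable" >&2; bad=1
        elif [ -n "$(find "$key" -perm -004)" ]; then
            echo "$name: keyfile $key is world-readable" >&2; bad=1
        fi
    done < "$tab"
    return $bad
}

# mount_keys: loop-attach, unlock (cryptsetup prompts for the passphrase)
# and mount the key volume read-only, undoing earlier steps on failure.
mount_keys() {
    [ -f "$KEYSFILE" ] || { echo "$KEYSFILE not found" >&2; return 1; }
    /sbin/losetup "$LOOPDEV" "$KEYSFILE" || return 1
    if ! /sbin/cryptsetup luksOpen "$LOOPDEV" keys; then
        /sbin/losetup -d "$LOOPDEV"; return 1
    fi
    if ! /bin/mount -o ro /dev/mapper/keys "$MOUNTPOINT"; then
        /sbin/cryptsetup luksClose keys; /sbin/losetup -d "$LOOPDEV"; return 1
    fi
    check_keyfiles "$CRYPTTAB" "$MOUNTPOINT"
}

# Run the real thing only when invoked as "mountkeys run".
case "${1:-}" in run) mount_keys ;; esac
```

Called from rc.sysinit in place of /etc/mountkeys, a non-zero exit lets the "Mounting keys" step report stat_fail instead of failing later inside the crypttab loop.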


#5 2009-03-27 08:46:59

stabele
Member
Registered: 2008-12-22
Posts: 101

Re: [SOLVED]LUKS dm-crypt:unlock multiple volumes by one password at boot?

Thanks a lot for the detailed solution! And storing the keyfile in an encrypted file is IMHO a better way; it saves one LVM volume and makes it easier to back up. I am even thinking of not unmounting it immediately: I will set up auto-login for the default (non-root) user, and I can also store SSH keys there, load them into the agent and then unmount it. It is a bit unclean, but saves one more password entry at startup.

Last edited by stabele (2009-03-27 08:58:04)


#6 2009-03-27 13:08:46

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: [SOLVED]LUKS dm-crypt:unlock multiple volumes by one password at boot?

bender02 wrote:

Note that no error checking is done; also every update of initscripts overwrites rc.sysinit, so another patching is necessary.

NoUpgrade = etc/rc.sysinit

... in pacman.conf should help with that. I think there will still be an rc.sysinit.pacnew created, so you could merge the changes, if any.


