
#1 2009-12-04 17:05:20

rwd
Member
Registered: 2009-02-08
Posts: 664

[solved] How to unlock LUKS using keyfile on usbdrive during boot?

Hi all,

I would like some advice for booting encrypted partitions using keyfiles on a flashdrive. I'm setting up an Intel Atom based homeserver, and want my data to be encrypted in case the server gets stolen. To save some encryption overhead I prefer to leave root unencrypted and only encrypt /home, and if this works, later on /var, /tmp and swap as well. My plan is to have a keyfile on a flash thumbdrive, and only have the thumbdrive plugged in while booting.

I have read the dm-crypt wiki page, but it assumes an encrypted root, and this approach won't work in my situation, where only non-root mountpoints are encrypted. If I put 'ASK' in /etc/crypttab I get prompted for the passphrase and the LUKS container unlocks and mounts fine. I can also unlock the LUKS container manually using the keyfile that I created. However, when I put the path to the keyfile in /etc/crypttab instead of 'ASK', and let the usbdrive automount using a udev rule, the unlock at boot fails. It seems that my udev rule is only executed when I plug in a drive after booting, not when it is already plugged in during boot. How would I accomplish this? Mount it with fstab and automatically unmount it after booting, or some entirely different way?

My /etc/fstab:

none /dev/pts devpts defaults 0 0
none  /dev/shm tmpfs defaults  0 0
/dev/sda1  / ext4 defaults 0 1
/dev/sda2 swap swap defaults 0 0
/dev/mapper/home     /home ext4  defaults 0 1

/etc/crypttab:

home        /dev/sda3        /media/usbhd-sdc1/keyfiles/arch_server_-_home.key

/etc/udev/rules.d/01.usbdrive_automount.rules (sdb is a second, currently unused harddisk):

KERNEL=="sd[b-z]", NAME:="%k", SYMLINK+="usbhd-%k", GROUP:="users", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", SYMLINK+="usbhd-%k", GROUP:="users", NAME:="%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mkdir -p /media/usbhd-%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", PROGRAM=="/sbin/blkid -t %N", RESULT=="vfat", RUN+="/bin/mount -t vfat -o rw,noauto,flush,dirsync,noexec,nodev,noatime,dmask=000,fmask=111 /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mount -t auto -o rw,noauto,async,dirsync,noexec,nodev,noatime /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/umount -l /media/usbhd-%k"
ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/rmdir /media/usbhd-%k", OPTIONS="last_rule"

<edit>
Okay, I have found a solution. The trick was to make sure the usbstick gets mounted first, so the keyfile is available for the unlocking/mounting during boot. To do so I have added 'usb' to the hooks line in /etc/mkinitcpio.conf and recompiled the initramfs as described in the wiki link above.

Next I changed my /etc/udev/rules.d/01.usbdrive_automount.rules a little so that the mountpoint of the usbdrive stays after unplugging it:

KERNEL=="sd[b-z]", NAME:="%k", SYMLINK+="usbhd-%k", GROUP:="users", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", SYMLINK+="usbhd-%k", GROUP:="users", NAME:="%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mkdir -p /media/usbhd-%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", PROGRAM=="/sbin/blkid -t %N", RESULT=="vfat", RUN+="/bin/mount -t vfat -o rw,noauto,flush,dirsync,noexec,nodev,noatime,dmask=000,fmask=111 /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mount -t auto -o rw,noauto,async,dirsync,noexec,nodev,noatime /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/umount -l /media/usbhd-%k", OPTIONS="last_rule"

#ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/umount -l /media/usbhd-%k"
#ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/rmdir /media/usbhd-%k", OPTIONS="last_rule"

/etc/fstab:
The usbdrive is put above the encrypted partition to make it get mounted first:

none /dev/pts devpts defaults 0 0
none  /dev/shm tmpfs defaults  0 0
/dev/sdc1 /media/usbhd-sdc1 ext2 defaults 0 0
/dev/sda1  / ext4 defaults 0 1
/dev/sda2 swap swap defaults 0 0
/dev/mapper/home     /home ext4  defaults 0 1

/etc/crypttab:

home        /dev/sda3        /media/usbhd-sdc1/keyfiles/arch_server_-_luks.key

So now I plug in the flashdrive, turn on the server, unplug the flashdrive and udev automatically unmounts the flashdrive while leaving the mountpoint /media/usbhd-sdc1 for the next boot.
</edit>

Last edited by rwd (2009-12-04 19:36:14)
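The fix above rests on two things a reader reproducing it will want to verify before rebooting: the filesystem holding the keyfile must be listed in /etc/fstab before the filesystem on the mapped device, and the keyfile itself should not be readable by anyone but root. The script below is an added example written for this thread, not code from the original post or from the Arch wiki; it checks both conditions against constructed copies of the post's fstab and crypttab (written to a temporary directory, so it never touches the real /etc files) and assumes the crypttab layout "name device keyfile" that the post uses.

```shell
#!/bin/sh
# Added example: sanity-check the fstab/crypttab ordering the post relies on.
# All file contents below are constructed samples modelled on the post.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed fstab with the post's working layout: the USB stick (which holds
# the keyfile) is listed before /home, which lives on the mapped device.
cat > "$SAMPLE_DIR/fstab.good" <<'EOF'
none /dev/pts devpts defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/sdc1 /media/usbhd-sdc1 ext2 defaults 0 0
/dev/sda1 / ext4 defaults 0 1
/dev/sda2 swap swap defaults 0 0
/dev/mapper/home /home ext4 defaults 0 1
EOF

# Constructed fstab with the ordering problem: /home comes before the stick.
cat > "$SAMPLE_DIR/fstab.bad" <<'EOF'
/dev/sda1 / ext4 defaults 0 1
/dev/mapper/home /home ext4 defaults 0 1
/dev/sdc1 /media/usbhd-sdc1 ext2 defaults 0 0
EOF

# Constructed crypttab mirroring the post (keyfile path is a sample value).
cat > "$SAMPLE_DIR/crypttab" <<'EOF'
# name  device     keyfile
home    /dev/sda3  /media/usbhd-sdc1/keyfiles/arch_server_-_luks.key
EOF

# Two constructed keyfiles: one restricted to the owner, one group/world readable.
: > "$SAMPLE_DIR/key.private"; chmod 600 "$SAMPLE_DIR/key.private"
: > "$SAMPLE_DIR/key.loose";   chmod 644 "$SAMPLE_DIR/key.loose"

# Print the fstab mount point that contains path $2 (longest matching prefix);
# prints nothing if no fstab entry covers the path.
mountpoint_for() {
    awk -v p="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        { mp = $2
          if (mp == "/") hit = (substr(p, 1, 1) == "/")
          else           hit = (index(p, mp "/") == 1)
          if (hit && length(mp) > length(best)) best = mp }
        END { print best }
    ' "$1"
}

# Return 0 if the fstab line mounting $2 appears before the line mounting $3.
fstab_mounts_before() {
    awk -v a="$2" -v b="$3" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        $2 == a && !seen_a { seen_a = NR }
        $2 == b && !seen_b { seen_b = NR }
        END { exit !(seen_a && seen_b && seen_a < seen_b) }
    ' "$1"
}

# Return 0 if keyfile $1 is a regular file with no group or world read bit.
keyfile_perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -040)" ] && [ -z "$(find "$1" -perm -004)" ]
}

# For every crypttab entry ($1) that names a keyfile, check that the keyfile's
# filesystem is listed in fstab ($2) before the mapped device's filesystem.
check_keyfile_order() {
    _crypttab=$1; _fstab=$2; _rc=0
    while read -r name dev key _opts; do
        case "$name" in ''|\#*) continue ;; esac
        case "$key" in ''|ASK|none|-) continue ;; esac   # passphrase prompt: nothing to order
        keymp=$(mountpoint_for "$_fstab" "$key")
        mapmp=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2; exit }' "$_fstab")
        if [ -z "$keymp" ]; then
            echo "WARN: $name: no fstab entry covers keyfile $key"; _rc=1
        elif [ -z "$mapmp" ]; then
            echo "INFO: $name: /dev/mapper/$name is not in fstab, nothing to order"
        elif fstab_mounts_before "$_fstab" "$keymp" "$mapmp"; then
            echo "OK:   $name: $keymp is mounted before $mapmp"
        else
            echo "WARN: $name: $keymp must be listed before $mapmp in fstab"; _rc=1
        fi
    done < "$_crypttab"
    return $_rc
}

demo() {
    for f in fstab.good fstab.bad; do
        echo "== $f =="
        if check_keyfile_order "$SAMPLE_DIR/crypttab" "$SAMPLE_DIR/$f"; then
            echo "result: ordering OK"
        else
            echo "result: ordering problem found"
        fi
    done
    for k in key.private key.loose; do
        if keyfile_perms_ok "$SAMPLE_DIR/$k"; then echo "$k: permissions OK"
        else echo "$k: readable by group or others"; fi
    done
}
demo
```

To run it against a real machine, point check_keyfile_order at /etc/crypttab and /etc/fstab and keyfile_perms_ok at the keyfile path from crypttab. On a vfat stick, as in the post's first udev rule, file permissions come from the dmask/fmask mount options rather than from the file, so the permission check reports whatever those masks produce.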
