You are not logged in.

#1 2013-07-03 07:59:17

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

LUKS question about logic

So recently I've been fiddling with LUKS and I've come up with a scenario which seems to make sense to me and I have not come across a way of doing this.

Say you have a hard drive with 2 partitions, one for /boot which would be unencrypted and one for / which would be encrypted.
So this hardrive can boot and it has arch on it.

I imagined something like this:
When the hardrive is being used to boot arch which is installed on it, LUKS/dm-crypt would use a key file stored on the encrypted partition to allow it to boot to login screen, and so no interaction would be required from boot, you are then relying on strong passwords to protect your data I guess

Then, if that hardrive were to be plugged into another computer say as an external drive, it would not be accessible unless you provided a password or another key file, as it would not read the key file stored on the encrypted partition.

Is this possible at all to setup? I've done a bit of googling, found nothing.
I think what I've written makes sense


bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U

Offline

#2 2013-07-03 10:28:56

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 3,366

Re: LUKS question about logic

Not that I know of. The key must be in an unencrypted medium so it can be read in order to unlock the encrypted volume.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#3 2013-07-03 11:06:25

andrewturner
Member
Registered: 2013-03-12
Posts: 2

Re: LUKS question about logic

You could put the keyfile on an unencrypted sd card or usb stick for example. Then it would, in a more literal sense, be a 'key' which you plugged-in so that your computer would boot.

Offline

#4 2013-07-03 11:36:55

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

Re: LUKS question about logic

R00KIE wrote:

Not that I know of. The key must be in an unencrypted medium so it can be read in order to unlock the encrypted volume.

This is what I forgot


bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U

Offline

#5 2013-07-03 21:12:43

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: LUKS question about logic

R00KIE wrote:

Not that I know of. The key must be in an unencrypted medium so it can be read in order to unlock the encrypted volume.

There is one way you can do something like that, if your machine has a TPM chip. There is an extension for cryptsetup which stores the luks-key in the TPM chip. On boot the passphrase unlocks it and thereby the partition. If you take the drive out the machine, it is useless/encrypted.
You find it here: https://github.com/shpedoikal/tpm-luks
It is linked to from the cryptsetup FAQ too btw. I wanted to try it myself sometime actually (to use  that tpm chip at least once..), but did not get to it yet.

Apart from that the Arch wiki has links to threads about encrypting the key-file itself. So while you might have to keep it on an unencrypted medium, you still need a passphrase to use the key.

Offline

#6 2013-07-03 23:10:09

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 3,366

Re: LUKS question about logic

I see a potential problem with that, what happens if the machine breaks and you need to move the disk to another machine to extract the data?


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#7 2013-07-04 18:27:55

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: LUKS question about logic

Any breakage creates a problem and encrypted backups are always more difficult to manage. If you read the link I posted to the end, you will see the proposed backup procedure.

edit: funny you asking that though; I remember asking myself the same when reading it the first time and skipping the fedora instructions in there.

Last edited by Strike0 (2013-07-06 12:42:10)

Offline

Board footer

Powered by FluxBB