Hi all,
I tried to set up a two-factor encrypted root using LUKS/dm-crypt after reading e.g. masarlabs.com/article/two-factor-luks-decription.
This Arch wiki article says crypttab cannot be used to unlock root.
Is the whole keyscript thing specific to Debian/Ubuntu or is there any way to get this done running Arch?
Someone asked the same (or at least a very similar thing) four years ago, but didn't get any replies.
Thanks!
Last edited by float (2014-11-19 17:30:59)
Yes, the "keyscript" is from Debian patches to dm-crypt/cryptsetup. You cannot use it here.
But you can patch mkinitcpio, the wiki has some examples. Also a pointer is eworm's yubikey package: https://aur.archlinux.org/packages/mkinitcpio-ykfde/
Thanks for the hint!
This post kind of solves the problem.
Detaching the LUKS header results in two-factor authentication, so I don't need the keyfile anymore.
Actually it's even better because a detached LUKS header allows deniability.
Did you find this wiki page? https://wiki.archlinux.org/index.php/Dm … UKS_header
I have used it to success.
I used a slightly different approach because I didn't like the hard-coded path (/boot/header.img) in the encrypt hook.
The problem was also discussed in this thread in the meantime.
Based on the answers, I filed a feature request and supplied a patch.
If you like it, please vote for it so it gets some attention.