#1 2016-01-31 11:40:11

robjh
Member
Registered: 2016-01-31
Posts: 3

[SOLVED] Custom mkinitcpio hooks. (trying to add 2-factor auth)

Hi all.

I've gone with whole disk encryption and I'm booting my system with a USB stick. When I turn on my PC it prompts me for my passphrase and boots the system. I've also got a working keyfile which, when placed in the right place in the initcpio file, will automatically boot the system.
I'm trying to combine the two approaches. When the USB stick boots it first tries to unlock a LUKS container stored on the USB stick. The keyfile is stored in the container. On success it should copy the keyfile from the container to /crypto_keyfile.bin, where the encrypt hook is expecting to find it.

I've had some limited success in creating my own hooks, and I think it's nearly doing what I want it to do. The problem I'm having is that when I try to unlock the container at boot time I get an error:

Cannot find a free loopback device.


Here are the files I've changed/created so far. I based the keyunlock files on the encrypt hook files. I think the encrypt hook might be doing something extra that I missed, but I cannot tell what.
I'm looking forward to hearing everyone's input on this.

  • /etc/mkinitcpio.conf

    MODULES="dm_mod dm_crypt aes_x86_64 raid0 vfio vfio_iommu_type1 vfio_pci vfio_virqfd tun"
    
    BINARIES=""
    
    FILES="/opt/keystore.luks"
    
    HOOKS="base udev autodetect modconf block mdadm_udev keyunlock encrypt lvm2 filesystems keyboard fsck"
  • /usr/lib/initcpio/install/keyunlock

    #!/bin/bash
    
    build() {
        add_runscript
    }
  • /usr/lib/initcpio/hooks/keyunlock

    #!/usr/bin/ash
    
    run_hook() {
        modprobe -a -q dm-crypt >/dev/null 2>&1
        modprobe loop
    
        echo "A password is required to access the keystore:"
    
        #loop until we get a real password
        while ! eval cryptsetup open --type luks /opt/keystore.luks keystore >/dev/null; do
            sleep 2;
        done
    
        if [ -e "/dev/mapper/keystore" ]; then
            mkdir -p /mnt/keystore
            mount -o ro /dev/mapper/keystore /mnt/keystore
            cp /mnt/keystore/crypto_keyfile.bin /crypto_keyfile.bin
            umount /mnt/keystore
            cryptsetup luksClose /dev/mapper/keystore
        else
            err "Password succeeded, but keystore creation failed, aborting..."
            exit 1
        fi
    
        rm -f /opt/keystore.luks
    }

~robjh

Last edited by robjh (2016-02-01 20:52:09)

Offline

#2 2016-02-01 20:51:37

robjh
Member
Registered: 2016-01-31
Posts: 3

Re: [SOLVED] Custom mkinitcpio hooks. (trying to add 2-factor auth)

I figured it out!

All I was missing was that I forgot to add the loop module to the install file. /usr/lib/initcpio/install/keyunlock becomes this:

#!/bin/bash

build() {
    add_module loop
    add_runscript
}

Now, in order to boot into my computer you need a very specific USB stick, or to know where I've hidden the recovery codes.
It occurred to me yesterday that I could probably achieve the same thing by installing GRUB on an encrypted partition on the USB stick, and that'd give me the advantage of having an encrypted kernel. That's probably the better thing to do for anyone looking to do something similar.

Oh well. thanks all.

Offline
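A hardened variant of the finished keyunlock run hook, as an added example that is not robjh's posted code: it fails fast when the container is missing from the image, bounds the passphrase prompt instead of looping forever, drops the unneeded `eval`, always tears down the mapping, and returns an error instead of exiting so the encrypt hook can fall back to its own prompt. The function name `unlock_keystore`, the `MAPPER_DIR` override and the mount-dir argument are assumptions introduced here for testing; the defaults are the thread's real paths.

```sh
#!/usr/bin/ash
# Hardened keyunlock run hook (added example, not the original poster's code).
# Assumed names: unlock_keystore, MAPPER_DIR and the mount-dir argument are
# introduced here so the logic can be exercised outside the initramfs.

# err() comes from mkinitcpio's init_functions; fall back to a plain echo
# when the file is sourced outside the initramfs.
if ! command -v err >/dev/null 2>&1; then err() { echo "ERROR: $*" >&2; }; fi

# unlock_keystore <luks-container> <keyfile-destination> <mount-dir> [max-tries]
# Returns non-zero instead of exiting, so run_hook decides what to do and the
# encrypt hook can still prompt for the root passphrase on failure.
unlock_keystore() {
    ks_file=$1; ks_dst=$2; ks_mnt=$3; ks_max=${4:-3}
    ks_name=keystore
    ks_dev="${MAPPER_DIR:-/dev/mapper}/$ks_name"

    # Fail fast if the container never made it into the image (FILES= in
    # mkinitcpio.conf) instead of looping on a prompt that cannot succeed.
    [ -f "$ks_file" ] || { err "keystore $ks_file missing from initramfs"; return 1; }

    # Bounded passphrase loop; arguments are quoted directly, no eval needed.
    ks_try=0
    while ! cryptsetup open --type luks "$ks_file" "$ks_name"; do
        ks_try=$((ks_try + 1))
        [ "$ks_try" -lt "$ks_max" ] || { err "too many failed attempts"; return 2; }
        sleep 2
    done
    [ -e "$ks_dev" ] || { err "cryptsetup succeeded but $ks_dev is absent"; return 3; }

    ks_rc=0
    mkdir -p "$ks_mnt"
    if mount -o ro "$ks_dev" "$ks_mnt" && cp "$ks_mnt/crypto_keyfile.bin" "$ks_dst"; then
        chmod 0400 "$ks_dst"   # the keyfile now lives in the initramfs; keep it root-only
    else
        err "could not read keyfile from keystore"; ks_rc=4
    fi
    # Always tear down: unmount, close the mapping, drop the container copy.
    umount "$ks_mnt" 2>/dev/null
    cryptsetup close "$ks_name"
    rm -f "$ks_file"
    return $ks_rc
}

run_hook() {
    modprobe -a -q dm-crypt loop >/dev/null 2>&1   # loop must be in the image (add_module loop)
    echo "A password is required to access the keystore:"
    unlock_keystore /opt/keystore.luks /crypto_keyfile.bin /mnt/keystore 3 ||
        err "keystore unlock failed; the encrypt hook will prompt for the passphrase"
}
```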

#3 2016-02-09 23:17:50

spookykid
Member
From: Portugal
Registered: 2006-07-23
Posts: 141

Re: [SOLVED] Custom mkinitcpio hooks. (trying to add 2-factor auth)

Hi robjh,

Glad you were able to sort things out for yourself. Maybe you could come up with a tutorial for this? I'd be interested in setting up my system like that also.

Thanks,
AG


There is no knowledge that is not power!

Offline

#4 2016-11-03 16:15:30

robjh
Member
Registered: 2016-01-31
Posts: 3

Re: [SOLVED] Custom mkinitcpio hooks. (trying to add 2-factor auth)

Hi spookykid. I didn't get notified about your reply, sorry for the delay in getting back to you.

I'd be happy to help you set this up on your own system. Would you like a tutorial on adding custom hooks, or on using a passphrase to unlock a keyfile? Because if it's the latter you seek, it'd be easier to set up and more secure if you put LUKS on a USB stick and installed GRUB to that.

You'd do something similar to this, only with a USB stick instead of a hard disk partition:
https://wiki.archlinux.org/index.php/Dm … .28GRUB.29

After that you'd just need to follow the instructions here to boot the encrypted root partition from a key file on your USB stick:
https://wiki.archlinux.org/index.php/Dm … on_at_boot


Please let me know if this is sufficient, or if you need a tutorial on what I did instead.

regards,
~rob

Offline
