
#1 2016-09-27 12:04:51

PlqnctoN
Member
From: Lyon, France
Registered: 2015-07-29
Posts: 8

[SOLVED] Question regarding the use of keyfile with LVM on LUKS

Hello!

I'm planning on reinstalling Arch on my PC, this time using full disk encryption with the help of dm-crypt/LUKS. I will be using LVM on LUKS.

Because I have two disks (SSD & HDD) I'm planning on using a keyfile to unlock the HDD as soon as I unlock my SSD with a passphrase.

Can I create a LUKS container with a passphrase and later add a keyfile to automatically unlock it? Or do I need to specify the keyfile during the creation of the container?
I think both solutions are valid because I've seen them used but I just wanted to be sure.

Also, where is the best place for the keyfile to be? I've seen tutorials saying to place it in /root, others in /etc, others in /etc/keys, so I think the difference between them is not that important, but I wanted to know the best practice or if there is a standard.

Lastly, do I need to "chown root" and "chmod 0400" the keyfile?

Thanks for taking time to read my post.

Last edited by PlqnctoN (2016-09-28 12:05:31)


#2 2016-09-27 16:13:21

Awebb
Member
Registered: 2010-05-06
Posts: 6,286

Re: [SOLVED] Question regarding the use of keyfile with LVM on LUKS

PlqnctoN wrote:

Lastly, do I need to "chown root" and "chmod 0400" the keyfile?

The keyfile should only ever be read by the process using it. While it's not required for the keyfile to do its job, imagine some random script being able to read the content of that file.


#3 2016-09-27 16:18:14

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: [SOLVED] Question regarding the use of keyfile with LVM on LUKS

You can change LUKS passphrases / keys any time you like - careful not to lock yourself out in the process.

See cryptsetup luksChangeKey/AddKey/RemoveKey. Up to 8 keys are supported.

I also use keyfiles to open several containers at once; I put them as LUKS encrypted keyfiles in the initramfs. So the passphrase I enter is actually a passphrase for the keyfiles which in turn unlock all the LUKS containers.

These LUKS containers also have their own passphrases (in case the USB stick / initramfs / keyfile container is ever lost).

I use a simple keyfile (stored in /root/ with 0400 permissions) for the external backup disk.

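The procedure the two answers above describe (add a keyfile to an already-created LUKS container with luksAddKey, keep it under /root owned by root with mode 0400, keep the passphrase slot as the fallback, and let /etc/crypttab unlock the HDD once the passphrase-unlocked root filesystem is mounted), as an added example that is not part of the thread or of any poster's setup. The device path /dev/sdb1, the mapper name crypthdd and the keyfile path /root/hdd.key are assumptions. The steps that touch a disk or need root only run when the script is invoked with --apply, so the helper functions can be tried safely on a scratch file first.

```shell
#!/bin/sh
# Added example, not from the thread: give an existing LUKS container (the HDD)
# a second key slot holding a random keyfile, so it unlocks automatically once
# the SSD's root filesystem has been unlocked by passphrase. The passphrase slot
# stays as the fallback. Device, mapper name and keyfile path are assumptions.
set -eu

HDD_DEV="${HDD_DEV:-/dev/sdb1}"        # assumed: the HDD's LUKS container
MAPPER_NAME="${MAPPER_NAME:-crypthdd}" # assumed: name under /dev/mapper
KEYFILE="${KEYFILE:-/root/hdd.key}"    # on the root fs, readable only by root

# Create a 4096-byte random keyfile. umask 077 in a subshell makes the file
# owner-only from the first byte, so there is never a moment in which another
# user could read it. chown needs root and is skipped otherwise.
make_keyfile() {
    f="$1"
    ( umask 077; head -c 4096 /dev/urandom > "$f" )
    if [ "$(id -u)" = 0 ]; then chown root:root "$f"; fi
    chmod 0400 "$f"
}

# Succeed only if group and other have no permission bits at all, i.e. the
# octal mode ends in 00 (0400 or 0600). Uses GNU stat -c, as shipped on Arch.
keyfile_is_private() {
    mode=$(stat -c %a "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the /etc/crypttab line that opens the container with the keyfile:
# name, UUID= source, keyfile path, options ("luks" = treat as LUKS container).
crypttab_entry() {
    name="$1"; uuid="$2"; keyfile="$3"
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# Add the keyfile to a free key slot (cryptsetup prompts for an existing
# passphrase), then prove the keyfile alone opens the container without
# mapping it, and list the slots so both the passphrase and the keyfile show.
add_keyfile_slot() {
    dev="$1"; keyfile="$2"
    cryptsetup luksAddKey "$dev" "$keyfile"
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    cryptsetup luksDump "$dev" | grep -iE 'key ?slot'
}

# Disk-touching steps run only on request: sh ./hdd-keyfile.sh --apply
if [ "${1:-}" = "--apply" ]; then
    make_keyfile "$KEYFILE"
    keyfile_is_private "$KEYFILE"
    add_keyfile_slot "$HDD_DEV" "$KEYFILE"
    echo "Append this line to /etc/crypttab:"
    crypttab_entry "$MAPPER_NAME" "$(blkid -s UUID -o value "$HDD_DEV")" "$KEYFILE"
fi
```

Because the keyfile sits on the root filesystem, this only works for a container opened after root is mounted, which is the SSD-then-HDD case asked about here; a container that must be opened from the initramfs needs the keyfile embedded there instead, which is the setup frostschutz describes (his keyfiles are themselves LUKS-encrypted so the initramfs holds nothing usable on its own). If the keyfile is ever exposed, `cryptsetup luksRemoveKey` with that keyfile drops just that slot and the passphrase slot keeps working.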

#4 2016-09-28 11:24:58

PlqnctoN
Member
From: Lyon, France
Registered: 2015-07-29
Posts: 8

Re: [SOLVED] Question regarding the use of keyfile with LVM on LUKS

Awebb wrote:

The keyfile should only ever be read by the process using it. While it's not required for the keyfile to do its job, imagine some random script being able to read the content of that file.

That's what I thought, thanks for the clarification!

frostschutz wrote:

You can change LUKS passphrases / keys any time you like - careful not to lock yourself out in the process.

See cryptsetup luksChangeKey/AddKey/RemoveKey. Up to 8 keys are supported.

These LUKS containers also have their own passphrases (in case the USB stick / initramfs / keyfile container is ever lost).

I see, so in my use case the keyfile will just be a convenient way of unlocking a container, I can still use the passphrase to do it otherwise.

frostschutz wrote:

I also use keyfiles to open several containers at once; I put them as LUKS encrypted keyfiles in the initramfs. So the passphrase I enter is actually a passphrase for the keyfiles which in turn unlock all the LUKS containers.

You can do that even if you don't encrypt your boot partition? Or do you need to encrypt it and use GRUB? (Or maybe I'm dumb and didn't understand what you are saying...)

frostschutz wrote:

I use a simple keyfile (stored in /root/ with 0400 permissions) for the external backup disk.

Ok, I'm gonna do that too. Thank you for your answer!

