
#1 2020-08-07 08:30:30

mouseman
Member
From: Outta nowhere
Registered: 2014-04-04
Posts: 291

[answered] unlock options with encrypted boot and root

My home server is currently set up with an encrypted boot and LVM on LUKS for the root filesystem and other OS-related filesystems (var, log, swap, etc.). The setup for configuring GRUB and including the keys in the initramfs follows the Arch wiki using sd-encrypt to the letter.

So basically, GRUB prompts me to unlock the boot partition and the rest gets unlocked with the key from the initramfs. There are 2 things I would like to change in this setup.

The first thing is that I would like to add an extra unlock option with a usb key. Is it possible to have grub first look for the key on usb, and if that is not found, ask for the passphrase?

The second thing is I would like a re-prompt when I fail to type in the correct password at grub. Is grub able to ask me 2 or 3 times before failing?

Thanks!

Last edited by mouseman (2020-08-07 14:38:14)


#2 2020-08-07 09:36:43

mouseman
Member
From: Outta nowhere
Registered: 2014-04-04
Posts: 291

Re: [answered] unlock options with encrypted boot and root

The first question I kind of accidentally found an answer to in the wiki below rd.luks.options, because I was looking at how to enable TRIM:
https://wiki.archlinux.org/index.php/Dm … ks.options

I'll try that out, second question is still open.

Edit: sorry, this isn't for GRUB, it's for the initramfs hooks.

Last edited by mouseman (2020-08-07 10:05:58)


#3 2020-08-07 11:31:48

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [answered] unlock options with encrypted boot and root

As far as I know, cryptomount in grub does not support any of the features you want. There are some patches from 2018 that implement that: http://grub.johnlane.ie/

A possible alternative would be SecureBoot with custom keys, a signed unified kernel image[1] in the unencrypted EFI partition, and the rest of your system encrypted with LUKS that can use initramfs hooks. There is a tool called sbctl[2] to streamline that process.

[1]: https://systemd.io/BOOT_LOADER_SPECIFICATION/
[2]: https://github.com/Foxboron/sbctl

In addition you could try to add an additional luks key that is sealed to the TPM. That should work best with systemd-boot I think since it hashes the kernel commandline. (Or you could embed the commandline in the kernel image to make it immutable)

https://github.com/electrickite/luks-tpm2
https://github.com/grawity/tpm_futurepcr
https://github.com/mxre/sealkey
https://aur.archlinux.org/packages/?K=luks+tpm2

Last edited by progandy (2020-08-07 11:39:54)

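
An added example (not code from this thread, nor from luks-tpm2, tpm_futurepcr or sealkey linked above) that models the TPM side of the last suggestion: a PCR can only be extended, so a LUKS key sealed to a policy over the PCRs holding the kernel image and the kernel command line is released only when the same image and the same command line were measured. The model shows what tpm_futurepcr-style prediction has to reproduce, why a policy that covers only the image PCR still hands the key to a boot with an edited command line, and why embedding the command line in a unified kernel image puts it under the image measurement. Real TPMs hash in hardware and use a proper PolicyPCR session; the PCR indices (4 for loaded images, 8 for the bootloader's command-line measurement) and every measured value below are assumptions constructed for this example.

```python
import hashlib

SHA256_ZERO = bytes(32)  # SHA-256 PCR reset value (PCRs 0-16)
PCR_IMAGE = 4            # assumption: firmware measures executed boot images here
PCR_CMDLINE = 8          # assumption: PCR the bootloader extends with the kernel cmdline


def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """One TPM2 PCR extend in the SHA-256 bank: PCR' = H(PCR || H(measured)).
    Extend-only semantics mean the final value commits to every object
    measured and to the order in which they were measured."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()


def predict_pcr(measurements) -> bytes:
    """Replay measurements from the reset value to predict a PCR after boot,
    which is what a future-PCR tool must do before sealing."""
    pcr = SHA256_ZERO
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


def policy_digest(pcrs: dict) -> bytes:
    """Simplified stand-in for a PolicyPCR digest: a hash over the selected
    PCR indices and their values. Only equality of inputs matters here."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


class ModelTpm:
    """Toy TPM: releases a sealed secret only when the current PCR state
    reproduces the policy the secret was sealed against."""

    def __init__(self):
        self._sealed = {}   # handle -> (policy digest, secret)
        self.pcrs = {}      # pcr index -> current value

    def reset(self):
        self.pcrs = {}

    def extend(self, idx: int, measured: bytes):
        self.pcrs[idx] = pcr_extend(self.pcrs.get(idx, SHA256_ZERO), measured)

    def seal(self, handle: str, secret: bytes, expected_pcrs: dict):
        self._sealed[handle] = (policy_digest(expected_pcrs), secret)

    def unseal(self, handle: str, selection):
        policy, secret = self._sealed[handle]
        current = {i: self.pcrs.get(i, SHA256_ZERO) for i in selection}
        return secret if policy_digest(current) == policy else None


def boot(tpm: ModelTpm, image: bytes, cmdline: bytes):
    """Model one boot: power-on reset, then firmware measures the image and
    the bootloader measures the command line it will pass to the kernel."""
    tpm.reset()
    tpm.extend(PCR_IMAGE, image)
    tpm.extend(PCR_CMDLINE, cmdline)


def demo() -> dict:
    tpm = ModelTpm()
    luks_key = b"constructed sample LUKS keyslot secret"                  # constructed
    kernel = b"vmlinuz-linux (constructed sample image bytes)"           # constructed
    cmdline = (b"rd.luks.name=00000000-0000-0000-0000-000000000000=cryptroot "
               b"root=/dev/mapper/vg-root rw")                           # constructed
    edited = cmdline + b" init=/bin/sh"
    results = {}

    # Policy over image and command line: only the provisioned boot unseals.
    tpm.seal("luks", luks_key, {PCR_IMAGE: predict_pcr([kernel]),
                                PCR_CMDLINE: predict_pcr([cmdline])})
    boot(tpm, kernel, cmdline)
    results["same_cmdline"] = tpm.unseal("luks", [PCR_IMAGE, PCR_CMDLINE])
    boot(tpm, kernel, edited)
    results["edited_cmdline"] = tpm.unseal("luks", [PCR_IMAGE, PCR_CMDLINE])

    # Weak policy over the image PCR only: the edited command line goes unnoticed.
    tpm.seal("luks-image-only", luks_key, {PCR_IMAGE: predict_pcr([kernel])})
    results["image_only_policy"] = tpm.unseal("luks-image-only", [PCR_IMAGE])

    # Unified image with the command line embedded: editing it changes the image hash.
    uki = kernel + b"\n.cmdline=" + cmdline
    tpm.seal("luks-uki", luks_key, {PCR_IMAGE: predict_pcr([uki])})
    boot(tpm, uki, b"")
    results["uki_intact"] = tpm.unseal("luks-uki", [PCR_IMAGE])
    boot(tpm, kernel + b"\n.cmdline=" + edited, b"")
    results["uki_edited"] = tpm.unseal("luks-uki", [PCR_IMAGE])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} -> {'key released' if value else 'unseal refused'}")
```

The model deliberately leaves out what makes real deployments fragile: every kernel or bootloader update changes the image measurement, so the expected PCR values must be re-predicted and the key re-sealed before the reboot, which is the job the linked tools automate.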

#4 2020-08-07 11:45:19

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [answered] unlock options with encrypted boot and root

I guess you could easily change the GRUB code to ask for the passphrase more than once (make a loop around recover_key in cryptodisk.c::scan_device_real or something like that).

The USB key is a lot harder to implement unless it's a Yubikey or similar device that pretends to be a keyboard rather than a storage device.

Grub might not even be able to access unrelated USB sticks. You can test that if you go into the interactive Grub shell when booting. Grub is not an operating system and it does not have USB drivers, it just uses whatever bios provides. So drives may or may not be there.

If you want to do crazy things you have to do them in Initramfs. Which would require unencrypted /boot. Which you can put on an USB stick...


#5 2020-08-07 14:37:49

mouseman
Member
From: Outta nowhere
Registered: 2014-04-04
Posts: 291

Re: [answered] unlock options with encrypted boot and root

Thanks both, appreciate the suggestions, but I'm not looking to go all crazy over this; it's not worth that much to me. I'm quite familiar with how things work at the moment and I am confident I can get into my system with just a default Arch installer USB key and the encryption keys / passphrases.

So if it's not possible with GRUB settings or some minor tweaking, then it's okay. I just found https://aur.archlinux.org/packages/grub-luks-keyfile/ and https://github.com/johnlane/grub, but it doesn't seem very much alive anymore. I'm reluctant and would rather stick with official Arch packages. It's a crying shame his work didn't make it upstream (seems like he just got ignored or something).

Anyway, thanks again for the suggestions!


#6 2020-08-07 15:07:56

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [answered] unlock options with encrypted boot and root

mouseman wrote:

It's a crying shame his work didn't make it upstream (seems like he just got ignored or something).

It looks like the patches were not perfect and he just gave up and never sent a new patch version. This year someone else is trying to get the patches merged and they seem to be in a good state now.
https://lists.nongnu.org/archive/html/g … 00050.html
except: https://lists.nongnu.org/archive/html/g … 00002.html

Currently there are also efforts to add support for luks2 and that has delayed the patches for multiple password attempts:
https://lists.nongnu.org/archive/html/g … 00133.html

Last edited by progandy (2020-08-07 15:13:31)


#7 2020-08-07 15:17:54

mouseman
Member
From: Outta nowhere
Registered: 2014-04-04
Posts: 291

Re: [answered] unlock options with encrypted boot and root

Ah cool I'll be keeping an eye on that, thanks!



Powered by FluxBB