You have a LUKS encrypted root partition and want to deactivate it for a while, maybe you are doing some tests or restarting a lot.
Or, like me, you want to learn more about LUKS but don't have the patience to put in the password on every boot.
A LUKS encrypted root partition.
Program dracut
Infos about the system
My partition is /dev/sda3 with name r00t
You can find out by executing lsblk and/or blkid
Backup Images on /boot
mv /boot/initramfs-linux.img /boot/initramfs-linux.img.backup
mv /boot/initramfs-linux-fallback.img /boot/initramfs-linux-fallback.img.backup
Create a password on a file
echo -n "123" > /etc/mypassword
Edit file /etc/crypttab and put the following:
r00t /dev/sda3 /etc/mypassword luks
Make Luks accept your new password file
cryptsetup -v luksAddKey /dev/sda3 /etc/mypassword
Make Dracut decrypt it on boot time
echo 'install_items="/etc/mypassword /etc/crypttab"' > /etc/dracut.conf.d/99-mypassword.conf
Run Dracut to generate the new images
dracut -f /boot/initramfs-linux.img
dracut -f -N /boot/initramfs-linux-fallback.img
Reboot the system
reboot
Note: it takes a little time to boot
Silly question, but does this not undo the benefits of encryption (i.e. security of on-disk-data at rest), as anyone with access to the disk is now able to access the data anyway?
--edit:
[…] maybe you are doing some tests […]
I guess that would be a reasonable reason to shortcut the security mechanism.
Alternatively, storing the initramfs on an external, removable device (e.g. a USB thumb drive) would also work, as a sort of poor man's 2FA…? :-}
Last edited by ayekat (2020-03-26 20:44:54)
Yes, it undoes the benefits of encryption, but it can be useful if you are learning to set up a virtual machine to later configure a server, or as I intend to use it:
Just encrypt when I am on vacation, because of the risk of theft on the plane or in the hotel.
Using a removable device also works, but I don't want to use it at home, where I spend most of my time.
I wonder where your self-made utility for this is. So far I only read a set of instructions that can easily be obtained from the dracut documentation and the Arch Wiki.
Inofficial first vice president of the Rust Evangelism Strike Force
Do you think it should be in another category? It's my first post here, I didn't find a better place to publish.
Even if there are instructions in the documentation, there aren't instructions directly for this purpose, principally for Arch.
Two comments/suggestions:
1) It would be better to store it in /root/mypassword instead of /etc/mypassword, or at least make sure the file in /etc is really not readable by regular users and stays that way.
2) Even after rolling this back and deleting the initramfs files, the old initramfs files with the mypassword file inside might still be recoverable, since these files are not overwritten in a secure manner.
Consider not putting your real passphrase in the mypassword file but a temporary one, which you luksAddKey when you want to use it and luksRemoveKey when you don't want it to work (and make it a new one every time you turn this on and off again).
Last edited by frostschutz (2020-03-27 14:08:51)
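The following script is an added example, not code from the original post or its replies. It carries out the keyfile steps of the first post (create the file, luksAddKey it) the way the reply above recommends: a random throwaway key rather than the real passphrase, kept under /root with mode 0400, added with luksAddKey when needed and removed again with luksRemoveKey. The device path and keyfile location are placeholders you pass in; it assumes cryptsetup and GNU coreutils (stat -c) are available.

```bash
#!/bin/sh
# Added example (not from the original post). Manage a temporary LUKS keyfile
# for unattended unlock, following the reply's advice: random key, private file,
# removed from the LUKS header again when no longer wanted.
# Assumptions: cryptsetup installed, GNU stat; device/keyfile paths are placeholders.

# Create a random 64-byte keyfile that is readable only by its owner (mode 0400).
# Returns non-zero if the file could not be written.
make_keyfile() {
    keyfile="$1"
    # umask 077 so the file is never world-readable, not even briefly while writing
    ( umask 077 && head -c 64 /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Return 0 only if the keyfile is owner-only (0400 or 0600), i.e. the check the
# reply asks for: "really not readable by regular users".
keyfile_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Register the temporary key in a free LUKS key slot. cryptsetup prompts for an
# existing passphrase to authorise this. Refuses if the file permissions are loose.
# Usage: enable_autounlock /dev/sda3 /root/mypassword
enable_autounlock() {
    dev="$1"; keyfile="$2"
    keyfile_is_private "$keyfile" || {
        echo "refusing: $keyfile is not mode 0400/0600" >&2
        return 1
    }
    cryptsetup -v luksAddKey "$dev" "$keyfile"
}

# Revoke the slot that matches the keyfile, then delete the file. The slot
# removal is the step that matters: any old initramfs still carrying a copy of
# the file can no longer unlock the volume once its slot is gone.
# Usage: disable_autounlock /dev/sda3 /root/mypassword
disable_autounlock() {
    dev="$1"; keyfile="$2"
    cryptsetup -v luksRemoveKey "$dev" "$keyfile"
    shred -u "$keyfile"
}
```

Generate a fresh key with make_keyfile each time you turn the feature on, as the reply suggests; the crypttab line and the dracut install_items setting from the first post then point at /root/mypassword instead of /etc/mypassword. Since the reply notes that deleted initramfs images may still be recoverable, treat luksRemoveKey, not file deletion, as the rollback.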
Good advice, thank you!
This method requires changing the initramfs generator from the default mkinitcpio to dracut.
For example, that might not work after a system upgrade, which generates a new initramfs.
Instead, there are ways to do the same with the default mkinitcpio. See https://wiki.archlinux.org/title/dm-cry … on_at_boot.