Hi all,
I would like some advice for booting encrypted partitions using keyfiles on a flash drive. I'm setting up an Intel Atom based home server, and want my data to be encrypted in case the server gets stolen. To save some encryption overhead I prefer to leave root unencrypted and only encrypt /home, and if this works, later on /var, /tmp and swap as well. My plan is to have a keyfile on a flash thumbdrive, and only have the thumbdrive plugged in while booting.
I have read the dm-crypt wiki page, but it assumes an encrypted root, and this approach won't work in my situation, where only non-root mountpoints are encrypted. If I put 'ASK' in /etc/crypttab I get prompted for the passphrase and the LUKS container unlocks and mounts fine. I can also unlock the LUKS container manually using the keyfile that I created. However, when I put the path to the keyfile in /etc/crypttab instead of 'ASK', and let the USB drive automount using a udev rule, the unlock at boot fails. It seems that my udev rule is only executed when I plug in a drive after booting, not when it is already plugged in during boot. How would I accomplish this? Mount it with fstab and automatically unmount it after booting, or some entirely different way?
my /etc/fstab:
none /dev/pts devpts defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/sda1 / ext4 defaults 0 1
/dev/sda2 swap swap defaults 0 0
/dev/mapper/home /home ext4 defaults 0 1
/etc/crypttab:
home /dev/sda3 /media/usbhd-sdc1/keyfiles/arch_server_-_home.key
/etc/udev/rules.d/01.usbdrive_automount.rules (sdb is a second, currently unused harddisk):
KERNEL=="sd[b-z]", NAME:="%k", SYMLINK+="usbhd-%k", GROUP:="users", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", SYMLINK+="usbhd-%k", GROUP:="users", NAME:="%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mkdir -p /media/usbhd-%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", PROGRAM=="/sbin/blkid -t %N", RESULT=="vfat", RUN+="/bin/mount -t vfat -o rw,noauto,flush,dirsync,noexec,nodev,noatime,dmask=000,fmask=111 /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mount -t auto -o rw,noauto,async,dirsync,noexec,nodev,noatime /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/umount -l /media/usbhd-%k"
ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/rmdir /media/usbhd-%k", OPTIONS="last_rule"
<edit>
Okay, I have found a solution. The trick was to make sure the USB stick gets mounted first, so the keyfile is available for the unlocking/mounting during boot. To do so I have added 'usb' to the hooks line in /etc/mkinitcpio.conf and recompiled the initramfs as described in the wiki link above.
Next I changed my /etc/udev/rules.d/01.usbdrive_automount.rules a little so that the mountpoint of the USB drive stays after unplugging it:
KERNEL=="sd[b-z]", NAME:="%k", SYMLINK+="usbhd-%k", GROUP:="users", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", SYMLINK+="usbhd-%k", GROUP:="users", NAME:="%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mkdir -p /media/usbhd-%k"
ACTION=="add", KERNEL=="sd[c-z][0-9]", PROGRAM=="/sbin/blkid -t %N", RESULT=="vfat", RUN+="/bin/mount -t vfat -o rw,noauto,flush,dirsync,noexec,nodev,noatime,dmask=000,fmask=111 /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="add", KERNEL=="sd[c-z][0-9]", RUN+="/bin/mount -t auto -o rw,noauto,async,dirsync,noexec,nodev,noatime /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/umount -l /media/usbhd-%k", OPTIONS="last_rule"
#ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/umount -l /media/usbhd-%k"
#ACTION=="remove", KERNEL=="sd[c-z][0-9]", RUN+="/bin/rmdir /media/usbhd-%k", OPTIONS="last_rule"
/etc/fstab:
The USB drive is put above the encrypted partition so that it gets mounted first:
none /dev/pts devpts defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/sdc1 /media/usbhd-sdc1 ext2 defaults 0 0
/dev/sda1 / ext4 defaults 0 1
/dev/sda2 swap swap defaults 0 0
/dev/mapper/home /home ext4 defaults 0 1
/etc/crypttab:
home /dev/sda3 /media/usbhd-sdc1/keyfiles/arch_server_-_luks.key
So now I plug in the flash drive, turn on the server, unplug the flash drive, and udev automatically unmounts the flash drive while leaving the mountpoint /media/usbhd-sdc1 for the next boot.
</edit>
Last edited by rwd (2009-12-04 19:36:14)
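A small check for the ordering problem the edit above works around, written as an added example rather than anything from the original post: it reads an fstab and a crypttab and reports every keyfile whose holding filesystem is either absent from fstab (so only a udev automount would provide it, racing the unlock) or listed after the /dev/mapper entry that needs it. The sample fstab/crypttab files are constructed from the before/after configs in the post.

```sh
#!/bin/sh
# Constructed sample files modelled on the post's before/after configuration.
TMP=$(mktemp -d)
printf '%s\n' '/dev/sda1 / ext4 defaults 0 1' '/dev/sda2 swap swap defaults 0 0' \
    '/dev/mapper/home /home ext4 defaults 0 1' > "$TMP/fstab_before"
printf '%s\n' '/dev/sdc1 /media/usbhd-sdc1 ext2 defaults 0 0' '/dev/sda1 / ext4 defaults 0 1' \
    '/dev/mapper/home /home ext4 defaults 0 1' > "$TMP/fstab_after"
printf '%s\n' '/dev/sda1 / ext4 defaults 0 1' '/dev/mapper/home /home ext4 defaults 0 1' \
    '/dev/sdc1 /media/usbhd-sdc1 ext2 defaults 0 0' > "$TMP/fstab_misordered"
printf '%s\n' '# name device keyfile' \
    'home /dev/sda3 /media/usbhd-sdc1/keyfiles/arch_server_-_luks.key' > "$TMP/crypttab"

# check_key_order FSTAB CRYPTTAB
# For each crypttab entry whose third field is a keyfile path, find the (non-root)
# fstab mountpoint that holds the path and require it to appear before the
# /dev/mapper/<name> line that depends on it. Returns 0 when every entry passes.
check_key_order() {
    fstab=$1 crypttab=$2 rc=0
    while read -r name key; do
        case $key in /*) ;; *) continue ;; esac   # ASK, none or blank: no mount dependency
        mapped=$(awk -v d="/dev/mapper/$name" '$1==d {print NR; exit}' "$fstab")
        # fstab line of the longest non-root mountpoint that is a path prefix of the keyfile
        keymnt=$(awk -v k="$key" '!/^[[:space:]]*#/ && NF>=2 && $2!="/" {
                p=$2 "/"; if (index(k,p)==1 && length(p)>best) {best=length(p); n=NR} }
            END {print n+0}' "$fstab")
        if [ "$keymnt" -eq 0 ]; then
            echo "FAIL $name: no fstab entry mounts a parent of $key (a udev-only mount races the unlock)"
            rc=1
        elif [ -n "$mapped" ] && [ "$keymnt" -gt "$mapped" ]; then
            echo "FAIL $name: keyfile mount is fstab line $keymnt but /dev/mapper/$name is line $mapped"
            rc=1
        else
            echo "ok   $name: keyfile mount is fstab line $keymnt, mapper line ${mapped:-n/a}"
        fi
    done <<EOF
$(grep -v '^[[:space:]]*#' "$crypttab" | awk 'NF>=3 {print $1, $3}')
EOF
    return $rc
}
```

Run it against your own files with `check_key_order /etc/fstab /etc/crypttab`; a keyfile that lives on the root filesystem will also be reported, since the check only knows about fstab mounts.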