I have been looking into the use of a keyfile for my LUKS partition (/home). However, during boot, if it can't find the keyfile it just pukes and drops me to the recovery shell.
Can it be set up to look for the keyfile, and prompt for passphrase if it can't be found? I don't want to HAVE to plug in the usb stick containing the keyfile if it's not available at the time...
Last edited by speed145a (2010-12-08 23:07:34)
ARCH x86_64 ZEN
Is it something that can be modified in the rc.sysinit?
I found this in pastebin today: http://pastebin.com/59J3JRj3
Looks pretty promising, but I'm not sure what to do with it...
Is it a replacement "crypt" hook? An rc file?
Anyone want to help me make it work?
I'd still like to know if this can be done. Should I have posted this in another forum?
I'm sure it's possible, by modifying the encrypt hook and rebuilding the initrd. You can have many LUKS keys on any given device. I unlock via crypttab with a keyfile but also have another passphrase key in case the keyfile gets damaged. You lose that USB, it gets washed, stepped on, .... you're toast; you'll never get that data back.
As for an actual solution, I has none. IIRC there was an awesome Gentoo howto on modifying the encrypt unlock hooks that I unfortunately can't find ATM. I also believe pam_mount will do this as well, if not easier, as it uses fallbacks by default, but I've never played with it.
Just looked at the default encrypt hook. It looks like this is already a feature?
    if poll_device "${cryptdev}" ${rootdelay}; then
        if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
            dopassphrase=1
            # If keyfile exists, try to use that
            if [ -f ${ckeyfile} ]; then
                if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                    dopassphrase=0
                else
                    echo "Invalid keyfile. Reverting to passphrase."
                fi
            fi
            # Ask for a passphrase (also reached when the keyfile is absent,
            # since dopassphrase stays 1 in that case)
            if [ ${dopassphrase} -gt 0 ]; then
                echo ""
                echo "A password is required to access the ${cryptname} volume:"
                # loop until we get a real password
                while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                    sleep 2;
                done
            fi
            if [ -e "/dev/mapper/${cryptname}" ]; then
                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                    export root="/dev/mapper/root"
                fi
            else
                err "Password succeeded, but ${cryptname} creation failed, aborting..."
                exit 1
            fi
        fi  # isLuks
    fi  # poll_device
I'm assuming you use LUKS/dm-crypt. If you haven't yet, add a second key to your partition with a passphrase. Do this, but with a passphrase instead - https://wiki.archlinux.org/index.php/Sy … _Partition
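The keyfile-then-passphrase logic quoted from the hook above, pulled out into a stand-alone function so it can be exercised outside the initramfs. This is an added example, not the Arch encrypt hook and not code from anyone in this thread. It assumes the cryptsetup 1.x `luksOpen` syntax the hook uses, reads the binary from `CRYPTSETUP` (default /sbin/cryptsetup) so a stub can be substituted, and, unlike the hook's endless `while` loop, gives up after a bounded number of passphrase attempts (`RETRY_DELAY` and the attempt count are parameters of this example, not of the hook).

```shell
#!/bin/sh
# Keyfile-first, passphrase-fallback unlock of a LUKS volume.
# Added example; not the Arch encrypt hook. CRYPTSETUP and RETRY_DELAY are
# assumptions of this example so it can be tested with a stub.
CRYPTSETUP="${CRYPTSETUP:-/sbin/cryptsetup}"
RETRY_DELAY="${RETRY_DELAY:-2}"

# unlock_luks DEVICE NAME [KEYFILE] [MAX_TRIES]
# Tries KEYFILE if it exists and opens the volume; otherwise prompts for a
# passphrase up to MAX_TRIES times (default 3). Prints "keyfile" or
# "passphrase" on stdout for the method that worked and returns 0; returns 1
# if DEVICE is not a LUKS header or every attempt fails.
unlock_luks() {
    dev=$1; name=$2; keyfile=${3:-}; tries=${4:-3}

    "$CRYPTSETUP" isLuks "$dev" >/dev/null 2>&1 || {
        echo "$dev is not a LUKS device" >&2
        return 1
    }

    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        # Keyfile present: try it first, exactly as the hook does.
        if "$CRYPTSETUP" --key-file "$keyfile" luksOpen "$dev" "$name"; then
            echo keyfile
            return 0
        fi
        echo "Invalid keyfile $keyfile; reverting to passphrase." >&2
    elif [ -n "$keyfile" ]; then
        # The case the original poster hit: stick not plugged in.
        echo "Keyfile $keyfile not present; reverting to passphrase." >&2
    fi

    # Passphrase fallback, bounded instead of looping forever.
    n=0
    while [ "$n" -lt "$tries" ]; do
        n=$((n + 1))
        echo "A password is required to access the $name volume (attempt $n of $tries):" >&2
        if "$CRYPTSETUP" luksOpen "$dev" "$name"; then
            echo passphrase
            return 0
        fi
        sleep "$RETRY_DELAY"
    done
    echo "Giving up on $name after $tries passphrase attempts." >&2
    return 1
}

# Usage (real run, as root): unlock_luks /dev/sdb1 home /mnt/usb/home.key
```

Because the keyfile check is `[ -f ... ]` rather than an error, an absent stick degrades to a prompt instead of a recovery shell; a present but wrong keyfile also degrades to a prompt, which is the "Invalid keyfile" branch of the hook.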
OK.... perhaps I'm missing something more fundamental...
I have not been successful at getting my home partition to unlock during boot using a keyfile. Do I need to regenerate my initrd with the crypt hook even on non-root partitions?
Yes. Then take a look at /etc/crypttab and add your /home accordingly. You might want to look here: https://wiki.archlinux.org/index.php/Mkinitcpio
If it still gives you trouble, try the encrypt hook before the filesystems hook in the list. Also, you might need the usb hook if it doesn't autodetect your stick properly.
These are the examples from crypttab. This will set the primary authentication routine to unlock the drive, then in fstab to actually mount it:
    # NAME   SOURCE DEVICE   PASSWORD           OPTIONS
    #home    /dev/hda4       mypassword
    #data1   /dev/hda3       "my \"password\""
    #data2   /dev/hda5       /etc/cryptfs.key
So if it's your home partition, fstab will mount from /dev/mapper/home:
    /dev/mapper/home    /home    reiserfs    defaults    0 0
or whatever your fs is.
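The earlier advice to keep a passphrase slot next to the keyfile, and the crypttab/fstab entries just above, as one added worked example (not from the thread, the Arch wiki, or the encrypt hook). It uses the keyfile to authorize `luksAddKey`, then parses `cryptsetup luksDump` for the LUKS1 `Key Slot N: ENABLED` lines so you can confirm two slots are live before rebooting; the device /dev/sdb1, the keyfile path, the `CRYPTSETUP` override and the LUKS1 dump format are assumptions of this example (LUKS2 prints slots differently).

```shell
#!/bin/sh
# Add a passphrase slot beside an existing keyfile slot, verify both are
# enabled, and print the crypttab/fstab lines. Added example; CRYPTSETUP is
# overridable so the luksDump/luksAddKey calls can be stubbed in tests.
CRYPTSETUP="${CRYPTSETUP:-/sbin/cryptsetup}"

# enabled_slots DEVICE: number of enabled key slots (LUKS1 luksDump format).
enabled_slots() {
    "$CRYPTSETUP" luksDump "$1" | grep -c '^Key Slot [0-7]: ENABLED' || :
}

# add_passphrase_slot DEVICE KEYFILE: the existing keyfile authorizes adding
# a new slot; cryptsetup prompts interactively for the new passphrase.
add_passphrase_slot() {
    "$CRYPTSETUP" --key-file "$2" luksAddKey "$1"
}

# ready_for_reboot DEVICE: succeed only if at least two slots are enabled,
# i.e. losing the USB stick does not lose the data.
ready_for_reboot() {
    n=$(enabled_slots "$1")
    [ "$n" -ge 2 ] && return 0
    echo "only $n key slot(s) enabled on $1; add a passphrase before relying on the keyfile" >&2
    return 1
}

# crypttab_line NAME DEVICE KEYFILE: NAME SOURCE DEVICE PASSWORD columns.
crypttab_line() { printf '%s\t%s\t%s\n' "$1" "$2" "$3"; }

# fstab_line NAME MOUNTPOINT FSTYPE: mount the opened mapping, not the raw device.
fstab_line() { printf '/dev/mapper/%s\t%s\t%s\tdefaults\t0 0\n' "$1" "$2" "$3"; }

main() {
    dev=$1; keyfile=$2; name=${3:-home}
    ready_for_reboot "$dev" 2>/dev/null || add_passphrase_slot "$dev" "$keyfile"
    ready_for_reboot "$dev" || exit 1
    echo "# /etc/crypttab"; crypttab_line "$name" "$dev" "$keyfile"
    echo "# /etc/fstab";    fstab_line "$name" "/$name" ext4
}

# Real run (as root): ./setup_home_unlock.sh /dev/sdb1 /mnt/usb/home.key home
if [ "$#" -ge 2 ]; then main "$@"; fi
```

After the two slots check out, rebuild the initramfs (`mkinitcpio -p <preset>`) with the usb and encrypt hooks ordered before filesystems as described above; the slot count is the check to run before you trust the stick.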