Unlocking LUKS with USB key - method - seeking help to improve - Page 4
FedoraForum.org - Fedora Support Forums and Community
  1. #46
    Join Date
    Aug 2007
    Posts
    24

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Moving to Fedora 26.

    Prerequisites
    1. No /boot encryption
      The great patches for grub from the following links would solve all the problems, but sadly they are not included in the distribution:
      http://grub.johnlane.ie/
      https://github.com/johnlane/grub

    2. FAT sdcard/usb with luks 'unlocker.key' file in its root directory
      Code:
      UUID=1111-1111
    3. Hdd with / and swap as LVM volumes, both on the same luks
      Code:
      --------------------------------------------------------------------------
      LVM volume vg-fedora-lv-os | LVM volume vg-fedora-lv-swap (UUID:33333333-3333-3333-3333-333333333333)
      --------------------------------------------------------------------------
      LVM group vg-fedora
      --------------------------------------------------------------------------
      luks UUID:22222222-2222-2222-2222-222222222222
      --------------------------------------------------------------------------
      hdd partition
      --------------------------------------------------------------------------


    Unlocking the system using the luks key on an external device (or falling back to the passphrase if there is no key device), which also allows resuming from swap hibernation

    1. Directory created /mnt/unlocker

    2. Entries in /etc/crypttab
      Code:
      luks-22222222-2222-2222-2222-222222222222 UUID=22222222-2222-2222-2222-222222222222 /tmp/unlocker.key
    3. Entries /etc/fstab
      Code:
      /dev/mapper/vg-fedora-lv-os /                       ext4    <rest of the options>
      /dev/mapper/vg-fedora-lv-swap swap                    swap    <rest of the options>
      UUID=1111-1111 /mnt/unlocker vfat ro,umask=0277,x-systemd.device-timeout=5,noauto 0 0
    4. File
      cat /etc/dracut.conf.d/luks-workaround.conf
      Code:
      # file in /etc/dracut.conf.d/
      
      # Use fstab for discovering mount options
      use_fstab="yes"
      
      # Define initramfs fstab entry for luks key device.
      # A timeout defines time after which fallback to password request is used if the device is not present/inserted
      # This line is actually a copy of the same entry from /etc/fstab
      fstab_lines+=("UUID=1111-1111 /mnt/unlocker vfat ro,umask=0277,x-systemd.device-timeout=5,noauto 0 0")
      
      # Include workaround for systemd to fallback to passphrase request for resume partition if no luks key device is present
      install_items+=" /etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf"
      
      # This allows resume device to use a mount for the device with luks key.
      # This automatically adds the dependency for resume device, so the 'resume=' entry in kernel command line is not needed
      # Note: The original file /usr/lib/systemd/system/systemd-hibernate-resume@.service has Before= dependency on local-fs-pre.target
      #       which means the device with luks key cannot be mounted (so only keyboard password can be used).
      #       The runtime generator creating link in sysinit.target.wants/ ignores priority files in /etc/systemd/
      #       and is hardcoded to link to files in /usr/lib/systemd/, thus the file in /etc/systemd/ must already be
      #       created manually. Moreover, it cannot be a file but must be a symlink.
      #       That is why both of the following files must be created: the first is a modified copy of the file from /usr/lib/systemd/,
      #       the second is a symlink to it.
      # Note: The kernel command line 'resume=' is only used by the generator to create the symlink in sysinit.target.wants/;
      #       as the symlink below already exists, the command line entry is not needed.
      install_items+=" /etc/systemd/system/systemd-hibernate-resume@.service"
      install_items+=" /etc/systemd/system/sysinit.target.wants/systemd-hibernate-resume@dev-disk-by\x2duuid-33333333\x2d3333\x2d3333\x2d3333\x2d333333333333.service"
      
      # Include workaround for systemd to mount luks key device again in OS, which was just mounted in initramfs
      install_items+=" /etc/systemd/system/mnt-unlocker.mount.d/umount-initramfs.conf"
    5. File
      cat /etc/systemd/system/mnt-unlocker.mount.d/umount-initramfs.conf
      Code:
      # Starting with Fedora 21, when a device is mounted in initramfs,
      # its .mount systemd unit is set to inactive when leaving initramfs,
      # but it cannot be started again immediately after that in OS.
      # Maybe the reason is that switch root is no-block.
      # Anyway this file makes this possible.
      # Note: not verified if still needed in fedora 26
      
      [Unit]
      Conflicts=initrd-cleanup.service

    6. File
      cat /etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf
      Code:
      # This is a workaround for systemd not able to ask for a luks password
      # if the device with luks key file is not available (e.g. USB not inserted).
      # Bugzilla 905683 "rd.luks.key is ignored"
      
      [Unit]
      Description=Bugzilla 905683 Cryptography Setup for %I
      Documentation=https://bugzilla.redhat.com/show_bug.cgi?id=905683 http://forums.fedoraforum.org/showpost.php?p=1696031&postcount=45
      After=mnt-unlocker.mount
      Wants=mnt-unlocker.mount
      RequiresMountsFor=/tmp/unlocker.key
      
      [Service]
      ExecStartPre=-/usr/bin/ln -s /mnt/unlocker/unlocker.key /tmp/unlocker.key

    7. Symlink
      ls -al /etc/systemd/system/sysinit.target.wants/systemd-hibernate-resume@dev-disk-by\\x2duuid-33333333\\x2d3333\\x2d3333\\x2d3333\\x2d333333333333.service
      Code:
      /etc/systemd/system/sysinit.target.wants/systemd-hibernate-resume@dev-disk-by\x2duuid-33333333\x2d3333\x2d3333\x2d3333\x2d333333333333.service -> /etc/systemd/system/systemd-hibernate-resume@.service
    8. File
      cat /etc/systemd/system/systemd-hibernate-resume@.service
      Code:
      #  This file takes priority over the generated file.
      #  It changes the default dependency on local-fs-pre.target so the resume device can be used
      #  AFTER the device with luks key is mounted.
      #  This file must be symlinked from sysinit.target.wants/ with a symlink
      #  having a resume device encoded in its name.
      
      [Unit]
      Description=Resume from hibernation using LUKS device %f
      Documentation=man:systemd-hibernate-resume@.service(8)
      DefaultDependencies=no
      BindsTo=%i.device
      Wants=local-fs.target
      After=%i.device
      Before=local-fs.target
      ConditionPathExists=/etc/initrd-release
      
      [Service]
      Type=oneshot
      ExecStart=/usr/lib/systemd/systemd-hibernate-resume %f
    Last edited by prudy; 4th November 2017 at 06:07 PM.

  2. #47
    Join Date
    Mar 2018
    Location
    Sofia
    Posts
    8

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Hi @prudy
    I'm trying to modify this for a slightly different case. Only /home is encrypted and I want to use a small 4KiB partition as the keyfile on an SD card and/or USB keyfob.

    Do I get it right that I only have to edit crypttab and regenerate the initrd?

  3. #48
    Join Date
    Aug 2007
    Posts
    24

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Quote Originally Posted by Yasen6275
    Hi @prudy
    I'm trying to modify this for a slightly different case. Only /home is encrypted and I want to use a small 4KiB partition as the keyfile on an SD card and/or USB keyfob.
    Do I get it right that I only have to edit crypttab and regenerate the initrd?
    Hi,
    If nothing has changed in systemd in Fedora 29 then sadly you have to go through steps 1..6 (you may omit the 'hibernate' entries in step 4).
    Only if you don't want the automatic fallback to passphrase when the usb/sd is physically removed can you stick to crypttab alone.

  4. #49
    Join Date
    Mar 2018
    Location
    Sofia
    Posts
    8

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    I'm using the small partition as a file, not as a file system. So there is no point in making fstab entries, neither in the normal fstab nor in the initrd, right?
    I'm not using hibernation so I'm skipping that.
    Because I'm not mounting a file system, the umount-initramfs.conf is not needed, right?
    So the only thing left in /etc/dracut.conf.d/luks-workaround.conf is
    Code:
    # Include workaround for systemd to fallback to passphrase request for resume partition if no luks key device is present
    install_items+=" /etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf"
    and
    /etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf
    Code:
    # This is a workaround for systemd not able to ask for a luks password
    # if the device with luks key file is not available (e.g. USB not inserted).
    # Bugzilla 905683 "rd.luks.key is ignored"
    
    [Unit]
    Description=Bugzilla 905683 Cryptography Setup for %I
    Documentation=https://bugzilla.redhat.com/show_bug.cgi?id=905683 http://forums.fedoraforum.org/showpo...1&postcount=45
    After=mnt-unlocker.mount
    Wants=mnt-unlocker.mount
    RequiresMountsFor=/tmp/unlocker.key
    
    [Service]
    ExecStartPre=-/usr/bin/ln -s /mnt/unlocker/unlocker.key /tmp/unlocker.key
    The second one is just making a symlink for the keyfile in /tmp. How does this help with the fallback to password?

  5. #50
    Join Date
    Aug 2007
    Posts
    24

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Quote Originally Posted by Yasen6275
    I'm using the small partition as a file, not as a file sistem.
    Here I'm not sure if the key can be taken from a block device instead of a file (as the whole content is read). But please verify.
    You still might hit a problem with a non-existent key if the device with the partition is removed.

    Quote Originally Posted by Yasen6275
    Because I'm not mounting a file system the umount-initramfs.conf is not needed, right?
    I think it's not needed.

    Quote Originally Posted by Yasen6275
    So the only thing left in /etc/dracut.conf.d/luks-workaround.conf and
    /etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf
    The second one is just making a symlink for the keyfile in /tmp. How does this help with the fallback to password?
    This is actually the main point of all of this.
    The passphrase fallback already exists in the crypt service, but it behaves as follows (unless changed over the years):
    • key file exists with valid content - crypt container is opened
    • key file exists with invalid content - crypt service asks for the passphrase
    • key file is missing (e.g. no device inserted) - crypt service is not even started

    The symlink changes this behaviour to this:
    • symlink to valid content - crypt container is opened
    • symlink to invalid content - crypt service asks for the passphrase
    • symlink to the missing key file (e.g. no device inserted but the symlink exists) - crypt service asks for the passphrase

  6. #51
    Join Date
    Mar 2018
    Location
    Sofia
    Posts
    8

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Quote Originally Posted by prudy
    Here I'm not sure if the key can be taken from a block device instead of a file (as the whole content is read). But please verify.
    Direct reading from /dev/sd?? works ok. Will try in a few min with a symlink.
    Quote Originally Posted by prudy
    ...This is actually the main point of all of this.
    The passphrase fallback already exists in the crypt service, but it behaves as follows (unless changed over years):
    • key file exists with valid content - crypt container is opened
    • key file exists with invalid content - crypt service asks for the passphrase
    • key file is missing (e.g. no device inserted) - crypt service is not even started

    The symlink changes this behaviour to this:
    • symlink to valid content - crypt container is opened
    • symlink to invalid content - crypt service asks for the passphrase
    • symlink to the missing key file (e.g. no device inserted but the symlink exists) - crypt service asks for the passphrase
    That makes it crystal clear why just editing crypttab is not enough. Thank you very much for the clarification. Also, if the card/key is swapped for one that has the same partition (by device name) but a much bigger size, boot might be quite slow. To prevent that, one must add an option to crypttab like this:
    Code:
    luks-22222222-2222-2222-2222-222222222222 UUID=22222222-2222-2222-2222-222222222222 /dev/sd?? {other options if any,}keyfile-size={size in bytes}
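Because a mistake in any one of the four pieces (crypttab, fstab, the systemd-cryptsetup drop-in, the dracut config) means either no passphrase fallback or a boot that hangs waiting for the stick, a pre-reboot sanity check is worth having. The script below is an added example, not code from prudy or from this thread: it reads the files from steps 2..6 of post #46 under a root prefix (so it can be pointed at a staging copy or at the live system), checks the points the thread calls out (ro,umask=0277,noauto on the key device mount, the After=/RequiresMountsFor=/ExecStartPre= lines in the drop-in, the install_items and fstab_lines entries for dracut), and classifies the key path into the three states prudy lists in post #50 (present, dangling symlink, missing). The function names, the root-prefix parameter and the staging tree it builds are my own constructions; the UUIDs, paths and unit names are the thread's sample values.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot sanity check for the
# "LUKS key on USB stick, passphrase fallback" setup described above.
# It only reads configuration files; it never touches a LUKS header or key.
# Every function takes a root prefix, so it runs against a staging copy of
# the files as well as against "/" on the live system.

# Key path (3rd field of /etc/crypttab) for a mapping name; "none" when the
# entry has no key field, "missing" when there is no entry at all.
crypttab_keyfile() {   # $1 = root prefix, $2 = mapping name
    awk -v n="$2" '$1 == n { print ($3 == "" ? "none" : $3); f = 1 }
                   END { if (!f) print "missing" }' "$1/etc/crypttab" 2>/dev/null
}

# What systemd-cryptsetup finds at the key path, in prudy's three cases:
# a real file (or a symlink to one) opens the container, a dangling symlink
# leads to the passphrase prompt, nothing at all means the service never runs.
keyfile_state() {      # $1 = root prefix, $2 = key path
    p="$1$2"
    if [ -L "$p" ]; then
        [ -e "$p" ] && echo symlink-to-file || echo dangling-symlink
    elif [ -e "$p" ]; then echo file
    else echo missing
    fi
}

# The key-device fstab line must be read-only, root-only (umask=0277) and
# noauto, so an absent stick cannot block boot or expose the key to users.
fstab_keydev_ok() {    # $1 = root prefix, $2 = mount point
    opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "$1/etc/fstab" 2>/dev/null)
    [ -n "$opts" ] || return 1
    for want in ro umask=0277 noauto; do
        case ",$opts," in *",$want,"*) ;; *) return 1 ;; esac
    done
}

# The systemd-cryptsetup drop-in must order after the key-device mount and
# pre-create the symlink that turns "key missing" into "ask for passphrase".
dropin_ok() {          # $1 = root prefix, $2 = key path, $3 = mount unit
    f="$1/etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf"
    [ -f "$f" ] &&
    grep -qF -- "After=$3" "$f" &&
    grep -qF -- "RequiresMountsFor=$2" "$f" &&
    grep -q -- "^ExecStartPre=-/usr/bin/ln -s .* $2\$" "$f"
}

# dracut has to ship the drop-in and the key-device fstab line into the
# initramfs, otherwise the live configuration is never seen at boot.
dracut_conf_ok() {     # $1 = root prefix, $2 = mount point
    all=$(cat "$1"/etc/dracut.conf.d/*.conf 2>/dev/null)
    printf '%s\n' "$all" | grep -q '^use_fstab="yes"' &&
    printf '%s\n' "$all" | grep -qF 'systemd-cryptsetup@.service.d/luks-key-device.conf' &&
    printf '%s\n' "$all" | grep -q -- "^fstab_lines+=(.* $2 "
}

# Overall verdict: prints one line per check, returns 0 only if all pass.
check_all() {          # $1 = root, $2 = mapping, $3 = mount point, $4 = mount unit
    key=$(crypttab_keyfile "$1" "$2"); rc=0
    case "$key" in missing|none) echo "FAIL crypttab: no key file for $2"; return 1 ;; esac
    echo "ok   crypttab: $2 unlocks with $key (now: $(keyfile_state "$1" "$key"))"
    fstab_keydev_ok "$1" "$3" && echo "ok   fstab: $3 is ro,umask=0277,noauto" ||
        { echo "FAIL fstab: $3 line missing or too permissive"; rc=1; }
    dropin_ok "$1" "$key" "$4" && echo "ok   drop-in: symlink fallback in place" ||
        { echo "FAIL drop-in: crypttab alone gives no passphrase fallback"; rc=1; }
    dracut_conf_ok "$1" "$3" && echo "ok   dracut: workaround goes into the initramfs" ||
        { echo "FAIL dracut: initramfs will not contain the workaround"; rc=1; }
    return $rc
}

# Constructed staging tree with the thread's files (sample data, not a real
# system). Variant "crypttab-only" writes just /etc/crypttab, the setup the
# thread explains is not enough; "full" writes all four pieces.
make_sample_tree() {   # $1 = dir, $2 = variant
    mkdir -p "$1/etc/dracut.conf.d" "$1/tmp" "$1/mnt/unlocker" \
             "$1/etc/systemd/system/systemd-cryptsetup@.service.d"
    printf '%s\n' 'luks-22222222-2222-2222-2222-222222222222 UUID=22222222-2222-2222-2222-222222222222 /tmp/unlocker.key' \
        > "$1/etc/crypttab"
    [ "$2" = full ] || return 0
    printf '%s\n' '/dev/mapper/vg-fedora-lv-os / ext4 defaults 1 1' \
        'UUID=1111-1111 /mnt/unlocker vfat ro,umask=0277,x-systemd.device-timeout=5,noauto 0 0' > "$1/etc/fstab"
    printf '%s\n' 'use_fstab="yes"' \
        'fstab_lines+=("UUID=1111-1111 /mnt/unlocker vfat ro,umask=0277,x-systemd.device-timeout=5,noauto 0 0")' \
        'install_items+=" /etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf"' \
        > "$1/etc/dracut.conf.d/luks-workaround.conf"
    printf '%s\n' '[Unit]' 'After=mnt-unlocker.mount' 'Wants=mnt-unlocker.mount' \
        'RequiresMountsFor=/tmp/unlocker.key' '' '[Service]' \
        'ExecStartPre=-/usr/bin/ln -s /mnt/unlocker/unlocker.key /tmp/unlocker.key' \
        > "$1/etc/systemd/system/systemd-cryptsetup@.service.d/luks-key-device.conf"
    # What ExecStartPre leaves behind while the stick is absent: a dangling
    # link (relative target here so it resolves inside the staging tree).
    ln -s ../mnt/unlocker/unlocker.key "$1/tmp/unlocker.key"
}

# Demo on a throwaway tree. On a live box:
#   check_all / luks-<your uuid> /mnt/unlocker mnt-unlocker.mount
demo=$(mktemp -d)
make_sample_tree "$demo" full
check_all "$demo" luks-22222222-2222-2222-2222-222222222222 /mnt/unlocker mnt-unlocker.mount
rm -rf "$demo"
```

The check is deliberately static: it does not try to open the container, so it can be run as an unprivileged user on a copy of /etc before regenerating the initramfs. A "missing" key state on the live system is normal before the first boot with the drop-in in place, since /tmp/unlocker.key is only created by ExecStartPre; the drop-in check is what tells you whether that will happen.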
