Unlocking LUKS with USB key - method - seeking help to improve - Page 2
FedoraForum.org - Fedora Support Forums and Community
  1. #16
    Join Date
    Aug 2009
    Location
    Waldorf, Maryland
    Posts
    7,345

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    You might check the initrd filesystem and see if the USB driver is in there...

    It would have to be loaded first - if it is there, make sure it is active (modprobe and
    get it loaded ?). This may need to be done in the script as part of obtaining the USB
    key.

  2. #17
    Join Date
    Jun 2005
    Location
    Westminster, Colorado
    Posts
    2,306

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    My first guess would be that the ramdisk kernel might not understand the filesystem on the USB key or not have USB support enabled.

  3. #18
    Join Date
    Jun 2009
    Location
    Biggleswade, Bedfordshire, England
    Posts
    22

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    I have continued to research my own dracut modifications, but chose not to post here until today. I did consider emailing the guys at Red Hat who wrote dracut, but chickened out! Not being a programmer, I cannot speak the same language!

    As the thread has been brought back from the dead I have updated my first post with the latest method I am using. I also have some further information to share:

    GOTCHAS: When upgrading Fedora versions, you must remove the key, reboot, then upgrade. This applies to the offline method with a DVD and the online method using Yum. You will not be able to run /sbin/grub-install /dev/sda as the blank USB key will be in the way and running /sbin/grub-install /dev/sdb will throw a BIOS error. You have been warned!

    Useful tip: Remember to take copies of your modifications as they will be wiped with updates to dracut.
    Last edited by gaztronics; 16th June 2010 at 11:31 PM.

  4. #19
    Join Date
    Jun 2010
    Posts
    2

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Ok, I have tried a few avenues and here is what I have discovered. All the appropriate modules appear to be present. The kernel detects the plug event when I put the drive in a USB slot. But there is a caveat. Apparently I wasn't paying attention to the output of the command 'ls -l /dev/usbkey*' that I put at the top of the cryptroot-ask.sh script. This is the output I get using that command in the booted OS with the USB key I am trying to use:

    Code:
     lrwxrwxrwx. 1 root root      3 Jun 17 18:07 /dev/usbkey -> sdb
     lrwxrwxrwx. 1 root root     11 Jun 17 18:07 /dev/usbkey0 -> bsg/8:0:0:0
     lrwxrwxrwx. 1 root root      3 Jun 17 18:07 /dev/usbkey2 -> sg2
     lrwxrwxrwx. 1 root root     15 Jun 17 18:07 /dev/usbkey5 -> bus/usb/001/006
    OK, so far so good, but when I do that same command in the cryptroot-ask.sh script in the init ramdisk environment with the USB drive plugged in it gives me this answer:

    Code:
     lrwxrwxrwx. 1 root root     15 Jun 17 18:07 /dev/usbkey5 -> bus/usb/001/006
    As you can see the listing for the usbkey devices is a bit curtailed. I can't use /dev/usbkey5 for a luks key as it appears to just be a system tag for the bus it's on. The /dev/usbkey device never shows up no matter how long I wait or how many times I un/replug the thumb drive (as before, hitting escape re-runs the cryptroot-ask.sh script and gives me a new directory listing).

    In case you ask, the thumb drive I am trying to use is an older generic 64MB USB 2.0 key a friend received when getting Santa pictures for the kids at the local mall - yes, I know it's a bit old and a bit too cheap, but it seems appropriate to use this thumb drive as I can't really use it for anything else these days. I have a couple others I can try to use, but I haven't had the time to back up the data on them. Maybe I'll get time soon, but anyway I should be able to get this one to work as it works perfectly fine in the booted OS. In my mind that means it should not have a problem in the init ramdisk environment because it's all the same modules, kernel, and utilities in the system.

    ---------- Post added at 09:43 PM CDT ---------- Previous post was at 07:18 PM CDT ----------

    UPDATE: I just tried the entire procedure with a known good Kingston 1GB USB stick, and the exact same results occurred. The device is seen by the kernel when plugged in (USB messages are printed to the console when the event happens), but udev will not create the /dev/usbkey node, it only creates the bus pointer node of /dev/usbkey5 and stops there. The /dev/usbkey device node is correctly created when booted into the OS, but I have noticed watching the /dev directory the udev process takes about 5-6 seconds to create all the device nodes - /dev/usbkey5 is created practically instantly, and /dev/usbkey is created last. I am not sure how this ties in to the boot process, but it seems not to matter if I have a sleep command in the cryptroot-ask.sh or not. For the record, I am trying this procedure on an HP Pavilion a1710n with the ASUS A8M2N-LA (NodusM3) motherboard running the GeForce 6150 LE chipset. I have tried all the USB slots on the system with the same result, so it's not a one-bus-works-not-another issue. I guess I'll have to give up on this method on this particular machine, not sure when I will get another.

  5. #20
    Join Date
    Jun 2009
    Location
    Biggleswade, Bedfordshire, England
    Posts
    22

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    My server shows the same sort of USB devices:

    Code:
    lrwxrwxrwx 1 root root      3 Jun 16 09:54 /dev/usbkey -> sda
    lrwxrwxrwx 1 root root     11 Jun 16 09:54 /dev/usbkey0 -> bsg/0:0:0:0
    lrwxrwxrwx 1 root root      3 Jun 16 09:54 /dev/usbkey1 -> sg1
    lrwxrwxrwx 1 root root     15 Jun 16 09:54 /dev/usbkey6 -> bus/usb/001/003
    When I first started experimenting, I had to use kernel commands to put the boot process into debug so I could see what was going on. It has been a while, but I believe I used this process:

    At the grub screen, press 'a' and remove the "rhgb" and "quiet" from the kernel command line and replace them with "rdinitdebug rdshell". You will be able to follow the boot process with lots of verbose output. This should show you if the USB subsystem is taking a really long time to load. If the boot process fails, it will drop to a shell.

    This page lists the options: https://fedoraproject.org/wiki/Dracut/Debugging

    After getting it all to work on my laptop, I had another problem on my server where the RAID card took an age to detect. I ended up sleeping cryptroot-ask.sh for 10 seconds and adding a further sleep of 10 seconds to /sbin/dd-luks-unlock to allow the RAID array to become available. The last updates to udev and dracut before F13 fixed that and I could remove both sleeps. My laptop still needs a 10 second "time-out" to wait for the USB subsystem.

  6. #21
    Join Date
    Nov 2009
    Posts
    65

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Hi. I was trying your method. However I am hitting a big wall here. It looks like cryptroot-ask.sh never gets called at startup. I added some echo at the top and never see them. I googled a little bit and played with various parameters in grub.conf such as rd_NO_LUCKS and rd_LUCK_UUID but it did not help.

    Any hint on how to get cryptroot-ask.sh executed would be helpful. Thanks.

  7. #22
    Join Date
    Jun 2009
    Location
    Biggleswade, Bedfordshire, England
    Posts
    22

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Are you modifying cryptroot-ask.sh in /usr/share/dracut/modules.d/50plymouth ?

    I found this file ran at boot by placing echo commands in it. Did you try rdinitdebug rdshell in grub.conf to watch the boot process? You will only see your echo command if you are outputting the debug information during boot.

  8. #23
    Join Date
    Nov 2009
    Posts
    65

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    I already tried echo commands (with setting rdinit and rdshell) but do not see them. When are they supposed to be displayed? Also do they get logged in messages?

  9. #24
    Join Date
    Jun 2009
    Location
    Biggleswade, Bedfordshire, England
    Posts
    22

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    I used the debugging info posted earlier in the thread and there is this page as well:

    http://fedoraproject.org/wiki/How_to...racut_problems

    I think the logged output ends up in /tmp, but it was a while ago and I cannot remember exactly.

  10. #25
    Join Date
    Jun 2009
    Location
    Biggleswade, Bedfordshire, England
    Posts
    22

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Update to method for changes in Fedora 14

    The symlink to awk has been removed in the latest version of dracut, so I have modified the dd-luks-unlock script to use gawk instead (same app, no symlink):

    Code:
    #!/bin/sh
    #
    # Script to unlock LUKS volume with USB key
    #
    # Gaztronics
    #
    # Last updated: 5th November 2010

    # Read in luks and UUID information
    #
    LUKS=$(grep "${HAL_PROP_VOLUME_UUID#*_uuid_}" /etc/crypttab)
    DEVICE=$(echo "$LUKS" | gawk '{print $2}' | gawk -F= '{print $2}')
    MAPPER=$(echo "$LUKS" | gawk '{print $1}')

    DEV="/dev/disk/by-uuid/$DEVICE"

    # Optional sleep if your system is slow to detect RAID volumes.
    # Remember to set /usr/share/dracut/modules.d/50plymouth/cryptroot-ask
    # to sleep for 20 seconds (instead of 10 if you set 10 here!).
    #
    #sleep 10

    # Open LUKS volume
    #
    dd if=/dev/usbkey bs=1 count=4096 | \
    cryptsetup luksOpen "$DEV" "$MAPPER" --key-file=- --key-slot 1

    # Clean up
    #
    unset DEV DEVICE MAPPER LUKS

    # We are done!
    #
    exit 0

    /usr/share/dracut/modules.d/50plymouth/install has been changed to remove the "inst awk" line; "inst gawk" remains.

  11. #26
    Join Date
    Aug 2007
    Posts
    24

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    What about having the key-on-device functionality in the system scripts to minimize user work on this. I propose the following changes:
    • adding new timeout parameter into crypttab options that defines maximum time till the key file becomes available
    • modified cryptroot-ask and init.d/functions so they are aware of the new functionality
    • modifying them to make use of the 'size' parameter that really is used by the luksOpen (manual mentions this only in key-size description) so the number of bytes read from the key can be limited and block dev can be used directly
    • leaving for the user crypttab+fstab and two 1-line rules to write (so the symlink is created automatically)


    Example:
    1. Assume there is:
      • a swap luks partition with key slot using the key from file (and password in case of no keyfile)
      • usb key which has this key in the first bytes of its MBR
    2. Create /etc/udev/rules.d/10-unlocker.rules file in initramfs with:
      Code:
      ACTION=="add", KERNEL=="sd*[!0-9]", SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}=="_something_", ATTRS{idProduct}=="_something_", ATTRS{serial}=="_something_", SYMLINK+="unlocker"
    3. Create /etc/udev/rules.d/99-unlocker.rules in root filesystem with the same contents.
    4. Create /etc/crypttab e.g.:
      Code:
      luks-swap UUID=_luks_uuid_ /dev/unlocker size=256,tout=10
      luks-swap UUID=_luks_uuid_
      The second entry without the key will ask for password if the keyfile is not present.
    5. Of course /etc/fstab:
      Code:
      UUID=_filesystem_inside_luks_uuid_ swap swap defaults 0 0
    6. /etc/init.d/functions as attached (based on initscripts-9.20.1-1.fc14.x86_64)
    7. cryptroot-ask as attached (based on dracut-006-3.fc14.noarch)


    If anyone needs it, the USB can also be luks-crypted and mentioned in crypttab; then the key could go into the first area of the luks payload, or, if a filesystem is created, into a regular file, so it has to be mounted prior to use - if it makes sense to have an encrypted USB at all.

    Without changing original files it should still be possible to use this by:
    • writing custom luks.rules that would call attached file instead original one as RUN
    • blocking original rules with OPTIONS+="last_rule" added to the custom rules (I hope it works that way)

  12. #27
    Join Date
    Nov 2010
    Posts
    8

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    I've added an additional disk to my system, which I've also encrypted. The problem with the original dd-luks-unlock script is that it does not cope with more than one entry in /etc/crypttab. So what is the best way to have it parse each line in /etc/crypttab in turn and parse appropriate entries, also ignoring those lines used for comments?
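    One way to handle more than one crypttab entry, added here as an example and not code posted in the thread: every non-comment line is read in turn, the device field is resolved, and the same dd | cryptsetup pipeline as dd-luks-unlock is run per entry. The function names and the CRYPTTAB, KEYDEV, KEYLEN and UNLOCK_CMD variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: walk every entry in a crypttab
# instead of grepping for one UUID as dd-luks-unlock does. The names
# crypttab_entries, resolve_device, unlock_all and the variables CRYPTTAB,
# KEYDEV, KEYLEN and UNLOCK_CMD are assumptions made for this example.
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"
KEYDEV="${KEYDEV:-/dev/usbkey}"   # raw key bytes at the start of the stick
KEYLEN="${KEYLEN:-4096}"          # must match the count used with luksAddKey

# Print "mapper device" for each real entry of the file given as $1.
# Comment lines (leading #), blank lines and lines with fewer than two
# fields are skipped; the keyfile and options fields are dropped.
crypttab_entries() {
    while read -r mapper device _rest; do
        case "$mapper" in '' | \#*) continue ;; esac
        [ -n "$device" ] || continue
        printf '%s %s\n' "$mapper" "$device"
    done < "$1"
}

# Turn a crypttab device field into a path cryptsetup can open.
resolve_device() {
    case "$1" in
        UUID=*)  printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        LABEL=*) printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Default unlock action: same dd | cryptsetup pipeline as dd-luks-unlock,
# but for the device and mapper name passed in as $1 and $2.
default_unlock() {
    dd if="$KEYDEV" bs=1 count="$KEYLEN" 2>/dev/null |
        cryptsetup luksOpen "$1" "$2" --key-file=- --key-slot 1
}

# Unlock every entry in $CRYPTTAB. The here-document keeps the loop in the
# current shell so the failure counter survives; a pipe into "while" would
# run it in a subshell. Returns the number of entries that were not opened.
unlock_all() {
    failed=0
    entries=$(crypttab_entries "$CRYPTTAB")
    while read -r mapper device; do
        [ -n "$mapper" ] || continue
        dev=$(resolve_device "$device")
        if [ ! -e "$dev" ]; then
            echo "skipping $mapper: $dev is not present" >&2
            failed=$((failed + 1))
        elif ! "${UNLOCK_CMD:-default_unlock}" "$dev" "$mapper"; then
            echo "failed to open $mapper" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$entries
EOF
    return "$failed"
}

# Only act on the real crypttab when asked to; sourcing or testing the
# file must not touch any device.
if [ "${1:-}" = "--run" ]; then
    unlock_all
fi
```

Run it as `sh unlock-all.sh --run` from the place dd-luks-unlock is called today; the exit status is the number of entries that could not be opened, so a second passphrase-only crypttab line still gets its chance.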

  13. #28
    Join Date
    Oct 2009
    Posts
    135

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Oi! I got a stupid question.
    Can this be done with a CD-ROM instead of a USB?
    I ask only because I have a laptop. The USB drive is in the back. I am careful to use a thumb drive and then remove it. I don't want to break anything by forgetting it's there.
    The idea of having a CDROM with the key is appealing. And, it provides the reverse functionality--"lock it" by removing the disk (same thing is possible with a PCMCIA media adaptor). Thus I can leave the disk in for normal day to day use and take it out when I wish to lock it.

  14. #29
    Join Date
    Jun 2009
    Location
    Biggleswade, Bedfordshire, England
    Posts
    22

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Quote Originally Posted by xtian
    Oi! I got a stupid question.
    Can this be done with a CD-ROM instead of a USB?
    I ask only because I have a laptop. The USB drive is in the back. I am careful to use a thumb drive and then remove it. I don't want to break anything by forgetting it's there.
    The idea of having a CDROM with the key is appealing. And, it provides the reverse functionality--"lock it" by removing the disk (same thing is possible with a PCMCIA media adaptor). Thus I can leave the disk in for normal day to day use and take it out when I wish to lock it.
    In theory, yes. You would need to detect /dev/cdrom and read it - which would be quite a slow process compared to a USB flash drive or card reader.

    ---------- Post added at 04:52 PM ---------- Previous post was at 03:18 PM ----------

    Update for Fedora 15


    I stumbled across this method for Fedora 15 today. It is based on my original method and has some useful improvements. I have taken those and created a newer, simplified method for Fedora 15.

    Part 1 - Create key file.

    1.1 Fill a USB memory stick with random data:

    dd if=/dev/urandom of=/dev/sdb bs=1

    This assumes your memory stick is /dev/sdb. This method is best carried out on a laptop with lots of internal devices. This ensures a large entropy-pool of noise to generate random data.

    CAUTION: The 'dd' command will happily wipe your hard drive if you set the wrong /dev/sd?.

    1.2 Extract a "key" from the random data on the USB stick:

    dd if=/dev/sdb of=luks-secret.key bs=1 count=4096

    The above line will extract 4096 bytes of random data from the USB stick. Adjust to your own needs and remember to adjust the scripts detailed below.

    1.3 Add the key to your LUKS partition:

    cryptsetup luksAddKey /dev/sda2 luks-secret.key --key-slot 1

    The command above adds the newly generated key to slot 1 (assuming slot 0 contains your LUKS passphrase) of your LUKS partition.
    It is assumed your encrypted partition is on /dev/sda2.

    You will be prompted for your usual LUKS passphrase before the key is added.

    You can check the key has been added to slot 1 with the following command:

    cryptsetup luksDump /dev/sda2

    1.4 Delete the key from your file system:

    shred --remove --zero luks-secret.key


    Part 2 - modify dracut.

    Fedora 15 uses a system called dracut to create the initramfs that plymouth uses to boot the kernel. Dracut builds the 'initramfs' from modules which can be modified to carry your own customisations.

    2.1 Locate the "by-id" name of your USB key with the following command:

    ls -l /dev/disk/by-id | grep usb

    You will see something like this: usb-LaCie_iamaKey_60f2f4441dc104-0:0 -> ../../sdb

    Keep a note of this and remember to escape the : when you add the ID to the script in 2.2.

    2.2 Modify cryptroot-ask.sh in /usr/share/dracut/modules.d/90crypt

    Replace the text near the end of the file:

    Code:
    { flock -s 9;
        /bin/plymouth ask-for-password \
            --prompt "$prompt" \
            --command="/sbin/cryptsetup luksOpen -T1 $device $luksname"
    } 9>/.console.lock
    with:

    Code:
    { flock -s 9;
        usbkey=/dev/disk/by-id/usb-LaCie_iamaKey_60f2f4441dc104-0\:0
        if [ -e $usbkey ]; then
            ask=0
            echo "USB Key detected - unlocking partition $device ..."
            dd if=$usbkey bs=1 count=4096 | cryptsetup luksOpen $device $luksname --key-file=-
        else
            /bin/plymouth ask-for-password \
                --prompt "$prompt" --number-of-tries=5 \
                --command="/sbin/cryptsetup luksOpen -T1 $device $luksname"
        fi
    } 9>/.console.lock
    2.3 Add the following sleep to cryptroot-ask.sh after the first three lines of text if your USB devices are not detected in time. You may experiment and reduce/increase this time to suit your hardware.

    #!/bin/sh
    # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
    # ex: ts=8 sw=4 sts=4 et filetype=sh

    # Optional sleep if USB devices take time to detect.
    #
    echo "Sleeping for 5 seconds to wait for devices..."
    sleep 5



    Part 3 - Create new initramfs

    Use the following command to create a new initramfs:

    /usr/libexec/plymouth/plymouth-update-initrd


    Part 4 - Reboot

    With the key in place, the LUKS volume should automatically unlock. Without the key, the system will still prompt for the passphrase.


    Debugging

    If you experience problems, press the 'a' key during the grub screen and modify the start-up. Remove rhgb quiet and replace them with rdinitdebug rdshell. This will offer a more verbose boot sequence which can be analysed via dmesg.
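    The fixed "sleep 5" in step 2.3 and the "tout=" crypttab option proposed in post #26 both address the same problem: udev may create the key's device node after cryptroot-ask.sh has already looked for it. As an added example (not code from the thread or from dracut), the functions below poll for the by-id symlink until a deadline and then take the same two paths as the step 2.2 edit; key_timeout, wait_for_key, unlock_with_key_or_prompt and KEY_POLL are assumed names, and $device/$luksname are the variables cryptroot-ask.sh already provides.

```shell
#!/bin/sh
# Added example, not code from the thread: instead of the fixed "sleep 5"
# in 2.3, poll for the key's by-id symlink until a deadline, then take the
# same two paths as the 2.2 edit (key from the stick, or the plymouth
# prompt). key_timeout reads the "tout=" crypttab option proposed in post
# #26. All function names and KEY_POLL are assumptions for this example.
KEY_POLL="${KEY_POLL:-1}"   # whole seconds between checks

# Return the tout=N value from a crypttab options field such as
# "size=256,tout=10"; 0 (no waiting) when the option is absent.
key_timeout() {
    saved_ifs=$IFS
    IFS=,
    for opt in $1; do
        case "$opt" in
            tout=*) IFS=$saved_ifs; printf '%s\n' "${opt#tout=}"; return 0 ;;
        esac
    done
    IFS=$saved_ifs
    printf '0\n'
}

# Wait up to $2 seconds for the path $1 to exist. Succeeds as soon as udev
# has created the node, so a fast machine does not pay the full delay.
wait_for_key() {
    dev=$1
    remaining=$2
    while [ ! -e "$dev" ]; do
        [ "$remaining" -gt 0 ] || return 1
        sleep "$KEY_POLL"
        remaining=$((remaining - KEY_POLL))
    done
    return 0
}

# Open $1 as mapper name $2 using the key at $3 if it appears within $4
# seconds, otherwise fall back to the interactive prompt. Prints which
# path was taken so the boot log shows why a passphrase was requested.
unlock_with_key_or_prompt() {
    device=$1 luksname=$2 usbkey=$3 timeout=$4
    if wait_for_key "$usbkey" "$timeout"; then
        echo "USB key detected - unlocking partition $device ..."
        dd if="$usbkey" bs=1 count=4096 2>/dev/null |
            cryptsetup luksOpen "$device" "$luksname" --key-file=-
        echo key
    else
        echo "no USB key within ${timeout}s - asking for passphrase"
        /bin/plymouth ask-for-password \
            --prompt "Password ($device)" --number-of-tries=5 \
            --command="/sbin/cryptsetup luksOpen -T1 $device $luksname"
        echo prompt
    fi
}
```

Inside the flock block of step 2.2 this becomes `unlock_with_key_or_prompt "$device" "$luksname" /dev/disk/by-id/usb-..._0\:0 "$(key_timeout "$options")"`, where the timeout comes from the crypttab line rather than a hard-coded sleep.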

  15. #30
    Join Date
    Feb 2009
    Posts
    24

    Re: Unlocking LUKS with USB key - method - seeking help to improve

    Currently I'm running Fedora 15 and here has been my solution:

    1. Create key files for root, home, storage called 'system-key-root', 'system-key-home' and 'system-key-storage'. I copy the files to a USB key and leave a copy in root with only root read access. In addition on the root of my system I use the 'chattr' command to set the following flags ' s i d e' (use man chattr to see why). The USB key fob I make a normal ext3/4 filesystem and label it as 'SystemKeys'.

    2. Placed necessary random key information into each keyfile (this is left as an exercise for the user).

    3. setup cryptloop devices for each respective filesystem using the appropriate keyfile.

    4. Setup OS and necessary filesystems. With a normal '/boot' partition.

    When booting I plug the USB key in and use the following grub arguments (also in /boot/grub/grub.conf):

    kernel /vmlinuz-XXXX ro root=UUID=XXXX-XXXX-XXXX rd_LVM_LV=vg_vol01/LVRoot rd.luks.key=/system-key-root:LABEL=SystemKeys LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us quiet

    When the USB key is pulled, on boot up you are prompted for a normal password, if the USB key is plugged in, the system boots.
