fedora 28 luks keyfile with systemd
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    fedora 28 luks keyfile with systemd

    How do I use a LUKS keyfile on USB? Systemd does not honor the rd.luks.key kernel parameter. Removing systemd from the initrd is no longer possible since the systemd-initrd module for dracut will fail. I have FDE with LVM on LUKS. Swap is on LVM.

    I want the machine to not ask for a password if the right USB drive is inserted at boot time.

    In addition, if possible, resume would be from LVM swap as well.

    Thoughts?

  2. #2

    Re: fedora 28 luks keyfile with systemd

    Quote Originally Posted by x53sv
    How do I use a LUKS keyfile on USB? Systemd does not honor the rd.luks.key kernel parameter. Removing systemd from the initrd is no longer possible since the systemd-initrd module for dracut will fail. I have FDE with LVM on LUKS. Swap is on LVM.

    I want the machine to not ask for a password if the right USB drive is inserted at boot time.

    In addition, if possible, resume would be from LVM swap as well.

    Thoughts?

    Try this module for dracut: https://github.com/raffaeleflorio/luks-2fa-dracut. It was written specifically because rd.luks.key isn't handled with dracut+systemd.
    The module requires another device with a keyfile; if the latter isn't inserted in time (the timeout is configurable), systemd will fall back to asking for the passphrase as normal.
    Last edited by fcuser; 18th November 2018 at 11:16 AM.

  3. #3

    Re: fedora 28 luks keyfile with systemd

    Not sure how this helps. If I have a second key that requires a password, I've not managed to bypass the password typing requirement. The requirement is:
    1. Physical media inserted, drive automatically decrypts
    2. Physical media not inserted, drive does not automatically decrypt

    Your solution only helps you avoid having to drill holes in your hard drive. It does not help the use case where you are home and the computer should auto-unlock, and when you are not home, the computer will not auto-unlock.

    Alternately, it would be helpful to have the computer look for a specific file to be downloaded via SSH and security key from a machine that is locked within the current physical firewall and network, without intervention.

    Or alternatively, look for a service that provides the necessary key to a well-known IP address with a specific signature that can be turned off for remote booting of a secured computer.

    Thanks.
