how do I use USB key to decrypt LUKS automatically on boot
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Jul 2018
    Location
    Indiana
    Posts
    5

    how do I use USB key to decrypt LUKS automatically on boot

    I'm testing switching over from Ubuntu to Fedora. I cannot find a solution for this in Fedora.

    I want to have a usb key that will unlock my LUKS encrypted lvm partition automatically on boot. If the key is not present, I want to be asked for the pass phrase.

    I've found some places that talk about using a script in dracut, but then they tell me you have to disable the systemd module. If I do this, dracut says it needs systemd to do things and the system doesn't boot.

    Is there a way to unlock the drive with a USB key automatically on boot, but use a pass phrase when it's not found?

    Using Fedora Core Server 28, EFI.

    Thanks.

  2. #2
    Join Date
    Jan 2015
    Location
    Al Ain, UAE
    Posts
    830

    Re: how do I use USB key to decrypt LUKS automatically on boot

    Hmm, I think one would do it exactly the same way on almost any distribution, since it has to happen before anything that is particularly distribution specific starts.

    You need to mount the key with fstab and then read it with an entry in crypttab and that should be it.

    https://wiki.archlinux.org/index.php..._entire_system

    https://www.linuxquestions.org/quest...ce-4175599442/
    --
    Have fun!
    http://www.aeronetworks.ca

  3. #3
    Join Date
    Jul 2018
    Location
    Indiana
    Posts
    5

    Re: how do I use USB key to decrypt LUKS automatically on boot

    Yes, that's what I would have thought, too, until I realized that every distribution has a different system for building an initramfs. There are also variants between systemd and non-systemd initramfs.

    Fedora uses dracut with systemd now. I don't know if there are other options. I only know that this is the default, and I don't know how to modify its behavior.
    Arch uses mkinitcpio, which is very easy to hook into, at least in the busybox version. Haven't tried the systemd version. I can make this work on Arch.
    Ubuntu (and probably Debian, too, though I haven't tried this) both use update-initramfs; not sure if that's what the system is called or just the program. It seems to be a non-systemd initramfs.

    Ubuntu and Debian still have the luksscript argument in /etc/crypttab. update-initramfs uses this to place a script into the initrd that can do whatever you need it to. It was easy enough to get this working there. Arch doesn't have that script, but it was pretty easy to make a hook that does the same thing.

    RHEL/CentOS 6 and 7 use dracut, but maybe a non-systemd version (6 definitely). So the guides I've read on CentOS say to not use systemd in dracut. Trying to do that in Fedora seems to break the entire initramfs.

    So, no, it's actually quite distro specific.

  4. #4
    Join Date
    Jul 2018
    Location
    Indiana
    Posts
    5

    Re: how do I use USB key to decrypt LUKS automatically on boot

    I found a solution, though I don't quite understand the consequences of what I've done.

    https://www.gaztronics.net/howtos/luks.php

    So I followed this guide, mostly. I had to move the location of the USB key check to after Fedora sets the ask-for-passphrase variable to 1, or it would still ask for the phrase after the drive was unlocked. I also had to blacklist many more systemd modules than in CentOS 7. I don't understand what the systemd dracut modules are doing, other than forcing me to choose between passphrase and key file, and I have no idea what blacklisting them is doing. The system still boots, and the only purpose of the initramfs (to my knowledge) is to find the root partition and hand over control to the real init system.

    omit_dracutmodules+="systemd systemd-initrd systemd-networkd dracut-systemd"

    I also don't know how long this fix will work. If systemd is supposed to handle this, and I'm removing systemd, how long until upstream removes this module from dracut?

  5. #5
    Join Date
    Jan 2015
    Location
    Al Ain, UAE
    Posts
    830

    Re: how do I use USB key to decrypt LUKS automatically on boot

    Seriously, all you should need to do is edit fstab and crypttab.
    --
    Have fun!
    http://www.aeronetworks.ca

  6. #6
    Join Date
    Jul 2018
    Location
    Indiana
    Posts
    5

    Re: how do I use USB key to decrypt LUKS automatically on boot

    I don't understand how it reads these files before it boots, or what edits to make. If you have this information, I'd very much appreciate it.

  7. #7
    Join Date
    Dec 2012
    Location
    santa barbara, CA
    Posts
    956

    Re: how do I use USB key to decrypt LUKS automatically on boot

    my $0.02:

    never have any laptop ask you for any password on boot or otherwise, when passing through airports.
    Ergo, I encrypt all my stuff, but it's only decrypted proactively, i.e. nobody even knows the encrypted stuff is there.
    This will avoid lengthy jail sentences when trying to protect your wife's cooking recipes!
    "monsters John ... monsters from the ID..."
    "ma vule teva maar gul nol naya"

  8. #8
    Join Date
    Jan 2015
    Location
    Al Ain, UAE
    Posts
    830

    Re: how do I use USB key to decrypt LUKS automatically on boot

    "I don't understand how it reads these files before it boots"
    On a 'whole disk' encrypted system, /boot is actually not encrypted. The whole Linux kernel is stored in plain text on /boot.
    However, everything in the rest of the system is encrypted, including fstab and crypttab.

    So, yes, you are perfectly correct, one has to modify the initrd system in /boot to get it to read a keyfile from a USB widget.

    You have to set the system up to use a keyfile and copy the file onto a raw USB key then use the device name as the keyfile name /dev/sdb for example.

    This guide looks about right to me: https://www.len.ro/work/luks-disk-en...-ubuntu-14-04/
    --
    Have fun!
    http://www.aeronetworks.ca
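    A worked version of the keyfile-on-a-raw-USB-stick setup described in this post, with the passphrase fallback the thread is asking for. This is an added example, not code from the thread or from any of the linked guides; it assumes a 512 KiB key offset, a 4096-byte key, a 10 s wait for the stick, and the `keyfile-timeout=` crypttab option that systemd-cryptsetup gained after this thread (v243 and later), which is what lets systemd fall back to the passphrase instead of failing when the key device never shows up.

```sh
#!/bin/sh
# Added example (not from the thread): enrol a key stored at a raw offset on a USB
# stick into a LUKS header and emit the /etc/crypttab line that systemd-cryptsetup
# (v243+) reads; keyfile-timeout= gives the passphrase prompt when the stick is absent.
# Assumed layout: 512 KiB offset, i.e. inside the gap between the partition table and
# a first partition that starts at 1 MiB. Check the stick with fdisk -l before writing.
set -eu

KEY_OFFSET=${KEY_OFFSET:-524288}
KEY_SIZE=${KEY_SIZE:-4096}

# dd seek count when the key is written as a single KEY_SIZE block; fails if misaligned.
key_seek_blocks() {
  [ $((KEY_OFFSET % KEY_SIZE)) -eq 0 ] || return 1
  echo $((KEY_OFFSET / KEY_SIZE))
}

# Reject /dev/sdX names: they change between boots when the stick enumerates late.
is_stable_key_path() {
  case "$1" in
    /dev/disk/by-id/*|/dev/disk/by-uuid/*) return 0 ;;
    *) return 1 ;;
  esac
}

# crypttab_line NAME LUKS_UUID KEY_DEVICE -> the entry to append to /etc/crypttab.
crypttab_line() {
  printf '%s UUID=%s %s luks,keyfile-offset=%d,keyfile-size=%d,keyfile-timeout=10s\n' \
    "$1" "$2" "$3" "$KEY_OFFSET" "$KEY_SIZE"
}

# Root-only steps; run as: sh enrol.sh --run luks-root <luks-uuid> /dev/disk/by-id/usb-<stick>
# (the name, UUID and by-id path are placeholders you supply).
if [ "${1:-}" = "--run" ]; then
  name=$2; uuid=$3; keydev=$4
  is_stable_key_path "$keydev" || { echo "use a /dev/disk/by-id path" >&2; exit 1; }
  seek=$(key_seek_blocks)
  # Random key bytes go into the unused gap; partitions on the stick are untouched.
  dd if=/dev/urandom of="$keydev" bs="$KEY_SIZE" seek="$seek" count=1 conv=notrunc
  # Add the key to a free LUKS slot (prompts for the existing passphrase).
  cryptsetup luksAddKey "/dev/disk/by-uuid/$uuid" \
    --new-keyfile-offset "$KEY_OFFSET" --new-keyfile-size "$KEY_SIZE" "$keydev"
  # Prove the slot opens from the stick before relying on it at boot.
  cryptsetup open --test-passphrase --key-file "$keydev" \
    --keyfile-offset "$KEY_OFFSET" --keyfile-size "$KEY_SIZE" "/dev/disk/by-uuid/$uuid"
  crypttab_line "$name" "$uuid" "$keydev" >> /etc/crypttab
  dracut -f   # the host-only initramfs carries its own copy of /etc/crypttab
fi
```

Without `--run` the script only defines the helpers, so it can be sourced and inspected safely; the write, enrol and rebuild steps need root and a stick you are willing to overwrite at that offset.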

  9. #9
    Join Date
    Jul 2018
    Location
    Indiana
    Posts
    5

    Re: how do I use USB key to decrypt LUKS automatically on boot

    Quote Originally Posted by flyingdutchman
    "I don't understand how it reads these files before it boots"
    On a 'whole disk' encrypted system, /boot is actually not encrypted. The whole Linux kernel is stored in plain text on /boot.
    However, everything in the rest of the system is encrypted, including fstab and crypttab.

    So, yes, you are perfectly correct, one has to modify the initrd system in /boot to get it to read a keyfile from a USB widget.

    You have to set the system up to use a keyfile and copy the file onto a raw USB key then use the device name as the keyfile name /dev/sdb for example.

    This guide looks about right to me: https://www.len.ro/work/luks-disk-en...-ubuntu-14-04/
    Yes, I've seen that guide. It discusses things that you can't do in Fedora, like use a keyscript. That parameter does not exist in Fedora 28. update-initramfs (also not in Fedora) will take that script and embed it into the initramfs for you. Dracut uses modules that accomplish the same task, but in a different manner. There is a crypt module, which may have been used in non-systemd initramfs. I don't know about that. What I do know is that systemd tries to decrypt the device very early in the boot process, either with a key (if you specify one in the crypttab) or with a password. From the dracut mailing list, I'm told that systemd cannot try one then the other. It's not capable of that. So based on the advice of the guide I posted, I removed the systemd modules from the initramfs. I had to modify the directions, because they were for CentOS 6 and 7, and there have been many changes to Fedora since CentOS 7 was released. There are more systemd modules in dracut.

    So, if I could use a keyscript, I agree that all I would need to do is modify /etc/crypttab, because update-initramfs has an explicit hook for that. Fedora 28 (and Arch, not that it really matters) does not have that parameter. Since that isn't an option in Fedora 28, I'm stuck wondering what I took out by disabling systemd modules from dracut. Maybe all I lost was the decryption of the drive, which I don't want anyways, because it can't handle it in the manner I want. The system still works, but it would be nice to know the consequences of my actions.

  10. #10
    Join Date
    Aug 2007
    Posts
    309

    Re: how do I use USB key to decrypt LUKS automatically on boot

    Using Fedora Core Server 28, EFI.
    There is no "Fedora Core" anymore; it's just Fedora since Fedora 7, released on 2007-05-31, over 11 years ago.

  11. #11
    Join Date
    Nov 2018
    Location
    Ldk
    Posts
    2

    Re: how do I use USB key to decrypt LUKS automatically on boot

    Quote Originally Posted by jdratlif
    I found a solution, though I don't quite understand the consequences of what I've done.

    https://www.gaztronics.net/howtos/luks.php

    So I followed this guide, mostly. I had to move the location of the USB key check to after Fedora sets the ask-for-passphrase variable to 1, or it would still ask for the phrase after the drive was unlocked. I also had to blacklist many more systemd modules than in CentOS 7. I don't understand what the systemd dracut modules are doing, other than forcing me to choose between passphrase and key file, and I have no idea what blacklisting them is doing. The system still boots, and the only purpose of the initramfs (to my knowledge) is to find the root partition and hand over control to the real init system.

    omit_dracutmodules+="systemd systemd-initrd systemd-networkd dracut-systemd"

    I also don't know how long this fix will work. If systemd is supposed to handle this, and I'm removing systemd, how long until upstream removes this module from dracut?
    This module for dracut is compatible with systemd: https://github.com/raffaeleflorio/luks-2fa-dracut. So it's compatible in the future with dracut+systemd.
    It was written specifically to unlock *an* encrypted volume using another device. If the latter isn't present in time (the timeout is configurable), systemd automatically asks for the passphrase for the former.
    Last edited by fcuser; 18th November 2018 at 11:13 AM.
