Howto: Decrypt LUKS partition with Keyfile OR password
the computer starts? Then you should use a key file on a USB stick or something similar.
But wait… you want to be able to unlock the partition with your password as well, when you don’t
have your USB stick with you? Or when your USB stick does not always get the same device identifier (e.g. /dev/sdc1)?
OK, then do it like this (I AM NOT RESPONSIBLE IF YOU BRICK YOUR SYSTEM! Make sure you have a live CD for rescuing the system in case you make a mistake).
- get the script: crypto-usb-key.sh
- copy the script to /usr/local/sbin/
# cp crypto-usb-key.sh /usr/local/sbin/
- make sure the script is executable
# chmod 755 /usr/local/sbin/crypto-usb-key.sh
- edit your /etc/crypttab as follows:
# vi /etc/crypttab
before (may not be exactly the same as yours, but similar):
crypt_root /dev/sda5 none luks,retry=1,cipher=aes-cbc-essiv:sha256
after:
crypt_root /dev/sda5 fancy_keyfile_name.key luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
Where “fancy_keyfile_name.key” will be the name of the file in the root directory of your USB stick containing the key.
Make sure to change the device (/dev/sda5) to fit your needs.
- create the keyfile (256 random bytes; keep it readable only by root, and copy it to the root directory of the USB stick afterwards):
# head -c 256 /dev/urandom > fancy_keyfile_name.key
- check the number of used key slots of the drive (you can leave this step out)
# cryptsetup luksDump /dev/sda5
(do not leave out the following step)
- add the key file to the LUKS partition
# cryptsetup luksAddKey /dev/sda5 fancy_keyfile_name.key
You have to enter an existing valid passphrase of the partition; afterwards the key file is added to a free key slot.
Now you can check whether one more key slot is in use (it should be):
# cryptsetup luksDump /dev/sda5
- update the initramfs of the running kernel
# update-initramfs -u -k `uname -r`
You could replace `uname -r` with “all” to update the initramfs of all installed kernels, but if you update only the running kernel, the other installed kernels keep their old initramfs, which gives you
a fallback besides the live CD.
- reboot the system
# reboot
Now if you plug in your USB stick containing the key file, the system will find it and continue to boot. If you remove the stick (or the
key file is not in the root directory of the stick) you will be asked to enter the password for the partition instead.
Tested on Ubuntu Lucid Lynx 10.04 64 bit.
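The howto does not show what crypto-usb-key.sh actually does. The script below is an added example of such a crypttab keyscript, written for this page; it is not the author’s crypto-usb-key.sh. cryptsetup’s initramfs hook runs the keyscript with the third crypttab field (“fancy_keyfile_name.key”) as its only argument and uses whatever the script writes to standard output as the key. The example searches every USB partition through the stable /dev/disk/by-id/usb-*-part* names instead of relying on /dev/sdc1, and falls back to the /lib/cryptsetup/askpass prompt so the passphrase still works without the stick. The file name crypto-usb-key-example.sh, the scratch mount point under /tmp, the by-id name pattern and the presence of askpass and the stick’s filesystem module in the initramfs are assumptions.

```shell
#!/bin/sh
# Added example of a crypttab keyscript (NOT the crypto-usb-key.sh distributed with the howto).
# cryptsetup's initramfs hook calls it as:   keyscript <third crypttab field>
# and pipes its stdout into "cryptsetup luksOpen ... --key-file=-".
# Assumptions: /lib/cryptsetup/askpass exists in the initramfs (Debian/Ubuntu), udev creates
# /dev/disk/by-id/usb-*-part* links, and the stick's filesystem module (e.g. vfat) is loaded.

KEYFILE_NAME="${1:-fancy_keyfile_name.key}"   # key file name in the root of the stick
MNT="/tmp/usbkey.$$"                           # assumed scratch mount point

# find_key_in_dirs DIR...: print the first DIR/$KEYFILE_NAME that is a readable regular file.
# Kept separate from the mounting so the search logic can be exercised on plain directories.
find_key_in_dirs() {
    for d in "$@"; do
        if [ -f "$d/$KEYFILE_NAME" ] && [ -r "$d/$KEYFILE_NAME" ]; then
            printf '%s\n' "$d/$KEYFILE_NAME"
            return 0
        fi
    done
    return 1
}

# usb_partitions: device nodes of all USB partitions, independent of /dev/sdX numbering.
usb_partitions() {
    for p in /dev/disk/by-id/usb-*-part*; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# try_usb_key: mount each USB partition read-only; if the key file is there, emit its bytes.
try_usb_key() {
    found=1
    mkdir -p "$MNT" || return 1
    for dev in $(usb_partitions); do
        mount -o ro "$dev" "$MNT" 2>/dev/null || continue
        if key=$(find_key_in_dirs "$MNT"); then
            cat "$key" && found=0          # exact file contents, as added with luksAddKey
        fi
        umount "$MNT"
        [ "$found" -eq 0 ] && break
    done
    rmdir "$MNT" 2>/dev/null
    return "$found"
}

# ask_passphrase: same prompt cryptroot uses when no keyscript is configured.
ask_passphrase() {
    if [ -x /lib/cryptsetup/askpass ]; then
        /lib/cryptsetup/askpass "No USB key found, enter passphrase: "
    else
        printf 'No USB key found, enter passphrase: ' >&2
        stty -echo 2>/dev/null || true
        read -r pw
        stty echo 2>/dev/null || true
        echo >&2
        printf '%s' "$pw"
    fi
}

# Only act when invoked by cryptsetup (which always passes the crypttab key field).
if [ $# -ge 1 ]; then
    try_usb_key || ask_passphrase
fi
```

If you use this instead of the script above, point the keyscript= option in /etc/crypttab at it and re-run update-initramfs. Before rebooting, confirm that the key file really opens the partition: cryptsetup versions newer than the 1.1 shipped with 10.04 have `luksOpen --test-passphrase`; on 10.04 open the partition under a temporary mapping name with `--key-file` and `luksClose` it again. Keep in mind that whoever holds the stick holds the key: if the stick is lost, remove its key slot with `cryptsetup luksKillSlot`, not just the file.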
Just in case everything goes wrong:
- boot the live system from CD
- open a terminal
- unlock your root partition
# cryptsetup luksOpen /dev/sda5 crypt_root
- mount it
# mkdir /media/root && mount /dev/mapper/crypt_root /media/root
- mount the boot partition (here /dev/sda2; adjust to your layout)
# mount /dev/sda2 /media/root/boot
- mount system directories
# mount -o bind /dev /media/root/dev
# mount -t sysfs /sys /media/root/sys
# mount -t proc /proc /media/root/proc
- chroot in your system
# chroot /media/root/
- edit /etc/crypttab
# vi /etc/crypttab
change the crypttab line back to what it was before you inserted the keyscript (see above)
- update your initramfs and reboot
# update-initramfs -u -k all
# reboot
Now everything is like before you began.
