
Re: Many LUKS partitions



Salvatore Iovene (<salvatore@iovene.com>) wrote:

> I have more than one encrypted partition (using dm-crypt), and so, at
> boot time, I'm prompted for all of their passphrases.
> 
> Is there a way to set a sort of master passphrase so that I'll only
> input it once?

Yes and no. What you can do:

- Create one big partition, and encrypt it. Build an LVM on that
partition and divide it as you want. That way you will only need one
password, which unlocks the big partition that holds the LVM.

- Store keyfiles on the first encrypted partition. Enter the password
for that partition, tell cryptsetup that this partition needs to be
mounted for the other ones to be accessed.

> Another question: is there a way to use a USB pendrive to store the
> information needed to LUKS to decrypt the partitions? (so that I
> wouldn't have to fill in any password, just plug the USB pendrive)

Yes, there is. For any partition *except* the root partition, you need
to make the following changes:

- add the key to the luks-Partitions using cryptsetup luksAddKey
- make an entry for your stick in your fstab, e.g. /media/key
- copy the keyfile to the stick, e.g. to /media/key/keyfile
- change your crypttab to use the keyfile, e.g.
        usr-crypt       /dev/hda7       /media/key/keyfile      luks
- change CRYPTDISKS_MOUNT in /etc/defaults/cryptsetup to include your
USB stick, e.g. CRYPTDISKS_MOUNT="/media/key"
- rebuild your initrd using update-initramfs -u

As far as I know using a key on a USB stick for your root partition is
a little more complicated. I needed to make the following extra
changes:

- change /etc/initramfs-tools/modules to make sure initramfs includes
the necessary modules for the fat file system and codepages (not needed
if you use ext2 as the file system on your stick, usb mass storage and
scsi disk support were included by default)

I had to add the following lines:

nls_cp437
nls_iso8859_1
vfat

- write a keyscript that takes care of mounting the stick, gets the key
file, writes it to stdout and unmounts the stick. The script I use is
this one:

#!/bin/sh
modprobe usb-storage    #load usb mass storage driver
sleep 5                 #wait for recognized devices to settle
mkdir /keydev 1>&2      #mount point inside the initramfs; chatter goes to stderr
mount -t vfat -o ro,umask=077 /dev/sda1 /keydev 1>&2   #read-only, root-only access
cat /keydev/key         #the key itself is the ONLY thing written to stdout
umount /keydev 1>&2     #release the stick again

Note that all normal output is redirected to stderr so it doesn't get
mixed up with the key file.

- save the keyscript to /sbin and change the crypttab entry for my root
partition:

root_crypt      /dev/hda6       none    luks,keyscript=/sbin/keyscript

Note that using /sbin is not required, you can save the keyscript
anywhere you like and adapt your crypttab accordingly.

- rebuild the initrd using update-initramfs -u. It will include your
keyscript automatically, no need to copy anything on your own.

That's it. Another thing you should keep in mind when changing crypto
settings for your root partition: when you do something wrong and
rebuild the initrd, after rebooting you won't be able to mount the root
partition anymore, except with the help of some external Linux system,
e.g. from a live CD like grml or knoppix. Keep a backup of your initrd
with the settings still using passwords and add an entry for it to your
boot loader configuration - that way as long as you are not sure that
everything works you can still boot into your system using your
passwords. Took me more than an hour of rebooting grml, cryptsetupping,
mounting, chrooting my root fs and rebuilding initrds until I had the
idea to do it another way.

regards
        Andreas Janssen

-- 
Andreas Janssen <andreas.janssen@bigfoot.com>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html
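An added example, not part of Andreas's mail: a keyscript variant that locates the stick by filesystem label instead of a fixed /dev/sda1, keeps everything but the key off stdout, and falls back to the passphrase prompt when the stick is missing, which covers the unbootable-system situation he warns about. Assumed: the label LUKSKEY and keyfile name `key`, udev's /dev/disk/by-label symlinks, and that Debian's cryptsetup ships /lib/cryptsetup/askpass and exports CRYPTTAB_NAME to keyscripts.

```shell
#!/bin/sh
# Hypothetical keyscript (added example): find the key stick by filesystem
# label instead of a fixed /dev/sda1, read the keyfile, and fall back to a
# passphrase prompt when the stick is absent so a forgotten or dead stick
# does not leave the root partition unmountable at boot.
KEY_LABEL="${KEY_LABEL:-LUKSKEY}"            # assumed label of the stick's filesystem
KEY_FILE="${KEY_FILE:-key}"                  # assumed keyfile name on the stick
DEV_DIR="${DEV_DIR:-/dev/disk/by-label}"     # udev's by-label symlinks
MNT="${MNT:-/keydev}"

# Poll up to $1 seconds for the labelled device; print its path on success.
wait_for_key_device() {
    tries=${1:-10}
    while [ "$tries" -gt 0 ]; do
        if [ -e "$DEV_DIR/$KEY_LABEL" ]; then
            printf '%s\n' "$DEV_DIR/$KEY_LABEL"
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Emit the keyfile from an already mounted directory; only the key goes to
# stdout, because cryptsetup reads the keyscript's stdout as the key.
read_key_from_dir() {
    [ -r "$1/$KEY_FILE" ] || return 1
    cat "$1/$KEY_FILE"
}

main() {
    modprobe usb-storage 1>&2 2>/dev/null || true   # as in the original; harmless if built in
    if dev=$(wait_for_key_device 10); then
        mkdir -p "$MNT" 1>&2
        mount -t vfat -o ro,umask=077 "$dev" "$MNT" 1>&2 || return 1
        read_key_from_dir "$MNT"; rc=$?
        umount "$MNT" 1>&2
        return "$rc"
    fi
    # Stick absent: fall back to the interactive prompt (assumed: Debian's
    # cryptsetup ships /lib/cryptsetup/askpass for exactly this purpose).
    echo "key stick '$KEY_LABEL' not found, asking for passphrase" 1>&2
    /lib/cryptsetup/askpass "Passphrase for ${CRYPTTAB_NAME:-root_crypt}: "
}

# Run only when invoked by cryptsetup, which (assumed) exports CRYPTTAB_NAME;
# running the file without it just defines the functions.
[ -z "$CRYPTTAB_NAME" ] || main
```

Install it like the original (e.g. /sbin/keyscript with keyscript=/sbin/keyscript in crypttab) and rebuild the initrd with update-initramfs -u; keep the passphrase-based initrd as a boot loader fallback until the stick path is verified.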


