Proper way of implementing unlock with keyfile instead of passphrase


0mn1...@gmail.com

Sep 15, 2016, 1:38:03 PM
to qubes-users
Good evening.

I'm hoping someone can give me a hand here. What I am trying to do is setup my Qubes install so that "/" is unlocked with a keyfile and not a passphrase. Preferably an encrypted keyfile that can be decrypted using keyscript in /etc/crypttab.

Adding a keyfile using cryptsetup and then adding an entry in /etc/crypttab doesn't seem to work and I do not think forcing dracut to omit "systemd" is a good idea, from my limited know-how.

Another solution I found is to copy the keyfile to initramfs but if it isn't encrypted, another bad idea. I have not yet found a way to get keyscript to work in order to encrypt the keyfile copied to initramfs.

Any information and help on this matter is greatly appreciated.

Jan Betlach

Sep 17, 2016, 6:20:56 AM
to qubes-users, 0mn1...@gmail.com

I am not sure if I can help with Qubes (Fedora), however on Arch I just create a 4096-bit key and add the keyfile to LUKS (cryptsetup luksAddKey /dev/sdx /crypted_keyfile.bin). I also make sure that nobody except Grub can read the file (chmod 000 /crypted_keyfile.bin).
Then I add the crypted_keyfile for the LUKS partition to initramfs (adding FILES="/crypted_keyfile.bin" to mkinitcpio.conf and generating the initramfs).
Obviously the crypted_keyfile can be located on a separate USB flash drive...

0mn1...@gmail.com

Sep 17, 2016, 8:12:10 AM
to qubes-users, 0mn1...@gmail.com

Greetings.

Guess I'll go with copying the keyfile to initramfs and encrypting it with gpg, to be decrypted at boot via password. On Debian this was straightforward, adding "keyscript=/lib/cryptsetup/scripts/decrypt_gnupg" in /etc/crypttab but as of now I haven't found an equivalent for Qubes or Fedora. Suppose I'll have to keep looking.

Thank you for your reply and have a good one.

Connor Page

Sep 18, 2016, 2:50:59 PM
to qubes-users

0mn1...@gmail.com

Sep 28, 2016, 4:18:17 AM
to qubes-users
On Sunday, September 18, 2016 at 9:50:59 PM UTC+3, Connor Page wrote:
> https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_crypto_luks_key_on_removable_device_support

Thanks for your reply. I am not skilled enough yet to understand the sections relating to "gpg", specifically, how to put them to use.

Unfortunately after much experimentation only one "fix" seems to make my below setup work. These are the steps I have taken to attempt unlock via keyfile:

- create keyfile of random data and move it to /boot.
- add keyfile to LUKS keychain.
" sudo cryptsetup luksAddKey /dev/disk/by-UUID/**** /boot/keyfile "
- edit /etc/crypttab to look similar to this:
" luks-**** UUID=**** /boot/keyfile luks "
- checked to make sure dracut config contains the following:
' add_dracutmodules+="lvm crypt" '
- edited /etc/default/grub to add the following to GRUB_CMDLINE_LINUX:
" rd.luks.key=/boot/keyfile:UUID=**** "
- made sure "systemd" is an omitted module in dracut.
- regenerated dracut and grub2 configurations.

This was done in Qubes R3.2. Will attempt in 3.1 as well. Without omitting the "systemd" module in dracut, the above setup does not work and Qubes defaults to asking for a passphrase. Why it is this way, I do not know. Any more information anyone could provide on how this can be properly done is appreciated.

Connor Page

Sep 28, 2016, 5:25:15 PM
to qubes-users
So effectively your disk is not encrypted. Try adding the dracut module crypt-gpg, encrypt the key and use it with the .gpg extension in the CMDLINE. If that works, delete the weak passphrase; otherwise there's no benefit in doing all this.
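Added as an illustration of Connor's point, not code from this thread: a small POSIX sh audit that reads copies of /etc/default/grub and a dracut config and flags the three things discussed above (rd.luks.key naming a plaintext keyfile, crypt-gpg missing from add_dracutmodules, systemd omitted as a workaround). The argument paths and the rule "a GnuPG-encrypted key is named with a .gpg extension" are assumptions taken from the thread and the linked dracut documentation.

```shell
# Audit a dracut keyfile-unlock setup for the points raised in this thread:
# rd.luks.key naming a plaintext keyfile, the crypt-gpg module missing from
# the dracut config, and systemd omitted as a workaround. Arguments are
# paths to copies of /etc/default/grub and the dracut config to check.

# Print the value of rd.luks.key= from GRUB_CMDLINE_LINUX (empty if absent).
luks_key_arg() {
    grep -o 'rd\.luks\.key=[^ "]*' "$1" | head -n 1 | sed 's/^rd\.luks\.key=//'
}

# 0: key path ends in .gpg (crypt-gpg decrypts it at boot)
# 1: plaintext keyfile; on an unencrypted /boot the disk is effectively unencrypted
# 2: no rd.luks.key at all (passphrase unlock)
keyfile_is_encrypted() {
    key=$(luks_key_arg "$1")
    [ -n "$key" ] || return 2
    path=${key%%:*}          # drop the optional :<keydev>:<luksdev> suffix
    case "$path" in
        *.gpg) return 0 ;;
        *)     return 1 ;;
    esac
}

# 0 when add_dracutmodules lists crypt-gpg.
dracut_has_crypt_gpg() {
    grep -E '^[[:space:]]*add_dracutmodules\+?=' "$1" | grep -qw 'crypt-gpg'
}

# 0 when omit_dracutmodules lists systemd.
dracut_omits_systemd() {
    grep -E '^[[:space:]]*omit_dracutmodules\+?=' "$1" | grep -qw 'systemd'
}

# Report findings; returns 0 only when none of the thread's issues applies.
audit() {
    rc=0
    keyfile_is_encrypted "$1" && st=0 || st=$?
    case $st in
        0) echo "OK: rd.luks.key names a GnuPG-encrypted keyfile" ;;
        1) echo "WARN: rd.luks.key names a plaintext keyfile"; rc=1 ;;
        2) echo "INFO: no rd.luks.key; passphrase unlock" ;;
    esac
    if [ "$st" -ne 2 ]; then
        dracut_has_crypt_gpg "$2" || { echo "WARN: crypt-gpg not in add_dracutmodules"; rc=1; }
    fi
    dracut_omits_systemd "$2" && { echo "WARN: systemd omitted from dracut"; rc=1; }
    return $rc
}
```

Run as `audit /path/to/grub /path/to/dracut.conf`; a non-zero exit means at least one of the weaknesses from the thread is present.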