Automatically unlock LUKS partition using a key on an USB drive on Debian Jessie
I think you are almost correct. I used your instructions to setup automatic unlock of LUKS partitions here, but not /. ;-)
What seems wrong to me, is the UUID you use. You seems to confuse the UUID with the setup of the keyfile on USB. the UUID points to the uuid of the LUKS partition you want to unlock. So you don't want to change it from the line above, unless I have misunderstood.
I would use in /etc/crypttab
instead:
md1_crypt UUID=e53fc075-0afa-4018-b187-912f8f355699 /dev/disk/by-id/usb-0_USB_DRIVE_00000000000165A3-0:0 luks,tries=3,keyfile-size=2048,keyfile-offset=512
One important step is to add the needed modules to the initramfs/initcpio so that the kernel can read the USB key.
On Ubuntu, I have changed /etc/initramfs-tools/modules
with rtsx_usb{_ms,_sdmmc,} and memstick because I use the SD card reader instead. But for the USB key, you will need usb_storage, usbhid (?), hid_generic (?), hid (?), memstick and may be others.
then run
sudo update-initramfs -u
and reboot. It should work
Related videos on Youtube
mcnesium
Updated on September 18, 2022Comments
-
mcnesium over 1 year
I am trying to have the encrypted root partition be unlocked on boot automatically using a connected USB drive on a fresh installation of Debian Jessie (no non-systemd upgrade). After following a couple of tutorials on the web, I am stuck, as it still asks for the passphrase right after boot. This is what I've done so far:
Created the key on the USB drive:
root@fls:~# dd if=/dev/urandom of=/dev/sdc bs=512 seek=1 count=60
Copied the appropriate part as the key into a temp file:
root@fls:~# dd if=/dev/sdc bs=512 skip=1 count=4 > tempKeyFile.bin
Added that key to the encrypted partition config:
root@fls:~# cryptsetup luksAddKey /dev/md1 --key-file=- tempKeyFile.bin
Found out the ID of the USB drive:
root@fls:~# ls -l /dev/disk/by-id/ | grep sdc lrwxrwxrwx 1 root root 9 usb-0_USB_DRIVE_00000000000165A3-0:0 -> ../../sdc lrwxrwxrwx 1 root root 10 usb-0_USB_DRIVE_00000000000165A3-0:0-part1 -> ../../sdc1
Changed
/etc/crypttab
like that:#md1_crypt UUID=e53fc075-0afa-4018-b187-912f8f355699 none luks md1_crypt UUID=ED04-17F5 /dev/disk/by-id/usb-0_USB_DRIVE_00000000000165A3-0:0 luks,tries=3,keyfile-size=2048,keyfile-offset=512
Updated the systemd generator files:
systemctl --system daemon-reload
I am not sure whether that
UUID=
entry is correct, as it is actually the UUID of/dev/sdc1
and apparently there will not be a UUID for/dev/sdc
, so what do I have to enter there?Also, did I miss anything else that would prevent the key on the USB drive to unlock the partition? When I do
cryptsetup luksDump /dev/md1
it does show two Key Slots, so the key is properly configured, I guess.Any ideas?