Debian/PowerBook G4: USB key for an encrypted LVM


This was originally posted on 2009-08-05 to http://andrewho.co.uk/weblog/debian-powerbook-g4-usb-key-for-an-encrypted-lvm

When setting up Lenny on my PowerBook, I wanted a way to encrypt important data on the hard drive; crucially, that includes the contents of the main PostgreSQL database cluster. With this in mind, an encrypted LVM seemed the obvious way to go, so I set it up during the initial installation (Debian makes this pretty easy). The one downside is that the 16-character alphanumeric passphrase is a little cumbersome to type in every time, so I opted to store a key file on a USB key that can be plugged in at boot time to unlock the LVM instead. Here's how I did it.

The first step is to generate a key file. Its contents can be anything you like, such as an innocuous-looking PDF on your USB key. I stored mine at <usbkey>/.keys/<hostname>.key and generated it with the following, which takes 5000 random bytes, base64-encodes them and keeps 64 lines of the encoded output (dropping uuencode's "begin-base64" header line):

```
% head -c 5000 /dev/random | uuencode -m - | head -n 65 | tail -n 64 \
> > /path/to/<hostname>.key
```

Next, we need to tell LUKS about this key, which means knowing which device is the encrypted one; /etc/crypttab tells us. Note that cryptsetup will prompt for an existing LUKS passphrase (likely the one you set during the partitioning stage of Debian's installer) before it adds the new key to a free key slot:

```
% cat /etc/crypttab
hda4_crypt /dev/hda4 none luks
% cryptsetup luksAddKey /dev/hda4 /path/to/<hostname>.key
Enter any LUKS passphrase: <passphrase>
key slot 0 unlocked.
Command successful.
```

Some modules need to be loaded in the initramfs to open and read a FAT-formatted USB key, so append the following lines to /etc/initramfs-tools/modules:

```
vfat
fat
nls_cp437
nls_utf8
```

We need a self-contained script that will retrieve the key file from the plugged-in USB key and present it to LUKS. I've used the one from here and stored it as /usr/local/sbin/crypto-usb-key.sh. Tell the system about it by changing /etc/crypttab to your equivalent of this (the key path is relative to the root of the USB key, which the keyscript mounts):

```
hda4_crypt /dev/hda4 .keys/<hostname>.key luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
```
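To show what such a keyscript actually has to do, here is an added example of a minimal one in the same spirit. It is not the script the post links to and not Debian's: cryptsetup's initramfs hook runs the keyscript with the crypttab key field as its first argument and reads the key from the script's standard output, so the script mounts candidate USB partitions read-only, prints the key file if it finds one, and otherwise falls back to the interactive passphrase prompt so a forgotten USB key does not leave the machine unbootable. The mount point, the /dev/sd?1 device pattern, the retry count and the askpass path are assumptions of this example, not values from the post.

```sh
#!/bin/sh
# Added example keyscript (not the post's or Debian's script). cryptsetup's
# initramfs hook runs it as:
#   /usr/local/sbin/crypto-usb-key.sh <key field from crypttab>
# and reads the key from stdout, so nothing else may be printed there;
# diagnostics go to stderr.
#
# Assumptions (not from the original post): the USB key is a FAT volume whose
# partition appears as /dev/sd?1 in the initramfs, the mount point and retry
# count below, and Debian's /lib/cryptsetup/askpass as the fallback prompt.

MOUNTPOINT="/tmp/crypto-usb-key"
ASKPASS="/lib/cryptsetup/askpass"
RETRIES=5   # seconds to wait for the USB stack to enumerate the key

# find_key_on_mount MOUNTPOINT RELPATH
# Print the absolute path of the key file if it is a regular, non-empty file
# under MOUNTPOINT; return 1 otherwise. Paths with ".." components are
# rejected so the crypttab field cannot name a file outside the USB key.
find_key_on_mount() {
    mnt="$1"; rel="$2"
    case "$rel" in
        */../*|../*|*/..|..) return 1 ;;
    esac
    candidate="$mnt/$rel"
    [ -f "$candidate" ] && [ -s "$candidate" ] || return 1
    printf '%s\n' "$candidate"
}

# read_key_from_usb RELPATH
# Mount each candidate partition read-only in turn and cat the key file to
# stdout on success. Returns 1 if no device held the key.
read_key_from_usb() {
    rel="$1"
    mkdir -p "$MOUNTPOINT"
    for dev in /dev/sd[a-z]1; do
        [ -b "$dev" ] || continue
        mount -t vfat -o ro,nosuid,nodev,noexec "$dev" "$MOUNTPOINT" 2>/dev/null || continue
        if key=$(find_key_on_mount "$MOUNTPOINT" "$rel"); then
            cat "$key"
            umount "$MOUNTPOINT"
            return 0
        fi
        umount "$MOUNTPOINT"
    done
    return 1
}

main() {
    rel="$1"
    n=0
    while [ "$n" -lt "$RETRIES" ]; do
        if read_key_from_usb "$rel"; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    # No USB key found: fall back to the interactive prompt, whose output
    # cryptsetup accepts exactly as it would the key file.
    echo "crypto-usb-key: '$rel' not found on any USB device, asking for passphrase" >&2
    exec "$ASKPASS" "Insert USB key or enter LUKS passphrase: "
}

# cryptsetup always supplies the key field as $1; with no argument the script
# only defines its functions, so it can be sourced and exercised off-line.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The mount options matter even though the key is only read once: a USB key is an untrusted filesystem at the point it is mounted, so mounting it read-only with nosuid, nodev and noexec keeps the early-boot environment from executing anything it carries. Everything the script writes to stdout becomes key material, which is why the "not found" message goes to stderr.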

Update your initramfs images so they include the new modules and the keyscript:

```
% update-initramfs -u -k all
```

Finally, reboot with the USB key attached and you shouldn't be prompted for your LUKS passphrase (unless you forget to plug it in).

Hat tip: much of the above was derived from this article
