This was originally posted on 2009-08-05 to http://andrewho.co.uk/weblog/debian-powerbook-g4-usb-key-for-an-encrypted-lvm
When setting Lenny up on my PowerBook, I wanted some way to encrypt important data on the hard drive. Crucially, this includes the contents of the main PostgreSQL database cluster. With this in mind, LVM on top of a LUKS-encrypted partition seemed the obvious way to go, and so I set it up during the initial installation (Debian's installer makes it pretty easy). The one downside is that the 16-character alphanumeric passphrase is a little cumbersome to type at every boot, so I opted instead to keep a key file on a USB stick that is plugged in at boot time to unlock the LUKS volume. The passphrase stays in its key slot as a fallback for when the stick is not to hand. Here's how I did this.
The first step is to generate a key file. You can use any file you like, perhaps an innocuous-looking PDF already on the USB key, but a file of random bytes is simplest. I stored mine as <usbkey>/.keys/<hostname>.key and generated it with this one-liner (the head -n 65 | tail -n 64 part drops the begin-base64 header line that uuencode -m prints, leaving 64 lines of base64 text):
% head -c 5000 /dev/random | uuencode -m - | head -n 65 | tail -n 64 > /path/to/<hostname>.key
Two things to bear in mind: /dev/random blocks until the kernel has gathered enough entropy, so on an idle laptop this can take a while (typing or moving the mouse helps), and from now on this file is exactly as sensitive as the passphrase, so don't leave a copy of it lying around on an unencrypted partition such as /boot.
Next, we need to tell LUKS about this key, which means knowing which device is the encrypted one; /etc/crypttab lists it. cryptsetup will prompt for an existing passphrase (most likely the one you set during the partitioning stage of Debian's installer) before adding the new key, and it adds the whole file, trailing newline included, to the next free key slot. Run this as root:
% cat /etc/crypttab
hda4_crypt /dev/hda4 none luks
% cryptsetup luksAddKey /dev/hda4 /path/to/<hostname>.key
Enter any LUKS passphrase: <passphrase>
key slot 0 unlocked.
Command successful.
"key slot 0 unlocked" refers to the existing passphrase slot being verified; cryptsetup luksDump /dev/hda4 will now show a second slot in use.
Some modules need to be loaded in the initramfs to open and read the USB key (the vfat driver plus the nls_cp437 codepage and nls_utf8 iocharset modules it needs to mount a FAT filesystem), so append the following lines to /etc/initramfs-tools/modules:
vfat
fat
nls_cp437
nls_utf8
usb-storage and the USB host-controller drivers are normally pulled in already by the default MODULES=most setting in /etc/initramfs-tools/initramfs.conf.
We need a self-contained script that will find the plugged-in USB key, mount it, and write the key file to standard output for cryptsetup. I've used the one from here and stored it as /usr/local/sbin/crypto-usb-key.sh. Make it executable; Debian's cryptsetup initramfs hook copies whatever keyscript crypttab names into the initramfs, so it must be plain /bin/sh and use only tools that exist there. Tell the system about this by changing /etc/crypttab to your equivalent of this:
hda4_crypt /dev/hda4 .keys/<hostname>.key luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
Note that the key field is no longer a path on the root filesystem: cryptsetup hands it to the keyscript as its first argument, and this script treats it as a path relative to the root of the USB key.
Update the initramfs images for all installed kernels (as root):
% update-initramfs -u -k all
Finally, reboot with the USB key attached and you shouldn't be prompted for your LUKS passphrase. If the key isn't found (or you forgot to plug it in), the script falls back to asking for the passphrase, which is why it is worth keeping that slot rather than removing it. Keep a copy of the key file somewhere safe as well: if the stick dies, the passphrase is the only other way in.
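For reference, here is what such a keyscript looks like. This is an illustration added to this post, not the script linked above, and it assumes a few things that you should check against your own system: that the stick appears as /dev/sdX (it is the only SCSI-like device on a PowerBook with an IDE disk), a scratch mount point of /tmp-usb-key inside the initramfs, and the Debian-supplied /lib/cryptsetup/askpass for the passphrase fallback. The part worth noticing is that the key is written with cat, byte for byte: a command substitution or echo would strip the trailing newline and hand LUKS a different key from the one luksAddKey was given.

```shell
#!/bin/sh
# crypto-usb-key.sh -- illustrative keyscript for a LUKS key kept on a USB stick.
# Added example for this post, not the script the post links to. Assumptions
# (device names, mount point, askpass path) are marked below.
#
# Contract with Debian's cryptsetup initramfs hook (see crypttab(5)):
#   - the crypttab key field is passed as $1 (here: a path relative to the root
#     of the USB stick, e.g. ".keys/myhost.key");
#   - whatever the script writes to stdout is the key, byte for byte;
#   - a non-zero exit makes cryptsetup report failure and retry.
# Everything must be POSIX sh: the initramfs shell is busybox/klibc, not bash.

MNT=/tmp-usb-key                          # assumed scratch mount point in the initramfs
CANDIDATES='/dev/sd[a-z]1 /dev/sd[a-z]'   # assumed: the stick shows up as sdX (IDE disk is hda)
WAIT_SECONDS=10                           # how long to wait for the USB stack to settle

# find_key_file MOUNTPOINT RELPATH: print the absolute path of the key file if
# it is a regular, readable file under the mounted stick; otherwise fail.
find_key_file() {
    f="$1/$2"
    [ -f "$f" ] && [ -r "$f" ] || return 1
    printf '%s\n' "$f"
}

# read_key FILE: emit the key exactly as stored. cat is used deliberately:
# $(cat "$f") or echo would drop the trailing newline, producing bytes that
# differ from what luksAddKey was given, and the unlock would fail.
read_key() {
    cat "$1"
}

# try_device DEV RELPATH: mount DEV read-only, look for the key, print it,
# unmount. Fails quietly if DEV is not a block device or has no FAT filesystem.
try_device() {
    dev=$1; rel=$2
    [ -b "$dev" ] || return 1
    mkdir -p "$MNT"
    mount -t vfat -o ro "$dev" "$MNT" 2>/dev/null || return 1
    if f=$(find_key_file "$MNT" "$rel"); then
        read_key "$f"
        umount "$MNT"
        return 0
    fi
    umount "$MNT"
    return 1
}

# Fallback: prompt for the LUKS passphrase (the original slot still works) when
# no stick carrying the key turns up. /lib/cryptsetup/askpass is shipped by
# Debian's cryptsetup package and copied into the initramfs (assumed path).
ask_passphrase() {
    /lib/cryptsetup/askpass "USB key not found. Enter LUKS passphrase: "
}

main() {
    rel=${1:?usage: $0 relative/path/to/key}
    i=0
    while [ "$i" -lt "$WAIT_SECONDS" ]; do
        for dev in $CANDIDATES; do          # unquoted on purpose: let the globs expand
            try_device "$dev" "$rel" && exit 0
        done
        sleep 1
        i=$((i + 1))
    done
    ask_passphrase
}

# Act as a keyscript only when invoked under this name, so the functions above
# can also be sourced on a normal system without touching any block device.
case "$0" in
    */crypto-usb-key.sh|crypto-usb-key.sh) main "$@" ;;
esac
```

The case guard at the end means the file behaves as a keyscript when cryptsetup runs it under its own name, but it can be sourced from an ordinary shell (for instance to point find_key_file at a stick you have mounted by hand) without mounting or unmounting anything.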
Hat tip: much of the above was derived from this article