This documents how to set up an encrypted root filesystem (except for /boot) on Debian Wheezy with automatic mounting using a keyfile on a USB drive.
In the Debian Installer, choose "Guided - use entire disk and set up encrypted LVM". That's it; on boot you will be asked to enter your passphrase using the keyboard. My system does not usually have a keyboard attached, so that's not very convenient (but read on).
I'm going to assume /dev/sda5 is the LUKS-encrypted partition, providing sda5_crypt to the device mapper. The UUID for /dev/sda5 is 6b41de52-78f4-4c4c-9a84-7090750312c5.
To decrypt the partition using a keyfile instead of entering a passphrase, create a keyfile and add it to the encrypted partition (uuencode comes from the sharutils package; luksAddKey asks for the existing passphrase and puts the keyfile into a free key slot, so the passphrase keeps working as well):
head -c 2880 /dev/urandom | uuencode -m - | head -n 65 | tail -n 64 | sudo tee /media/usbdisk/example.key
sudo cryptsetup luksAddKey UUID=6b41de52-78f4-4c4c-9a84-7090750312c5 /media/usbdisk/example.key
(I assume you have some external device listed in /etc/fstab, mounted at /media/usbdisk, with device UUID de5ee1ad-b2a8-4605-b1ee-257f9520f40a.)
Any external encrypted storage device (or anything that can be mounted after the base system has been set up, i.e. not /) could be automatically mounted during boot by:
- Setting the keyfile in /etc/crypttab, e.g.
sda5_crypt UUID=6b41de52-78f4-4c4c-9a84-7090750312c5 /media/usbdisk/example.key luks
- Setting CRYPTDISKS_MOUNT="/media/usbdisk" in /etc/default/cryptsetup, so that the USB disk is mounted before the encrypted devices are set up.
- Running sudo update-initramfs -u.
However, this mechanism apparently doesn't work for the root filesystem, which is unlocked from the initramfs before /etc/fstab and /etc/default/cryptsetup are ever read. To bootstrap our system, create an executable script /sbin/keyfile with the following content (modified from [this thread] 1). Whatever the script writes to stdout is used as the key, so any other output has to go to stderr:
#!/bin/sh
# Keyscript for the root filesystem: stdout becomes the LUKS key,
# so every other message is redirected to stderr (1>&2).
modprobe usb-storage 1>&2
sleep 5   # give the USB disk time to be detected
mkdir -p /keydev 1>&2
mount -t ext4 -o ro /dev/disk/by-uuid/de5ee1ad-b2a8-4605-b1ee-257f9520f40a /keydev 1>&2
cat /keydev/example.key
umount /keydev 1>&2
I noticed mount failed if I used -U de5ee... from the initramfs (whereas the exact same command works on a fully booted system). Fortunately it works using the /dev/disk/by-uuid/de5ee... link.
Now use this script in /etc/crypttab (the keyscript= path must be the file you just created):
sda5_crypt UUID=6b41de52-78f4-4c4c-9a84-7090750312c5 none luks,keyscript=/sbin/keyfile
And run sudo update-initramfs -u.
In my case the USB disk containing the keyfile has an ext4-formatted partition. If you use another filesystem type you may need to add some modules to /etc/initramfs-tools/modules (e.g. nls_cp437, nls_iso8859_1, and vfat for FAT32) and change the -t ext4 in the script accordingly.
If everything went well you can now reboot with the USB disk inserted and not be asked to enter a passphrase. Keep in mind what this means: the key sits on the USB disk in the clear, so whoever holds the disk can unlock the root filesystem. Don't leave it plugged in when you are not around, and keep the passphrase key slot as a way back in. There is no fallback here though: if the USB disk is not inserted during boot the keyscript simply fails without asking you for your passphrase. See below how to continue the boot in that case (or [this guide] 2 for a more involved solution).
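The following keyscript, added here as an example and not part of the original post, keeps the USB keyfile approach but falls back to a passphrase prompt when the disk is missing, and polls for the device instead of a fixed sleep. It assumes the same UUID, mount point and keyfile name as above, that /lib/cryptsetup/askpass (shipped by Debian's cryptsetup package and copied into the initramfs by its hook) is available, and the function names are my own. Install it as /sbin/keyfile, make it executable, and rebuild the initramfs as before.

```sh
#!/bin/sh
# Added example keyscript with a passphrase fallback; not the original post's script.
# Whatever is written to stdout becomes the LUKS key, so all messages go to stderr.
# Assumed values: the USB disk UUID, mount point and keyfile name used in the text.
KEYDEV="/dev/disk/by-uuid/de5ee1ad-b2a8-4605-b1ee-257f9520f40a"
KEYMNT="/keydev"
KEYFILE="example.key"
DMNAME="sda5_crypt"
ASKPASS="/lib/cryptsetup/askpass"   # assumption: present in the initramfs

# wait_for_dev PATH TRIES: poll once per second until PATH exists; 1 on timeout.
wait_for_dev() {
    path="$1"
    tries="${2:-20}"
    while [ "$tries" -gt 0 ]; do
        [ -e "$path" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# read_keyfile DIR NAME: print DIR/NAME on stdout; 1 if it is not readable.
read_keyfile() {
    [ -r "$1/$2" ] || return 1
    cat "$1/$2"
}

# try_usb_key: mount the USB disk read-only, print the key, unmount again.
try_usb_key() {
    modprobe usb-storage 1>&2
    wait_for_dev "$KEYDEV" 20 || return 1
    mkdir -p "$KEYMNT" 1>&2
    mount -t ext4 -o ro "$KEYDEV" "$KEYMNT" 1>&2 || return 1
    read_keyfile "$KEYMNT" "$KEYFILE"
    rc=$?
    umount "$KEYMNT" 1>&2
    return "$rc"
}

# keyscript_main: USB keyfile first; passphrase prompt if that fails.
keyscript_main() {
    if try_usb_key; then
        return 0
    fi
    echo "keyfile: USB key not found, falling back to passphrase" 1>&2
    "$ASKPASS" "Enter passphrase for $DMNAME: "
}

# Only run when installed as /sbin/keyfile, so the functions can be sourced and tested.
case "$0" in
    */keyfile|keyfile) keyscript_main ;;
esac
```

With this script the crypttab line stays exactly as above (key field none, keyscript=/sbin/keyfile); the only visible difference is that a boot without the disk prompts for the passphrase instead of dropping you into the initramfs shell.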
If you somehow get stuck in the initramfs busybox shell during boot, you can try the following to manually decrypt the partition and add the LVM volumes to the device mapper:
cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay
Then press ^D to continue booting.
The filename of the keyscript (/sbin/keyfile) needs to be the same in both places: the file you create and the keyscript= option in /etc/crypttab.