Encrypted root filesystem on Debian Wheezy

This documents how to set up an encrypted root filesystem (except for /boot) on Debian Wheezy with automatic mounting using a keyfile on a USB drive.

Basic setup

In the Debian Installer, choose "Guided - use entire disk and set up encrypted LVM". That's it: on boot you will be asked to enter your passphrase using the keyboard. My system does not usually have a keyboard attached, so that's not very convenient (but read on).

I'm going to assume /dev/sda5 is the LUKS-encrypted partition, providing sda5_crypt to the device mapper. The UUID for /dev/sda5 is 6b41de52-78f4-4c4c-9a84-7090750312c5.

Keyfile on a USB drive

To decrypt the partition using a keyfile instead of entering a passphrase, create a keyfile and add it to the encrypted partition:

head -c 2880 /dev/urandom | uuencode -m - | head -n 65 | tail -n 64 | sudo tee /media/usbdisk/example.key
sudo cryptsetup luksAddKey UUID=6b41de52-78f4-4c4c-9a84-7090750312c5 /media/usbdisk/example.key

(I assume you have some external device listed in /etc/fstab mounted at /media/usbdisk with device UUID de5ee1ad-b2a8-4605-b1ee-257f9520f40a).

Any external encrypted storage device (or anything that can be mounted after the base system has been set up, i.e. not /) could be automatically mounted during boot by:

  1. Setting the keyfile in /etc/crypttab, e.g.

     sda5_crypt UUID=6b41de52-78f4-4c4c-9a84-7090750312c5 /media/usbdisk/example.key luks

  2. Setting CRYPTDISKS_MOUNT="/media/usbdisk" in /etc/default/cryptsetup.

  3. Running sudo update-initramfs -u.

However, this mechanism apparently doesn't work for the root filesystem, because the keyfile's device is not mounted yet when the initramfs needs to open /. To bootstrap our system, create /sbin/keyscript with the following content (modified from [this thread]):

#!/bin/sh
# Key script for crypttab: the keyfile goes to stdout, where cryptsetup
# reads it. Everything else is sent to stderr so nothing but the key is
# emitted on stdout.
modprobe usb-storage
sleep 5
mkdir /keydev 1>&2
mount -t ext4 -o ro /dev/disk/by-uuid/de5ee1ad-b2a8-4605-b1ee-257f9520f40a /keydev 1>&2
cat /keydev/example.key
umount /keydev 1>&2

I noticed mount failed if I used -U de5ee... from the initramfs (whereas the exact same command works on a fully booted system). Fortunately it works using the /dev/disk/by-uuid/de5ee... link.

Now use this script in /etc/crypttab:

sda5_crypt UUID=6b41de52-78f4-4c4c-9a84-7090750312c5 none luks,keyscript=/sbin/keyscript

And run sudo update-initramfs -u.
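A mistyped keyscript path in /etc/crypttab is only discovered at the next boot, when the initramfs cannot open the root device. The following check, an added example that is not part of the original gist, parses the options field of a crypttab entry and verifies the script it names exists and is executable before update-initramfs is run; it assumes the standard four-field crypttab layout and takes an alternative crypttab path as its optional second argument.

```shell
#!/bin/sh
# Sanity check for a crypttab entry that uses keyscript=: the path must
# exist and be executable, or the initramfs will fail to unlock the root
# filesystem. Usage: check_keyscript <target> [crypttab]

# Print the keyscript path from the options (4th) field of the crypttab
# line whose target (1st field) is $1; $2 is the crypttab file to read
# (defaults to /etc/crypttab). Prints nothing if no keyscript= is set.
crypttab_keyscript() {
    target=$1
    tab=${2:-/etc/crypttab}
    awk -v t="$target" '$1 == t { print $4 }' "$tab" \
        | tr ',' '\n' | sed -n 's/^keyscript=//p'
}

# Return 0 if the entry names an existing, executable keyscript;
# 1 if the path is missing or not executable (the /sbin/keyfile vs
# /sbin/keyscript mismatch); 2 if the entry has no keyscript= at all.
check_keyscript() {
    script=$(crypttab_keyscript "$1" "$2")
    [ -n "$script" ] || { echo "$1: no keyscript= option" >&2; return 2; }
    if [ -x "$script" ]; then
        echo "$1: keyscript $script is present and executable"
        return 0
    fi
    echo "$1: keyscript $script is missing or not executable" >&2
    return 1
}

# Stand-alone use: check_keyscript.sh sda5_crypt [/etc/crypttab]
if [ $# -gt 0 ]; then
    check_keyscript "$@"
fi
```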

In my case the USB disk containing the keyfile has a ext4 formatted partition. If you use another filesystem type you may need to add some modules to /etc/initramfs-tools/modules (e.g. nls_cp437, nls_iso8859_1, and vfat for FAT32).

If everything went well you can now reboot with the USB disk inserted and not be asked to enter a passphrase. There is no fallback here though, so if the USB disk is not inserted during boot it will just fail without asking you for your passphrase. See below how to continue the boot in that case (or [this guide] for a more involved solution).

Troubleshooting

If you somehow get stuck in the initramfs busybox shell during boot, you can try the following to manually decrypt the partition and add the LVM volumes to the device mapper:

cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay

Then press Ctrl-D (^D) to continue booting.

romanrm commented May 26, 2018

To bootstrap our system, create /sbin/keyfile

sda5_crypt UUID=6b41de52-78f4-4c4c-9a84-7090750312c5 none luks,keyscript=/sbin/keyscript

The filename of /sbin/keysomething needs to be the same in both places.
