Ruffman n00b
Joined: 03 Mar 2012 Posts: 20
Posted: Sat Mar 17, 2012 3:23 am Post subject: adding keyfile to LUKS partition |
I have encrypted my /home and /swap partitions mainly following this guide.
I read inside the gentoo dm-crypt wiki that I can add up to 8 passwords/keyfiles, but I can't figure out how. My /home in partition /dev/sda7 is mapped under /dev/mapper/home, and I want to add a keyfile to it that is loaded from a usb stick. What are the steps I have to do? Is it possible to change passwords or keyfiles that are set once?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Sat Mar 17, 2012 4:17 am Post subject: |
Use cryptsetup to manage the keys of a LUKS volume. You want luksAddKey, which will first require you to give an existing valid password to unlock the volume key. You can also use cryptsetup to remove previously valid passwords.
Ruffman n00b
Joined: 03 Mar 2012 Posts: 20
Posted: Sat Mar 17, 2012 1:25 pm Post subject: |
Thx.
If I add a key with luksAddKey, it's stored in (I assume) slot 2. But I can't get the right syntax:
cryptsetup luksAddKey /dev/mapper/home /path/to/key/on/usb will work (at least it seems so), but it is not realized on boot, or I will not be asked for it on mount.
There is a config in /etc/conf.d/dmcrypt where I store the information for the password. Can I simply add an entry there with the same source and target but with an additional key entry? Does it take the key on USB on boot, but fall back to the password if no key was found?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Sat Mar 17, 2012 4:26 pm Post subject: |
Have you looked at the examples in /etc/conf.d/dmcrypt?
Code: |
## /home with regular keyfile
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'

## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'

##/home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'
|
I think at least one of these will match the behavior you want.
Ruffman n00b
Joined: 03 Mar 2012 Posts: 20
Posted: Sun Mar 18, 2012 1:18 am Post subject: |
I saw these examples, but I didn't see a "/home with regular key on removable media or password fallback" option.
So if I add the "/home with regular key on removable media" option, I'm not sure if it will fall back on the password if no media is present? Can I run a batch script inside it, to determine first if a key on usb is present, and if not set the "normal" password decryption?
lduser n00b
Joined: 06 Jan 2012 Posts: 22
Posted: Sun Mar 18, 2012 2:23 am Post subject: |
Ruffman wrote: |
I saw these examples, but I didn't see a "/home with regular key on removable media or password fallback" option.
So if I add the "/home with regular key on removable media" option, I'm not sure if it will fall back on the password if no media is present? Can I run a batch script inside it, to determine first if a key on usb is present, and if not set the "normal" password decryption?
|
Perhaps you need to set up `remdev':
Code: |
remdev='/dev/disk/by-uuid/bla-bla-bla-bla'
|
To find out the UUID of the device:
Code: |
blkid /dev/your_usb_dev
|
Ruffman n00b
Joined: 03 Mar 2012 Posts: 20
Posted: Mon Mar 19, 2012 12:21 am Post subject: |
So it is possible inside this config to add a simple bash statement like
Code: |
if [ -f /dev/disk/by-uuid/uuidfromUSB ] ; then
    #config for key
else
    #config for password
fi
|
?
lduser n00b
Joined: 06 Jan 2012 Posts: 22
Posted: Mon Mar 19, 2012 5:18 pm Post subject: |
Ruffman wrote: |
So it is possible inside this config to add a simple bash statement like
Code: |
if [ -f /dev/disk/by-uuid/uuidfromUSB ] ; then
    #config for key
else
    #config for password
fi
|
?
|
I think you can do it not in `/etc/conf.d/dmcrypt',
but in `/etc/init.d/dmcrypt'.
PS:
And you need to change the flag `f' to `b' to check for a block device:
Code: |
if [ -b "/dev/disk/by-uuid/uuidfromUSB" ] ; then
    #config for key
else
    #config for password
fi
|
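The two things this thread circles around, the `-b` block-device test that picks between a keyfile on removable media and a passphrase prompt (lduser's post above), and checking which LUKS key slots are in use after luksAddKey (Hu's first reply), as one added shell example. This is not code from the thread or from Gentoo's dmcrypt init script; the device paths, the keyfile location and the luksDump excerpt are constructed placeholders. Two facts worth keeping in mind when adapting it: LUKS1 slots are numbered 0 to 7, and luksAddKey (like luksDump) operates on the LUKS container itself, the raw partition /dev/sda7 here, not on the opened mapping /dev/mapper/home.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's dmcrypt scripts.
# (1) the "-b" block-device test that decides between a keyfile on removable
#     media and an interactive passphrase, and
# (2) reading `cryptsetup luksDump` output to see which of the eight LUKS1
#     key slots are in use after luksAddKey.
# All paths are placeholders; nothing here touches a real device.

# True when the removable device node exists. A /dev/disk/by-uuid/ symlink
# only appears once the stick is plugged in, and `-b` follows the link to the
# block device (`-f` would always be false for a device node).
usb_key_device_present() {
    [ -b "$1" ]
}

# Print the cryptsetup arguments for unlocking the container:
#   $1 removable device node, e.g. /dev/disk/by-uuid/<uuid of the stick>
#   $2 keyfile path as seen once the stick is mounted (assumed location)
#   $3 LUKS container: the raw partition, e.g. /dev/sda7, not /dev/mapper/home
#   $4 mapper name
# With the stick present and the keyfile readable, unlock with --key-file;
# otherwise omit it so cryptsetup prompts for the passphrase held in another slot.
luks_open_args() {
    if usb_key_device_present "$1" && [ -r "$2" ]; then
        printf 'luksOpen --key-file %s %s %s\n' "$2" "$3" "$4"
    else
        printf 'luksOpen %s %s\n' "$3" "$4"
    fi
}

# Number of enabled slots in LUKS1 `cryptsetup luksDump` output read from stdin.
# luksAddKey fills the lowest free slot, so this shows how close the header is
# to the limit of eight. `|| true` keeps a count of 0 from being an error.
enabled_slots() {
    grep -c '^Key Slot [0-7]: ENABLED$' || true
}

# Space-separated numbers of the enabled slots, e.g. "0 1" (stdin as above).
enabled_slot_numbers() {
    awk '/^Key Slot [0-7]: ENABLED$/ { sub(":", "", $3); out = out (out == "" ? "" : " ") $3 }
         END { print out }'
}

# Constructed luksDump excerpt in the LUKS1 layout: slot 0 holds the
# passphrase, slot 1 the keyfile added with luksAddKey, the rest are free.
SAMPLE_LUKSDUMP='LUKS header information for /dev/sda7

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Usage from a shell:
#   printf '%s\n' "$SAMPLE_LUKSDUMP" | enabled_slots          # -> 2
#   printf '%s\n' "$SAMPLE_LUKSDUMP" | enabled_slot_numbers   # -> 0 1
#   luks_open_args /dev/disk/by-uuid/<stick> /mnt/usbkey/homekey /dev/sda7 home
```

On a real system the luksDump input comes from `cryptsetup luksDump /dev/sda7`, and the argument list printed by luks_open_args is what you would hand to cryptsetup; the fallback branch is exactly the case where no stick is plugged in, which is why the test is on the device node rather than on a file path that may or may not be mounted yet.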
Ruffman n00b
Joined: 03 Mar 2012 Posts: 20
Posted: Mon Mar 19, 2012 10:27 pm Post subject: |
Sorry, I can't get it. I cannot put a bash if/else inside conf.d but inside init.d... Ok, but is it the EXACT same config? I wouldn't think that init.d is taking variables like 'target' or 'source'?!