Gentoo Forums
adding keyfile to LUKS partition
Ruffman
n00b
Joined: 03 Mar 2012
Posts: 20

PostPosted: Sat Mar 17, 2012 3:23 am    Post subject: adding keyfile to LUKS partition

I have encrypted my /home and /swap partitions mainly following this guide.
I read in the Gentoo dm-crypt wiki that I can add up to 8 passwords/keyfiles, but I can't figure out how. My /home in partition /dev/sda7 is mapped under /dev/mapper/home, and I want to add a keyfile to it that is loaded from a USB stick. What are the steps I have to do? Is it possible to change passwords or keyfiles once they are set?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21431

PostPosted: Sat Mar 17, 2012 4:17 am    Post subject:

Use cryptsetup to manage the keys of a LUKS volume. You want luksAddKey, which will first require you to give an existing valid password to unlock the volume key. You can also use cryptsetup to remove previously valid passwords.
Ruffman
n00b
Joined: 03 Mar 2012
Posts: 20

PostPosted: Sat Mar 17, 2012 1:25 pm    Post subject:

Thx.
If I add a key with luksAddKey, it's stored in (I assume) slot 2. But I can't get the right syntax:
cryptsetup luksAddKey /dev/mapper/home /path/to/key/on/usb will work (at least it seems so), but it is not picked up on boot, or I will not be asked for it on mount.
There is a config in /etc/conf.d/dmcrypt where I store the information for the password. Can I simply add an entry there with the same source and target but with an additional key entry? Does it take the key on USB at boot, but fall back to the password if no key was found?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21431

PostPosted: Sat Mar 17, 2012 4:26 pm    Post subject:

Have you looked at the examples in /etc/conf.d/dmcrypt?
/etc/conf.d/dmcrypt:
## /home with regular keyfile
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'

## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'

##/home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'
I think at least one of these will match the behavior you want.
Ruffman
n00b
Joined: 03 Mar 2012
Posts: 20

PostPosted: Sun Mar 18, 2012 1:18 am    Post subject:

I saw these examples, but I didn't see a "/home with regular key on removable media or password fallback" option ;)
So if I add the "/home with regular key on removable media" option, I'm not sure if it will fall back on the password if no media is present? Can I run a batch script inside it, to determine first if a key on USB is present, and if not, set the "normal" password decryption?
lduser
n00b
Joined: 06 Jan 2012
Posts: 22

PostPosted: Sun Mar 18, 2012 2:23 am    Post subject:

Ruffman wrote:
I saw these examples, but I didn't see a "/home with regular key on removable media or password fallback" option ;)
So if I add the "/home with regular key on removable media" option, I'm not sure if it will fall back on the password if no media is present? Can I run a batch script inside it, to determine first if a key on USB is present, and if not, set the "normal" password decryption?


Perhaps you need to set `remdev':
Code:

remdev='/dev/disk/by-uuid/bla-bla-bla-bla'


To find out the UUID of the device:
Code:

blkid /dev/your_usb_dev
Ruffman
n00b
Joined: 03 Mar 2012
Posts: 20

PostPosted: Mon Mar 19, 2012 12:21 am    Post subject:

So it is possible inside this config to add a simple bash statement like

Code:
if [ -f /dev/disk/by-uuid/uuidfromUSB ] ; then
  #config for key
else
  #config for password
fi

?
lduser
n00b
Joined: 06 Jan 2012
Posts: 22

PostPosted: Mon Mar 19, 2012 5:18 pm    Post subject:

Ruffman wrote:
So it is possible inside this config to add a simple bash statement like

Code:
if [ -f /dev/disk/by-uuid/uuidfromUSB ] ; then
  #config for key
else
  #config for password
fi

?


I think you can do it not in `/etc/conf.d/dmcrypt', but in `/etc/init.d/dmcrypt'.


PS:

And you need to change the flag `f' to `b' to check for a block device:
Code:

if [ -b "/dev/disk/by-uuid/uuidfromUSB" ] ; then
  #config for key
else
  #config for password
fi
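The "keyfile on USB, otherwise passphrase" decision the thread is circling around, written out as an added example (not code from the thread or from Gentoo's dmcrypt init script). It takes the same source/target/key/remdev values as a /etc/conf.d/dmcrypt stanza, uses the `-b` block-device test lduser recommends, and prints the commands it would run rather than executing them, so the logic can be exercised without root, cryptsetup or a real USB stick; every device path and UUID below is a constructed placeholder.

```sh
#!/bin/sh
# Added example: decide how to open one LUKS volume, preferring a keyfile on
# removable media and falling back to an interactive passphrase prompt.
#
# Prerequisite (run once, as root): the keyfile must occupy a key slot in the
# LUKS header of the *source* device, not the mapped one:
#     cryptsetup luksAddKey /dev/sda7 /path/to/homekey
#
# plan_unlock SOURCE TARGET KEY REMDEV MNT
#   SOURCE  encrypted block device, e.g. /dev/sda7
#   TARGET  mapper name, e.g. home  (becomes /dev/mapper/home)
#   KEY     keyfile path; with REMDEV set it is relative to the media root,
#           otherwise an absolute path on an already mounted filesystem
#   REMDEV  block device holding the key (e.g. /dev/disk/by-uuid/<usb-uuid>),
#           or empty if the key is not on removable media
#   MNT     mountpoint used for REMDEV
# Prints the command(s) that would be executed, one per line.
plan_unlock() {
    src=$1; tgt=$2; key=$3; remdev=$4; mnt=$5
    if [ -n "$remdev" ]; then
        # Removable media is only usable if the device node exists and is a
        # block device right now: -b, not -f (which matches regular files only).
        if [ -b "$remdev" ]; then
            printf 'mount -o ro %s %s\n' "$remdev" "$mnt"
            printf 'cryptsetup luksOpen --key-file %s%s %s %s\n' "$mnt" "$key" "$src" "$tgt"
            printf 'umount %s\n' "$mnt"
            return 0
        fi
    elif [ -f "$key" ]; then
        # Plain keyfile on the local filesystem.
        printf 'cryptsetup luksOpen --key-file %s %s %s\n' "$key" "$src" "$tgt"
        return 0
    fi
    # Fallback: no keyfile reachable, so let cryptsetup prompt for a passphrase
    # (any valid slot, keyfile or passphrase, still unlocks the volume).
    printf 'cryptsetup luksOpen %s %s\n' "$src" "$tgt"
}

# Example invocation with constructed values: USB stick identified by UUID,
# key stored as /homekey on it, mapped to /dev/mapper/home.
plan_unlock /dev/sda7 home /homekey /dev/disk/by-uuid/0000-CONSTRUCTED /mnt/usbkey
```

Pipe the output to `sh` as root to actually run it; keeping the decision separate from execution is what lets the fallback be tested before wiring it into an init script.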
Ruffman
n00b
Joined: 03 Mar 2012
Posts: 20

PostPosted: Mon Mar 19, 2012 10:27 pm    Post subject:

Sorry, I can't get it. I cannot put a bash if/else inside conf.d but inside init.d... OK, but is it the EXACT same config? I wouldn't think that init.d is taking variables like 'target' or 'source'?!