vokiel (Tux's lil' helper)
Joined: 01 Oct 2004, Posts: 110
Posted: Tue May 11, 2021 1:51 pm
I'll just encrypt the whole thumb drive and make random keys on an encrypted partition instead of attempting to do an encrypted key file.
It seems I have issues with size. I don't think cryptsetup can be used as described in Encrypting keys anymore.
ocicorp (n00b)
Joined: 11 May 2021, Posts: 1
Posted: Tue May 11, 2021 9:25 pm
Hello Vokiel,
I have undertaken the encrypted keyfile many times myself for use when maintaining servers which hold devel files that I don't want pilfered.
I personally follow this pattern:
Code:
sudo dd if=/dev/urandom of=/dev/sdb                # wipe the whole thumb drive with random data first
sudo dd if=/dev/urandom of=~/keyfile count=8192    # 8192 blocks of 512 bytes = 4 MiB of random key material
sudo cfdisk /dev/sdb                                # create the partition that will carry the key file
sudo mkfs.ext4 /dev/sdb1                            # the partition needs a filesystem before it can be mounted (step missing from the original sequence; ext4 assumed)
sudo mount /dev/sdb1 /mnt/whatever
sudo cp ~/keyfile /mnt/whatever/keyfile
sudo cryptsetup luksFormat --key-file /mnt/whatever/keyfile {partition}
sudo cryptsetup luksOpen --key-file /mnt/whatever/keyfile {path_to_encrypted_partition} {mapper_name}   # last argument is the /dev/mapper name, not a mount point
(eg. ... luksOpen --key-file /mnt/whatever/keyfile /mnt/nvme4b1b1 Gentoo_Root )
And then carry on from there
It is important to note that unless you are booting directly from the USB key, you need to write your grub config to look at your USB key for the partition key.
To alleviate the security consideration, you can either make your USB key look legitimately like a USB linux distro with a grub-option to pivot root to your desktop, or you can just have plain jane Grub sitting there with the correct entries.
Update with your progress.
_________________
3700x, 32GB Ram, 980
Algo-trading developer
vokiel (Tux's lil' helper)
Joined: 01 Oct 2004, Posts: 110
Posted: Wed May 12, 2021 1:45 pm
Right now I'm looking at the following potential scenario:
1. I have an unencrypted /boot partition and an encrypted LVM one
2. I'll use a USB thumb drive that is also encrypted with the key files on it.
3. I've written my own /init and packaged an initramfs
So I think I'm free to do whatever in there as long as I packaged the binaries needed to first mount the USB drive with its UUID from the GRUB command line and then select the right key file again from the GRUB command line. This is all very loosely based on the example I linked above. I just moved the unencrypted key file from the initramfs to my thumb drive which will be encrypted with a passphrase.
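An added example, not from this thread or from any Gentoo code, of how such a custom /init could pick up the thumb drive's UUID and the key file name from the kernel command line, unlock the passphrase-protected drive, use the key file on it to open the root volume, and then close the drive again. The parameter names usbuuid= and keyfile=, the mapper names, the mount point and ROOT_PV are assumed placeholders, and the key name check is there so a tampered command line cannot point the lookup outside the key directory:

```shell
#!/bin/sh
# Added example: initramfs /init fragment that unlocks a passphrase-protected
# USB key drive, takes the LUKS key file from it and unlocks the root volume.
# usbuuid=, keyfile=, the mapper names and ROOT_PV are assumed placeholders.

# Return the value of one name=value parameter from a kernel command line.
cmdline_param() {
    for _tok in $2; do
        case $_tok in
            "$1"=*) printf '%s\n' "${_tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Accept only a bare file name, so a tampered command line cannot point the
# key lookup outside the mounted key directory.
safe_keyname() {
    case $1 in
        ''|*/*|.|..) return 1 ;;
        *) printf '%s\n' "$1"; return 0 ;;
    esac
}

unlock_root() {
    cmdline=$(cat /proc/cmdline)
    usbuuid=$(cmdline_param usbuuid "$cmdline") || return 1
    keyname=$(safe_keyname "$(cmdline_param keyfile "$cmdline")") || return 1

    # Give the USB stack up to 30 s to expose the drive, then ask for the
    # passphrase that protects the key partition.
    i=0
    while [ ! -e "/dev/disk/by-uuid/$usbuuid" ] && [ "$i" -lt 30 ]; do
        sleep 1; i=$((i + 1))
    done
    cryptsetup luksOpen "/dev/disk/by-uuid/$usbuuid" usbkey || return 1
    mkdir -p /mnt/usbkey
    mount -o ro /dev/mapper/usbkey /mnt/usbkey || return 1

    # Unlock the LVM physical volume with the selected key file.
    cryptsetup luksOpen --key-file "/mnt/usbkey/$keyname" "$ROOT_PV" lvm_crypt
    rc=$?

    # The key drive is not needed once the root volume is open: unmount and
    # close it so the key file is not left readable from the booted system.
    umount /mnt/usbkey
    cryptsetup luksClose usbkey
    return $rc
}
```

Calling unlock_root from /init before the LVM activation and root mount steps is what ties this to the rest of the initramfs; the parsing helpers run anywhere.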