Gentoo Forums
systemd-cryptsetup with keyfile on removable drive
Gentoo Forums Forum Index > Kernel & Hardware
Alexey Vladykin (n00b; joined 17 Dec 2013; posts: 10)
Posted: Tue Dec 17, 2013 9:22 pm    Post subject: systemd-cryptsetup with keyfile on removable drive

I've recently migrated from OpenRC to systemd and I'm missing one feature: ability to auto-mount encrypted LUKS partition using a removable drive with keyfile.

With OpenRC I simply had in /etc/conf.d/dmcrypt:
Code:
target=home
source=/dev/sda4
remdev=/dev/sdb1
key=/keyfile.dat

During boot OpenRC mounted /dev/sdb1 to some temporary mount point and used keyfile.dat to open the encrypted partition.

Unfortunately with systemd I can't find how to achieve the same result. Something like this is described at http://wejn.org/how-to-make-passwordless-cryptsetup.html, but it relies upon a "keyscript" option which apparently does not exist in my systemd version 208-r2.

Anybody managed to make systemd-cryptsetup mount LUKS partitions using keyfile from removable drive?
Will appreciate any ideas.
nlsa8z6zoz7lyih3ap (Guru; joined 25 Sep 2007; posts: 366; location: Canada)
Posted: Wed Dec 18, 2013 3:16 pm

To set up /dev/mapper/sda8 without a password I add the following line to /etc/crypttab

Code:
sda8  /dev/sda8   /PathToKey/sda8crypt     luks

where the key is sda8crypt.

Here, /dev/mapper/sda8 will be mounted to /home.

To mount the encrypted root, I use an initramfs, 'tho of course this takes a password.

I had some trouble setting this up, as detailed in the forums:

Quote:
https://forums.gentoo.org/viewtopic-t-972332-highlight-.html
Alexey Vladykin (n00b; joined 17 Dec 2013; posts: 10)
Posted: Thu Dec 19, 2013 8:01 pm

Thank you for the response. I've studied that thread before asking my question, but my case is a little bit different.

I have my keyfile on a removable USB thumb which has no static mount point configured in fstab, so there is nothing I can write in place of /PathToKey/. Only the device node of USB drive is known in advance (/dev/sdb1). OpenRC handled this pretty well, now I'm looking for a similar feature in systemd.
nlsa8z6zoz7lyih3ap (Guru; joined 25 Sep 2007; posts: 366; location: Canada)
Posted: Thu Dec 19, 2013 8:10 pm

Assuming that you are not mounting root, would the persistent names feature of udev allow you to give it a name that you can put into /etc/fstab?
Even without that, my flash drive always comes up with the same name, so I could put it in /etc/fstab.

This is only a thought, I realize that it may not be what you are looking for.
Alexey Vladykin (n00b; joined 17 Dec 2013; posts: 10)
Posted: Thu Dec 19, 2013 8:56 pm

If I configure a mount point for my removable drive in fstab like this
Code:
/dev/sdb1               /mnt/flash      vfat            noatime,nofail  0 0

and in crypttab specify path to key using this mount point
Code:
home       /dev/sda4       /mnt/flash/keyfile     luks

then indeed systemd reads my keyfile from USB drive and does not ask for password.

That's good :D However there are two drawbacks compared to the OpenRC functionality:
  • USB drive has to be manually unmounted after booting in order to remove it
  • mount point for USB drive has to be configured in fstab
Is it possible to address these drawbacks?
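Both drawbacks listed in the post above come from the same thing: once the stick is an fstab mount, systemd keeps it mounted and the only place to name the key is inside that mount. What OpenRC's remdev= did instead was mount the removable device just for the duration of the unlock. The script below is an added example written for this page, not code from the thread, from OpenRC or from systemd. It reproduces that sequence: mount the device read-only on a throw-away directory, hand the key file to cryptsetup over stdin, and unmount again whether or not the unlock succeeded. It assumes the devices and paths from the first post (/dev/sda4, /dev/sdb1, /keyfile.dat), that util-linux mount/umount and cryptsetup are on PATH, and it takes an injectable run callable so the flow can be exercised without real devices.

```python
"""Unlock a LUKS volume with a key file kept on a removable device.

Added example for this page, not code from the thread or from systemd: it
reproduces what OpenRC's dmcrypt ``remdev=`` setting did (mount the stick only
for the duration of the unlock) so that neither an /etc/fstab entry for the
stick nor a manual umount after boot is needed. Assumes util-linux mount/umount
and cryptsetup on PATH; ``run`` is injectable so the flow can be exercised
without real devices.
"""
import os
import subprocess
import sys
import tempfile


def read_key_from_removable(remdev, keypath, run=subprocess.run):
    """Mount remdev read-only on a fresh temporary directory, read keypath
    (relative to the root of that filesystem) and unmount again no matter what.
    """
    mnt = tempfile.mkdtemp(prefix="remdev-")
    try:
        # ro,nodev,nosuid,noexec: the stick is a file store; nothing on it
        # should be executable, setuid or a device node.
        run(["mount", "-o", "ro,nodev,nosuid,noexec", remdev, mnt], check=True)
        try:
            with open(os.path.join(mnt, keypath.lstrip("/")), "rb") as f:
                return f.read()
        finally:
            # Always unmount, so the stick can be pulled after boot without
            # leaving a stale mount (or a mounted /home that vanishes with it).
            if run(["umount", mnt], check=False).returncode != 0:
                print(f"remdev-unlock: umount {mnt} failed", file=sys.stderr)
    finally:
        os.rmdir(mnt)


def unlock_with_keyfile(target, source, key, run=subprocess.run):
    """Open source as /dev/mapper/<target>. The key goes to cryptsetup on
    stdin (--key-file -), so it never has to exist on the root filesystem.
    Returns True on success."""
    result = run(["cryptsetup", "open", "--key-file", "-", source, target],
                 input=key, check=False)
    return result.returncode == 0


def unlock_from_removable(target, source, remdev, keypath, run=subprocess.run):
    """The whole OpenRC-style sequence: mount, read key, unmount, unlock."""
    try:
        key = read_key_from_removable(remdev, keypath, run)
    except (subprocess.CalledProcessError, OSError) as exc:
        print(f"remdev-unlock: cannot read {keypath} from {remdev}: {exc}",
              file=sys.stderr)
        return False
    return unlock_with_keyfile(target, source, key, run)


if __name__ == "__main__":
    # e.g.  remdev-unlock home /dev/sda4 /dev/sdb1 /keyfile.dat
    if len(sys.argv) != 5:
        sys.exit("usage: remdev-unlock TARGET SOURCE REMDEV KEYPATH")
    sys.exit(0 if unlock_from_removable(*sys.argv[1:]) else 1)
```

To run it at boot one would call it from a oneshot unit (Type=oneshot, DefaultDependencies=no, Before=cryptsetup.target) and keep only the /dev/mapper/home line in fstab, leaving the stick out of both fstab and crypttab; that unit layout is an assumption of this example, not something the thread describes. Two caveats a practitioner should weigh: the key on the stick is a plaintext LUKS key, so give it its own key slot with cryptsetup luksAddKey so that a lost stick can be answered with luksKillSlot rather than re-encryption; and current crypttab(5) accepts a third field of the form /keyfile.dat:/dev/sdb1 (a key path relative to the root of the named device), so on a systemd that supports it, this script collapses to a one-line crypttab entry. Check your crypttab(5) before scripting around it.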
nlsa8z6zoz7lyih3ap (Guru; joined 25 Sep 2007; posts: 366; location: Canada)
Posted: Fri Dec 20, 2013 6:35 pm

Quote:
That's good :D However there are two drawbacks compared to the OpenRC functionality:
  • USB drive has to be manually unmounted after booting in order to remove it
  • mount point for USB drive has to be configured in fstab
Is it possible to address these drawbacks?

I don't know how to address this without using /etc/fstab unless you write an initramfs that mounts the flash drive, does the cryptsetup, then unmounts the flash drive before pivoting to systemd. This is quite easy if you are used to writing your own initramfs, otherwise it probably isn't worth the learning curve for such a minor task.
Since I use KDE, I would unmount it by creating the following file "~//home/owner/.kde4/Autostart/UnMountFlash.sh":
Code:
sudo umount /mnt/flash   # unmount the mount point, not the key file inside it

Don't forget to make this executable. Of course you will also need to have sudo installed with permissions to run ~//home/owner/.kde4/Autostart/UnMountFlash.sh.
I suspect also that you could write your own systemd element to do this, and that would be the most elegant solution. I don't know how to do this.
I did write my own for a few other services that were lacking, but I didn't really understand what I was doing. I just googled around, copied shamelessly and modified until they worked.

Quote:
However there are two drawbacks compared to the OpenRC functionality:

openrc worked better for me. I shall be moving back to it after I have finished with the fun of experimenting with systemd. I don't need systemd, but I did wish to use it for a while so that I would at least know something about it.

Would moving back to openrc work for you?
nlsa8z6zoz7lyih3ap (Guru; joined 25 Sep 2007; posts: 366; location: Canada)
Posted: Fri Dec 20, 2013 10:44 pm

Quote:
However there are two drawbacks compared to the OpenRC functionality:
  • USB drive has to be manually unmounted after booting in order to remove it

Here is a question: If you change your /etc/fstab line to

Code:
/dev/sdb1               /mnt/flash      vfat            ro,nofail  0 0


can you just unplug it without unmounting it?

It would seem to me that you should be able to, but I am no expert and I do not actually know the answer.
Alexey Vladykin (n00b; joined 17 Dec 2013; posts: 10)
Posted: Sat Dec 21, 2013 9:36 am

I've recently updated to GNOME 3.8 which wants systemd running, so I'll stick with systemd and look for solutions/workarounds.
Currently I see that writing a custom systemd script is the most clean and elegant approach.

Thank you!
nlsa8z6zoz7lyih3ap (Guru; joined 25 Sep 2007; posts: 366; location: Canada)
Posted: Sat Dec 21, 2013 4:08 pm

Would you be kind enough to share the script when you have it working?
Alexey Vladykin (n00b; joined 17 Dec 2013; posts: 10)
Posted: Wed Dec 25, 2013 8:19 pm

Sure, I will share the solution once I have it.

By the way, it seems that systemd has a standard mechanism for retrieving encryption passwords from non-typical places: http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
Writing such password agent would be an option then.
boris64 (Veteran; joined 04 Oct 2003; posts: 1770; location: vechelde / peine)
Posted: Sun Mar 30, 2014 12:00 pm

Hey folks, any working solution yet? I tried your way, but when I unplug my USB stick, my home drive is unmounted instantly.
Alexey Vladykin (n00b; joined 17 Dec 2013; posts: 10)
Posted: Sun Mar 30, 2014 9:39 pm

I've found that unmounting flash drive before removing it prevents my home from disappearing. No better solution yet. Writing a password agent for systemd is still on my todo list.
Alexey Vladykin (n00b; joined 17 Dec 2013; posts: 10)
Posted: Sun Apr 13, 2014 6:45 pm

I've finally written a password agent that reads encryption password from removable drive. It works perfectly for me. Here it is: https://github.com/vladykin/systemd-askpass-remdev.
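The password-agent route that the last few posts settle on is the cleanest of the three because systemd-cryptsetup never has to know where the secret comes from: it just asks, and whichever agent is running answers. The block below is an added example of such an agent, written for this page from the protocol described on the PasswordAgents wiki page linked above; it is not the systemd-askpass-remdev project from the final post, and its get_secret hook is the place where the read-from-removable-drive step would go (it is left to the caller here). What the protocol specifies: for every pending request systemd writes an INI-style ask.* file under /run/systemd/ask-password/ with an [Ask] section (PID=, Socket=, NotAfter=, Message=, and so on); an agent checks that the request is still live and sends the answer as a single datagram to the AF_UNIX socket named in Socket=, prefixed with "+" ("-" means refused). The sample ask file used to exercise it is constructed, and its Id= value is made up.

```python
"""A minimal systemd password agent: answers a pending password request with
a secret supplied by a caller-provided function.

Added example for this page, written from the protocol described at
http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/; it is not
the systemd-askpass-remdev project linked in the thread. systemd drops an
INI-style ask.* file into /run/systemd/ask-password/ for every pending
request; the agent reads the [Ask] section, checks that the request is still
live, and sends the answer as one datagram to the AF_UNIX socket named in
Socket=, prefixed with "+" ("-" would mean "refused"). The get_secret hook is
where the read-from-removable-drive logic goes; it is left to the caller.
"""
import configparser
import os
import socket
import time

ASK_DIR = "/run/systemd/ask-password"


def parse_ask_file(path):
    """Return the fields an agent needs from one ask.* file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read(path)
    ask = cp["Ask"]
    return {
        "id": ask.get("Id", ""),
        "message": ask.get("Message", ""),
        "socket": ask["Socket"],
        "pid": int(ask.get("PID", "0")),
        # CLOCK_MONOTONIC in microseconds; 0 means the request never expires.
        "not_after": int(ask.get("NotAfter", "0")),
    }


def request_is_live(req):
    """Skip stale files: the asking process must still exist and the
    request must not have timed out."""
    if req["pid"]:
        try:
            os.kill(req["pid"], 0)
        except ProcessLookupError:
            return False
        except PermissionError:
            pass  # exists, just not ours to signal
    if req["not_after"]:
        now_us = int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)
        if now_us > req["not_after"]:
            return False
    return True


def send_reply(sock_path, secret):
    """secret is bytes for an answer, or None to tell systemd we refuse."""
    payload = b"-" if secret is None else b"+" + secret
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, sock_path)


def answer_request(path, get_secret):
    """Answer one ask.* file. get_secret(req) returns the secret as bytes, or
    None when this request is not one the agent should handle (then nothing
    is sent, so another agent or the console can still answer it)."""
    req = parse_ask_file(path)
    if not request_is_live(req):
        return False
    secret = get_secret(req)
    if secret is None:
        return False
    send_reply(req["socket"], secret)
    return True


def answer_pending(get_secret, ask_dir=ASK_DIR):
    """Answer every pending request once. A long-running agent would watch
    ask_dir with inotify and call this each time a file appears."""
    answered = 0
    for name in sorted(os.listdir(ask_dir)):
        if not name.startswith("ask."):
            continue  # temp files and sockets live here too
        if answer_request(os.path.join(ask_dir, name), get_secret):
            answered += 1
    return answered
```

Two points of design worth noting. The agent replies only when get_secret recognises the request (by Message= or Id=), and stays silent otherwise, so an unrelated prompt is not cancelled with "-" just because an agent happened to be running. And because the answer travels as a passphrase rather than a key file, what lives on the stick in this model is the text passphrase for a key slot, which is also what the thread's author ended up doing; keep it in its own slot so it can be revoked independently.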