Alexey Vladykin n00b
Joined: 17 Dec 2013 Posts: 10
Posted: Tue Dec 17, 2013 9:22 pm Post subject: systemd-cryptsetup with keyfile on removable drive
I've recently migrated from OpenRC to systemd and I'm missing one feature: ability to auto-mount encrypted LUKS partition using a removable drive with keyfile.
With OpenRC I simply had in /etc/conf.d/dmcrypt:
Code:
target=home
source=/dev/sda4
remdev=/dev/sdb1
key=/keyfile.dat
During boot OpenRC mounted /dev/sdb1 to some temporary mount point and used keyfile.dat to open the encrypted partition.
Unfortunately with systemd I can't find how to achieve the same result. Something like this is described at http://wejn.org/how-to-make-passwordless-cryptsetup.html, but it relies upon a "keyscript" option which apparently does not exist in my systemd version 208-r2.
Anybody managed to make systemd-cryptsetup mount LUKS partitions using keyfile from removable drive?
Will appreciate any ideas.
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Wed Dec 18, 2013 3:16 pm
To set up /dev/mapper/sda8 without a password I add the following line to /etc/crypttab
Code:
sda8 /dev/sda8 /PathToKey/sda8crypt luks
where the key is sda8crypt.
Here, /dev/mapper/sda8 will be mounted to /home.
To mount the encrypted root, I use an initramfs, though of course this takes a password.
I had some trouble setting this up, as detailed in the forums:
Quote: https://forums.gentoo.org/viewtopic-t-972332-highlight-.html
Alexey Vladykin n00b
Joined: 17 Dec 2013 Posts: 10
Posted: Thu Dec 19, 2013 8:01 pm
Thank you for the response. I've studied that thread before asking my question, but my case is a little bit different.
I have my keyfile on a removable USB thumb which has no static mount point configured in fstab, so there is nothing I can write in place of /PathToKey/. Only the device node of the USB drive is known in advance (/dev/sdb1). OpenRC handled this pretty well; now I'm looking for a similar feature in systemd.
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Thu Dec 19, 2013 8:10 pm
Assuming that you are not mounting root, would the persistent names feature of udev allow you to give it a name that you can put in /etc/fstab?
Even without that, my flash drive always comes up with the same name, so I could put it in /etc/fstab.
This is only a thought; I realize that it may not be what you are looking for.
Alexey Vladykin n00b
Joined: 17 Dec 2013 Posts: 10
Posted: Thu Dec 19, 2013 8:56 pm
If I configure a mount point for my removable drive in fstab like this
Code:
/dev/sdb1 /mnt/flash vfat noatime,nofail 0 0
and in crypttab specify path to key using this mount point
Code:
home /dev/sda4 /mnt/flash/keyfile luks
then indeed systemd reads my keyfile from USB drive and does not ask for password.
That's good :D However there are two drawbacks compared to the OpenRC functionality:
- USB drive has to be manually unmounted after booting in order to remove it
- mount point for USB drive has to be configured in fstab
Is it possible to address these drawbacks?
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Fri Dec 20, 2013 6:35 pm
Quote:
That's good :D However there are two drawbacks compared to the OpenRC functionality:
- USB drive has to be manually unmounted after booting in order to remove it
- mount point for USB drive has to be configured in fstab
Is it possible to address these drawbacks?
I don't know how to address this without using /etc/fstab unless you write an initramfs that mounts the flash drive, does the cryptsetup, then unmounts the flash drive
before pivoting to systemd. This is quite easy if you are used to writing your own initramfs; otherwise it probably isn't worth the learning curve for such a minor task.
Since I use kde, I would unmount it by creating the following file " ~//home/owner/.kde4/Autostart/UnMountFlash.sh"
Code:
# unmount the key drive: umount takes the mount point, not the key file on it
sudo umount /mnt/flash
Don't forget to make this executable. Of course you will also need to have sudo installed with permissions to run ~//home/owner/.kde4/Autostart/UnMountFlash.sh
I suspect also that you could write your own systemd element to do this, and that would be the most elegant solution. I don't know how to do this.
I did write my own for a few other services that were lacking, but I didn't really understand what I was doing. I just googled around, copied shamelessly and modified until they worked.
Quote:
However there are two drawbacks compared to the OpenRC functionality:
openrc worked better for me. I shall be moving back to it after I have finished with the fun of experimenting with systemd. I don't need systemd, but I did wish to use it for a while
so that I would at least know something about it.
Would moving back to openrc work for you?
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Fri Dec 20, 2013 10:44 pm
Quote:
However there are two drawbacks compared to the OpenRC functionality:
- USB drive has to be manually unmounted after booting in order to remove it
Here is a question: If you change your /etc/fstab line to
Code:
/dev/sdb1 /mnt/flash vfat ro,nofail 0 0
can you just unplug it without unmounting it?
It would seem to me that you should be able to, but I am no expert and I do not actually know the answer.
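An added example for the two posts above (the custom systemd unit nlsa8z6zoz7lyih3ap suggests for the first drawback, and the ro fstab question); it is editor-written, not code from either poster. It assumes the layout Alexey Vladykin described: crypttab target home, key drive mounted at /mnt/flash from an fstab line with nofail. The unit name unmount-key-drive.service and the shell function names are made up here. The reason it unmounts from a unit rather than relying on pulling the stick is what boris64 reports later in the thread: yanking the mounted stick takes /home down with it, while a clean umount does not.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): generate and install a oneshot
# systemd unit that cleanly unmounts the USB key drive once the LUKS volume has
# been unlocked, so the stick can be pulled without touching /home.
# Assumed layout, taken from the thread: crypttab target "home", key drive
# mounted at /mnt/flash by an fstab line carrying "nofail".

KEY_MOUNT="${KEY_MOUNT:-/mnt/flash}"
CRYPT_TARGET="${CRYPT_TARGET:-home}"
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"
UNIT_NAME="unmount-key-drive.service"   # hypothetical name chosen for this example

# Mount unit name systemd derives from a mount point (/mnt/flash -> mnt-flash.mount).
# Enough for plain paths like the one in the thread; systemd-escape --path handles
# the general case (components containing '-' or non-ASCII).
mount_unit_name() {
    printf '%s.mount\n' "$(printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|-|g')"
}

# Render the unit. It is ordered after the cryptsetup service (key already read)
# and after the key drive's own mount unit. ExecStart deliberately uses plain
# umount rather than "systemctl stop <mount unit>": an explicit stop job on the
# mount unit propagates through the Requires= that RequiresMountsFor= adds to
# systemd-cryptsetup@home.service and would close the volume again, whereas an
# external umount only marks the mount unit inactive (editor's understanding of
# systemd's dependency handling, stated here as an assumption).
render_unit() {
    mount_unit=$(mount_unit_name "$KEY_MOUNT")
    cat <<EOF
[Unit]
Description=Unmount LUKS key drive at $KEY_MOUNT once $CRYPT_TARGET is unlocked
After=systemd-cryptsetup@${CRYPT_TARGET}.service ${mount_unit}
ConditionPathIsMountPoint=$KEY_MOUNT

[Service]
Type=oneshot
ExecStart=/bin/umount $KEY_MOUNT

[Install]
WantedBy=multi-user.target
EOF
}

# Sanity-check the fstab line for the key drive. nofail is mandatory (a missing
# stick must not hang boot); ro is recommended (a pulled stick cannot leave a
# dirty filesystem, and nothing on the host should ever write next to the key).
# Exit status: 0 both present, 1 nofail missing, 2 nofail present but not ro.
check_fstab_line() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    case ",$opts," in
        *,nofail,*) ;;
        *) echo "error: key drive fstab line lacks nofail: $1" >&2; return 1 ;;
    esac
    case ",$opts," in
        *,ro,*) return 0 ;;
        *) echo "warning: key drive not mounted read-only: $1" >&2; return 2 ;;
    esac
}

# Write the unit and enable it; needs root.
install_unit() {
    render_unit > "$UNIT_DIR/$UNIT_NAME" || return 1
    systemctl daemon-reload && systemctl enable "$UNIT_NAME"
}

if [ "${1:-}" = "install" ]; then
    install_unit
fi
```

Run it as root with the single argument install (after checking the fstab line with check_fstab_line); the second drawback, the fstab entry itself, remains, because systemd 208's crypttab still needs a fixed path to the key.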
Alexey Vladykin n00b
Joined: 17 Dec 2013 Posts: 10
Posted: Sat Dec 21, 2013 9:36 am
I've recently updated to GNOME 3.8 which wants systemd running, so I'll stick with systemd and look for solutions/workarounds.
Currently I see that writing a custom systemd script is the most clean and elegant approach.
Thank you!
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
Posted: Sat Dec 21, 2013 4:08 pm
Would you be kind enough to share the script when you have it working?
Alexey Vladykin n00b
Joined: 17 Dec 2013 Posts: 10
Posted: Wed Dec 25, 2013 8:19 pm
Sure, I will share the solution once I have it.
By the way, it seems that systemd has a standard mechanism for retrieving encryption passwords from non-typical places: http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
Writing such a password agent would be an option then.
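An added example of the password-agent route mentioned above; it is editor-written, not the poster's promised script. It follows the protocol on the linked PasswordAgents page: systemd creates an ask.* file under /run/systemd/ask-password whose [Ask] section names the asking PID, an Id, an expiry (NotAfter, microseconds on the monotonic clock, 0 for none) and a unix datagram socket, and the agent sends "+" followed by the password to that socket, which the systemd-reply-password helper does on the agent's behalf. Assumptions: the helper's location (/usr/lib/systemd, distribution-specific), the device node /dev/sdb1 from the thread, and that the request Id begins with "cryptsetup:". One caveat: the prompt answer is a passphrase string, so a slot unlocked by a binary keyfile.dat (as under OpenRC) cannot be driven this way; add a separate key slot holding a text passphrase with cryptsetup luksAddKey and keep that text on the stick instead.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): a minimal systemd password
# agent that answers cryptsetup prompts with a passphrase read from the USB
# key drive, mounting the stick read-only only while a request is pending.
# Assumed: helper path below, key device /dev/sdb1, text passphrase file
# keyfile.txt on the stick, request Id of the form "cryptsetup:<device>".

ASK_DIR="${ASK_DIR:-/run/systemd/ask-password}"
REPLY_HELPER="${REPLY_HELPER:-/usr/lib/systemd/systemd-reply-password}"
KEY_DEV="${KEY_DEV:-/dev/sdb1}"
KEY_NAME="${KEY_NAME:-keyfile.txt}"

# Print the value of one key in the [Ask] section, e.g. ask_field "$f" Socket.
ask_field() {
    sed -n "/^\[Ask\]/,/^\[/s/^$2=//p" "$1" | head -n 1
}

# Monotonic clock in microseconds, the unit NotAfter= is expressed in.
now_monotonic_us() {
    awk '{ printf "%d\n", $1 * 1000000 }' /proc/uptime 2>/dev/null || echo 0
}

# Answer only cryptsetup requests whose asker is still alive and that have not
# expired. Returns 0 when the request should be answered.
should_answer() {
    case "$(ask_field "$1" Id)" in
        cryptsetup:*) ;;
        *) return 1 ;;
    esac
    pid=$(ask_field "$1" PID)
    if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
        return 1
    fi
    not_after=$(ask_field "$1" NotAfter)
    if [ -z "$not_after" ] || [ "$not_after" -eq 0 ]; then
        return 0
    fi
    [ "$(now_monotonic_us)" -lt "$not_after" ]
}

# Send the passphrase stored on the mounted key drive ($2) to the request's
# socket. The helper reads the password from stdin and writes "+<password>"
# to the datagram socket named in the ask file.
answer_request() {
    socket=$(ask_field "$1" Socket)
    [ -n "$socket" ] && [ -r "$2/$KEY_NAME" ] || return 1
    "$REPLY_HELPER" 1 "$socket" < "$2/$KEY_NAME"
}

# One pass: collect answerable requests; if there are any, mount the stick
# read-only on a private directory, answer them, and unmount immediately so
# the stick can be pulled afterwards. Intended to run as root.
serve_once() {
    pending=""
    for f in "$ASK_DIR"/ask.*; do
        [ -f "$f" ] && should_answer "$f" && pending="$pending $f"
    done
    [ -n "$pending" ] || return 0
    dir=$(mktemp -d) || return 1
    if mount -o ro "$KEY_DEV" "$dir" 2>/dev/null; then
        for f in $pending; do answer_request "$f" "$dir"; done
        umount "$dir"
    fi
    rmdir "$dir"
}

if [ "${1:-}" = "run" ]; then
    while :; do serve_once; sleep 1; done
fi
```

Started early in boot (with the argument run) it polls the ask directory once a second; because nothing is mounted until a cryptsetup request actually exists and the stick is released right after answering, neither drawback from the earlier post applies, at the price of keeping a passphrase in clear text on the stick, exactly as a keyfile would be.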
boris64 Veteran
Joined: 04 Oct 2003 Posts: 1770 Location: Vechelde/Peine
Posted: Sun Mar 30, 2014 12:00 pm
Hey folks, any working solution yet? I tried your way, but
when I unplug my USB stick, my home drive is unmounted instantly.
Alexey Vladykin n00b
Joined: 17 Dec 2013 Posts: 10
Posted: Sun Mar 30, 2014 9:39 pm
I've found that unmounting the flash drive before removing it prevents my home from disappearing. No better solution yet. Writing a password agent for systemd is still on my todo list.