Gentoo Forums
How dm-crypt with key file works?
dustfinger
Guru


Joined: 15 Aug 2004
Posts: 449

PostPosted: Mon Sep 08, 2014 1:40 pm    Post subject: How dm-crypt with key file works?

Hi,

I am interested in setting up a full disk encrypted gentoo box. I am looking at two different approaches to the problem, both using dm-crypt.

1. The first approach is the one presented on the gentoo wiki and uses a key file: http://wiki.gentoo.org/wiki/DM-Crypt_LUKS

2. The other approach uses a pass phrase:
http://linux.arantius.com/installing-gentoo-into-a-luks-encrypted-zfs-root

In the second case, the user's role in decrypting the drives as the system boots up is clear to me. The system will prompt the user for the pass phrase. If the user enters the correct pass phrase then the system will decrypt the drives and boot gentoo. The first case is where I am not fully clear. The system requires a key to decrypt the drives before boot. Where does the user keep that key? A USB? How does the user tell the system where and how to use that key? I know that the instructions mention that the initrd will have to be passed parameters to tell it how to decrypt the drive, but the example parameters seem to only tell it where the drive is:
Code:
title Gentoo Linux 3.4.0-gentoo
root (hd0,0)
kernel /boot/kernel-3.4.0-gentoo crypt_root=UUID=<encrypted partition uuid> root=/dev/mapper/root
initrd /boot/initramfs-3.4.0-gentoo


So can someone please explain how the user interacts with the system so that the system knows how to decrypt the drive and boot gentoo? I am lost.

Thank you kindly in advance.

Sincerely,

dustfinger
_________________
Unanswered Post Initiative:
https://forums.gentoo.org/viewtopic.php?t=119906
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13509

PostPosted: Mon Sep 08, 2014 10:17 pm    Post subject:

It depends on how the initramfs is designed. You could have an initramfs that mounts an external USB stick, either at a known name or by searching available devices. You could download the encrypted key from network storage and get a passphrase from the user to unlock it. You could download an unencrypted key from network storage if your threat model only deals with preventing the system from being usable outside your network. The most logical is to store the key on an external USB, and usually to have the key encrypted. In that model, unlocking the drive requires the presence of the USB stick and knowledge of the password that protects the key stored on the stick.
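The USB-stick-plus-passphrase design Hu describes, written out as an added example initramfs fragment (this is not code from the thread or from any Gentoo tool). It assumes the key file was produced with gpg --symmetric, that the initramfs ships gpg and cryptsetup, and that a hypothetical crypt_key=<device>:<path> kernel parameter (chosen for this example) names the stick and the file on it, alongside the crypt_root= parameter already shown in the grub entry above.

```shell
#!/bin/sh
# Added example, not from the thread: an initramfs /init fragment that unlocks a LUKS
# root with a GPG-encrypted key file kept on a USB stick. The crypt_key=<device>:<path>
# parameter is a hypothetical convention chosen for this example, not a genkernel option.

# Print the value of "<name>=..." from the words of a kernel command line; 1 if absent.
cmdline_value() {
    name="$1"; shift
    for arg in "$@"; do
        case "$arg" in
            "$name"=*) printf '%s\n' "${arg#"$name"=}"; return 0 ;;
        esac
    done
    return 1
}

# Turn "UUID=<x>" or "LABEL=<x>" into the udev path that mount and cryptsetup can open.
resolve_dev() {
    case "$1" in
        UUID=*)  printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        LABEL=*) printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Split "<device>:<path>" at the first colon; fail if either half is missing.
split_key_spec() {
    dev="${1%%:*}"; path="${1#*:}"
    [ -n "$dev" ] && [ -n "$path" ] && [ "$1" != "$dev" ] || return 1
    printf '%s %s\n' "$(resolve_dev "$dev")" "$path"
}

# Mount the key stick read-only, decrypt the key with the passphrase typed at the
# console, and pipe the plaintext straight into cryptsetup so it never lands in a file.
unlock_root() {
    set -- $(cat /proc/cmdline)
    cryptroot=$(cmdline_value crypt_root "$@") || return 1
    cryptroot=$(resolve_dev "$cryptroot")
    keyspec=$(cmdline_value crypt_key "$@") || return 1
    keyparts=$(split_key_spec "$keyspec") || return 1
    keydev="${keyparts%% *}"; keypath="${keyparts#* }"
    mkdir -p /mnt/key && mount -o ro "$keydev" /mnt/key || return 1
    gpg --quiet --decrypt "/mnt/key/$keypath" \
        | cryptsetup --key-file=- luksOpen "$cryptroot" root
    status=$?
    umount /mnt/key
    return "$status"
}
```

In a real /init you would call unlock_root once udev has settled (so the stick's by-label link exists), then mount /dev/mapper/root and switch_root into it; without the stick or the passphrase the function fails and the root stays locked.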
umka69
Tux's lil' helper


Joined: 31 Mar 2013
Posts: 124

PostPosted: Tue Sep 09, 2014 3:44 pm    Post subject:

How to build an initramfs that could use an encrypted key from USB? I need it too.
I know that all of /boot can be on USB, but I would like to have only the key there.
_________________
Make a wish, this text is magic. :)