Move encryption passphrase to usb stick?

6 posts • Page 1 of 1
CoderMan
Apprentice
Posts: 173
Joined: Mon Aug 10, 2009 11:13 pm

Post by CoderMan » Fri Nov 20, 2009 3:53 am

Hi. I've got Gentoo installed on a Dell Inspiron Mini 10v, and everything but the boot folder is on one AES-encrypted partition with LVM layered on top of that. I love encryption, but I get tired of typing in the 20+ character passphrase I created, and I was hoping it was possible to move the passphrase somehow to a USB stick.

I found this in the cryptsetup FAQ:
If you want the USB stick to be sufficient to access your data,

1. mkfs/mount your USB stick
2. generate a key file directly onto the USB stick (for example, a 2048bit key): dd if=/dev/random of=/mnt/usbstick/keyfile bs=1 count=256
3. and add it into a key slot: cryptsetup luksAddKey /dev/luksPartition /mnt/usbstick/keyfile
However, when I started to run luksAddKey it immediately asked me for a new passphrase, which is not what I wanted, so I aborted. I looked through the cryptsetup man page:
luksAddKey <device> [<new key file>]

add a new key file/passphrase. An existing passphrase or key file
(via --key-file) must be supplied. The key file with the new material
is supplied as a positional argument. <options> can be [--key-file,
--key-slot].
But this leaves me a little confused. Am I accomplishing here what I think I am accomplishing? I just want to be able to decrypt my drive without typing in the passphrase (separated onto the USB stick for security). Do I need a new encryption key? I would appreciate it if someone could provide some clarity here.
Like computers but don't like programming? Then you missed the whole point.
frigidcode.com

anonybosh
Guru
Posts: 324
Joined: Sun Nov 20, 2005 1:45 am

Post by anonybosh » Tue Nov 24, 2009 6:37 pm

Are you sure it was asking for a NEW password, or just asking for the existing password that you have on the partition?

CoderMan
Apprentice
Posts: 173
Joined: Mon Aug 10, 2009 11:13 pm

Post by CoderMan » Tue Nov 24, 2009 11:53 pm

anonybosh wrote: Are you sure it was asking for a NEW password, or just asking for the existing password that you have on the partition?
Yes, I think you are right. I tried this, and the command seems to have worked as it was supposed to.

Now that I've created the new key slot, I still am not able to use it because I cannot figure out how to get the kernel to mount the usb stick before trying to read the key... but that is probably a better question for the Gentoo forums, since I built my kernel with genkernel.

anonybosh
Guru
Posts: 324
Joined: Sun Nov 20, 2005 1:45 am

Post by anonybosh » Wed Nov 25, 2009 4:05 am

I have an encrypted root setup going for all of the servers I'm in charge of (currently 3) but I use initramfs to do the setting up of the partitions at boot. This may be more complicated than what you need, as I also use an encrypted usb key.
Having not used genkernel, I cannot say how easy it is to set something like this up though.
If you are interested, I can post the scripts and stuff I have for it.

meyerm
Veteran
Posts: 1311
Joined: Thu Jun 27, 2002 5:18 pm
Location: Munich / Germany

Post by meyerm » Sat Nov 28, 2009 9:01 pm

anonybosh wrote: If you are interested, I can post the scripts and stuff I have for it.
/me is interested :-)

anonybosh
Guru
Posts: 324
Joined: Sun Nov 20, 2005 1:45 am

Post by anonybosh » Mon Jul 11, 2011 4:21 pm

Well, I'm approaching 2 years for a reply, but here it is!

So I had created a mini-root with busybox, mdadm and dm-crypt (of which I will not describe the details here), and a couple of scripts.

2 scripts that I use:
1) init
The init script that is run immediately after the kernel is loaded; creates RAID members, opens encrypted USB key, decrypts drive partitions, switches root and boots.
2) make_cpio.sh
Makes/compresses the cpio root image.

Code:

#!/bin/sh

# initramfs/init
# This script is a rather rudimentary init script that
# assembles a few RAID arrays, mounts an encrypted USB
# key and decrypts the encrypted RAID partitions with
# a key file on the USB key.
# Uses dm-crypt, mdadm and busybox.

# 2010, Ryan Dallas <anonybosh@gmail.com>

export PATH="/bin:/sbin"

# Partitions that need to be decrypted
ROOT="/dev/md3"
SWAP="/dev/md2"
BOOT="/dev/md1"
BACKUP="/dev/sdc1"

# Drives involved in RAID1 array (md[123] from above)
HD1="/dev/sda"
HD2="/dev/sdb"

# This is the tricky part: without rules setup for the
# naming of the usbkey, this path can change...
USBKEY="/dev/sdd1"

# The plaintext file (stored on the encrypted USB key)
# that has the decryption key for the partitions listed
# at top.
KEYFILE="trow.key"

mount -t proc proc /proc
mount -t sysfs none /sys
mount -t tmpfs tmpfs /dev

# Populate /dev from /sys
mdev -s

# Handle hotplug events
echo /sbin/mdev > /proc/sys/kernel/hotplug

CMDLINE=`cat /proc/cmdline`

# Assemble the RAID1 arrays
mdadm --assemble ${BOOT} ${HD1}1 ${HD2}1
mdadm --assemble ${SWAP} ${HD1}2 ${HD2}2
mdadm --assemble ${ROOT} ${HD1}3 ${HD2}3

sleep 5

# Wait for the usbkey to be found
echo "Insert USB Key and Press Return..."
read x
sleep 5

# Open the USB key, and ask for passphrase
cryptsetup -r luksOpen ${USBKEY} usbkey

# Mount the USB key read-only
mount -o ro /dev/mapper/usbkey /mnt/usbkey

# Decrypt the drive partitions using the keyfile on the
# USB key
cryptsetup -d /mnt/usbkey/${KEYFILE} luksOpen ${ROOT} root
cryptsetup -d /mnt/usbkey/${KEYFILE} luksOpen ${SWAP} swap
cryptsetup -d /mnt/usbkey/${KEYFILE} luksOpen ${BACKUP} backup

# Close out the USB key
umount /mnt/usbkey
cryptsetup luksClose usbkey
echo "Remove USB Key and Press Return..."
read x

# Enable if using tux on ice hibernation
#echo 1 > /sys/power/tuxonice/do_resume
sleep 2

# Switch root to the decrypted root partition, and boot!
mount -r /dev/mapper/root /new-root
cd /new-root
exec switch_root -c /dev/console /new-root /sbin/init ${CMDLINE}

Code:

#!/bin/bash

# Make and compress a bootable CPIO archive

#Boot directory where this should be placed
RELATIVE_BOOT_DIR="../../boot"

find . | cpio --quiet -o -H newc | gzip -9 > ${RELATIVE_BOOT_DIR}/initramfs.cpio.gz
An example grub item:

Code:

title=2.6.28-r9v2
root (hd0,0)
kernel /boot/28r9v2 resume=swap:/dev/md2
initrd /initramfs.cpio.gz
You can download the whole initramfs directory that I use here. It already has busybox, mdadm and dm-crypt compiled in (versions from August 2010, whatever they may be). MD5: 6b9f04d738ecd492959ced8ef1507bce
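The init script above hard-codes USBKEY="/dev/sdd1" and notes that this path can change. As an added example (not anonybosh's code, and not from the original thread), the following sh snippet locates the USB key by the UUID stored in its LUKS header, using only busybox dd and tr so it fits an mdev-based initramfs; WANT_UUID, the function names and the constructed sample header are assumptions.

```shell
#!/bin/sh
# Added example, not part of anonybosh's initramfs: find the USB key by
# the UUID stored in its LUKS header instead of hard-coding /dev/sdd1.
# Only busybox dd and tr are needed, so it works under mdev without udev.
# Assumed: mdev has populated /dev/sd*; WANT_UUID below is a placeholder.

# LUKS1 and LUKS2 headers both begin with the ASCII bytes "LUKS" (the
# full 6-byte magic is "LUKS" 0xba 0xbe) and both store the 40-byte
# ASCII UUID at byte offset 168.
is_luks() {
    [ -r "$1" ] || return 1
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "LUKS" ]
}

luks_uuid() {
    dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\0'
}

# find_luks_by_uuid <uuid> <candidate>...: print the first candidate whose
# LUKS UUID matches; return 1 if none does (so init can fall back to a prompt).
find_luks_by_uuid() {
    want=$1; shift
    for dev in "$@"; do
        is_luks "$dev" || continue
        [ "$(luks_uuid "$dev")" = "$want" ] || continue
        echo "$dev"
        return 0
    done
    return 1
}

# Constructed stand-in for a LUKS header so this runs without a real key:
# 6-byte magic, zero padding up to offset 168, then the UUID.
make_fake_header() {
    { printf 'LUKS\272\276'; dd if=/dev/zero bs=162 count=1 2>/dev/null
      printf '%s' "$2"; dd if=/dev/zero bs=4 count=1 2>/dev/null; } > "$1"
}

WANT_UUID="11111111-2222-3333-4444-555555555555"   # placeholder UUID

# Demo: one decoy device and one constructed USB-key header.
DECOY=$(mktemp); printf 'ext4 superblock stand-in, not LUKS' > "$DECOY"
KEY=$(mktemp); make_fake_header "$KEY" "$WANT_UUID"
if USBKEY=$(find_luks_by_uuid "$WANT_UUID" "$DECOY" "$KEY"); then
    echo "USB key found at $USBKEY"    # in init: cryptsetup -r luksOpen "$USBKEY" usbkey
else
    echo "USB key not found"
fi
```

In init the fixed path becomes `USBKEY=$(find_luks_by_uuid "$WANT_UUID" /dev/sd[a-z]*[0-9])`, with the UUID to look for taken from `cryptsetup luksUUID` run once on the real key.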