Unlock your LUKS drive through USB or passphrase
It’s always advisable to keep your data as secure as possible. A great way of doing this is LUKS. Linux Mint, for instance, supports this out of the box as part of the installation process. Usually an encrypted drive is unlocked with a passphrase, which generally works fine, but what if you want to use a more robust key? What if you want to automatically unlock a drive with a key located on a USB drive? I found several tutorials, though they weren’t working as expected, so here is my solution using Linux Mint.
Add another key
Assume the encrypted drive is /dev/sd13. First we’re creating a keyfile from random values. In this little example we’re creating a keyfile my.key of 4096 bytes.
dd bs=4096 count=1 if=/dev/urandom of=my.key
Be aware that this keyfile is your key and should be protected accordingly.
The next step requires you to add this key to your encrypted drive:
cryptsetup luksAddKey /dev/sd13 my.key
Fetch the actual key
What we’re trying to accomplish is the following:
- Unlock the drive using the key on a USB stick
- If the USB stick is missing, ask for the passphrase
Create the file /etc/initramfs-tools/scripts/usb-unlock with the following content and take note of the comments in there (inspired by Bob Arezina):
#!/bin/sh
set -e
# the filesystem label we're using to identify the usb drive containing our key
# (change it according to your needs)
LABEL=USB_KEY
# the name of the key file, passed to this script as its first argument
# (the key field of the /etc/crypttab entry)
KEYNAME="$1"
# make sure the mount point exists; on the first run give the USB stick
# a moment to be detected before we try to mount it
if [ ! -e /mnt ]; then
    mkdir -p /mnt
    sleep 3
fi
# mount the drive and print the key content if available
DEVICEPATH="/dev/disk/by-label/${LABEL}"
if mount "${DEVICEPATH}" /mnt 2>/dev/null; then
    KEYPATH="/mnt/${KEYNAME}"
    # only cat the keyfile content if the file exists
    if [ -e "${KEYPATH}" ]; then
        cat "${KEYPATH}"
        exit
    fi
fi
# no usable key found: mimic the default behavior and ask for a passphrase
/lib/cryptsetup/askpass "Passphrase"
exit
This script simply prints the key, either read from the USB drive or typed in by the user; cryptsetup reads it from the script’s standard output. Don’t forget to mark this shell script as executable. Note that the script has been placed in /etc/initramfs-tools/scripts/, so it is meant to be bundled into the initramfs image used during the early boot stage of Linux.
Configure the automatic unlocking
Now we need to configure the drive that’s supposed to be unlocked automatically by adding a corresponding line to /etc/crypttab:
sd13_crypt UUID=75ae9676-64be-43b4-903b-507f60becdeb my.key luks,keyscript=/etc/initramfs-tools/scripts/usb-unlock
This causes the script /etc/initramfs-tools/scripts/usb-unlock to be called with the name of the key my.key as the first argument. Obviously it’s up to you to choose the name of your key file and to provide the right UUID for /dev/sd13 (you can also choose alternative ways to select your drive). If everything went well you will find the unlocked drive under /dev/mapper/sd13_crypt. Don’t forget to put a corresponding configuration line into /etc/fstab.
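Before rebuilding the initramfs it is worth checking that the keyfile and the crypttab entry have the shape described above, since a mistake here only shows up as an unexpected passphrase prompt on the next boot. The following checker is an added example, not part of the original post; it assumes GNU coreutils (stat) and that the keyfile was created with dd as shown earlier.

```sh
#!/bin/sh
# Added example: sanity-check the keyfile and the /etc/crypttab entry used
# with the usb-unlock keyscript before running update-initramfs.

# check_keyfile <path>: the file must exist, hold enough random material and
# must not be readable by anyone but root (mode 0400 or 0600).
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "keyfile missing: $f"; return 1; }
    size=$(stat -c %s "$f")
    [ "$size" -ge 32 ] || { echo "keyfile too short: $size bytes"; return 1; }
    mode=$(stat -c %a "$f")
    case "$mode" in
        400|600) ;;
        *) echo "keyfile mode $mode too permissive, use chmod 0400"; return 1 ;;
    esac
}

# check_crypttab_line "<target> <source> <key> <options>": verifies the shape
# of an entry that relies on a keyscript, as in the post.
check_crypttab_line() {
    # split the single line argument into the four crypttab fields
    set -- $1
    [ "$#" -eq 4 ] || { echo "expected 4 fields, got $#"; return 1; }
    target="$1"; source="$2"; key="$3"; opts="$4"
    # the source should be a stable UUID=... reference, not /dev/sdX
    printf '%s\n' "$source" | grep -Eq '^UUID=[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "source must be UUID=<uuid>: $source"; return 1; }
    # with a keyscript the key field is handed to the script verbatim; usb-unlock
    # prepends /mnt/, so it must be a bare file name living on the USB stick
    case "$key" in
        */*|none) echo "key must be a bare file name on the USB stick: $key"; return 1 ;;
    esac
    # options must mark the device as LUKS and name an absolute keyscript path
    case ",$opts," in *,luks,*) ;; *) echo "missing 'luks' option"; return 1 ;; esac
    case ",$opts," in
        *,keyscript=/*) ;;
        *) echo "missing keyscript=/absolute/path option"; return 1 ;;
    esac
    echo "crypttab entry for $target looks good"
}

# the entry from the post, checked as a stand-alone demonstration
check_crypttab_line "sd13_crypt UUID=75ae9676-64be-43b4-903b-507f60becdeb my.key luks,keyscript=/etc/initramfs-tools/scripts/usb-unlock"
```

Run check_keyfile against the key on the mounted USB stick as well; a world-readable keyfile defeats the point of the stronger key.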
Enable the automatic unlocking
After setting everything up you need to update your initial RAM disk by executing the following command:
update-initramfs -u
All you have to do now is to reboot and verify that the unlocking works both ways: once with the USB drive holding your key plugged in, and once using the passphrase, i.e. without the USB drive.
I have to emphasize that you should keep the USB drive holding the key as secure as possible.