[pkg-cryptsetup-devel] "Universal" keyscript for LVM encrypted systems with key on removable device
Jonas Meurer
jonas at freesources.org
Tue Jul 29 14:05:14 UTC 2008
On 22/07/2008 Swâmi Petaramesh wrote:
> Hi folks,
>
> Debian and Ubuntu installers include a "standard" way of building a
> fully-encrypted machine on a LUKS-encrypted LVM.
>
> On top of this, I have written a more or less "universal" keyscript allowing
> the machine's LVM key to reside as a file on a removable device (i.e. USB key
> or SD-card) so this removable device will be the "key" for using the machine.
> That's quite convenient.
Hey Swâmi,
The Debian package already contains the 'passdev' keyscript which
implements a similar approach. See section '10. The "passdev" keyscript'
of /usr/share/doc/cryptsetup/README.initramfs.gz:
--- snip ---
If you have a keyfile on a removable device (e.g. a USB-key), you can use the
passdev keyscript. It will wait for the device to appear, mount it read-only,
read the key and then unmount the device.
The "key" part of /etc/crypttab will be interpreted as <device>:<path>, it is
strongly recommended that you use one of the persistent device names from
/dev/disk/*, e.g. /dev/disk/by-label/myusbkey.
This is an example of a suitable line in cryptsetup:
cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev
The above line would cause the boot to pause until /dev/disk/by-label/myusbkey
appears in the fs, then mount that device and use the file /keys/root.key
on the device (without any hashing) as the key for the fs.
--- snap ---
Also, you should be able to replace the function type_key() by invoking
'/lib/cryptsetup/askpass "Enter password: "'.
> The removable device partition on which the keyfile resides can be FAT,
> ext2/3, or itself a LUKS-encrypted partition in which case the bootkeyscript
> will prompt for its passphrase for unlocking it and getting the key to the
> machine's main encrypted LVM. This allows for "two form factor
> authentication".
The passdev keyscript supports all common filesystems. Only support for
LUKS-encrypted media is missing. Maybe you could use the same syntax as
passdev in /etc/crypttab and simplify your keyscript like the following
(untested by me):
#!/bin/sh
# Keyscript argument ($1) is <device>:<path>, the same syntax passdev uses.
# First try plain passdev; if that fails and the device is a LUKS container,
# ask for its passphrase, open it read-only and run passdev on the mapping.
argv="$1"
keydev="${argv%%:*}"
keyfile="${argv#*:}"
passdev=/lib/cryptsetup/scripts/passdev
mapname=keydevscript

# Plain (unencrypted) key device: passdev writes the key to stdout itself.
if "$passdev" "$argv"; then
    exit 0
fi

# passdev has already waited for the device, so isLuks can run on it now.
if ! /sbin/cryptsetup isLuks "$keydev"; then
    exit 1
fi

count=0
while [ "$count" -lt 3 ]; do
    if /lib/cryptsetup/askpass "Enter password: " | \
       /sbin/cryptsetup --readonly --key-file=- luksOpen "$keydev" "$mapname"; then
        # Read the key from the opened mapping, keep passdev's exit status,
        # and close the key device again before returning it.
        "$passdev" "/dev/mapper/${mapname}:${keyfile}"
        rc=$?
        /sbin/cryptsetup luksClose "$mapname"
        exit "$rc"
    fi
    count=$((count + 1))
done
exit 1
example line for /etc/crypttab:
cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key luks,keyscript=/path/to/your/keyscript
greetings,
jonas
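The README snippet above recommends a persistent /dev/disk/by-* name for the key device, and the keyscript only works when /etc/crypttab hands it a <device>:<path> key together with a keyscript= option. The following sanity check for crypttab lines is an added example, not code from this thread or from the cryptsetup package; the sample lines at the bottom are constructed and the function names are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread or the cryptsetup package): check
# /etc/crypttab lines that hand a <device>:<path> key to a passdev-style
# keyscript. Function names (is_persistent, check_line) are assumptions.

# Return 0 if the path is a persistent name under /dev/disk/by-*, as the
# README recommends; /dev/sdX names can change order between boots.
is_persistent() {
    case "$1" in
        /dev/disk/by-label/*|/dev/disk/by-uuid/*|/dev/disk/by-id/*|\
        /dev/disk/by-partuuid/*|/dev/disk/by-partlabel/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one crypttab line (name source key options). Prints a verdict and
# returns 0 only if the key field is usable by a passdev-style keyscript.
check_line() {
    set -- $1
    name=$1 key=$3 opts=$4
    # Without keyscript=, cryptsetup treats the key column as a plain keyfile
    # path and the <device>:<path> syntax is never interpreted.
    case ",$opts," in
        *,keyscript=*) ;;
        *) echo "$name: no keyscript= option; key field would be read as a plain keyfile"
           return 1 ;;
    esac
    case "$key" in
        *:*) ;;
        *) echo "$name: key '$key' is not in <device>:<path> form"
           return 1 ;;
    esac
    keydev=${key%%:*}
    keyfile=${key#*:}
    if ! is_persistent "$keydev"; then
        echo "$name: key device $keydev is not a persistent /dev/disk/by-* name"
        return 1
    fi
    echo "$name: ok (device $keydev, file $keyfile)"
}

# Constructed sample lines: one good entry and three common mistakes.
check_line "cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key luks,keyscript=/lib/cryptsetup/scripts/passdev" || :
check_line "cryptroot /dev/hda2 /dev/sdb1:/keys/root.key luks,keyscript=/lib/cryptsetup/scripts/passdev" || :
check_line "cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key luks" || :
check_line "cryptroot /dev/hda2 /keys/root.key luks,keyscript=/lib/cryptsetup/scripts/passdev" || :
```

Run it once with the lines from your own /etc/crypttab before rebuilding the initramfs; a non-persistent key device is the classic way this setup stops booting after a second USB stick is plugged in.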