[pkg-cryptsetup-devel] Bug#786578: cryptsetup: crypt asks passphrase instead of using keyfile
westlake
westlake2012 at videotron.ca
Sat May 23 01:17:53 UTC 2015
Package: cryptsetup
Version: 2:1.6.6-5
Severity: wishlist
Dear Maintainer,
I suppose this is still in the works, as on other distros there are guides
on having /boot included within the encrypted volume. The procedure, if
this is something of interest to Debian, is relatively simple. I believe
this might be a wishful feature but it might even be a bug -- I'm still
new to using LUKS but I know using a keyfile with LUKS works perfectly
-- however with /boot in a LUKS container a keyfile won't be picked up
even if it were on removable media (as was tested).
Afaict this also wasn't reported, so here is... the report! :p
A manual partitioning was done with Debian's installer using just a
removable device (for the crypt key), and one drive containing a LUKS
partition.
I'm using virtualbox so it's more convenient for me to use this -- but
it could be another removable device to hold the cryptkey.
The drive partitioned:
/dev/sda1 LUKS
and /dev/sda2 for /boot (can set it 50-300 MB -- smallest possible as it
will be deleted later. Technically I really used another drive for this
since it is difficult to resize the LUKS container, if possible.)
sda1 LUKS is mapped to /dev/mapper/cryptroot (cryptroot contains one
ext2 partition which itself gets mounted to "/"; there is no sdb as it
eventually takes sda's place).
On post-install I attempted to use the keyfile while having /boot inside
the LUKS volume (passphrase and floppy containing the keyfile both
tested to work perfectly).
Here are the things done after install:
- created a keyfile, stored it to floppy (or usb storage), and added the
key to the LUKS container
- moved /boot partition files to the encrypted volume (removed /boot
from /etc/fstab)
- updated /etc/default/grub and /etc/crypttab and carried out the update
commands (update-initramfs, update-grub2, grub-install -- basically
these three)
The changes needed for /etc/default/grub:
GRUB_ENABLE_CRYPTODISK="y"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/05a7ec49-f4b3-4d58-b906-932b7bec8457:sdb1_crypt cryptkey=/dev/fd0:ext2:/mykeyfile"
The file /etc/crypttab needs to be done before update-initramfs, and I
made sure to remove the default line which defines only using a passphrase.
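The following is an added example, not part of this report or of the cryptsetup package: a few POSIX shell checks for the configuration the report describes, run against constructed copies of /etc/default/grub and /etc/crypttab so they work offline. The UUID, target name and key path are taken from the report; the crypttab line with `keyscript=passdev` is an assumed example of how Debian's initramfs takes a key from removable media (Debian's cryptroot hook reads the key source from /etc/crypttab rather than from the cryptdevice=/cryptkey= kernel parameters, so the cryptkey= check here only validates the device:fstype:path shape of the value).

```shell
#!/bin/sh
# Added example (not from the bug report): sanity checks for a /boot-in-LUKS
# setup, run on constructed sample files so nothing touches the real system.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/default/grub mirroring the report (one line per variable,
# as in a real file).
cat >"$WORK/grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_ENABLE_CRYPTODISK="y"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/05a7ec49-f4b3-4d58-b906-932b7bec8457:sdb1_crypt cryptkey=/dev/fd0:ext2:/mykeyfile"
EOF

# Constructed crypttabs: the "none" key field is the installer default the
# report says must be removed (it means: prompt for a passphrase); the second
# file names a key on removable media via Debian's passdev keyscript (assumed
# example, not from the report).
cat >"$WORK/crypttab.default" <<'EOF'
sdb1_crypt UUID=05a7ec49-f4b3-4d58-b906-932b7bec8457 none luks
EOF
cat >"$WORK/crypttab.keyfile" <<'EOF'
sdb1_crypt UUID=05a7ec49-f4b3-4d58-b906-932b7bec8457 /dev/fd0:/mykeyfile luks,keyscript=passdev
EOF

# Print the value of kernel parameter $2 from GRUB_CMDLINE_LINUX in file $1.
grub_cmdline_param() {
  sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Succeed if GRUB_ENABLE_CRYPTODISK is y (quoted or not) in file $1.
grub_cryptodisk_enabled() {
  grep -Eq '^GRUB_ENABLE_CRYPTODISK="?y"?$' "$1"
}

# Print the key field (third column) of the crypttab line for target $2 in $1.
crypttab_key_field() {
  awk -v t="$2" '$1 == t { print $3 }' "$1"
}

# Succeed if target $2 in crypttab $1 has a key source other than an
# interactive passphrase ("none" or no entry at all).
crypttab_uses_keyfile() {
  case $(crypttab_key_field "$1" "$2") in
    ''|none) return 1 ;;
    *) return 0 ;;
  esac
}

# Split a device:fstype:path value into its three fields, one per line;
# fail if any field is missing.
split_cryptkey() {
  case $1 in
    *:*:*) ;;
    *) return 1 ;;
  esac
  dev=${1%%:*}
  rest=${1#*:}
  fstype=${rest%%:*}
  keypath=${rest#*:}
  [ -n "$dev" ] && [ -n "$fstype" ] && [ -n "$keypath" ] || return 1
  printf '%s\n%s\n%s\n' "$dev" "$fstype" "$keypath"
}

# Run all checks on grub file $1, crypttab $2 and target $3; print one line
# per check and succeed only if nothing was flagged.
report() {
  grub=$1 tab=$2 target=$3 problems=0
  if grub_cryptodisk_enabled "$grub"; then
    echo "ok: GRUB_ENABLE_CRYPTODISK=y (grub can read /boot from the LUKS volume)"
  else
    echo "problem: GRUB_ENABLE_CRYPTODISK is not y"; problems=$((problems + 1))
  fi
  key=$(grub_cmdline_param "$grub" cryptkey)
  if [ -n "$key" ] && split_cryptkey "$key" >/dev/null; then
    echo "ok: cryptkey= has device:fstype:path form ($key)"
  else
    echo "problem: cryptkey= missing or not device:fstype:path"; problems=$((problems + 1))
  fi
  if crypttab_uses_keyfile "$tab" "$target"; then
    echo "ok: crypttab key field for $target is $(crypttab_key_field "$tab" "$target")"
  else
    echo "problem: crypttab line for $target says none (passphrase prompt)"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Stand-alone run: the installer-default crypttab is flagged, the keyfile
# one passes.
report "$WORK/grub" "$WORK/crypttab.default" sdb1_crypt || true
report "$WORK/grub" "$WORK/crypttab.keyfile" sdb1_crypt
```

Pointing `report` at the real /etc/default/grub and /etc/crypttab before running update-initramfs shows at a glance whether the default "none" line (the one that forces a passphrase prompt) is still present.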
I know there is some referencing towards the floppy as I'm seeing the
delay error message (reported bug #786559) and I have also set the floppy
module in /etc/modules and /etc/initramfs-tools/modules. I tried seeing
if this made a difference but still no success.
I have made attachments where there's "sdb1_crypt" referenced instead of
"cryptroot" -- a second drive was used to hold /boot but this drive was
permanently removed.
thanks