
Ubuntu: booting an encrypted filesystem with a key on a USB stick

Install ubuntu server with two partitions:

  • sda1 /boot
  • sda2 encrypted partition

Make sda2 an encrypted (LUKS) partition with the LVM volumes inside it.
Once the system is ready you can boot it by typing the password on the keyboard,
but that is tedious, so we would like to unlock it at boot from a key file on the USB stick.
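# Mount the USB stick that will carry the key file.
mkdir -p /key && mount /dev/sdb1 /key # there is sdb1 partition on my usb-flash

# Generate 10 KiB of random key material. The restrictive umask makes the file
# root-only from the moment it is created, and chmod then drops write access.
( umask 077 && dd if=/dev/urandom of=/key/keyfile bs=1K count=10 )
chmod 0400 /key/keyfile

# Enrol the key file in a free LUKS key slot of the encrypted partition;
# cryptsetup asks for the existing passphrase. Without this step the key file
# is just random data and `luksOpen --key-file` cannot unlock /dev/sda2.
# Keep the passphrase slot as a fallback in case the stick is lost or damaged.
# Anyone holding the stick can unlock the disk, so store it like a password.
cryptsetup luksAddKey /dev/sda2 /key/keyfile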

Create the file /etc/initramfs-tools/scripts/local-top/luks_key_mount with the following content:

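#!/bin/sh
# initramfs local-top script: unlock the encrypted root partition with a key
# file read from a USB stick, then check that the LVM root volume is present.
#
# Arguments: $1 - "prereqs" when initramfs-tools queries prerequisites.
# Returns:   0; calls panic if the LVM root volume is missing afterwards.
#
# NOTE(review): kernel names such as /dev/sdb1 are not guaranteed to be stable
# between boots or when another disk is attached; a persistent path like
# /dev/disk/by-uuid/<UUID-PLACEHOLDER> is presumably safer. Confirm it exists
# in your initramfs before switching.

KEY_DEV=/dev/sdb1                         # USB stick partition holding the key
KEY_MNT=/key                              # temporary mount point inside the initramfs
KEY_FILE="$KEY_MNT/keyfile"
CRYPT_DEV=/dev/sda2                       # encrypted partition
CRYPT_NAME=crypt_sda2                     # device-mapper name for the opened volume
ROOT_LV=/dev/mapper/srvlvm-srvlvmroot     # LVM root volume expected after unlock

case "$1" in
prereqs)
     exit 0
     ;;
esac

. /scripts/functions

log_begin_msg "Decrypting root filesystem using a key file."
wait_for_udev

# Give the USB stick up to 7 seconds to appear, but stop waiting as soon as
# the block device exists instead of always sleeping for the full time.
waited=0
while [ ! -b "$KEY_DEV" ] && [ "$waited" -lt 7 ]; do
  /bin/sleep 1
  waited=$((waited + 1))
done

mkdir -p "$KEY_MNT"

# The key only needs to be read, so mount read-only, and unmount again as soon
# as the volume is open so the key file is not left exposed on a mounted
# filesystem for the rest of the boot.
if /bin/mount -t ext4 -o ro "$KEY_DEV" "$KEY_MNT"; then
  if [ -f "$KEY_FILE" ]; then
    /sbin/cryptsetup luksOpen "$CRYPT_DEV" "$CRYPT_NAME" --key-file "$KEY_FILE" ||
      log_failure_msg "cryptsetup could not open $CRYPT_DEV with $KEY_FILE"
  else
    log_failure_msg "key file $KEY_FILE not found on $KEY_DEV"
  fi
  umount "$KEY_MNT" || log_warning_msg "could not unmount $KEY_MNT"
else
  log_failure_msg "could not mount $KEY_DEV on $KEY_MNT"
fi
log_end_msg

# NOTE(review): panic presumably drops to an initramfs shell on the console
# (the message below suggests so). Confirm whether that is acceptable for a
# machine whose console is reachable by others.
if [ ! -b "$ROOT_LV" ]
then
  panic "
Welcome to Linux command prompt.
"
fi
exit 0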

# in that script /dev/sdb1 — my usb flash card
# /dev/sda2 — my encrypted partition
# /dev/mapper/srvlvm-srvlvmroot — lvm root partition

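# The script runs as root at every boot, so make it root-owned and writable by
# root only, with an explicit mode instead of whatever the umask left behind.
chown root:root /etc/initramfs-tools/scripts/local-top/luks_key_mount
chmod 0755 /etc/initramfs-tools/scripts/local-top/luks_key_mount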

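# Rebuild the initramfs so that it contains the new local-top script.
update-initramfs -u

# Check that the script was actually packed into the image before rebooting;
# otherwise the machine comes back up without the key-file unlock step.
# NOTE(review): this inspects the image of the running kernel; if a newer
# kernel is installed, check that image as well.
if lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -q 'scripts/local-top/luks_key_mount'; then
  reboot
else
  echo "luks_key_mount is missing from the initramfs; not rebooting" >&2
fi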