
Ubuntu: booting an encrypted fs with the key on a USB stick

Install Ubuntu Server with two partitions:

  • sda1 /boot
  • sda2 encrypted partition

Make sda2 an encrypted partition with LVM volumes inside it.
Now, when your system is ready, you can boot it with a password entered from the keyboard,
but that is tedious, and we would rather boot using a keyfile on the USB stick.
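# Mount the USB stick (sdb1 is the partition on my usb-flash) and generate a
# 10 KiB random key file on it.
mkdir /key && mount /dev/sdb1 /key

dd if=/dev/urandom of=/key/keyfile bs=1K count=10
# The initramfs reads the key as root; nothing else on this machine needs to
# read it, so keep other local users from copying it off the (ext4) stick.
chmod 600 /key/keyfile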

Create the file /etc/initramfs-tools/scripts/local-top/luks_key_mount with the following content:

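#!/bin/sh
#
# initramfs local-top hook: unlock the LUKS root container with a key file
# stored on a USB stick instead of prompting for a passphrase.
#
# Devices are hard-coded for this machine (adjust to yours):
#   /dev/sdb1                      - USB stick holding the key file (ext4)
#   /dev/sda2                      - LUKS-encrypted partition (LVM inside)
#   /dev/mapper/srvlvm-srvlvmroot  - LVM root volume expected to appear once
#                                    the container is open
#
# NOTE(review): /dev/sdX names depend on enumeration order and can change when
# another disk is attached; a /dev/disk/by-uuid/... path would be more stable.
# Kept as-is to match the original setup.

# initramfs-tools asks every hook for its prerequisites first; this one has none.
case "$1" in
prereqs)
     exit 0
     ;;
esac

# Provides log_begin_msg, log_end_msg, wait_for_udev and panic.
. /scripts/functions

KEY_DEV=/dev/sdb1
KEY_MNT=/key
KEY_FILE="$KEY_MNT/keyfile"
LUKS_DEV=/dev/sda2
LUKS_NAME=crypt_sda2
ROOT_LV=/dev/mapper/srvlvm-srvlvmroot

log_begin_msg "Decrypting root filesystem using a key file."
wait_for_udev

# The USB stick may still be enumerating after udev settles. Poll for the
# device for up to 7 seconds instead of sleeping a fixed 7 seconds, so a stick
# that is already present does not delay the boot.
tries=0
while [ ! -b "$KEY_DEV" ] && [ "$tries" -lt 7 ]; do
  /bin/sleep 1
  tries=$((tries + 1))
done

# Mount the stick read-only: the key only has to be read, and a read-only mount
# cannot alter the stick if the boot is interrupted.
mkdir -p "$KEY_MNT"
if ! /bin/mount -t ext4 -o ro "$KEY_DEV" "$KEY_MNT"; then
  log_end_msg
  panic "
Could not mount key device $KEY_DEV.
"
fi

# Open the container; on failure drop the key mount before handing over to the
# rescue shell so the key file is not left lying around.
if ! /sbin/cryptsetup luksOpen "$LUKS_DEV" "$LUKS_NAME" --key-file "$KEY_FILE"; then
  /bin/umount "$KEY_MNT"
  log_end_msg
  panic "
Could not open $LUKS_DEV with key file $KEY_FILE.
"
fi

# The key is no longer needed once the container is open; unmount the stick so
# the key file is not readable from the initramfs any longer.
/bin/umount "$KEY_MNT"
log_end_msg

# The LVM root volume should now be visible; otherwise fall back to the
# initramfs shell, exactly as the original script did.
if [ ! -b "$ROOT_LV" ]
then
  panic "
Welcome to Linux command prompt.
"
fi
exit 0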

# In that script, /dev/sdb1 is my USB flash drive,
# /dev/sda2 is my encrypted partition, and
# /dev/mapper/srvlvm-srvlvmroot is the LVM root partition.

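# Make the hook executable (initramfs-tools skips hooks that are not).
chmod +x /etc/initramfs-tools/scripts/local-top/luks_key_mount

# Rebuild the initramfs so the hook is included; only reboot if that succeeded,
# otherwise the machine would come up with the old initramfs and still prompt.
update-initramfs -u && reboot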

Encrypted file-backed partition

How to create:

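# Create a 10 GB container file and a 2 KB random key. The key must not be
# readable by other users on the host, so restrict it right after creation.
dd if=/dev/urandom of=/home/user/.hide bs=1GB count=10
dd if=/dev/urandom of=/home/user/.keyfile bs=1KB count=2
chmod 600 /home/user/.keyfile

# Attach the container to a loop device and run a write-mode badblocks pass
# with random data over it (this overwrites the container a second time).
losetup /dev/loop1 /home/user/.hide
badblocks -s -w -t random -v /dev/loop1

# Format the loop device as LUKS (unlocked by the key file) and put ext4 inside.
# Each step runs only if the previous one succeeded, so mkfs never runs against a
# /dev/mapper/secret left over from an earlier session if luksOpen failed.
cryptsetup luksFormat /dev/loop1 -d /home/user/.keyfile \
  && cryptsetup luksOpen /dev/loop1 secret -d /home/user/.keyfile \
  && mkfs.ext4 -j /dev/mapper/secret \
  && e2fsck -f /dev/mapper/secret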

How to mount:

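# Re-attach the container, unlock it with the key file and mount it. Each step
# runs only if the previous one succeeded, so a failed luksOpen does not lead to
# mounting whatever /dev/mapper/secret currently points at.
losetup /dev/loop1 /home/user/.hide \
  && cryptsetup luksOpen /dev/loop1 secret -d /home/user/.keyfile \
  && mount /dev/mapper/secret /mnt/hide/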

How to umount:

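# Tear down in reverse order: unmount, close the LUKS mapping, detach the loop.
# Stop at the first failure so a still-mounted filesystem is not left behind an
# attempted close/detach.
umount /mnt/hide \
  && cryptsetup luksClose secret \
  && losetup -d /dev/loop1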