Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386


Login or Register to Reply

 
Thread Tools Search this Thread
# 1  
Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386

Hello, i'm trying to set up a machine with an encrypted filesystem. It's a Debian 9/i386.

The partition table on /dev/sda
Code:
1.    1 MiB BIOS BOOT  (04) N/A  N/A
2.  256 MiB Linux      (83) ext4 /boot
3. 2304 MiB Linux      (83) ext4 /
4.    1 MiB MINIX      (81) N/A  N/A
5.  510 MiB Linux swap (82) swap swap

When i finished the partitioning, i run these:
Code:
dd if=/dev/urandom of=/dev/sda4 bs=1 count=512
echo 'YES' | cryptsetup -v -c aes-xts-plain64 -s 512 -h sha256 -i 2000 --keyfile-size=512 luksFormat /dev/sda3 /dev/sda4
cryptsetup -c aes-xts-plain64 -d /dev/sda4 -s 512 -i 2000 --keyfile-size=512 open --type=plain /dev/sda3 eldcr
mkfs.ext4 -F /dev/sda2
e2label /dev/sda2 BootLabel
mkfs.ext4 -F /dev/mapper/eldcr
e2label /dev/mapper/eldcr RootLabel
mkdir -p /mnt/disk
mount /dev/mapper/eldcr /mnt/disk
mkswap /dev/sda5

/etc/fstab looks like this:
Code:
/dev/disk/by-partuuid/<partuuid of /dev/sda2> /boot ext4 errors=remount-ro 0 1
/dev/mapper/eldcr / ext4 errors=remount-ro 0 1
/dev/disk/by-partuuid/<partuuid of /dev/sda5> none swap sw 0 0

/etc/crypttab:
Code:
eldcr /dev/disk/by-partuuid/<partuuid of /dev/sda3> /dev/disk/by-partuuid/<partuuid of /dev/sda4> luks,cipher=aes-xts-plain64,size=512,hash=sha256,keyfile-size=512,time=2000,keyscript=getlukskey.sh

/etc/initramfs-tools/conf.d/cryptroot:
Code:
CRYPTROOT=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>

I modified some lines in /etc/default/grub:
Code:
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
GRUB_CMDLINE_LINUX=""
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-partuuid/<partuuid of /dev/sda3>:eldcr root=/dev/mapper/eldcr cryptopts=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>,keyscript=getlukskey.sh crypto=sha256:aes-xts-plain64:512:0:0

The scripts:

/lib/cryptsetup/scripts/getlukskey.sh:
Code:
#!/bin/sh
dd if=/dev/disk/by-partuuid/<partuuid of /dev/sda4> bs=1 count=512 2>/dev/null

/usr/share/initramfs-tools/hooks/glkcopy:
Code:
#!/bin/sh -e
PREREQS=""
case $1 in
        prereqs) echo "${PREREQS}"; exit 0;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /lib/cryptsetup/scripts/getlukskey.sh /bin
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass

And i added the following modules to /etc/initramfs-tools/modules: chainiv, cryptomgr, krng, cbc, ecb, ctr, aes, sha256, xts, dm-mod, dm-crypt

Then i install grub and make the initramfs:
Code:
grub-install --target=i386-pc --skip-fs-probe --efi-directory=/ --boot-directory=/boot --root-directory=/ /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
update-initramfs -c -k all

and in the end "update-initramfs -u -k". (The creation does not include my script, so i have to update it again...)

Result is "cryptsetup (eldcr): unknown fstype, bad password or options?" when i try to boot.

What is the problem?

I also tried to remove the "keyscript" from the boot options and the crypttab and put "cryptkey=/dev/disk/by-partuuid/<partuuid of /dev/sda4>:0:512" into the boot options. Then when i run the initramfs update it says: "WARNING: root target eldcr uses a key file, skipped." And after boot it asks for a password...

Any idea?
# 3  
I am trying to create a Debian 9 system with the root partition encrypted with a keyfile which is stored on a different (and unformatted) partition. And the aim is to get the keyfile at boot automatically, so the machine asking for the password at boot is not the desired effect.
# 4  
So you want to encrypt your disk, with key on that same disk without password ?
You have accomplished nothing security wise, beats the propose of the entire encryption task.

Anyone can just power on your system and access the data.

If you mentioned external disk such as usb or similar, used to store key, perhaps the request would be more sane.
For that scenario check out luksAddKey options and examples online.

Hope the helps
Regards
Peasant.
# 5  
The final goal is to put the key on USB, but right now i don't have any. This approach is solely exists for test and learning reasons. And since the USB key appears in the system as just another block device, like any partition, i'm trying to assemble the whole thing like this and then put the keyfile on USB.

I've searched through the net and i stucked. This is why i asked for help.

------ Post updated at 10:16 AM ------

I've checked out luksAddKey. It's not what i want to achieve. It's for adding an additional keyfile, but i don't want to add an additional keyfile, i want to use that one on /dev/sda4.
# 6  
It's not hard to convert a key on partition into a key on file.

Code:
dd if=/dev/sda4 of=/tmp/keyfile bs=sizeofkeyinbytes count=1

What instructions were you attempting to follow, exactly?
# 7  
I do not want to convert it to a keyfile. My aim is to use the raw partition to read the keyfile.

I've written ALL the instructions i did in my opening post.
Login or Register to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
Cannot access or boot encrypted drive (gave up waiting for root device...)
David4321
I cannot access or boot from my C drive. I'm running Zorin 9 and the drive is a Samsung SSD. The disk was encrypted on install, and that has not given me any problems before. When I start the system it gets to the memory test page, and does not then load the password prompt, which it used to....... Ubuntu
1
Ubuntu
Removing encrypted lvm partition
cjashu
Hi guys, let me start by saying I appreciate your assistance always. I was practicing how to encrypt partitions in my server. I encrypted an lvm partition using luks and when I tried to remove the partition using lvremove, I get this message Logical volume vg10/lvol1 is used by another...... Red Hat
2
Red Hat
iptables forward public IP, no NAT, Debian i386
Action
Hello all, got kinda problem. Have two machines in LAN, one of them connected to Internet directly, another one must be forwarded through the first one. Masquerading works perfectly, but is not what is needed here. Both machines have public IP addresses, when the second machine is forwarded its...... IP Networking
0
IP Networking