Home
Man
Search
Today's Posts
Register

Debian GNU/Linux is a free distribution of the GNU/Linux operating system.

Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386

Tags
cryptsetup, debian, ed, partition, root, root partition

Login to Reply

 
Thread Tools Search this Thread
# 1  
Old 4 Weeks Ago
Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386

Hello, i'm trying to set up a machine with an encrypted filesystem. It's a Debian 9/i386.

The partition table on /dev/sda
Code:
1.    1 MiB BIOS BOOT  (04) N/A  N/A
2.  256 MiB Linux      (83) ext4 /boot
3. 2304 MiB Linux      (83) ext4 /
4.    1 MiB MINIX      (81) N/A  N/A
5.  510 MiB Linux swap (82) swap swap

When i finished the partitioning, i run these:
Code:
dd if=/dev/urandom of=/dev/sda4 bs=1 count=512
echo 'YES' | cryptsetup -v -c aes-xts-plain64 -s 512 -h sha256 -i 2000 --keyfile-size=512 luksFormat /dev/sda3 /dev/sda4
cryptsetup -c aes-xts-plain64 -d /dev/sda4 -s 512 -i 2000 --keyfile-size=512 open --type=plain /dev/sda3 eldcr
mkfs.ext4 -F /dev/sda2
e2label /dev/sda2 BootLabel
mkfs.ext4 -F /dev/mapper/eldcr
e2label /dev/mapper/eldcr RootLabel
mkdir -p /mnt/disk
mount /dev/mapper/eldcr /mnt/disk
mkswap /dev/sda5

/etc/fstab looks like this:
Code:
/dev/disk/by-partuuid/<partuuid of /dev/sda2> /boot ext4 errors=remount-ro 0 1
/dev/mapper/eldcr / ext4 errors=remount-ro 0 1
/dev/disk/by-partuuid/<partuuid of /dev/sda5> none swap sw 0 0

/etc/crypttab:
Code:
eldcr /dev/disk/by-partuuid/<partuuid of /dev/sda3> /dev/disk/by-partuuid/<partuuid of /dev/sda4> luks,cipher=aes-xts-plain64,size=512,hash=sha256,keyfile-size=512,time=2000,keyscript=getlukskey.sh

/etc/initramfs-tools/conf.d/cryptroot:
Code:
CRYPTROOT=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>

I modified some lines in /etc/default/grub:
Code:
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
GRUB_CMDLINE_LINUX=""
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-partuuid/<partuuid of /dev/sda3>:eldcr root=/dev/mapper/eldcr cryptopts=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>,keyscript=getlukskey.sh crypto=sha256:aes-xts-plain64:512:0:0

The scripts:

/lib/cryptsetup/scripts/getlukskey.sh:
Code:
#!/bin/sh
dd if=/dev/disk/by-partuuid/<partuuid of /dev/sda4> bs=1 count=512 2>/dev/null

/usr/share/initramfs-tools/hooks/glkcopy:
Code:
#!/bin/sh -e
PREREQS=""
case $1 in
        prereqs) echo "${PREREQS}"; exit 0;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /lib/cryptsetup/scripts/getlukskey.sh /bin
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass

And i added the following modules to /etc/initramfs-tools/modules: chainiv, cryptomgr, krng, cbc, ecb, ctr, aes, sha256, xts, dm-mod, dm-crypt

Then i install grub and make the initramfs:
Code:
grub-install --target=i386-pc --skip-fs-probe --efi-directory=/ --boot-directory=/boot --root-directory=/ /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
update-initramfs -c -k all

and in the end "update-initramfs -u -k". (The creation does not include my script, so i have to update it again...)

Result is "cryptsetup (eldcr): unknown fstype, bad password or options?" when i try to boot.

What is the problem?

I also tried to remove the "keyscript" from the boot options and the crypttab and put "cryptkey=/dev/disk/by-partuuid/<partuuid of /dev/sda4>:0:512" into the boot options. Then when i run the initramfs update it says: "WARNING: root target eldcr uses a key file, skipped." And after boot it asks for a password...

Any idea?
# 2  
Old 4 Weeks Ago
What, exactly, are you trying to accomplish? What ought to be happening here?

Quote:
And after boot it asks for a password.
This is normal... No?
# 3  
Old 4 Weeks Ago
I am trying to create a Debian 9 system with the root partition encrypted with a keyfile which is stored on a different (and unformatted) partition. And the aim is to get the keyfile at boot automatically, so the machine asking for the password at boot is not the desired effect.
# 4  
Old 4 Weeks Ago
So you want to encrypt your disk, with key on that same disk without password ?
You have accomplished nothing security wise, beats the propose of the entire encryption task.

Anyone can just power on your system and access the data.

If you mentioned external disk such as usb or similar, used to store key, perhaps the request would be more sane.
For that scenario check out luksAddKey options and examples online.

Hope the helps
Regards
Peasant.
# 5  
Old 4 Weeks Ago
The final goal is to put the key on USB, but right now i don't have any. This approach is solely exists for test and learning reasons. And since the USB key appears in the system as just another block device, like any partition, i'm trying to assemble the whole thing like this and then put the keyfile on USB.

I've searched through the net and i stucked. This is why i asked for help.

------ Post updated at 10:16 AM ------

I've checked out luksAddKey. It's not what i want to achieve. It's for adding an additional keyfile, but i don't want to add an additional keyfile, i want to use that one on /dev/sda4.
# 6  
Old 4 Weeks Ago
It's not hard to convert a key on partition into a key on file.

Code:
dd if=/dev/sda4 of=/tmp/keyfile bs=sizeofkeyinbytes count=1

What instructions were you attempting to follow, exactly?
# 7  
Old 4 Weeks Ago
I do not want to convert it to a keyfile. My aim is to use the raw partition to read the keyfile.

I've written ALL the instructions i did in my opening post.
Login to Reply

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Regarding OS partition and root user makauser Ubuntu 1 12-23-2015 10:34 AM
Cannot access or boot encrypted drive (gave up waiting for root device...) David4321 Ubuntu 1 12-12-2015 09:09 AM
Removing encrypted lvm partition cjashu Red Hat 2 10-14-2013 05:27 PM
Need to partition root bhargav90 Solaris 2 06-12-2012 04:51 PM
iptables forward public IP, no NAT, Debian i386 Action IP Networking 0 07-15-2011 09:53 PM
Ran out of space on /dev/root partition Martyn Filesystems, Disks and Memory 2 07-07-2006 10:58 AM
partition problems! byblyk Linux 15 05-05-2004 07:58 PM
Partition Problems veitcha UNIX for Dummies Questions & Answers 5 12-06-2000 09:18 PM


All times are GMT -4. The time now is 12:27 PM.

Unix & Linux Forums Content Copyright 1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password