Login or Register to Ask a Question and Join Our Community


Debian

Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Linux Debian Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386
# 1  
Old 10-10-2018
Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386
Hello, i'm trying to set up a machine with an encrypted filesystem. It's a Debian 9/i386.

The partition table on /dev/sda
Code:
1.    1 MiB BIOS BOOT  (04) N/A  N/A
2.  256 MiB Linux      (83) ext4 /boot
3. 2304 MiB Linux      (83) ext4 /
4.    1 MiB MINIX      (81) N/A  N/A
5.  510 MiB Linux swap (82) swap swap

When i finished the partitioning, i run these:
Code:
dd if=/dev/urandom of=/dev/sda4 bs=1 count=512
echo 'YES' | cryptsetup -v -c aes-xts-plain64 -s 512 -h sha256 -i 2000 --keyfile-size=512 luksFormat /dev/sda3 /dev/sda4
cryptsetup -c aes-xts-plain64 -d /dev/sda4 -s 512 -i 2000 --keyfile-size=512 open --type=plain /dev/sda3 eldcr
mkfs.ext4 -F /dev/sda2
e2label /dev/sda2 BootLabel
mkfs.ext4 -F /dev/mapper/eldcr
e2label /dev/mapper/eldcr RootLabel
mkdir -p /mnt/disk
mount /dev/mapper/eldcr /mnt/disk
mkswap /dev/sda5

/etc/fstab looks like this:
Code:
/dev/disk/by-partuuid/<partuuid of /dev/sda2> /boot ext4 errors=remount-ro 0 1
/dev/mapper/eldcr / ext4 errors=remount-ro 0 1
/dev/disk/by-partuuid/<partuuid of /dev/sda5> none swap sw 0 0

/etc/crypttab:
Code:
eldcr /dev/disk/by-partuuid/<partuuid of /dev/sda3> /dev/disk/by-partuuid/<partuuid of /dev/sda4> luks,cipher=aes-xts-plain64,size=512,hash=sha256,keyfile-size=512,time=2000,keyscript=getlukskey.sh

/etc/initramfs-tools/conf.d/cryptroot:
Code:
CRYPTROOT=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>

I modified some lines in /etc/default/grub:
Code:
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
GRUB_CMDLINE_LINUX=""
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-partuuid/<partuuid of /dev/sda3>:eldcr root=/dev/mapper/eldcr cryptopts=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>,keyscript=getlukskey.sh crypto=sha256:aes-xts-plain64:512:0:0

The scripts:

/lib/cryptsetup/scripts/getlukskey.sh:
Code:
#!/bin/sh
dd if=/dev/disk/by-partuuid/<partuuid of /dev/sda4> bs=1 count=512 2>/dev/null

/usr/share/initramfs-tools/hooks/glkcopy:
Code:
#!/bin/sh -e
PREREQS=""
case $1 in
        prereqs) echo "${PREREQS}"; exit 0;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /lib/cryptsetup/scripts/getlukskey.sh /bin
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass

And i added the following modules to /etc/initramfs-tools/modules: chainiv, cryptomgr, krng, cbc, ecb, ctr, aes, sha256, xts, dm-mod, dm-crypt

Then i install grub and make the initramfs:
Code:
grub-install --target=i386-pc --skip-fs-probe --efi-directory=/ --boot-directory=/boot --root-directory=/ /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
update-initramfs -c -k all

and in the end "update-initramfs -u -k". (The creation does not include my script, so i have to update it again...)

Result is "cryptsetup (eldcr): unknown fstype, bad password or options?" when i try to boot.

What is the problem?

I also tried to remove the "keyscript" from the boot options and the crypttab and put "cryptkey=/dev/disk/by-partuuid/<partuuid of /dev/sda4>:0:512" into the boot options. Then when i run the initramfs update it says: "WARNING: root target eldcr uses a key file, skipped." And after boot it asks for a password...

Any idea?
# 2  
Old 10-10-2018
What, exactly, are you trying to accomplish? What ought to be happening here?

Quote:
And after boot it asks for a password.
This is normal... No?
# 3  
Old 10-10-2018
I am trying to create a Debian 9 system with the root partition encrypted with a keyfile which is stored on a different (and unformatted) partition. And the aim is to get the keyfile at boot automatically, so the machine asking for the password at boot is not the desired effect.
# 4  
Old 10-11-2018
So you want to encrypt your disk, with key on that same disk without password ?
You have accomplished nothing security wise, beats the propose of the entire encryption task.

Anyone can just power on your system and access the data.

If you mentioned external disk such as usb or similar, used to store key, perhaps the request would be more sane.
For that scenario check out luksAddKey options and examples online.

Hope the helps
Regards
Peasant.
# 5  
Old 10-11-2018
The final goal is to put the key on USB, but right now i don't have any. This approach is solely exists for test and learning reasons. And since the USB key appears in the system as just another block device, like any partition, i'm trying to assemble the whole thing like this and then put the keyfile on USB.

I've searched through the net and i stucked. This is why i asked for help.

------ Post updated at 10:16 AM ------

I've checked out luksAddKey. It's not what i want to achieve. It's for adding an additional keyfile, but i don't want to add an additional keyfile, i want to use that one on /dev/sda4.
# 6  
Old 10-11-2018
It's not hard to convert a key on partition into a key on file.

Code:
dd if=/dev/sda4 of=/tmp/keyfile bs=sizeofkeyinbytes count=1

What instructions were you attempting to follow, exactly?
# 7  
Old 10-13-2018
I do not want to convert it to a keyfile. My aim is to use the raw partition to read the keyfile.

I've written ALL the instructions i did in my opening post.
Login or Register to Ask a Question

Previous Thread | Next Thread

8 More Discussions You Might Find Interesting

1. Ubuntu

Regarding OS partition and root user

Dear Concern, I am new in ubuntu. Is root user disable in ubuntu? Also, is os partition default in ubuntu? I don't find any feature to create customize mount point to install OS. Below is my current OS partition. amirislam@blnidapp03:~$ df -h Filesystem Size Used... (1 Reply)
Discussion started by: makauser
1 Replies

2. Ubuntu

Cannot access or boot encrypted drive (gave up waiting for root device...)

I cannot access or boot from my C drive. I'm running Zorin 9 and the drive is a Samsung SSD. The disk was encrypted on install, and that has not given me any problems before. When I start the system it gets to the memory test page, and does not then load the password prompt, which it used to.... (1 Reply)
Discussion started by: David4321
1 Replies

3. Red Hat

Removing encrypted lvm partition

Hi guys, let me start by saying I appreciate your assistance always. I was practicing how to encrypt partitions in my server. I encrypted an lvm partition using luks and when I tried to remove the partition using lvremove, I get this message Logical volume vg10/lvol1 is used by another... (2 Replies)
Discussion started by: cjashu
2 Replies

4. Solaris

Need to partition root

Hello guys, I am using Solaris 10 x86 OS. While installing OS i have allocated entire 10 GB space to the root. Now i am not able to create new partition it says me "out of range" or "<cylinder number> not expected". Can someone please help me to allocated a default recommended space i.e 8GB or... (2 Replies)
Discussion started by: bhargav90
2 Replies

5. IP Networking

iptables forward public IP, no NAT, Debian i386

Hello all, got kinda problem. Have two machines in LAN, one of them connected to Internet directly, another one must be forwarded through the first one. Masquerading works perfectly, but is not what is needed here. Both machines have public IP addresses, when the second machine is forwarded its... (0 Replies)
Discussion started by: Action
0 Replies

6. Solaris

increasing root / partition

Dear all, I have a root partition which is 20 G in size. I have var and /tmp as seperate file systems. But this 20 G of root is not sufficeint. I want to increase the size of the / partition. Is there any way to increase with out down time. my df -k output is Filesystem ... (4 Replies)
Discussion started by: jegaraman
4 Replies

7. Linux

partition problems!

Hey, haha i'm back! Just when i thought everythign was working fine and dandy i found out that i screwed up my partitions way back when i set teh computer up like 5 months ago...lol. SO! I have decided to format....jus tcause this is my learning computer and install RH9 or whatever the... (15 Replies)
Discussion started by: byblyk
15 Replies

8. UNIX for Dummies Questions & Answers

Partition Problems

I just finished installing Solaris 5.8 and I tried to install StarOffice, it said I was out of room. Now I have a 3 gig HD and I THOUGHT that I gave 512 to swap and kept the rest for storage room. How do I check how much room I have, how would I if I figured out I don't have enough room add... (5 Replies)
Discussion started by: veitcha
5 Replies
Login or Register to Ask a Question