Thread: Keyfile for encrypted drive (luks)

  1. #1
    Join Date
    Oct 2008
    Location
    Sunny Arizona
    Posts
    251

    Keyfile for encrypted drive (luks)

    I can't seem to get an encrypted partition to recognize a keyfile. It is a backup partition that I would like to keep unmounted until a cron script runs once a week to back up my sensitive data. In order for the script to run without my assistance, I thought I'd use a keyfile to authorize the mount.

    So far I've created a keyfile and have added it to the partition using "luksKeyAdd". It didn't really say it was successful, but when I do a luksdump, it shows that another key slot has been enabled, so I believe it worked.

    After that I created a /etc/crypttab file with the following:

    Code:
    backup_sdd1  /dev/sdd1  /root/backup  luks
    /dev/sdd1 being the backup partition, and /root/backup being the keyfile

    After rebooting, I am still prompted for a password when trying to mount the encrypted partition (sdd1), and there is no device "/dev/mapper/backup_sdd1" created like I believe there should be.

    I haven't added any entries to fstab, as I don't want this partition to mount at boot.

    Any assistance you could provide would be greatly appreciated.

  2. #2
    Join Date
    Oct 2008
    Location
    Sunny Arizona
    Posts
    251

    Re: Keyfile for encrypted drive (luks)

    I found that using a standard cryptsetup "luksOpen" command with the --key-file option works fine, so I added it to my backup script and it works for what I need it for.

    I never could get crypttab to do anything. Is this a bug in 11.3? Has anybody else had any success decrypting a partition at boot with crypttab?

  3. #3
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Keyfile for encrypted drive (luks)

    On 2010-10-19 17:36, queequeg wrote:

    > I never could get crypttab to do anything. Is this a bug in 11.3? Has
    > anybody else had any success decrypting a partition at boot with
    > crypttab?


    Me, for years.

    It needs a corresponding entry in fstab.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  4. #4
    Join Date
    Oct 2008
    Location
    Sunny Arizona
    Posts
    251

    Re: Keyfile for encrypted drive (luks)

    Originally Posted by robin_listas:
    > On 2010-10-19 17:36, queequeg wrote:
    >
    > > I never could get crypttab to do anything. Is this a bug in 11.3? Has
    > > anybody else had any success decrypting a partition at boot with
    > > crypttab?
    >
    > Me, for years.
    >
    > It needs a corresponding entry in fstab.
    >
    > --
    > Cheers / Saludos,
    >
    > Carlos E. R.
    > (from 11.2 x86_64 "Emerald" at Telcontar)

    Could you check mine out to see if I'm doing it correctly? Here is my /etc/crypttab:
    Code:
    backup_crypt /dev/disk/by-id/ata-ST31000333AS_6TE0D582-part1 none none
    And here is my corresponding fstab entry:
    Code:
    /dev/mapper/backup_crypt     /fullbackup    ext4  defaults    1 2
    Am I doing something wrong? At boot, it says it can't fsck one of the disks and kicks me into recovery mode. I've tried several different crypttab entries (pointing to keyfiles, using the /dev/sdXX address, etc.) and it doesn't change anything, same error at startup.

  5. #5
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Keyfile for encrypted drive (luks)

    On 2010-10-22 07:36, queequeg wrote:
    >
    > robin_listas;2240757 Wrote:


    > Could you check mine out to see if I'm doing it correctly? Here is my
    > /etc/crypttab:
    >
    > Code:
    > --------------------
    > backup_crypt /dev/disk/by-id/ata-ST31000333AS_6TE0D582-part1 none none
    > --------------------
    >
    >
    > And here is my corresponding fstab entry:
    >
    > Code:
    > --------------------
    > /dev/mapper/backup_crypt /fullbackup ext4 defaults 1 2
    > --------------------
    >
    >
    > Am I doing something wrong? At boot, it says it can't fsck one of the
    > disks and kicks me into recovery mode. I've tried several different
    > crypttab entries (pointing to keyfiles, using the /dev/sdXX address,
    > etc.) and it doesn't change anything, same error at startup.


    No, it is fstab which is the problem. That "2" there means "fsck it", which happens probably before
    it asks for the password, and thus the mapped device does not exist. The standard failure message
    says to fsck, but it should also mention that perhaps you have to edit fstab instead for incorrect
    lines.

    Change the fstab line to:

    /dev/mapper/backup_crypt /fullbackup ext4 noauto,nofail 1 2


    The noauto means that mount should not try to mount it automatically (the /etc/init.d/boot.crypto
    does it), and the nofail means "Do not report errors for this device if it does not exist". The fsck
    is done by the boot script if necessary.


    Try that and tell me if it works :-)



    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  6. #6
    Join Date
    Oct 2008
    Location
    Sunny Arizona
    Posts
    251

    Re: Keyfile for encrypted drive (luks)

    Thank you, works great.
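
Added example, not part of any post in this thread: a shell function that reads a crypttab, checks that each keyfile it names is not accessible to group or other, and checks that the fstab line for the mapped device carries the noauto,nofail options suggested in post #5. The function name lint_crypt_setup and the wording of its findings are assumptions; it relies on GNU stat and checks the file mode only, not ownership.

```shell
#!/bin/sh
# Added example (not from the thread): lint a crypttab/fstab pair.
# Usage: lint_crypt_setup /etc/crypttab /etc/fstab
# Prints one line per finding; returns 1 if a problem was reported.
lint_crypt_setup() {
    lc_crypttab=$1; lc_fstab=$2; lc_bad=0
    # crypttab fields: <mapped name> <device> <keyfile or "none"> <options>
    while read -r lc_name lc_dev lc_key lc_rest || [ -n "$lc_name" ]; do
        case $lc_name in ''|'#'*) continue ;; esac
        if [ -n "$lc_key" ] && [ "$lc_key" != none ]; then
            if [ ! -f "$lc_key" ]; then
                echo "$lc_name: keyfile $lc_key not found"; lc_bad=1
            else
                # GNU stat prints the octal mode; the last two digits
                # are the group and other permission bits.
                lc_mode=$(stat -c %a "$lc_key")
                case $lc_mode in
                    0|*00) ;;
                    *) echo "$lc_name: keyfile $lc_key has mode $lc_mode, group/other can access it"
                       lc_bad=1 ;;
                esac
            fi
        fi
        # Options column (4th field) of the fstab line for the mapped device.
        lc_opts=$(awk -v d="/dev/mapper/$lc_name" '$1 == d { print $4; exit }' "$lc_fstab")
        if [ -z "$lc_opts" ]; then
            # Informational only: a script that unlocks and mounts by hand needs no fstab line.
            echo "$lc_name: note: no fstab entry for /dev/mapper/$lc_name"
            continue
        fi
        for lc_want in noauto nofail; do
            case ",$lc_opts," in
                *",$lc_want,"*) ;;
                *) echo "$lc_name: fstab options '$lc_opts' lack $lc_want"; lc_bad=1 ;;
            esac
        done
    done < "$lc_crypttab"
    return "$lc_bad"
}
```

Run it as root against the live files with `lint_crypt_setup /etc/crypttab /etc/fstab`; an empty output and a zero exit status mean neither check fired.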
