luks password bypass in systemd

Hey,

I've recently upgraded my backup machine from 11.4 to openSUSE 13.1 and I use an encrypted drive. In the past (prior to systemd) I could edit /lib/cryptsetup/boot.crypto.functions to look something like the following:

    local cmd
    # map the devices
    if test -n "$luks" || cryptsetup isLuks "$device" &> /dev/null; then
        luks='yes'
        cmd=(luksOpen -d /path/to/my/key "$device" "$name")
    else

However, doing this seems to no longer work as I get a prompt like:


Password entry required for 'Please enter passphrase for disk MYDISK (cr_mountpoint) on /mountpoint!' (PID ####).
Please enter password with the systemd-tty-ask-password-agent tool!

Does anyone know what file I might need to edit to fix this?

Thanks!

If the key is in a file that is available at the right time during boot, you can put the path in “/etc/crypttab”. Check the man page.

On 2013-12-16 21:56, nrickert wrote:
>
> sailorcire;2608919 Wrote:
>> Does anyone know what file I might need to edit to fix this?
>
> If the key is in a file that is available at the right time during boot,
> you can put the path in “/etc/crypttab”. Check the man page.

This interests me.

I read some time ago that it was possible to keep a large key in a file
stored on external media (memory card, USB stick…), and be prompted
for a passphrase as well, before activating an encrypted partition.

Thus if the memory stick is stolen, it is not enough to read the data.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Thanks, that did it!

For those who are too lazy to read the manual (or in the event it changes in the future), the third parameter in /etc/crypttab can be a path to your key file.

So you’d have an entry like:


cr_mountpoint /dev/sdX /path/to/keyfile none

The fourth parameter is for other options.
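
A key file named in the third field unlocks the volume with no passphrase, so anyone who can read that file can open the disk. The following is an added example, not part of the original thread: a shell function that reads a crypttab-format file and reports, per entry, whether the key file exists and is accessible only to its owner. The device names, key file names and scratch directory in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the key files named in a
# crypttab-format file. Fields: name, device, key file, options.

# Print "<name> <status> <keyfile>" for every entry in the file given as $1.
#   PROMPT  - field 3 is empty, "none" or "-": a passphrase is asked at boot
#   MISSING - the key file does not exist at audit time
#   SPECIAL - not a regular file (e.g. /dev/urandom for throw-away swap keys)
#   LOOSE   - group or other have some permission on the key file
#   OK      - only the owner can access the key file
audit_crypttab() {
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
        case "$keyfile" in
            ''|none|-) echo "$name PROMPT -"; continue ;;
        esac
        if [ ! -e "$keyfile" ]; then
            status=MISSING
        elif [ ! -f "$keyfile" ]; then
            status=SPECIAL
        else
            # Characters 5-10 of the ls mode string are the group/other bits.
            bits=$(ls -ldL "$keyfile" | cut -c5-10)
            if [ "$bits" = "------" ]; then status=OK; else status=LOOSE; fi
        fi
        echo "$name $status $keyfile"
    done < "$1"
}

# Constructed sample: a scratch directory stands in for /etc and the key store.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'k' > "$dir/good.key";  chmod 600 "$dir/good.key"
    printf 'k' > "$dir/loose.key"; chmod 644 "$dir/loose.key"
    cat > "$dir/crypttab" <<EOF
# name         device    keyfile          options
cr_mountpoint  /dev/sdX  $dir/good.key    none
cr_backup      /dev/sdY  $dir/loose.key   none
cr_home        /dev/sdZ  none
cr_gone        /dev/sdW  $dir/absent.key  none
cr_swap        /dev/sdV  /dev/urandom     swap
EOF
    audit_crypttab "$dir/crypttab"
    rm -rf "$dir"
}

demo
```

On a real system the function would be called as `audit_crypttab /etc/crypttab`, run as root so the key files can be inspected.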

This sounds interesting as well, it might be very useful for a laptop.

If you come across an article then I’d be interested, if not then oh well.

On 2013-12-16 22:56, sailorcire wrote:
>
> nrickert;2608959 Wrote:

> For those who are too lazy to read the manual (or in the event it
> changes in the future), the third parameter in /etc/crypttab can be a
> path to your key file.

Yep, I know that :)

But it does not ask you for a passphrase in addition to the file. I’ve
never seen how to do that, only mentions that some people do it.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-12-16 23:06, sailorcire wrote:
>
> robin_listas;2608967 Wrote:

>
> This sounds interesting as well, it might be -very- useful for a laptop.
>
> If you come across an article then I’d be interested, if not then oh
> well.

Sure! But I have never seen it…


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)