
Thread: Full Disk Encryption with Keyfile

  1. #1

    Default Full Disk Encryption with Keyfile

    Hello Community,

    I have successfully installed openSUSE Tumbleweed with Full Disk Encryption, but on every boot I have to enter my password twice.
    Then I searched the forum here and found this thread.

    But unfortunately the link in the first post is down / not reachable.
    There are some instructions but I don't know what I have to do exactly.

    Can someone help me or provide me a link?

    Thank you

  2. #2
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,317

    Default Re: Full Disk Encryption with Keyfile

    On Fri, 20 Apr 2018 19:46:01 +0000, in famous wrote:

    > Hello Community,
    >
    > I have successfully installed openSUSE Tumbleweed with Full Disk
    > Encryption, but on every boot I have to enter my password twice.
    > Then I searched the forum here and found this 'thread'
    > (http://tinyurl.com/y7qzspde).
    >
    > But unfortunately the link in the first post is down / not reachable.
    > There are some instructions but I don't know what I have to do exactly.
    >
    > Can someone help me or provide me a link?
    >
    > Thank you


    https://web.archive.org/web/20180103175714/http://
    http://www.pavelkogan.com/2014/05/23...sk-encryption/ might be a good
    cache of the page in question.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  3. #3

    Default Re: Full Disk Encryption with Keyfile

    Hello,

    Just wanted to post my solution that I found with the help of the mailing list.

    I added a few comments and hope it will help new users like me.

    Edit Grub File and change GRUB_ENABLE_CRYPTODISK=n TO GRUB_ENABLE_CRYPTODISK=y
    Code:
    sudo nano /etc/default/grub
    Create Keyfile
    Code:
    sudo dd bs=512 count=4 if=/dev/urandom of=/.crypto_keyfile.bin
    Show Disks to find your LUKS device
    Code:
    lsblk
    Add Key (Replace /dev/sdaX with your LUKS Device)
    Code:
    sudo cryptsetup luksAddKey /dev/sdaX /.crypto_keyfile.bin
    ("Enter any existing passphrase:" means your LUKS Password)

    Change Permission
    Code:
    sudo chmod 000 /.crypto_keyfile.bin && sudo chmod -R g-rwx,o-rwx /boot
    Edit Crypttab
    Code:
    sudo nano /etc/crypttab
    INSERT AT END:
    Code:
     /.crypto_keyfile.bin
    Add Keyfile to initrd
    Code:
    sudo nano /etc/dracut.conf.d/99-initcrypt.conf
    INSERT:
    Code:
    install_items+=" /.crypto_keyfile.bin "
    Rebuild initrd
    Code:
    sudo mkinitrd

  4. #4

    Default Re: Full Disk Encryption with Keyfile

    Thanks for this post!

    I'm going to add a few links (sorry only one is SuSE oriented) that talk about Yubikey so I can bookmark this thread and possibly incorporate your steps in when I ever have time:

    https://software.opensuse.org/packag...ey-piv-manager

    https://www.howtoforge.com/ubuntu-tw...tion-with-luks

    https://askubuntu.com/questions/5998...ia-luks#599826

    https://github.com/agherzan/yubikey-...isk-encryption
    I don’t have anything to hide, but I don’t have anything I want to show you either.

  5. #5
    Join Date
    Sep 2012
    Posts
    7,106

    Default Re: Full Disk Encryption with Keyfile

    Quote Originally Posted by in_famous View Post
    hope it will help new user
    You mean it works with only these steps? I am missing the step that actually tells dracut to use this keyfile. Adding a file to the initrd does not mean it is going to be used to decrypt anything.

    P.S. Sorry, is it supposed to be "insert at the end of /etc/crypttab"? At the end of what? At the end of the /etc/crypttab file? This cannot work. At the end of the line - it can't be, because a line in crypttab has 4 fields and the keyfile goes into the third field (not to mention that there could be multiple lines in /etc/crypttab).

  6. #6
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,681
    Blog Entries
    3

    Default Re: Full Disk Encryption with Keyfile

    Quote Originally Posted by arvidjaar View Post
    P.S. sorry, is it supposed to be "insert at the end of /etc/crypttab"? At the end of what? At the end of /etc/crypttab file? This cannot work.
    If there is only a single encrypted partition, and if it is setup by the current Tumbleweed installer, then it probably works. The installer is generating a "crypttab" with only two fields. So adding to the end (on the same line) would put it in the third field.

    I don't think one should depend on this current behavior of the installer. It would have been better to specify that this information goes in the third field. But it may have actually worked as described.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  7. #7

    Default Re: Full Disk Encryption with Keyfile

    Hello,

    Yes, it worked for me, so I thought this would work for everyone.
    But thanks for the information, and here is the better solution... at least I hope so.


    Code:
    #Edit Grub File and change GRUB_ENABLE_CRYPTODISK=n TO GRUB_ENABLE_CRYPTODISK=y
    sudo nano /etc/default/grub
    
    #Create Keyfile
    sudo dd bs=512 count=4 if=/dev/urandom of=/.crypto_keyfile.bin
    
    #Show Disks to find your LUKS device
    lsblk
    
    #Add Key (Replace /dev/sdaX with your LUKS Device)
    sudo cryptsetup luksAddKey /dev/sdaX /.crypto_keyfile.bin
    #"Enter any existing passphrase:" means your LUKS Password
    
    #Change Permission
    sudo chmod 000 /.crypto_keyfile.bin && sudo chmod -R g-rwx,o-rwx /boot
    
    #Edit Crypttab and insert the following at the third position of your LUKS device:  /.crypto_keyfile.bin
    sudo nano /etc/crypttab
    
    #example:
    #  cr_sdaX UUID=000000000000000000000 /.crypto_keyfile.bin
    #when there is "none" at the third position, replace "none" with /.crypto_keyfile.bin
    
    #Add Keyfile to initrd
    echo 'install_items+=" /.crypto_keyfile.bin "' | sudo tee /etc/dracut.conf.d/99-initcrypt.conf
    
    #Rebuild initrd
    sudo dracut --force

  8. #8
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,681
    Blog Entries
    3

    Default Re: Full Disk Encryption with Keyfile

    Quote Originally Posted by in_famous View Post
    Code:
    sudo dracut --force
    For that last step, it might be better to use:
    Code:
    mkinitrd
    Or, at least, that one is easier to remember.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;
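
The field-position issue raised in posts #5 and #6, as an added example (not code from any poster in this thread): a shell function that puts the key file into the third field of one named crypttab entry, whether that line has two, three or four fields. The function name and the sample mapping names and UUIDs are constructed for illustration.

```shell
#!/bin/sh
# set_crypttab_keyfile FILE NAME KEYFILE   (hypothetical helper name)
# Prints FILE with the third field (key file) of the entry whose first
# field is NAME set to KEYFILE:
#   - two-field line (as described for the Tumbleweed installer): append it
#   - third field "none" or anything else: replace it
#   - fourth field (options): keep it
# Comments, blank lines and all other entries pass through unchanged.
# Returns 1 if NAME has no entry, so a mistyped name is not silently ignored.
set_crypttab_keyfile() {
    awk -v name="$2" -v key="$3" '
        /^[ \t]*(#|$)/ { print; next }          # comment or blank line
        $1 == name && NF >= 2 {
            found = 1
            line = $1 " " $2 " " key            # name, device, key file
            if (NF >= 4) line = line " " $4     # preserve options field
            print line
            next
        }
        { print }
        END { exit !found }
    ' "$1"
}

# Constructed sample input: one two-field entry, one four-field entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed crypttab sample
cr_root UUID=11111111-2222-3333-4444-555555555555
cr_home UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none discard
EOF

# Show the rewritten file for the root mapping; nothing is modified in place.
set_crypttab_keyfile "$sample" cr_root /.crypto_keyfile.bin
```

The function only writes to standard output, so the result can be compared with the real /etc/crypttab (for example with diff) before anything is replaced and the initrd is rebuilt.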
