Add LUKS key to an already installed encrypted root MD array, residing on an SD card

Hi, this is my setup

https://forums.opensuse.org/t/self-compiled-linux-6-12-6-kernel-issues-with-initial-ramdisk/

Now I want to “pimp” my already close to feature optimised system.

For the purpose of hardening I want to add a LUKS key to the encrypted root file system, which should reside on an SD Card (USB key as an alternative).

This will mean that I will run the command:

cryptsetup luksAddKey /dev/??? /mnt/sdcard0

For your valued information

(base) tuxy:/ # lsblk -o +UUID,LABEL
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS UUID                                 LABEL
nvme1n1       259:0    0 953.9G  0 disk            f0ce0891-4e0e-dc2e-e617-e6e286330394 any:tuxy
└─md127         9:127  0 953.9G  0 raid1                                                
  ├─md127p1   259:2    0   140M  0 part  /boot/efi 105A-E937                            boot-1
  ├─md127p2   259:3    0   444G  0 part            9df71dbb-3817-4703-8232-b519d6dd6d8c 
  │ └─cr_root 254:0    0   444G  0 crypt /         23123c1a-70c9-443e-a5bb-16bab1fbfb22 root-1
  ├─md127p3   259:4    0   140M  0 part            0FE8-DCA5                            boot-2
  ├─md127p4   259:5    0   444G  0 part            d0234a0d-25f6-4b17-840e-7a1548da3a13 root-2
  ├─md127p5   259:6    0   512M  0 part            f4dc1d0f-033f-4f13-b9db-fd3c5990c9d9 
  └─md127p6   259:7    0    64G  0 part  [SWAP]    da613a42-a085-41e4-8c01-ea37fe9eed46 swap
nvme0n1       259:1    0 953.9G  0 disk            f0ce0891-4e0e-ac2e-e617-e6e286300394 any:tuxy
└─md127         9:127  0 953.9G  0 raid1                                                
  ├─md127p1   259:2    0   140M  0 part  /boot/efi 105A-E937                            boot-1
  ├─md127p2   259:3    0   444G  0 part            9df71dbb-3217-4703-8332-b519d6dd6d8c 
  │ └─cr_root 254:0    0   444G  0 crypt /         23123c1a-77c9-443e-a5ab-16bab1fbfb22 root-1
  ├─md127p3   259:4    0   140M  0 part            0FE8-D3A5                            boot-2
  ├─md127p4   259:5    0   444G  0 part            d0231a0d-25f6-4b17-810e-7a1548da3a13 root-2
  ├─md127p5   259:6    0   512M  0 part            f4dc6d0f-033f-4f13-b9ab-fd3c5990c9d9 
  └─md127p6   259:7    0    64G  0 part  [SWAP]    da613a42-a055-41b4-8c01-ea37fe9eed46 swap

This is my current /etc/crypttab file

cr_scratch  UUID=f4dc6d0f-013f-4f13-b9db-fd3c59b0c9d9  none  noauto
cr_root     UUID=9df71dcb-3817-4703-8332-b549d6dd6d8c  none  x-initrd.attach

I found this very informative article

https://en.opensuse.org/SDB:Encrypted_root_file_system

but…

it does not touch

  1. Putting the key on an external (SD Card) drive
  2. Using a RAID array as root filesystem

Now I wonder, is it that simple?

Will the key be available when it is not part of the root filesystem? Actually I want to dry run the whole setup. By no means do I want to be locked out of my marvellous Linux system - HOWTO?

Any thoughts on that would be great!

TIA, Martin.

This is really a case of RTFM: man crypttab

        3. The third field specifies an absolute path to a file with the encryption key. Optionally, the path may be
           followed by ":" and an /etc/fstab style device specification (e.g. starting with "LABEL=" or similar); in
           which case the path is taken relative to the specified device's file system root.

Hint - there are more options that may be useful in this case. Try to actually read the man page.
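The dry run Martin asks for above, as an added example that is not part of the thread: a bash script that rehearses the whole change (the third crypttab field from the man page excerpt, luksAddKey with a key file, verification, and only then removing the passphrase slot) on a loop-backed LUKS2 container instead of md127p2, with a plain directory standing in for the mounted SD card. It assumes bash, cryptsetup 2.x, losetup and root; the label SDKEY, the path /luks/root.key and the passphrase are invented for illustration.

```shell
#!/usr/bin/env bash
# Dry run of "root LUKS volume unlocked by a key file on a removable card",
# done on a loop-backed container so no real disk is touched.
# Added example, not code from the thread. Assumes bash, cryptsetup 2.x
# (LUKS2), losetup and root; the card is stood in for by a plain directory,
# and the label SDKEY and path /luks/root.key are invented for illustration.
set -euo pipefail

# Build one /etc/crypttab line. The third field is "<keyfile>" or
# "<keyfile>:<fstab-style device spec>", which makes the initrd look for the
# key file on that device (man crypttab), e.g. /luks/root.key:LABEL=SDKEY.
crypttab_line() {
    local name=$1 uuid=$2 keyfile=$3 keydev=${4:-} opts=${5:-x-initrd.attach}
    local key=$keyfile
    if [ -n "$keydev" ]; then
        key="$keyfile:$keydev"
    fi
    printf '%s  UUID=%s  %s  %s\n' "$name" "$uuid" "$key" "$opts"
}

# Count populated key slots in `cryptsetup luksDump` output read from stdin
# (LUKS2 prints one "  <n>: luks2" line per populated slot).
count_luks2_slots() {
    grep -cE '^ +[0-9]+: luks2' || true
}

DRY_WORK= DRY_LOOP=
dry_cleanup() {
    if [ -n "$DRY_LOOP" ]; then losetup -d "$DRY_LOOP" 2>/dev/null || true; fi
    if [ -n "$DRY_WORK" ]; then rm -rf "$DRY_WORK"; fi
}
die() { echo "dry run failed: $*" >&2; exit 1; }

dry_run() {
    # Refuse to start (status 2) unless the environment can actually do this.
    if [ "$(id -u)" -ne 0 ] || ! command -v cryptsetup >/dev/null 2>&1 \
        || [ ! -e /dev/mapper/control ] || ! losetup -f >/dev/null 2>&1; then
        echo "skip: needs root, cryptsetup, device-mapper and a free loop device" >&2
        return 2
    fi
    local pass='correct horse battery staple'   # stands in for the slot-0 passphrase
    local pbkdf=(--pbkdf pbkdf2 --pbkdf-force-iterations 1000)  # fast for a test, never for real
    DRY_WORK=$(mktemp -d)
    trap dry_cleanup EXIT
    local img=$DRY_WORK/root.img card=$DRY_WORK/card   # "card" = the mounted SD card
    truncate -s 64M "$img"
    DRY_LOOP=$(losetup --find --show "$img")

    # 1. A volume that today opens only with a passphrase (slot 0), like cr_root.
    printf '%s' "$pass" | cryptsetup luksFormat --type luks2 --batch-mode \
        "${pbkdf[@]}" --key-file - "$DRY_LOOP" || die "luksFormat"

    # 2. A fresh random key on the card, readable by root only.
    install -d -m 700 "$card/luks"
    head -c 64 /dev/urandom > "$card/luks/root.key"
    chmod 0400 "$card/luks/root.key"

    # 3. luksAddKey: authenticate with the existing passphrase, enrol the key file.
    printf '%s' "$pass" | cryptsetup luksAddKey "${pbkdf[@]}" --key-file - \
        "$DRY_LOOP" "$card/luks/root.key" || die "luksAddKey"

    # 4. Prove the key file unlocks the volume BEFORE touching the passphrase slot.
    cryptsetup open --test-passphrase --key-file "$card/luks/root.key" "$DRY_LOOP" \
        || die "key file does not unlock the volume; keeping the passphrase"
    [ "$(cryptsetup luksDump "$DRY_LOOP" | count_luks2_slots)" -eq 2 ] \
        || die "expected two populated key slots"

    # 5. Now the passphrase slot can go. luksKillSlot wants a *remaining*
    #    credential, so the key file is proved once more here.
    cryptsetup luksKillSlot --key-file "$card/luks/root.key" "$DRY_LOOP" 0 \
        || die "luksKillSlot"

    # 6. Post-check: passphrase rejected, key file still accepted, one slot left.
    if printf '%s' "$pass" | cryptsetup open --test-passphrase --key-file - "$DRY_LOOP" 2>/dev/null; then
        die "passphrase still opens the volume"
    fi
    cryptsetup open --test-passphrase --key-file "$card/luks/root.key" "$DRY_LOOP" \
        || die "key file stopped working after luksKillSlot"
    [ "$(cryptsetup luksDump "$DRY_LOOP" | count_luks2_slots)" -eq 1 ] \
        || die "expected exactly one key slot"

    # 7. The crypttab entry the real system would need for this volume.
    echo "dry run OK; crypttab line for the real volume would be:"
    crypttab_line cr_root "$(cryptsetup luksUUID "$DRY_LOOP")" /luks/root.key LABEL=SDKEY
}

# The sandboxed but device-touching part runs only when asked explicitly:
#   sudo bash luks-keyfile-dryrun.sh run
if [ "${1:-}" = run ]; then
    dry_run
fi
```

The order is the point: the new key file is checked with `--test-passphrase` while the passphrase slot still exists, and the slot is killed using the key file itself as the remaining credential, so there is never a moment at which no tested credential opens the volume. On the real system the third crypttab field becomes `/luks/root.key:LABEL=SDKEY` (the path is relative to the card's filesystem root, and that filesystem must actually carry the label), and the initrd has to be rebuilt afterwards (`dracut -f`) so that the initrd's copy of the crypttab entry picks up the change; the key file itself is then read from the card at boot rather than baked into the initrd.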

Thank you, great!

Although I prefer to call it RTPM, P = precious, :grinning:

That put me already in the right direction…

But what about the RAID setup, could this pose a problem?

I am not sure I understand the question. The key location is interpreted by the same program that queries for the password. What problems do you expect?

O. K. The PURPOSE of my question relates to my wish to make my system UNBOOTABLE without the SD Card (sure I will create 1:1 copies of my SD card, just in case they break after some time).

But by reading the dracut.conf man page it states

install_items+=" <file>[ <file> ...] "
           Specify additional files to include in the initramfs, separated by spaces.

But I do not want to get the key file included in the initramfs! For that I do not need the SD card. I want something like including a link to the SD card file in the initramfs. Other options?

Martin

Then delete all LUKS slots where the key is stored.

O. K. but before I do that, here is an updated information

I managed successfully :grinning: and now I am able to boot the system ONLY when the card is inserted. This is EXACTLY what I wanted.

Regarding the key slots, I am hesitating…

Right now, before the GRUB menu gets displayed, I get asked for a passphrase, even though I inserted the card. So the content of the card (and whether a card was inserted) does not matter at that point.

Now I fear that deleting the passphrase in LUKS slot #0 makes GRUB unusable.

FYI: My /etc/default/grub contains GRUB_ENABLE_CRYPTODISK="y"

Both, the root filesystem, and “/boot” are encrypted.

GRUB needs to read its own configuration, which is located in /boot, so it does need to unlock it, and currently it can only use a passphrase from a LUKS slot.

GRUB itself supports using an external key(file) to unlock LUKS partition, but there is no integration with GRUB configuration. Realistic options in this case are

  • use a separate unencrypted /boot. It is incompatible with rollbacks using btrfs snapshots as implemented by (open)SUSE.
  • switch to systemd-boot which loads kernel and initrd from the ESP. It is integrated into btrfs snapshots, but it does need space on ESP - 140MB is barely enough for a couple of initrd’s. Also, it is still work in progress so there may be rough edges.

More involved is either manually setting up a separate GRUB instance that can use your SD card to unlock LUKS (assuming your SD card is visible in BIOS to start with) or integrating support for the external key into the standard GRUB configuration.

Thanks again for keeping the discussion active, I do appreciate… :grinning:

Without further ado I checked for visibility of the card in the GRUB2 environment by means of the “ls” command. Even with FASTBOOT™ disabled my BIOS does not reveal USB drives (tested several ones). Using the “nativedisk” command in the GRUB2 environment did not change things.

Anyway, I am rather satisfied with my setup now.

O. K.

After some more reading I found this article

https://sysguides.com/install-fedora-37-with-luks-full-disk-encryption

I found the answers for my residual questions. I created an additional LUKS partition, holding the “/boot” directory entries.

Now I have exactly the setup which I wanted to have:

The root partition is encrypted by means of the SD card key file, GRUB (/boot) is encrypted by means of a passphrase.

I deleted the passphrase key slot for the root directory, and now the system cannot get started without the SD card.

The SD card is only an in-between scenario, will use yubikey or nitrokey in the future.

Martin.

P. S. Luckily I did not face the situation being left with an unbootable Linux system :relieved:
