Full Disk Encryption with Keyfile

Hello Community,

I have successfully installed openSUSE Tumbleweed with Full Disk Encryption, but at every boot I have to enter my password twice.
Then I searched the forum here and found this thread.

But unfortunately the link in the first post is down / not reachable.
There are some instructions, but I don't know exactly what I have to do.

Can someone help me or provide me a link?

Thank you

On Fri, 20 Apr 2018 19:46:01 +0000, in famous wrote:

> Hello Community,
>
> I have successfully installed openSUSE Tumbleweed with Full Disk
> Encryption, but at every boot I have to enter my password twice.
> Then I searched the forum here and found this ‘thread’
> (http://tinyurl.com/y7qzspde).
>
> But unfortunately the link in the first post is down / not reachable.
> There are some instructions, but I don't know exactly what I have to do.
>
> Can someone help me or provide me a link?
>
> Thank you

https://web.archive.org/web/20180103175714/http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ might be a good cache of the page in question.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Hello,

Just wanted to post the solution that I found with the help of the mailing list.

I added a few comments and hope it will help new users like me :wink:

Edit Grub File and change GRUB_ENABLE_CRYPTODISK=n TO GRUB_ENABLE_CRYPTODISK=y

sudo nano /etc/default/grub

Create Keyfile

sudo dd bs=512 count=4 if=/dev/urandom of=/.crypto_keyfile.bin

Show Disks to find your LUKS device

lsblk

Add Key (Replace /dev/sdaX with your LUKS Device)

sudo cryptsetup luksAddKey /dev/sdaX /.crypto_keyfile.bin 

(“Enter any existing passphrase:” means your LUKS Password)

Change Permissions

sudo chmod 000 /.crypto_keyfile.bin && sudo chmod -R g-rwx,o-rwx /boot

Edit Crypttab

sudo nano /etc/crypttab

INSERT AT END:

 /.crypto_keyfile.bin

Add Keyfile to initrd

sudo nano /etc/dracut.conf.d/99-initcrypt.conf

INSERT:

install_items+=" /.crypto_keyfile.bin "

Rebuild initrd

sudo mkinitrd

Thanks for this post!

I’m going to add a few links (sorry, only one is SuSE oriented) that talk about Yubikey, so I can bookmark this thread and possibly incorporate your steps whenever I have time:

https://software.opensuse.org/package/yubikey-piv-manager

https://www.howtoforge.com/ubuntu-two-factor-authentication-with-yubikey-for-harddisk-encryption-with-luks

https://askubuntu.com/questions/599825/yubikey-two-factor-authentication-full-disk-encryption-via-luks#599826

https://github.com/agherzan/yubikey-full-disk-encryption

You mean it works with only these steps? I miss the step that actually tells dracut to use this keyfile. Adding a file to the initrd does not mean it is going to be used to decrypt anything.

P.S. Sorry, is it supposed to be “insert at the end of /etc/crypttab”? At the end of what? At the end of the /etc/crypttab file? This cannot work. At the end of a line - can’t be, because a line in crypttab has 4 fields and the keyfile goes into the third field (not to mention that there could be multiple lines in /etc/crypttab).

If there is only a single encrypted partition, and if it is set up by the current Tumbleweed installer, then it probably works. The installer generates a “crypttab” with only two fields, so adding to the end (on the same line) would put it in the third field.

I don’t think one should depend on this current behavior of the installer. It would have been better to specify that this information goes in the third field. But it may have actually worked as described.

Hello,

Yes, it worked for me, so I thought this would work for everyone.
But thanks for the information, and here is the better solution… at least I hope so.

#Edit Grub File and change GRUB_ENABLE_CRYPTODISK=n TO GRUB_ENABLE_CRYPTODISK=y
sudo nano /etc/default/grub

#Create Keyfile
sudo dd bs=512 count=4 if=/dev/urandom of=/.crypto_keyfile.bin

#Show Disks to find your LUKS device
lsblk

#Add Key (Replace /dev/sdaX with your LUKS Device)
sudo cryptsetup luksAddKey /dev/sdaX /.crypto_keyfile.bin
#"Enter any existing passphrase:" means your LUKS Password

#Change Permission
sudo chmod 000 /.crypto_keyfile.bin && sudo chmod -R g-rwx,o-rwx /boot

#Edit Crypttab and insert the following at the third position of your LUKS device:  /.crypto_keyfile.bin
sudo nano /etc/crypttab

#example:
cr_sdaX UUID=000000000000000000000 /.crypto_keyfile.bin
#when there is "none" at the third position, replace "none" with /.crypto_keyfile.bin

#Add Keyfile to initrd
echo 'install_items+=" /.crypto_keyfile.bin "' | sudo tee /etc/dracut.conf.d/99-initcrypt.conf

#Rebuild initrd
sudo dracut --force
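A post-install sanity check for the finished setup, added here as an example and not part of any post in this thread. It verifies the points the posts above disagree about (keyfile in the third crypttab field rather than appended to the file, the dracut install_items line, GRUB_ENABLE_CRYPTODISK=y, and keyfile permissions) against constructed sample files in a temp dir, so it runs without touching the real /etc; the file names under the temp dir are assumptions of this example.

```shell
#!/bin/sh
# Example check for the keyfile setup; runs on constructed samples, not /etc.
KEYFILE="/.crypto_keyfile.bin"

# Every non-comment crypttab line must carry the keyfile in field 3
# (name, device, key, options). A keyfile appended on its own line, or a
# "none" left in field 3, fails the check.
crypttab_keyfile_ok() {
    awk -v kf="$2" '
        /^[ \t]*(#|$)/ { next }
        { total++ }
        NF >= 3 && $3 == kf { good++ }
        END { exit !(total > 0 && good == total) }' "$1"
}

# The dracut drop-in must name the keyfile in install_items, otherwise the
# file never lands in the initrd.
dracut_installs_keyfile() {
    grep -E '^[[:space:]]*install_items\+=' "$1" | grep -qF -- "$2"
}

# GRUB must be allowed to unlock the LUKS container that holds /boot.
grub_cryptodisk_enabled() {
    grep -Eq '^GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Keyfile must have no group/other permission bits and be owned by OWNER
# (root on a real system; the demo passes the current user, it cannot chown).
keyfile_private() {
    mode=$(stat -c %a "$1") && owner=$(stat -c %U "$1") || return 1
    [ "$owner" = "${2:-root}" ] && [ $((mode % 100)) -eq 0 ]
}

# Constructed samples: a crypttab written the way the first post said
# (keyfile appended at the end of the file) and one with the keyfile in the
# third field, as the follow-up corrected it.
make_samples() {
    printf 'cr_sdaX UUID=0000-CONSTRUCTED none\n%s\n' "$KEYFILE" >"$1/crypttab.bad"
    printf 'cr_sdaX UUID=0000-CONSTRUCTED %s\n' "$KEYFILE" >"$1/crypttab.good"
    printf 'install_items+=" %s "\n' "$KEYFILE" >"$1/99-initcrypt.conf"
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' >"$1/grub"
    head -c 2048 /dev/urandom >"$1/keyfile.bin" && chmod 000 "$1/keyfile.bin"
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for f in crypttab.bad crypttab.good; do
    crypttab_keyfile_ok "$SAMPLES/$f" "$KEYFILE" \
        && echo "$f: ok" || echo "$f: keyfile is not in field 3"
done
```

To check a real system, point the functions at /etc/crypttab, /etc/dracut.conf.d/99-initcrypt.conf, /etc/default/grub and the keyfile itself (owner root).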

For that last step, it might be better to use:

mkinitrd

Or, at least, that one is easier to remember.