How to automatically unlock LUKS encrypted root with a keyfile from a USB

I've tried to unlock my encrypted root with a keyfile on a USB, but I can't seem to get an understanding of how to do it on openSUSE.

And I can't find any explanations from anyone who has unlocked an encrypted root with a USB keyfile on openSUSE.

It unlocks fine with a normal password on boot, but I would like to be able to just put in a USB key and unlock the LUKS root with the keyfile put on there.

On Kubuntu/LinuxMint I could get it to work with the help of https://github.com/chadoe/luks-triple-unlock

I know that their scripts are meant for Ubuntu/Debian/Mint. But I tried inserting the keyfile for the LUKS volume and added the information in crypttab myself. But it won't find the keyfile. Here is how my system looks, followed by my different crypttab attempts.


My system lsblk looks like this:

NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                       8:0    0    50G  0 disk  
├─sda1                    8:1    0     1G  0 part  
├─sda2                    8:2    0    25G  0 part  
│ └─md0                   9:0    0    50G  0 raid0 
├─sda3                    8:3    0     1G  0 part  /boot
└─sda4                    8:4    0    23G  0 part  
  └─md1                   9:1    0    46G  0 raid0 
    └─OpenSUSECrypt     254:0    0    46G  0 crypt 
      ├─OpenSUSE-lvroot 254:1    0    20G  0 lvm   /
      ├─OpenSUSE-lvhome 254:2    0    20G  0 lvm   /home
      └─OpenSUSE-lvswap 254:3    0     6G  0 lvm   [SWAP]
sdb                       8:16   0    50G  0 disk  
├─sdb1                    8:17   0     1G  0 part  
├─sdb2                    8:18   0    25G  0 part  
│ └─md0                   9:0    0    50G  0 raid0 
├─sdb3                    8:19   0     1G  0 part  
└─sdb4                    8:20   0    23G  0 part  
  └─md1                   9:1    0    46G  0 raid0 
    └─OpenSUSECrypt     254:0    0    46G  0 crypt 
      ├─OpenSUSE-lvroot 254:1    0    20G  0 lvm   /
      ├─OpenSUSE-lvhome 254:2    0    20G  0 lvm   /home
      └─OpenSUSE-lvswap 254:3    0     6G  0 lvm   [SWAP]
sdc                       8:32   0   7.5G  0 disk  
├─sdc1                    8:33   0   3.7G  0 part  /mnt
└─sdc2                    8:34   0   3.7G  0 part  
sr0                      11:0    1 613.5M  0 rom   

Where sdc1 contains the keyfile and is NTFS,
and sdc2 also contains the keyfile and is ext4.


I've tried several versions of crypttab, first where I try to load the same script (crypto-usb-key.sh) as on Kubuntu/Debian/LinuxMint.

This one works on Kubuntu/Debian/Mint:

OpenSUSECrypt UUID=(my UUID for the device) crypt_keyfile.bin luks,keyscript=/usr/local/sbin/crypto-usb-key.sh 

The crypto-usb-key.sh script looks like this on GitHub:

https://github.com/chadoe/luks-triple-unlock/blob/master/crypto-usb-key.sh


and with another try at loading the keyfile I did on NTFS:

OpenSUSECrypt UUID=(my UUID for the device) /dev/disk/by-label/SECURIKEY:/crypt_keyfile.bin luks,keyscript=/lib/cryptsetup/scripts/passdev

and on ext4:

OpenSUSECrypt UUID=(my UUID for the device) /dev/disk/by-label/SECURIKEYEXT4:/crypt_keyfile.bin luks,keyscript=/lib/cryptsetup/scripts/passdev

I find dracut very confusing and can't figure out how to make an mkinitrd that loads a keyfile from a USB and unlocks the LUKS encrypted root on boot.

I hope anyone out there can help me, and I will happily add more information if needed.

Best Regards and thank you for your time

Darkyere

I'm going to bump this thread. There must be someone out there who knows how to make openSUSE unlock the root filesystem with a keyfile on USB.

I use LUKS, but I do not use a key file. I think there’s a way to do it, but I don’t know the details.

I'm going to bump this thread one last time in the hope that anyone out there knows how to unlock an encrypted root with a keyfile on boot.

I refuse to believe I'm the only one in the world who would like to do this in openSUSE; there must be someone out there who has done this.

If there is, please tell me how :smiley:

Is the keyfile located on a raw USB or on a filesystem on the USB?

It's located on a USB filesystem, NTFS.

I tested a keyfile on an external block device (emulated USB in a QEMU VM). To my great surprise it worked :slight_smile: (I was surprised because the last time I tested it, it did not, and there are several bug reports about this missing functionality). First I installed openSUSE using the standard encrypted root proposal without snapshots. It resulted in a separate /boot to avoid unlocking in the bootloader. After installation was complete I added an additional key to the root device and modified crypttab and the dracut configuration. Unfortunately dracut will not automatically do the right thing. So:

/etc/dracut.conf.d/50-extkey.conf:

add_drivers+=" vfat nls_cp437 nls_iso8859-1 "
add_fstab+=" /etc/fstab.rootkey "

grep extkey /etc/fstab:

UUID=410A-F382 /extkey vfat noauto,nofail 0 0

/etc/fstab.rootkey:

UUID=410A-F382 /extkey vfat noauto,nofail 0 0

/etc/crypttab:

#cr_scsi-0QEMU_QEMU_HARDDISK_hd0-part2 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_hd0-part2 none       none
cr_scsi-0QEMU_QEMU_HARDDISK_hd0-part2 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_hd0-part2 /extkey/rootkey       none

The UUID in this case is the UUID of the filesystem on the USB device where the key is located. I am not sure whether it also needs to be present in /etc/fstab, but after boot it is not mounted, so it at least does not harm :slight_smile: The critical part is the extra line in /etc/fstab inside the initrd; that is what the add_fstab directive does. This is required so systemd in the initrd can correctly mount the external device with the key.

Note that the systemd cryptsetup utility is rather dumb, which means that if the key is not present it will not fall back to an interactive passphrase. That may or may not be what you want.

The hardest (for some definition of it) part is to determine which kernel modules you need. My initial attempt failed due to missing NLS modules required by the vfat driver. After everything is completed, do not forget to run mkinitrd. I guess for a read-only mount the kernel ntfs driver should be enough. If something goes wrong, you will be dropped into the initrd shell. Just run cryptsetup manually, mount root, chroot into it, fix things, rinse and repeat.

If this works for you we can think about extending dracut to handle it automatically.
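The setup in the answer above has three pieces that must agree with each other (crypttab's keyfile path, the mount in fstab.rootkey, and the drivers and extra fstab pulled into the initrd by dracut), and a mismatch only shows up as a failed boot into the initrd shell. The script below is an added example, not code from the thread or from dracut: it builds a constructed copy of the answer's configuration in a temporary directory and checks that the pieces are consistent before one runs mkinitrd. The file names and the vfat module list come from the answer; the device path in the constructed crypttab, the function names and the check logic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-mkinitrd consistency check for the
# USB-keyfile setup. It reads a tree that mirrors /etc (crypttab, fstab.rootkey,
# dracut.conf.d/50-extkey.conf) and verifies that the pieces agree.

# Build a constructed copy of the answer's configuration in a temp directory.
# $1 = "good" for the working config, "no-nls" to reproduce the missing-NLS
# mistake the answer mentions. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/dracut.conf.d"
    if [ "$1" = "no-nls" ]; then
        drv='add_drivers+=" vfat "'
    else
        drv='add_drivers+=" vfat nls_cp437 nls_iso8859-1 "'
    fi
    printf '%s\n' "$drv" 'add_fstab+=" /etc/fstab.rootkey "' \
        > "$d/dracut.conf.d/50-extkey.conf"
    # UUID of the FAT filesystem on the stick (value taken from the answer)
    printf '%s\n' 'UUID=410A-F382 /extkey vfat noauto,nofail 0 0' > "$d/fstab.rootkey"
    # Device path is a placeholder; the third field is the keyfile on the stick
    printf '%s\n' 'cr_root /dev/disk/by-id/EXAMPLE-root-part /extkey/rootkey none' \
        > "$d/crypttab"
    printf '%s\n' "$d"
}

# Return 0 when the configuration under $1 is consistent, 1 otherwise.
# Every problem found is printed on its own line.
check_extkey_config() {
    etc=$1
    ok=0

    # 1. Which keyfile path does crypttab expect? (3rd field, comments skipped)
    keyfile=$(awk '$1 !~ /^#/ && NF >= 3 && $3 != "none" { print $3; exit }' \
        "$etc/crypttab")
    [ -n "$keyfile" ] || { echo "crypttab: no entry with a keyfile"; return 1; }

    # 2. Does fstab.rootkey mount a filesystem that contains that path?
    mnt=$(awk -v k="$keyfile" \
        '$1 !~ /^#/ && NF >= 4 && index(k, $2 "/") == 1 { print $2, $3, $4; exit }' \
        "$etc/fstab.rootkey")
    [ -n "$mnt" ] || { echo "fstab.rootkey: no mount covering $keyfile"; return 1; }
    set -- $mnt
    mountpoint=$1; fstype=$2; opts=$3

    # The answer uses noauto,nofail so an absent stick does not hang the boot.
    for o in noauto nofail; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "fstab.rootkey: $mountpoint lacks $o"; ok=1 ;;
        esac
    done

    # 3. Does dracut pull the extra fstab and the needed drivers into the initrd?
    drivers=$(awk -F'"' 'index($0, "add_drivers+=") == 1 { printf "%s ", $2 }' \
        "$etc"/dracut.conf.d/*.conf 2>/dev/null)
    fstabs=$(awk -F'"' 'index($0, "add_fstab+=") == 1 { printf "%s ", $2 }' \
        "$etc"/dracut.conf.d/*.conf 2>/dev/null)
    case " $fstabs " in
        *" /etc/fstab.rootkey "*) ;;
        *) echo "dracut: add_fstab does not include /etc/fstab.rootkey"; ok=1 ;;
    esac
    # The fs driver itself plus, for vfat, the NLS modules whose absence broke
    # the answerer's first attempt.
    if [ "$fstype" = vfat ]; then
        need="vfat nls_cp437 nls_iso8859-1"
    else
        need=$fstype
    fi
    for m in $need; do
        case " $drivers " in
            *" $m "*) ;;
            *) echo "dracut: add_drivers is missing $m"; ok=1 ;;
        esac
    done
    return $ok
}

# Stand-alone run: check the constructed good configuration.
tree=$(make_sample_tree good)
if check_extkey_config "$tree"; then
    echo "extkey configuration is consistent"
fi
rm -rf "$tree"
```

Pointing check_extkey_config at a real /etc (with a dracut.conf.d subdirectory beside crypttab and fstab.rootkey) gives the same checks on a live system; the constructed tree exists only so the example runs offline.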

No, it does not.

If this works for you

Note that resume from encrypted swap does not work, as it creates a dependency loop between services. Not sure why it worked for me before; now I had to remove the resume=/dev/system/swap kernel parameter.

Thank you for your answer, this was exactly what I needed to get it to work.
I can now unlock the encrypted root with a keyfile on boot; very nice to not have to put in a password every time.

Not being able to resume from encrypted swap is not that important to me, as I never used hibernate before on openSUSE.

So all in all I'm very happy about your response; it worked perfectly.

Thank you again and best regards,
Darkyere

I just tested it on NTFS also and it failed, but that's not important; it works for FAT32 and that's good enough for me :slight_smile:

My USB is 4 GB and I only need 8 MB per key, so I'll just make a new 512 MB FAT32 partition on my USB for my main PC.

Btw, if you think about putting this in dracut to auto-handle it, is it then possible to make it fall back to an interactive passphrase, just to make sure a person has a backup to fall back to?

Thank you again for the help; it was very nice to get it to work.