tiyn/wiki
1
0
Fork 0
mirror of https://github.com/tiyn/wiki.git synced 2025-11-04 12:21:14 +01:00
Code Issues Projects Releases Wiki Activity

dm-crypt: added automatic usb key decryption

Browse Source
This commit is contained in:
tiyn
2022-07-03 03:45:42 +02:00
parent 2f03bef819
commit b462e5e734
2 changed files with 68 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
wiki/linux/arch-linux/installation.md
View File

@@ -207,3 +207,7 @@ You can go on to other guides aswell.
Additionally if you have a NVidia Graphics Cards you should read Additionally if you have a NVidia Graphics Cards you should read
[the NVidia article](../nvidia.md) too. [the NVidia article](../nvidia.md) too.
If you are interested in automatic decryption of the dm-crypt encrypted
partition, take a look at the according section in
[the dm-crypt article](../dm-crypt.md).

64
wiki/linux/dm-crypt.md
View File

@@ -29,3 +29,67 @@ If you don't want to extend the encrypted volume to the whole partition
or the partition is to small for your purposes, make sure to resize the or the partition is to small for your purposes, make sure to resize the
partition first accordingly (see [disk management](./disk-management.md)). partition first accordingly (see [disk management](./disk-management.md)).
`cryptsetup resize crypt-volume` `cryptsetup resize crypt-volume`
## Creating a automatic encryption key with an USB stick
This guide assumes you to have an Arch Linux System, as installed in
[this wiki arch linux installation](./arch-linux/installation.md).
This section is based on entries from the
[arch linux forum](https://forum.archlinux.de/d/28886-systementschluesselung-per-usb-stick).
Insert your USB stick.
This guide will assume its address is `/dev/sde`.
Fill in the first sectors (in this case 94, make sure this number is bigger
than skip sector count and size sector count combined) stick with a random
sequence:
`dd if=/dev/urandom of=/dev/sde bs=512 seek=1 count=94`.
Save the key to a keyfile (with offset 14848 = 29 x 512 and
keysize 2048 = 4 x 512):
`dd if=/dev/sde bs=512 skip=29 count=4 > key.bin`.
Add the keyfile to the encrypted partition (assuming the dm-crypted device is
called `/dev/sda2`):
`cryptsetup luksAddKey /dev/sda2 key.bin`.
Next it has to be made sure that the decryption key, is available at the same
position every time.
For this check the `serial` and `product` of your USB stick with the following
commands.
```sh
udevadm info -a -p `udevadm info -q path -n /dev/sde` | grep ATTRS{serial}
udevadm info -a -p `udevadm info -q path -n /dev/sde` | grep ATTRS{product}
```
The first line gives the `serial`, the second the `product`.
The `product` should match your USB stick.
After this create a file at `/etc/udev/rules.d/50-usbkey.rules` with the
following content.
Assuming the `serial` is `14AB0000000096`.
```txt
SUBSYSTEMS=="usb", ATTRS{serial}=="14AB0000000096", KERNEL=="sd*", SYMLINK+="usbkey%n"
```
Then reload the udev rules by running:
`udevadm control --reload-rules`.
Unplug the stick and plug it back in.
It should be available under `dev/usbkey`.
After that make sure in `/etc/mkinitcpio.conf` under the `HOOKS` section
`keymap encrypt lvm2` are written before `filesystems`.
Add `/etc/udev/rules.d/50-usbkey.rules` under the `FILES` section.
Then modify `/boot/loader/entries/arch.conf` and add
`cryptkey=/dev/usbkey:14848:2048` to the
end of the `options` line.
Finally run:
`mkinitcpio -p linux`.
Reboot the system with `reboot`.
Make sure the USB key for decryption is plugged in.
If so the encrypted partition should be decrypted automatically.