Gentoo Forums
Unlocking LUKS w/o LVM with USB flash on boot?
carcajou
PostPosted: Wed Apr 12, 2023 9:24 pm    Post subject: Unlocking LUKS w/o LVM with USB flash on boot?

Hi guys.

Is there an easy/simple way to unlock the encrypted root partition on boot using a USB flash drive with a key, instead of typing the passphrase? I would leave passphrase input as a fallback.

I have a LUKS-encrypted root partition and an unencrypted /boot partition. Now, on each boot, I enter the passphrase. It is not a big deal for me personally, but now my desktop will be used by my wife and I do not expect her to understand why she has to type 2 passphrases to log in to her account (the first one being quite long). :lol: :lol: :lol:

Thank you.
sublogic
PostPosted: Thu Apr 13, 2023 2:25 am    Post subject: Re: Unlocking LUKS w/o LVM with USB flash on boot?

kukibl wrote:
Is there an easy/simple way to unlock the encrypted root partition on boot using a USB flash drive with a key, instead of typing the passphrase? I would leave passphrase input as a fallback.


I never tried, but I know genkernel does it. From the man page:
Code:
RAMDISK/INITRAMFS OPTIONS
[ . . . ]
       root_key=<...>
           In case your root is encrypted with a key, you can use a device
           like a usb pen to store the key. This value should be the key path
           relative to the mount point.

       root_keydev=<...>
           If necessary provide the name of the device that carries the
           root_key. If unset while using root_key, it will automatically look
           for the device in every boot.

       root_keydev_fstype=<...>
           Used filesystem for root_keydev. See rootfstype for more details.
Details left as an exercise.
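The LUKS side of the setup that the genkernel options above rely on (a keyfile enrolled in a spare keyslot while the passphrase stays valid as the fallback), plus the resulting kernel command line, as an added example that is not from this thread or from genkernel. The root device /dev/sda2, the stick mount point /mnt/usb, the keyfile name root.key and the stick label KEYS are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: enroll a random keyfile into a spare LUKS
# keyslot so a USB stick can unlock root, while the passphrase keeps its own slot.
# Assumed values: root device /dev/sda2, stick mounted at /mnt/usb, keyfile root.key.
set -eu

ROOT_DEV="${ROOT_DEV:-/dev/sda2}"
USB_MNT="${USB_MNT:-/mnt/usb}"
KEY_NAME="${KEY_NAME:-root.key}"

# Create a 4096-byte random keyfile readable only by its owner; cryptsetup reads
# the whole file as key material. (umask is left at 077 for the rest of the run.)
make_keyfile() {
    umask 077
    dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null
    chmod 0400 "$1"
}

# Add the keyfile to a free keyslot. cryptsetup prompts for the existing
# passphrase, which remains valid in its own slot (the fallback the OP wants).
enroll_keyfile() {
    cryptsetup luksAddKey "$ROOT_DEV" "$USB_MNT/$KEY_NAME"
}

# Check both unlock paths without mapping the device: first the keyfile slot,
# then the passphrase slot (prompted). Run this before rebooting.
verify_slots() {
    cryptsetup open --test-passphrase --key-file "$USB_MNT/$KEY_NAME" "$ROOT_DEV"
    cryptsetup open --test-passphrase "$ROOT_DEV"
}

# Kernel parameters for the genkernel initramfs, using the options quoted from the
# man page: root_key is relative to the stick's mount point, root_keydev names the
# stick (a /dev/disk/by-label path avoids depending on device enumeration order).
# Arguments: luks-device key-path-on-stick stick-device stick-fstype
genkernel_cmdline() {
    printf 'crypt_root=%s root_key=%s root_keydev=%s root_keydev_fstype=%s\n' \
        "$1" "$2" "$3" "$4"
}

# Run the enrollment only when invoked explicitly as root: ./script enroll
if [ "${1:-}" = "enroll" ]; then
    make_keyfile "$USB_MNT/$KEY_NAME"
    enroll_keyfile
    verify_slots
    genkernel_cmdline "$ROOT_DEV" "$KEY_NAME" /dev/disk/by-label/KEYS vfat
fi
```

The printed line is what goes into the bootloader's kernel command line; the passphrase keyslot is untouched, so a missing stick still falls back to the prompt.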
Hu
PostPosted: Thu Apr 13, 2023 3:05 am

As an obligatory reminder, before enabling password-free boot via USB key, consider your threat model. Why did you encrypt the drive? Who are you trying to keep out? Will that adversary likely have ready access to the USB key? Using a key can be acceptable if you encrypted the drive as a defense against a future warranty return or gift/recycling of the drive. It may not be a good idea if you encrypted the drive as a defense against someone robbing your home and taking the electronics for later perusal / fencing.
sMueggli
PostPosted: Thu Apr 13, 2023 6:34 am

I am not a thief, but I imagine that I would not only steal the laptop, but also the attached USB key.

And people tend to use USB sticks to store data. For example to share photos with other people.
carcajou
PostPosted: Thu Apr 13, 2023 9:20 am

sublogic wrote:

I never tried, but I know genkernel does it. From the man page:


I moved from genkernel to dracut, but thank you for the idea. I will check how dracut does it. There is even this (will research it a little bit later): https://wiki.gentoo.org/wiki/Full_Encrypted_System_Root_with_Dracut_USB_Stick

Hu wrote:
As an obligatory reminder, before enabling password-free boot via USB key, consider your threat model. Why did you encrypt the drive? Who are you trying to keep out? Will that adversary likely have ready access to the USB key? Using a key can be acceptable if you encrypted the drive as a defense against a future warranty return or gift/recycling of the drive. It may not be a good idea if you encrypted the drive as a defense against someone robbing your home and taking the electronics for later perusal / fencing.


sMueggli wrote:
I am not a thief, but I imagine that I would not only steal the laptop, but also the attached USB key.

And people tend to use USB sticks to store data. For example to share photos with other people.


The USB key unlocking is only temporary, because my wife has to use it to connect to her office remotely. The disk is encrypted primarily for privacy - in case I sell the computer later or give it away or send it for repair (except for simple upgrades and replacements, I usually do not fiddle with hardware). Getting robbed is not one of the concerns. :D