Genkernel initramfs with LUKS+GPG key

[Xander314]

I am using DM-Crypt LUKS for full disk encryption on my laptop. I have a keyfile on an external drive encrypted with GPG. When booting from a live CD I can unlock the dmcrypt volume with
gpg -qd /path/to/key/file | cryptsetup luksOpen /dev/sdc1 crypt_root
This works fine.

However, I am having trouble with my initramfs. I created it using genkernel with LVM, DMCrypt and GPG support. When I boot it finds the keyfile and asks for my GPG password. But after providing this, it simply says "No key available with this passphrase", despite the fact that the very same keyfile will unlock the disk when I call gpg and cryptsetup manually from the rescue CD.

Any ideas? What is going wrong here?

[frostschutz]

Is it asking for the GPG password or showing the LUKS prompt directly? In the latter case the Initramfs ignored your GPG key for some reason.

You could add the debug parameter to get a shell and see if the GPG key is there at all, if it's the correct file (md5sum it), what the correct path to the GPG key is inside the initramfs, to use with the root_key parameter. And last but not least whether your command works within the Initramfs shell.

Initramfs uses gpg 1.x as the 2.x is much more complicated to integrate; that's usually not a problem unless you do something special not supported by gpg 1.x

[Xander314]

Thanks for the help. I booted into the initramfs shell and tried to run the gpg command. I got the error "gpg: cannot open /dev/tty': No such device or address".

[frostschutz]

That's why I don't use GPG for encrypted keys... it just sucks so much in the Initramfs.

Basically you have to link /dev/tty to /dev/console here. Genkernel already does that before calling GPG; so that should not be your problem.

[Xander314]

Thanks. Having done that I can manually open the LUKS device. I'm currently investigating exactly what command the initramfs script is calling.

[frostschutz]

if you can add a set -x to the script it may print the commands for you

not sure if genkernel has an option to enable that automatically

[Xander314]

I think I found the problem. When I created the LUKS volume I called

[frostschutz]

That'll be your issue, then.

It silently stops reading after newline, that's one major security pitfall in cryptsetup/LUKS, because if you happen to make that mistake and you're unlucky and the newline was within the first 4 bytes of your "keyfile", it's really easy to brute force ...

One way to avoid it (apart from doing it right in the first place) is to use a keyfile that can be typed in if you are truly desparate.

[Xander314]

Yep, that fixed it. I had already ready about this somewhere but it took a while for the significant to sink in. At least I know now... Thanks for all the help.

[Massimo B.]

Inspired by https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key I try to create a similar setup.
I already created the gpg encrypted key file, and added the key to LUKS. For the genkernel initramfs I passed root_key=/boot/LUKS-KEY.gpg.

But it cannot find the device. The rescue prompt:

[Massimo B.]

frostschutz, in https://unix.stackexchange.com/questions/183666/booting-gentoo-on-lvm-inside-luks-with-gpg-encrypted-keyfile you already said that using gpg is not the preferred way. How do I use LUKS itself?
I though about moving the LUKS header to the SD Card.
What I like to achieve is the 2-way security, that will need the SD-Card and my passwort to open the LUKS at boot time.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770

[frostschutz]

[Massimo B.]

I tried again with bs=2048.
But the genkernel initrd does not try to decrypt it:

[Massimo B.]

I see, genkernel had no GPG support, trying to enable GPG support in genkernel fails at creating the initramfs:

[frostschutz]

This is exactly why I use LUKS for encrypted keyfiles, no need to build yet another encryption tool or jump through any of these hoops, well, if genkernel supported it which it doesn't.

Seems it's trying to build gpg-1 statically (which is not possible, or at least a lot more complicated, for gpg-2) and fails doing so.

Maybe you're missing some static-libs?

[Massimo B.]

If encrypting the keyfile with LUKS I would need an initramfs that supports LUKS encrypted key files. genkernel does not support that as far as I know.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770

[Massimo B.]

[Massimo B.]

-> bug 599704
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770

[Massimo B.]

This issue breaks almost all wikis and howtos describing the 2-level security by having an GPG-ecnrypted LUKS key on a hardware key:

https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption#Generating_a_GnuPG_encrypted_keyfile

And the very sophisticated:
https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key#Creating_a_Password-Protected_Keyfile_for_LUKS

An alternative approach of a 2-level security requiring a user-password + hardware key would be a Detached_LUKS_header. From usage point of view it would be the same, inserting the hardware-key, entering password. This would be even more secure regarding there is no information at all about the LUKS on the LUKS container anymore. But then I don't know if the initramfs of genkernel can be configured to open a detached header as described with cryptsetup in that wiki.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770

[rwmailing]

[SATtva]

The issue is caused by new GCC versions pickiness in regard to some legacy GnuPG code. You can work around the compilation error by updating genkernel to a recent GnuPG 1.4 branch version. It can be achieved this way:

[R0b0t1]

I use the following, as I have yet to find out how to fix GnuPG in an initramfs environment: