Please see the original post on this topic if you’re looking for a full setup. This post is an optional update.
Two recent hard drive failures have sharply reminded me about the need for comprehensive backups. When I built the current home server I included two eSATA-SATAII connectors so that I could later add my two 1TB WD MyBook external HDDs as local backup drives. Upon rebooting the server the first thing I found out was that the MyBooks do not support SMART monitoring through their internal eSATA bridge so I had to disable SMART monitoring on these drives in the server bios to keep it from whining about failures. The second thing I found is that plugging in these drives really pissed off my LUKS scripts due to the kernel reordering the drives. Fortunately this was a fairly easy fix by replacing the “/dev/sdaX” references to the drives with the drive UUIDs. I believe the UUID=”U-U-I-D” method is also now supported by the cryptsetup scripts but I chose to play it safe using the “/dev/disk/by-uuid/U-U-I-D” method instead.
I’ll assume that if you already have a working setup from the first post that I don’t need to explain how much of a pain in the ass it will be to recover your system if you muck any of this up.
The important changes are:
sda2_crypt /dev/sda2 none luks,keyscript=/usr/local/sbin/unlock-usb-key.sh
sda2_crypt /dev/disk/by-uuid/uuid-goes-here none luks,keyscript=/usr/local/sbin/unlock-usb-key.sh
3) Edit the cryptopts parameters of the kopts line in /boot/grub/menu.lst
# kopt=root=/dev/mapper/vg0-root ro cryptopts=target=sda2_crypt,source=/dev/sda2,lvm=vg0-root,keyscript=/keyscripts/unlock-usb-key.sh
# kopt=root=/dev/mapper/vg0-root ro cryptopts=target=sda2_crypt,source=/dev/disk/by-uuid/uuid-goes-here,lvm=vg0-root,keyscript=/keyscripts/unlock-usb-key.sh
4) Run “update-grub” and check that the new UUID was added to kernel selections.
5) Update your initramfs:
# update-initramfs -u -k 2.6.XX-X-amd64
I’m fairly certain that the original post could be re-written to use the usb key’s UUID for the keyscript and skip having to configure udev to create the /dev/usbkey device entry. If anyone has time to do so I’d be interested in seeing it.
Updated version for Ubuntu/Grub2: http://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile