Debian Lenny + LUKS encrypted root + hidden USB keyfile (part 2)

Posted: November 23rd, 2010 | Filed under: computing

Please see the original post on this topic if you’re looking for a full setup. This post is an optional update.

Two recent hard drive failures have sharply reminded me of the need for comprehensive backups. When I built the current home server I included two eSATA-to-SATA II connectors so that I could later add my two 1TB WD MyBook external HDDs as local backup drives. Upon rebooting the server, the first thing I found was that the MyBooks do not support SMART monitoring through their internal eSATA bridge, so I had to disable SMART monitoring for these drives in the server BIOS to keep it from whining about failures. The second thing I found was that plugging in these drives really pissed off my LUKS scripts: with two more disks present, the kernel enumerated the drives in a different order, so the "/dev/sdaX" names the scripts relied on no longer pointed at the encrypted partition. Fortunately this was a fairly easy fix: replace the "/dev/sdaX" references with the drive UUIDs, which are stored on the disk itself and survive any reordering. I believe the UUID="U-U-I-D" form is also now supported by the cryptsetup scripts, but I chose to play it safe and use the "/dev/disk/by-uuid/U-U-I-D" path instead.

I'll assume that if you already have a working setup from the first post, I don't need to explain how much of a pain in the ass it will be to recover your system if you muck any of this up.

The important changes are below. Note that the UUID you want is the one of the LUKS container itself (the partition holding the LUKS header), not the UUID of the LVM volume or filesystem inside it; the same UUID goes in all three places.

1) /etc/crypttab

sda2_crypt /dev/sda2 none luks,keyscript=/usr/local/sbin/unlock-usb-key.sh

now becomes:

sda2_crypt /dev/disk/by-uuid/uuid-goes-here none luks,keyscript=/usr/local/sbin/unlock-usb-key.sh

2) /etc/initramfs-tools/conf.d/cryptroot

CRYPTROOT=target=sda2_crypt,source=/dev/sda2

now becomes:

CRYPTROOT=target=sda2_crypt,source=/dev/disk/by-uuid/uuid-goes-here

3) Edit the cryptopts parameters of the "# kopt=" line in /boot/grub/menu.lst (update-grub copies this line into every kernel entry)

# kopt=root=/dev/mapper/vg0-root ro cryptopts=target=sda2_crypt,source=/dev/sda2,lvm=vg0-root,keyscript=/keyscripts/unlock-usb-key.sh

now becomes:

# kopt=root=/dev/mapper/vg0-root ro cryptopts=target=sda2_crypt,source=/dev/disk/by-uuid/uuid-goes-here,lvm=vg0-root,keyscript=/keyscripts/unlock-usb-key.sh

4) Run "update-grub" and check that the new by-uuid source now appears in the kernel line of every kernel entry in menu.lst, not just in the kopt comment.

5) Update your initramfs (substitute your installed kernel version, or use -k all to rebuild the initramfs for every installed kernel):

# update-initramfs -u -k 2.6.XX-X-amd64

Reboot.
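The three edits above are the same substitution applied to three files, so they can be done (and, more importantly, checked) mechanically. The script below is an added example written for this post, not code from the original article or from the cryptsetup package: it rewrites every reference to the raw partition into its /dev/disk/by-uuid form and then greps for any enumeration-order device name that was left behind. It assumes the encrypted partition is /dev/sda2 as in the post; the UUID it uses is a constructed placeholder, and the three sample lines are the "before" lines from this post.

```shell
#!/bin/sh
# Added example (not code from the original post): apply the post's three
# "/dev/sda2 -> /dev/disk/by-uuid/<UUID>" edits as a text transformation and
# check that no kernel-enumerated device name is left behind.
# Assumptions: the encrypted partition is /dev/sda2 (as in the post) and the
# UUID below is a constructed placeholder, not a real one.
set -u

# Print the UUID of a LUKS container. This reads the LUKS header, so it needs
# root and a real device; the demo below does not call it.
luks_uuid() {
    cryptsetup luksUUID "$1" 2>/dev/null || blkid -s UUID -o value "$1"
}

# rewrite_refs DEV UUID: copy stdin to stdout, replacing each reference to DEV
# that is followed by a space, a comma or end of line with the by-uuid path.
# The delimiter check keeps /dev/sda2 from also rewriting /dev/sda20.
rewrite_refs() {
    dev=$1
    uuid=$2
    sed -e "s|$dev\([ ,]\)|/dev/disk/by-uuid/$uuid\1|g" \
        -e "s|$dev\$|/dev/disk/by-uuid/$uuid|"
}

# has_raw_refs: succeed (and print the lines) if stdin still names a disk by
# its enumeration order (/dev/sdX, /dev/hdX), which is what broke the boot.
has_raw_refs() {
    grep -E '/dev/[sh]d[a-z]+[0-9]*'
}

# Constructed sample input: the three "before" lines from the post.
CRYPTTAB='sda2_crypt /dev/sda2 none luks,keyscript=/usr/local/sbin/unlock-usb-key.sh'
CRYPTROOT='CRYPTROOT=target=sda2_crypt,source=/dev/sda2'
KOPT='# kopt=root=/dev/mapper/vg0-root ro cryptopts=target=sda2_crypt,source=/dev/sda2,lvm=vg0-root,keyscript=/keyscripts/unlock-usb-key.sh'
UUID='11111111-2222-3333-4444-555555555555'   # placeholder; use luks_uuid /dev/sda2 on a real box

# convert_all: the three lines after the edit, one per line.
convert_all() {
    printf '%s\n%s\n%s\n' "$CRYPTTAB" "$CRYPTROOT" "$KOPT" \
        | rewrite_refs /dev/sda2 "$UUID"
}

convert_all
if convert_all | has_raw_refs >/dev/null; then
    echo 'ERROR: device-order references remain, do not reboot yet' >&2
else
    echo 'OK: all references are by UUID'
fi
```

On a real system you would run rewrite_refs over each of the three files with the output of luks_uuid, diff the result against the original before moving it into place, and confirm with "readlink -f /dev/disk/by-uuid/<uuid>" that the symlink resolves to the partition you expect before running update-grub and update-initramfs. Only the kopt line in menu.lst needs the edit by hand; update-grub regenerates the per-kernel entries from it.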

I'm fairly certain that the original post could be re-written to use the USB key's UUID for the keyscript and skip having to configure udev to create the /dev/usbkey device entry. If anyone has time to do so I'd be interested in seeing it.

Part 1: http://www.oxygenimpaired.com/debian-lenny-luks-encrypted-root-hidden-usb-keyfile

Updated version for Ubuntu/Grub2: http://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile


2 Comments on “Debian Lenny + LUKS encrypted root + hidden USB keyfile (part 2)”

  1. joebar said at 6:32 am on December 19th, 2011:

    I've tried your excellent tutorial on Debian Squeeze but failed to get it working with Grub2. Can't seem to figure out the changes from menu.lst to menu.conf. Any tips?

  2. admin said at 7:57 pm on January 2nd, 2012:

    @joebar – well.. just ran into this myself and have it working now: http://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile
