{"id":300,"date":"2009-06-16T05:17:08","date_gmt":"2009-06-16T03:17:08","guid":{"rendered":"http:\/\/raftaman.net\/?p=300"},"modified":"2021-05-15T11:46:42","modified_gmt":"2021-05-15T09:46:42","slug":"300","status":"publish","type":"post","link":"https:\/\/possiblelossofprecision.net\/?p=300","title":{"rendered":"Unlocking a luks volume with a USB key"},"content":{"rendered":"\n

A luks<\/a> encrypted disk partition is great. The only thing that can bug you from time to time is that you have to specify the key before you can use it. Or maybe, if you try to mount the volume with \/etc\/fstab<\/code>, you’ll be prompted for the password during boot.<\/p>\n

Wouldn’t it be great, if you could use a real key<\/em> to unlock your encrypted volume? Not a keyfile, but a physically existent key like the ones you use to unlock your front door?!<\/p>\n

Well, it’s not actually a key, but these LaCie USB Flash Drives<\/a> come very close:<\/p>\n

\"LaCie<\/a><\/p>\n

This article will show you, how to generate a random key<\/a> for your luks encrypted volume, hide it on any USB flash drive<\/a> and use udev to unlock<\/a> and mount<\/a> your luks volume whenever you plug this flash drive into a USB port<\/p>\n

<\/p>\n

1. Generating a random keyfile<\/a><\/h2>\n

First, we need a random keyfile. Linux normally comes with two different random number generators: A blocking one called \/dev\/random<\/code><\/a> and its non-blocking counterpart \/dev\/urandom<\/code><\/a>.<\/p>\n

The size of your keyfile and which RNG you use is totally up to you. Quite often you’ll find tutorials, that recommend something like<\/p>\n

\r\ndd if=\/dev\/urandom of=secretkey bs=512 count=4\r\n<\/pre>\n
which generates a 2048byte or 214<\/sup>bit keyfile. For more the paranoid under us:<\/p>\n
\r\ndd if=\/dev\/random of=secretkey bs=1 count=4096\r\n<\/pre>\n
which generates a 4096byte or 215<\/sup>bit keyfile. Notice that this uses the non-blocking RNG \/dev\/random<\/code> and therefore can take quite some time (5mins+) depending on the current filling degree of the entropy pool.<\/p>\n
2. Adding keyfile to LUKS-Volume<\/a><\/h2>\n
Adding this keyfile to your existing luks volume is no big deal<\/p>\n
\r\n# cryptsetup luksAddKey \/dev\/md0 secretkey \r\nEnter any LUKS passphrase: \r\nVerify passphrase: \r\nkey slot 0 unlocked.\r\nCommand successful.\r\n<\/pre>\n
where \/dev\/md0<\/code> of course is the path to your luks device or partition<\/p>\n
3. Hiding key<\/a><\/h2>\n
You could now just copy this keyfile to your USB drive as you can do it with any other file. But someone looking for the key would easily find it. So we’ll hide the key directly between MBR and the first partition.<\/p>\n
WARNING: You should only follow this step if you know what you are doing – it can cause data loss and damage your partitions or MBR on the stick!<\/strong><\/p>\n
If you have a bootloader installed on your drive you have to adjust the values, e.g. Grub needs the first 16 sectors, so you would have to replace seek=4 with seek=16; otherwise you will overwrite parts of your Grub installation. When in doubt, take a look at the first 64 sectors of your drive and decide on your own where to place your key. <\/p>\n
Optional:<\/em><\/p>\n
\r\ndd if=\/dev\/usbstick of=64sectors bs=512 count=64  # copy first 64 sectors\r\nghex2 64sectors                                   # determine free space\r\n<\/pre>\n
Now you can write your key to the disk:<\/p>\n
\r\ndd if=secretkey of=\/dev\/usbstick bs=512 seek=4\r\n<\/pre>\n
You should not simply use rm<\/code> to delete the keyfile because rm<\/code> only unlinks it from your filesystem (it would still be left physically intact). If everything went fine you can overwrite and delete your temporary secretkey with<\/p>\n
\r\nshred --remove --zero secretkey\r\n<\/pre>\n
4. Udev Auto-Magic<\/a><\/h2>\n
We need to achieve two things: First, we have to make sure our USB drive containing the key can always be found under the same name. Second, we need to execute a shell script that unlocks the luks volume and mounts it whenever the USB drive is plugged into a USB port. This can be done with a small udev-rule<\/p>\n
\r\nBUS=="usb", \r\nKERNEL=="sd*", \r\nATTRS{manufacturer}=="laCie", \r\n[...]\r\nSYMLINK+="usbkey%n", \r\nRUN+="\/usr\/local\/bin\/unlock-luks"\r\n<\/pre>\n
A tutorial on how to write udev-rules would go way beyond the scope of this article. Notice the highlighted lines: SYMLINK+=\"usbkey%n\"<\/code> ensures, that our USB drive can be found under \/dev\/usbkey<\/code> and RUN+=\"\/usr\/local\/bin\/unlock-luks\"<\/code> runs a shell script every time we plug it in.<\/p>\n
Save it as \/etc\/udev\/rules.d\/99-unlock-lucks.rules<\/code> and reload all udev rules with<\/p>\n
\r\n# udevadm control --reload-rules\r\n<\/pre>\n
To make sure that this happens only when the USB drive containing the key is plugged in, you have to specify some more attributes besides ATTRS{manufacturer}<\/code>. You can query those attributes with udevadm<\/a>. A nice document describing how to write udev rules can be found on http:\/\/www.reactivated.net\/writing_udev_rules.html<\/a>.<\/p>\n
5. Mounting script<\/a><\/h2>\n
The udev-rule<\/a> runs \/usr\/loca\/bin\/unlock-luks<\/code> every time the USB drive containing the key is plugged in. We can do nearly everything within this script but it suggests itself to unlock the luks volume and mount it somewhere:<\/p>\n
\r\n#!\/bin\/bash\r\ndd if=\/dev\/usbkey bs=512 skip=4 count=8 | cryptsetup luksOpen \/dev\/md0 luksVolume --key-file=- && mount \/dev\/mapper\/luksVolume \/mnt\/\r\n<\/pre>\n
Notice, that this skips the first 2048bytes and reads the next 4096bytes. If you generated a smaller of bigger keyfile, or placed you keyfile somewhere else on you USB drive in Section 3<\/a>, YMWV!<\/p>\n
\n","protected":false},"excerpt":{"rendered":"
A luks encrypted disk partition is great. The only thing that can bug you from time to time is that you have to specify the key before you can use it. Or maybe, if you try to mount the volume with \/etc\/fstab, you’ll be prompted for the password during boot. Wouldn’t it be great, if you could use a real… Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[58,20,19],"class_list":["post-300","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-hardware","tag-luks","tag-udev"],"_links":{"self":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=300"}],"version-history":[{"count":90,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/300\/revisions"}],"predecessor-version":[{"id":1831,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/300\/revisions\/1831"}],"wp:attachment":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}