Chuck
Posts: 6
Joined: Sun Jul 07, 2013 11:10 am

encrypted root: auto-unlock w. usb drive?

Sun Feb 26, 2017 7:00 pm

Hi all,

I have setup my Pi3 <1> with an encrypted root partition <2>.
Currently, I have to open the root partition manually on startup and would like to auto-unlock it with an attached USB drive <3>

So, my first approach was
* to create a dedicated 1MB partition on the USB drive (avoid any fs dependencies),
* overwrite the partition from /dev/urandom,
* add it as key to the root's LUKS container,
* include it in cmdline.txt with cryptkey <4> and
* rebuild the initramfs.
However, root got unlocked on boot

My second attempt was to go for a dedicated FAT32 partition on the drive and add a key file on the FAT-partition to the LUKS container and to cmdline.txt (plaing save and going directly by /dev/sdX and not relying on links in /dev/disk) <5>
Assumption is that the initramfs includes a vfat driver (else /boot should not be readable, I guess).
Still, root doe not get unlocked and I have to enter the password :(

While the USB drive is found during boot into initramfs, I actually do not see messages, that the USB drive is tried as cryptkey??

Maybe I am missing something and sombody ahs an idea for me?

Cheers and thanks for any hints!

<1>

Code: Select all

uname -a
Linux raspberrypi 4.9.11-v7+ #969 SMP Mon Feb 20 12:55:08 GMT 2017 armv7l GNU/Linux
<2>

Code: Select all

pi@raspberrypi:~ $ sudo  lsblk -o NAME,FSTYPE,LABEL,UUID,MOUNTPOINT,SIZE
NAME        FSTYPE      LABEL                UUID                                 MOUNTPOINT   SIZE
sda                                                                                          115,7G
|-sda2      btrfs       raspi-btrfs-tmp-1    9f677a7c-cbc8-491c-88e7-86ce43625417            112,3G
`-sda1      vfat        VFAT-KEY-1           9A2A-6199                                        1000M
mmcblk0                                                                                       59,5G
|-mmcblk0p4                                                                                      1K
|-mmcblk0p2 crypto_LUKS                      aa753e72-d1ac-40b0-8572-a6edbbf1b368              4,9G
| `-sdcard  ext4                             0aed834e-8c8f-412d-a276-a265dc676112 /            4,9G
|-mmcblk0p5 crypto_LUKS                      b88f8dd1-4005-49df-9c7c-3712164c9ee3              1,5G
|-mmcblk0p3 crypto_LUKS                      653b682a-5510-4372-bbab-9aada397c42c             48,8G
|-mmcblk0p1 vfat        boot                 0F5F-3CD8                            /boot         63M
`-mmcblk0p6                                                                                      1M
<3>
background/idea: I have no real sensitive data, but it would make discarding broken cards easier
plus doing it as an "exercise".
Actually I would prefer dodging the performance hit due to the de-/encryption with the CPU's 64bit-mode supporting AES directly -- but have to life with 32bit ;)

<4>

Code: Select all

> /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard cryptkey=/dev/disk/by-id/usb-SanDisk_Ultra_4C530001160919112343-0:0-part1 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait
<5>

Code: Select all

> /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard cryptkey=/dev/sda1:vfat:luks_usb-stick_part1_4C53000116091911234.key rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait

Return to “Raspberry Pi OS”