I have set up my Pi3 <1> with an encrypted root partition <2>.
Currently, I have to open the root partition manually on startup and would like to auto-unlock it with an attached USB drive <3>
So, my first approach was
* to create a dedicated 1MB partition on the USB drive (avoid any fs dependencies),
* overwrite the partition from /dev/urandom,
* add it as key to the root's LUKS container,
* include it in cmdline.txt with cryptkey <4> and
* rebuild the initramfs.
However, root got unlocked on boot
My second attempt was to go for a dedicated FAT32 partition on the drive, add a key file on the FAT partition to the LUKS container and to cmdline.txt (playing safe and going directly by /dev/sdX and not relying on links in /dev/disk) <5>
Assumption is that the initramfs includes a vfat driver (else /boot should not be readable, I guess).
Still, root does not get unlocked and I have to enter the password.
While the USB drive is found during boot into initramfs, I actually do not see any messages that the USB drive is tried as cryptkey?
Maybe I am missing something and somebody has an idea for me?
Cheers and thanks for any hints!
<1>
uname -a
Linux raspberrypi 4.9.11-v7+ #969 SMP Mon Feb 20 12:55:08 GMT 2017 armv7l GNU/Linux

pi@raspberrypi:~ $ sudo lsblk -o NAME,FSTYPE,LABEL,UUID,MOUNTPOINT,SIZE
NAME         FSTYPE      LABEL             UUID                                 MOUNTPOINT   SIZE
sda                                                                                       115,7G
|-sda2       btrfs       raspi-btrfs-tmp-1 9f677a7c-cbc8-491c-88e7-86ce43625417           112,3G
`-sda1       vfat        VAT-KEY-1         9A2A-6199                                       1000M
mmcblk0                                                                                    59,5G
|-mmcblk0p4                                                                                   1K
|-mmcblk0p2  crypto_LUKS                   aa753e72-d1ac-40b0-8572-a6edbbf1b368             4,9G
| `-sdcard   ext4                          0aed834e-8c8f-412d-a276-a265dc676112 /           4,9G
|-mmcblk0p5  crypto_LUKS                   b88f8dd1-4005-49df-9c7c-3712164c9ee3             1,5G
|-mmcblk0p3  crypto_LUKS                   653b682a-5510-4372-bbab-9aada397c42c            48,8G
|-mmcblk0p1  vfat        boot              0F5F-3CD8                            /boot        63M
`-mmcblk0p6                                                                                   1M
background/idea: I have no real sensitive data, but it would make discarding broken cards easier
plus doing it as an "exercise".
Actually, I would prefer to dodge the performance hit of the de-/encryption by using the CPU's 64-bit mode, which supports AES directly -- but I have to live with 32-bit.
<4>
> /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard cryptkey=/dev/disk/by-id/usb-SanDisk_Ultra_4C530001160919112343-0:0-part1 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait

> /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard cryptkey=/dev/sda1:vfat:luks_usb-stick_part1_4C53000116091911234.key rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait
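A quick shape check on the two cmdline.txt variants above, added here as an example; it is not code from the original post. It assumes the cryptkey= syntax documented for the mkinitcpio "encrypt" hook (the hook that defines the cryptdevice=/cryptkey= parameters): either `<device>:<offset>:<size>` for raw bytes read from a block device, or `<device>:<fstype>:<path>` for a key file on a mountable filesystem, both split on ":". Whether the initramfs on the Pi actually consumes cryptkey= is not something the post shows; this only validates the value's form. The function names, the third constructed cmdline and the findings text are this example's own.

```python
"""Check cryptdevice=/cryptkey= values in a kernel command line (added example).

Assumed cryptkey= forms (mkinitcpio encrypt hook syntax, split on ':'):
    <device>:<offset>:<size>   raw key bytes read from a block device
    <device>:<fstype>:<path>   key file on a filesystem that gets mounted
"""
import shlex

# The two cmdline.txt lines quoted in the post (first and second attempt).
FIRST_ATTEMPT = (
    "dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard "
    "cryptdevice=/dev/mmcblk0p2:sdcard "
    "cryptkey=/dev/disk/by-id/usb-SanDisk_Ultra_4C530001160919112343-0:0-part1 "
    "rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait"
)
SECOND_ATTEMPT = (
    "dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard "
    "cryptdevice=/dev/mmcblk0p2:sdcard "
    "cryptkey=/dev/sda1:vfat:luks_usb-stick_part1_4C53000116091911234.key "
    "rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait"
)
# Constructed variant: the raw-partition idea expressed in the offset:size form
# (first 4096 bytes of /dev/sda1; hypothetical, not from the post).
RAW_VARIANT = (
    "root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard "
    "cryptkey=/dev/sda1:0:4096 rootwait"
)


def parse_cmdline(cmdline: str) -> dict:
    """Split a kernel command line into {key: value}; bare words map to ''."""
    params = {}
    for word in shlex.split(cmdline):
        key, sep, value = word.partition("=")
        params[key] = value if sep else ""
    return params


def classify_cryptkey(value: str) -> dict:
    """Classify a cryptkey= value as 'raw', 'file' or 'unrecognised'."""
    fields = value.split(":")
    device = fields[0]
    if len(fields) == 3 and fields[1].isdigit() and fields[2].isdigit():
        return {"form": "raw", "device": device,
                "offset": int(fields[1]), "size": int(fields[2])}
    if len(fields) == 3 and fields[1] and fields[2]:
        return {"form": "file", "device": device,
                "fstype": fields[1], "path": fields[2]}
    return {"form": "unrecognised", "device": device, "fields": fields}


def check_cmdline(cmdline: str) -> list:
    """Return a list of findings (strings); an empty list means nothing looked off."""
    p = parse_cmdline(cmdline)
    findings = []

    # cryptdevice=<source>:<mapname>[:options]; root= must name that mapping.
    cd_fields = p.get("cryptdevice", "").split(":")
    if len(cd_fields) < 2 or not cd_fields[1]:
        findings.append(f"cryptdevice= is not <device>:<mapname>: {p.get('cryptdevice')!r}")
    else:
        mapname = cd_fields[1]
        if p.get("root") != f"/dev/mapper/{mapname}":
            findings.append(f"root={p.get('root')!r} does not point at /dev/mapper/{mapname}")

    if "cryptkey" in p:
        info = classify_cryptkey(p["cryptkey"])
        if info["form"] == "unrecognised":
            # A ':' inside the device name (e.g. a /dev/disk/by-id link) is split too,
            # so the value no longer has the expected three fields.
            findings.append(
                f"cryptkey= has {len(info['fields'])} colon-separated field(s) "
                f"{info['fields']}; expected <device>:<offset>:<size> or "
                "<device>:<fstype>:<path> (a ':' inside the device name is split as well)")
    return findings


if __name__ == "__main__":
    for name, line in (("first attempt", FIRST_ATTEMPT),
                       ("second attempt", SECOND_ATTEMPT),
                       ("raw variant", RAW_VARIANT)):
        print(name, "->", check_cmdline(line) or "no findings")
```

Run against the two posted lines, the first attempt is flagged: the by-id link name contains a ":" of its own, so the value splits into two fields instead of the expected three, and no offset/size or fstype/path is left for the key. The second attempt parses cleanly as the file-on-filesystem form, which is consistent with the post's observation that the stick itself is found but nothing in the output says whether the initramfs ever tries it.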