    Decrypting a LUKS encrypted drive at boot

    IT Discussion
    Tags: mdadm, linux, luks
    8 Posts, 5 Posters, 732 Views
    • DustinB3403

      So I have an internal development project I'm working on and I'm trying to sort out specifically how I can decrypt a LUKS encrypted partition built on a separate mdadm R1 at boot time, so that the drive is always available if the system should reboot.

      Obviously this isn't an ideal solution since the key would have to be stored in plain-text somewhere outside of the array, but I'm curious if anyone else has had to do something like this and what protections that you may have put into place to protect this information.

      Alternatively, the obvious solution would be some intervention to unlock the drive after a reboot, but I was hoping to avoid this manual intervention.

      Thanks in advance

      • Obsolesce @DustinB3403

        @DustinB3403 does it have a TPM2 chip?

        • DustinB3403 @Obsolesce

          @Obsolesce said in Decrypting a LUKS encrypted drive at boot:

          @DustinB3403 does it have a TPM2 chip?

          This VM doesn't, nor does it have a vTPM.

          • Obsolesce @DustinB3403

            @DustinB3403 Oh, is it the boot/OS drive of a VM?

            • EddieJennings

              I know it's not your ideal, but have you tried to use /etc/crypttab and store the key in a file somewhere that's owned by root and has 400 permissions, just to see if that method can do the automatic unlocking of the encrypted device?

              If you're making said file that /etc/crypttab will use remember to do echo -n 'whatever' > yourfile, instead of just echo, else you'll bang your head against the wall not understanding why the stored password isn't working. Ask me how I know. 😉

              • dbeato

                Did this work for you? https://www.malachisoord.com/2023/11/04/decrypt-additiona-luks-encrypted-volumes-on-boot/

                • DustinB3403 @Obsolesce

                  @Obsolesce said in Decrypting a LUKS encrypted drive at boot:

                  @DustinB3403 Oh, is it the boot/OS drive of a VM?

                  No it wouldn't be the boot partition, but a secondary array (R1).

                  @EddieJennings said in Decrypting a LUKS encrypted drive at boot:

                  I know it's not your ideal, but have you tried to use /etc/crypttab and store the key in a file somewhere that's owned by root and has 400 permissions, just to see if that method can do the automatic unlocking of the encrypted device?

                  If you're making said file that /etc/crypttab will use remember to do echo -n 'whatever' > yourfile, instead of just echo, else you'll bang your head against the wall not understanding why the stored password isn't working. Ask me how I know. 😉

                  I haven't tried it.

                  @dbeato said in Decrypting a LUKS encrypted drive at boot:

                  Did this work for you? https://www.malachisoord.com/2023/11/04/decrypt-additiona-luks-encrypted-volumes-on-boot/

                  I've never seen it, will review.

                  • IThomeboy80

                    Here is something I found:

                    1. Ensure LUKS Drive is Configured
                    If the drive isn’t encrypted yet, you can encrypt it with LUKS:

                        sudo cryptsetup luksFormat /dev/sdX

                    Replace /dev/sdX with the appropriate drive/partition. Be cautious—this step will erase all data on the drive.

                    2. Add the Drive to /etc/crypttab
                    Edit the /etc/crypttab file to configure the system to unlock the drive at boot.

                    Open the file:

                        sudo nano /etc/crypttab

                    Add an entry for the encrypted drive:

                        cryptname /dev/sdX none luks

                    cryptname: A name for the decrypted device (used later in /etc/fstab).
                    /dev/sdX: Path to the encrypted device.
                    none: Use none for a passphrase prompt at boot, or specify a path to a key file.
                    luks: Indicates LUKS encryption.

                    Example:

                        cryptdrive /dev/sdb1 none luks

                    3. Add the Decrypted Device to /etc/fstab
                    To automatically mount the decrypted drive after unlocking:

                    Edit /etc/fstab:

                        sudo nano /etc/fstab

                    Add an entry for the decrypted drive:

                        /dev/mapper/cryptname /mnt/mountpoint ext4 defaults 0 2

                    Replace:

                    /dev/mapper/cryptname with the mapped device from /etc/crypttab.
                    /mnt/mountpoint with your desired mount point.
                    ext4 with your file system type.

                    4. Generate an Initramfs
                    If the root file system or a critical drive is encrypted, you’ll need to update the initramfs to include decryption tools.

                    Update the initramfs:

                        sudo update-initramfs -u

                    Verify that the cryptsetup package is installed in your initramfs configuration.

                    5. Test Boot Behavior
                    Reboot the system and observe the decryption process:

                    If you specified none in /etc/crypttab, you should be prompted for a passphrase at boot.
                    If a key file was used, the drive should decrypt automatically.

                    6. Using a Key File for Automatic Decryption
                    To avoid entering a passphrase at boot, use a key file:

                    Generate a key file:

                        sudo dd if=/dev/urandom of=/root/luks-keyfile bs=4096 count=1

                    Set permissions:

                        sudo chmod 600 /root/luks-keyfile

                    Add the key file to the LUKS header:

                        sudo cryptsetup luksAddKey /dev/sdX /root/luks-keyfile

                    Update /etc/crypttab:

                        cryptname /dev/sdX /root/luks-keyfile luks

                    Update the initramfs:

                        sudo update-initramfs -u

                    Reboot to test automatic decryption.

                    7. Troubleshooting
                    Device not found during boot: Ensure the correct device path is used in /etc/crypttab.
                    Passphrase prompt not appearing: Verify cryptsetup is installed and included in initramfs.
                    Boot hangs or fails: Boot into a live session, comment out entries in /etc/fstab or /etc/crypttab, and investigate.
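The two traps this thread calls out (EddieJennings's echo vs. echo -n newline problem, and the key file permissions and crypttab entry in the steps above) can be checked before a reboot rather than discovered at the boot prompt. The script below is an added example, not code from the thread or from any poster; it assumes a mapping named cryptdata on the constructed placeholder device /dev/md0 standing in for the mdadm RAID1 array, and works only on sample files it creates in a temp directory.

```sh
#!/bin/sh
# Added example, not from the thread: pre-reboot checks for a LUKS key file
# and its /etc/crypttab entry. Everything runs against constructed sample
# files in a temp directory; no real device, LUKS header or /etc/crypttab
# is touched.

# Returns 0 when the last byte of the key file is a newline. cryptsetup uses
# the whole file as the key, so a key written with plain echo will never
# match the passphrase that was added to the header with luksAddKey.
keyfile_has_trailing_newline() {
    [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Returns 0 when the key file mode is 400 or 600 (no group/world access).
# It should also be owned by root; ownership is not checked here.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Returns 0 when mapping $2 in crypttab file $1 has four fields, a key field
# that is "none" or an existing file, and "luks" among its options.
crypttab_entry_ok() {
    line=$(awk -v n="$2" '$1 == n' "$1")
    [ -n "$line" ] || return 1
    set -- $line
    [ $# -eq 4 ] || return 1
    [ "$3" = none ] || [ -f "$3" ] || return 1
    case "$4" in luks|luks,*|*,luks|*,luks,*) return 0 ;; *) return 1 ;; esac
}

# Builds constructed samples in a temp dir and prints its path. /dev/md0 is
# a placeholder for the mdadm RAID1 array; the key material is made up.
make_samples() {
    d=$(mktemp -d)
    echo 'constructed-key-material' > "$d/bad.key"          # trailing newline
    printf '%s' 'constructed-key-material' > "$d/good.key"  # no newline
    chmod 644 "$d/bad.key"
    chmod 400 "$d/good.key"
    printf 'cryptdata /dev/md0 %s luks\n' "$d/good.key" > "$d/crypttab"
    printf 'cryptbad /dev/md0 %s luks\n' "$d/missing.key" >> "$d/crypttab"
    echo "$d"
}

# Stand-alone run: report on the constructed samples.
samples=$(make_samples)
for k in "$samples/bad.key" "$samples/good.key"; do
    keyfile_has_trailing_newline "$k" && echo "$k: ends with a newline (written with echo?)"
    keyfile_mode_ok "$k" || echo "$k: mode should be 400 or 600"
done
crypttab_entry_ok "$samples/crypttab" cryptdata && echo "cryptdata entry looks sane"
```

Point the three functions at the real key file and /etc/crypttab (as root) to run the same checks on a live system.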