Ubuntu – How to configure LVM & LUKS to autodecrypt partition

Tags: encryption, luks, lvm

I have recently installed Ubuntu Server 11.04 with full LVM encryption (installed from the setup). I now wish to use a key file to unlock it automatically. I have tried to follow this guide: http://ubuntuforums.org/showthread.php?t=837416

I generated a key with this command: sudo dd if=/dev/urandom of=/boot/grub/keyfile bs=1024 count=4

I put it in /boot/grub because I think that partition is not encrypted. When I try to add the key with this command: sudo cryptsetup luksAddKey /dev/sdX /boot/grub/keyfile
it asks me for the passphrase, and when I enter it nothing happens; nothing is printed to the screen! I ignore that and continue with the other steps and reboot, but nothing has changed and it still asks for the passphrase.

Thanks for the help.

Best Answer

I've just been through this on my new home server; it took a lot of googling and guessing, but I've got it working. I'll attempt to reproduce the steps here. I'm using Ubuntu Server 11.10, and started with a pretty much standard install using encrypted LVM, so I'll just relate the changes I made from there.

Setup:

  • /dev/sda1 is my unencrypted /boot partition
  • /dev/sda5 is my lvm partition which contains everything else -- root, swap, and home
  • /dev/sdc1 is the partition on my USB flash drive where I'll store the keyfile

First, I created a keyfile, just in my home directory:

dd if=/dev/urandom of=keyfile bs=512 count=4

(you can use a larger blocksize or count for a larger key)

Tell cryptsetup the new key (it's the contents that are important, not the filename):

sudo cryptsetup luksAddKey /dev/sda5 keyfile

Then, I formatted my USB flash drive with ext2 and gave it a label. I used a label, so that later I can mount it by label, and replace the USB flash drive in case something goes wrong with it.

sudo mkfs -t ext2 /dev/sdc1
sudo e2label /dev/sdc1 KEYS

(of course, your device will vary)

Now, copy the keyfile to the USB flash drive, owned by root mode 400:

mkdir KEYS
sudo mount /dev/sdc1 KEYS
sudo cp keyfile KEYS
sudo chown root KEYS/keyfile
sudo chmod 400 KEYS/keyfile

Modify /etc/crypttab. Mine originally contained

sd5_crypt UUID=(...) none luks

which I changed to

sd5_crypt UUID=(...) /dev/disk/by-label/KEYS:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev

Finally, update the initramfs:

sudo update-initramfs -uv

It now boots using the keyfile on the USB flash drive. If I remove the flash drive (say, when I go on holiday) it doesn't boot and my data is secure.

If anyone knows how to get it to ask for the passphrase if the USB flash drive is missing, that would be handy as a fallback. Hope this helps, any additions or corrections would be more than welcome!
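A pre-reboot check script, added here as an example and not part of the answer above, that validates a crypttab line in the passdev form shown, checks the keyfile's mode, and (as root, using cryptsetup's --test-passphrase option) confirms that the key actually opens the volume. The function names and the precheck.sh usage are assumptions; the paths come from the answer.

```shell
#!/bin/sh
# Added example, not part of the answer above: sanity checks to run before
# rebooting into a keyfile + passdev setup. Function names, messages and the
# usage are mine; the paths come from the answer.

PASSDEV=/lib/cryptsetup/scripts/passdev   # keyscript used in the crypttab line

# check_crypttab_line "LINE": 0 when LINE has the four crypttab fields, a source
# of UUID=... or /dev/..., a passdev-style "device:/path" key field, and options
# containing both "luks" and "keyscript=$PASSDEV"; otherwise 1 with a reason.
check_crypttab_line() {
    set -f; set -- $1; set +f             # split fields, no glob expansion
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    case $2 in UUID=*|/dev/*) ;; *) echo "bad source field: $2" >&2; return 1 ;; esac
    case $3 in
        *:/*) ;;                          # e.g. /dev/disk/by-label/KEYS:/keyfile
        *) echo "key field '$3' is not device:/path; passdev needs that" >&2; return 1 ;;
    esac
    case ",$4," in *,luks,*) ;; *) echo "options lack 'luks'" >&2; return 1 ;; esac
    case ",$4," in
        *,keyscript=$PASSDEV,*) ;;
        *) echo "options lack keyscript=$PASSDEV" >&2; return 1 ;;
    esac
}

# check_keyfile PATH: the keyfile must exist, be non-empty and be mode 400 so
# only its owner (root, per the answer) can read the key material.
check_keyfile() {
    [ -s "$1" ] || { echo "keyfile $1 missing or empty" >&2; return 1; }
    mode=$(stat -c '%a' "$1")             # GNU stat, as on Ubuntu
    [ "$mode" = 400 ] || { echo "keyfile $1 has mode $mode, expected 400" >&2; return 1; }
}

# check_key_unlocks DEVICE KEYFILE: confirm the keyfile really opens the LUKS
# header without mapping the volume (needs root). luksAddKey prints nothing on
# success, so this is how to tell the slot was actually added.
check_key_unlocks() {
    if cryptsetup open --test-passphrase --key-file "$2" "$1"; then
        echo "keyfile unlocks $1"
    else
        echo "keyfile does NOT unlock $1" >&2; return 1
    fi
}

# Usage, as root, before update-initramfs:  sh precheck.sh /dev/sda5 KEYS/keyfile
if [ $# -eq 2 ]; then
    grep -v '^#' /etc/crypttab | while read -r line; do
        [ -z "$line" ] || check_crypttab_line "$line"
    done
    check_keyfile "$2" && check_key_unlocks "$1" "$2"
fi
```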