I do the same thing, however I'm afraid my answer won't be satisfactory, as for various reasons I went with a completely custom Initramfs.
Instead of GnuPG
, which is an extra binary that has to be included in the Initramfs (and in case of GnuPG-2
, a rather complex one), I simply used what's already there. And that's obviously dm-crypt/LUKS
.
So suppose you have a keyfile
. Preferably one with random data.
# dd if=/dev/urandom of=keyfile count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000189802 s, 2.7 MB/s
Add encryption for it with LUKS (feel free to add your cipher settings of choice).
# truncate -s 2M keyfile.luks
# cryptsetup luksFormat keyfile --header keyfile.luks
WARNING!
========
This will overwrite data on keyfile.luks irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase: bananas
Verify passphrase: bananas
Now you have a keyfile (512 byte) and a keyfile.luks (2MB, which cryptsetup for some reason needs to write the 192k LUKS header). Since the Initramfs will be compressed anyway, that is not too bad (still smaller than GnuPG
).
Now you can decrypt the keyfile:
# cryptsetup luksOpen keyfile --header keyfile.luks lukskey
Enter passphrase for keyfile: bananas
And you have 512 byte of random data in /dev/mapper/lukskey
. (You may write to it if you want to change it, so we could have initialized the file with zeroes earlier.)
# blockdev --getsize64 /dev/mapper/lukskey
512
In Initramfs init
you could then proceed to open the real LUKS volume with it (assuming you added the key first).
cryptsetup --key-file=/dev/mapper/lukskey luksOpen /dev/yourdisk luksyourdisk
cryptsetup luksClose lukskey # clean up
This approach makes GnuPG entirely superfluous, plus you get all LUKS advantages, such as multiple passphrases for the key, cipher of your choice, et cetera. Not to mention a nice (mostly regular) password prompt with multiple retries.
A key file in the /boot directory can be read by any other operation system booted on your machine that is able to mount the filesystem on that /boot is located. Thus, encryption is not really effective. This argument applies to all key file locations on unencrypted file systems.
To avoid key files on unencrypted file systems a password can be used for decryption. Create a strong password for the device. Then, change the line in /etc/crypttab to
hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e none luks
and keep the entry in /etc/fstab unmodified. Ubuntu 14.04/16.04/18.04 asks you for the password on startup.
Best Answer
Yes, this is possible. As mentioned by @muldune, you can use a Yubikey to perform 2FA encryption with LUKS. Have a look at my AskUbuntu answer here.